LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-30-2013, 01:22 PM   #1
displace
Member
 
Registered: Jan 2013
Location: EU
Distribution: Mint, Xubuntu
Posts: 187

Rep: Reputation: 13
Evil maid detector?


Hello.

<blablabla>
Recently I started encrypting all my hard disks by default. For Linux boxes I'm using full disk encryption with LUKS/LVM. Well, technically it is not really "full" disk encryption because the computers have to boot from some unencrypted space. This will most likely be a part of the HDD where the MBR and the /boot partition reside - both unencrypted. The boot partition is home to the kernel, the grub2 boot loader, etc. The computers do not support secure boot.

Out of curiosity I did a little research on this subject, and I read about this thing called the "evil maid" attack. It's a process where an adversary sneaks into your quarters and gains physical access to the computer. While he may not be able to obtain any data from it (data is encrypted, adversary doesn't have the password), he can easily modify the kernel or some other script and insert a malicious keylogger on the unencrypted /boot partition. Finally he leaves the place and waits for me to log in again and type the password, unaware that the computer has been bugged. The keylogger either writes down the password to an unencrypted space on /boot for later retrieval, or it can transmit the key to a specified IP address once I connect to the internet.
</blablabla>


Is there a decent way to protect against this attack? I'm talking about detecting if the unencrypted space has been bugged before any damage is done. Yes yes, I know I can move the /boot partition and the bootloader to an external USB stick and boot from there. I already do that for a number of computers, but it gets a bit impractical having to carry around a large stash of USB keys. What if I misplace them?

The only idea I came up with was to hash the boot sector/MBR and the /boot partition each time a PC boots, then compare the hashes against stored values, and abort the boot process until the attack can be mitigated. But I can't come up with a decent way of implementing it. If the hashing scripts reside on the /boot partition then they can easily be bypassed. If they reside inside the encrypted space then the keylogger will have already logged the key before the execution reaches the point where the hashing scripts are executed. The only sensible solution here appears to be a setup that uses two encrypted partitions - the first one stores the hashing scripts, and the second the actual operating system. This way the user has to enter two passwords. The first password prevents the adversary from modifying the verification scripts while allowing the scripts to warn the user not to enter the second password, which protects the operating system.


This is the theory at least. Has anybody experimented with this yet?

~dis
 
Old 01-30-2013, 02:34 PM   #2
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,624
Blog Entries: 1

Rep: Reputation: Disabled
There is NO security without physical security.

Last edited by Habitual; 02-01-2013 at 09:34 AM.
 
1 members found this post helpful.
Old 01-30-2013, 02:45 PM   #3
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,111

Rep: Reputation: 371
Not much you can do about this one. You could take some steps to physically lock down your computer, but ultimately if someone is determined to get at your data, they will.
So the answer to your question is how much time and money are you willing to invest in physically securing access to the location. But ultimately the most dangerous people at a company are its employees. The 'evil maid' you speak of, however, isn't just anyone sneaking in to your quarters and exploiting your computer; it's someone you hired to work for you (e.g. a janitor, secretary) or a friend, in short someone to whom you gave the key to the room, who is doing the exploiting, hence the 'maid' part. So I suppose the best way to protect from this is simply to make sure you trust the people you grant access to the room where the computer is.

Last edited by frieza; 01-30-2013 at 02:47 PM.
 
Old 01-30-2013, 11:51 PM   #4
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 1,621

Rep: Reputation: 676
Put /boot (unencrypted) on a USB flash drive. Encrypt everything on the machine's hard drives. You only need to have the USB flash drive installed for booting and for kernel updates. Keep it in a secure place at all other times.
 
Old 02-01-2013, 02:16 AM   #5
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

Rep: Reputation: 2041
For the original question: you hash the /boot, grub, whatever, then carry just the hashes around on a USB key. You can get plenty on a modern USB key.
Obviously you keep the hash prog on the USB key, maybe leave a copy for the bad guy to play with. Take a hash of the hash prog so you can check.

Of course if they put a HW keylogger in your keyboard .... it's game over.
Allegedly this is one method used by the various Secret Services around the world.

You may possibly be over-worrying unless you work for e.g. a Govt Dept already, in which case that's what Guards (people, ideally with HKs) are for.
 
Old 02-01-2013, 04:13 AM   #6
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,111

Rep: Reputation: 371
That doesn't stop someone from sticking a CD in the drive, booting from it, and making a copy of the drive and taking that with them to crack, nor does it detect it, since hashing only detects CHANGES.
 
Old 02-01-2013, 08:36 AM   #7
displace
Member
 
Registered: Jan 2013
Location: EU
Distribution: Mint, Xubuntu
Posts: 187

Original Poster
Rep: Reputation: 13
Quote:
Originally Posted by frieza View Post
Not much you can do about this one. You could take some steps to physically lock down your computer, but ultimately if someone is determined to get at your data, they will.
So the answer to your question is how much time and money are you willing to invest in physically securing access to the location. But ultimately the most dangerous people at a company are its employees. The 'evil maid' you speak of, however, isn't just anyone sneaking in to your quarters and exploiting your computer; it's someone you hired to work for you (e.g. a janitor, secretary) or a friend, in short someone to whom you gave the key to the room, who is doing the exploiting, hence the 'maid' part. So I suppose the best way to protect from this is simply to make sure you trust the people you grant access to the room where the computer is.
Thank you for the insight.

Regarding the sneaking part, I understand it's the everyday people who are most likely to commit an attack. I was only implying that the attack is going to happen in my absence. The theory is that in order for the attack to be successful it must happen in multiple stages. The first stage is the part where an adversary bugs my computer with a keylogger, be it hardware or software. This stage is never going to be successful alone. The crucial stage is the second one, where it is required that the unaware user types in the passphrase which will be keylogged. Finally the third stage is the recovery of the passphrase and decryption of the encrypted data.

If I manage to detect the first stage of the attack, I can easily mitigate without any real damage.


Quote:
Originally Posted by rknichols View Post
Put /boot (unencrypted) on a USB flash drive. Encrypt everything on the machine's hard drives. You only need to have the USB flash drive installed for booting and for kernel updates. Keep it in a secure place at all other times.
I am already doing this for a couple of computers. But as I said in my first post, it's difficult to always carry the keys along and keep an eye out on them. There's also a possibility that I misplace/lose them - no more access without a proper backup. A single key can only hold boot data for a single computer - lots of computers = lots of USB keys.

Quote:
Originally Posted by chrism01 View Post
For the original question: you hash the /boot, grub, whatever, then carry just the hashes around on a USB key. You can get plenty on a modern USB key.
Obviously you keep the hash prog on the USB key, maybe leave a copy for the bad guy to play with. Take a hash of the hash prog so you can check.

Of course if they put a HW keylogger in your keyboard .... it's game over.
Allegedly this is one method used by the various Secret Services around the world.

You may possibly be over-worrying unless you work for e.g. a Govt Dept already, in which case that's what Guards (people, ideally with HKs) are for.
I do not work for any Govt, and am not on any watch list - at least not to my knowledge or expectations. Regardless, I still like to properly secure my data. It never hurts to be careful. It's a good idea to have a single USB key that contains only hashes for multiple computers! Perhaps I can add a GRUB option to verify the hashes...

I know that some hardware keyloggers are available in the shape of a small plug that can be placed in between a computer and the USB (or PS/2) plug of a keyboard. Fortunately these can be easily spotted. And laptops have a built-in hardware keyboard, so unless they're going to open the case I don't see how they could keylog my laptop with a HW keylogger. I mean, is there even enough space inside a laptop to install a HW keylogger? I could probably place some hard-to-forge sticker (similar to those "warranty void if removed" seals) over the case and check whether it has been torn. This would indicate someone opened the case. I've also heard that some people weigh their laptops. An increase in mass would suggest extra hardware has been installed.

Quote:
Originally Posted by frieza View Post
That doesn't stop someone from sticking a CD in the drive, booting from it, and making a copy of the drive and taking that with them to crack, nor does it detect it, since hashing only detects CHANGES.
Yes, I am familiar with the procedure. I used to rescue data on a number of HDDs like that (systemrescuecd). But let's assume that the passphrase is too strong to crack. Personally I use passphrases at least 16 characters long, without any words that can be found in a dictionary. I use a combination of uppercase and lowercase letters, at least one number and at least one special character.
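An added example of the baseline-and-compare check discussed in the thread (displace's hashing idea, chrism01's "hashes on the USB key", and the GRUB hook mentioned above); it is not code from any poster. It hashes the MBR (first 512 bytes of the disk) and every file under /boot, and refuses to proceed when anything differs from a baseline kept on the USB key. Assumptions: GNU coreutils (sha256sum, dd, find, sort, diff), and the boot directory, disk device and baseline path are passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a manifest of the unencrypted
# boot path (boot sector + every file under /boot) and compares it with a
# baseline stored on removable media the attacker never sees.
# Assumes GNU coreutils; all paths are parameters, nothing is hard-coded.

# Print one "hash  name" line per item, in a stable order.
boot_manifest() {
    boot_dir=$1
    boot_dev=$2
    # MBR: the 512-byte boot sector holding the boot loader's first stage
    # and the partition table.
    mbr_hash=$(dd if="$boot_dev" bs=512 count=1 2>/dev/null | sha256sum | cut -d' ' -f1)
    printf '%s  MBR:%s\n' "$mbr_hash" "$boot_dev"
    # Kernel, initrd, grub modules and config: every regular file under /boot.
    (
        cd "$boot_dir" || exit 1
        find . -type f | LC_ALL=C sort | while IFS= read -r f; do
            sha256sum "$f"
        done
    )
}

# Exit status 0 when the current manifest equals the baseline, 1 otherwise.
# On mismatch the differing lines go to stderr so the user sees what changed.
verify_boot() {
    boot_dir=$1
    boot_dev=$2
    baseline=$3
    current=$(boot_manifest "$boot_dir" "$boot_dev")
    if [ "$current" = "$(cat "$baseline")" ]; then
        return 0
    fi
    printf '%s\n' "$current" | diff "$baseline" - >&2 || :
    return 1
}

# Typical use from the USB key (device and mount point are placeholders):
#   boot_manifest /boot /dev/sda > /media/usbkey/host.sha256      # once, while trusted
#   verify_boot /boot /dev/sda /media/usbkey/host.sha256 \
#       || echo "boot path changed: do NOT enter the passphrase"
```

Both the script and the baseline have to live on the USB key, since a copy on the unencrypted disk can be edited along with /boot; and, as frieza notes, this only detects changes, so it says nothing about a disk that was merely copied.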
 
Old 02-01-2013, 10:00 AM   #8
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,624
Blog Entries: 1

Rep: Reputation: Disabled
You sound like me my first week over at http://ga-asi.com/ . When they appointed me as Network/Systems Admin and Oracle DBA for a 15 million dollar project, all their "product" was sitting on an Oracle Database on WindowsNT 4.0. OMG.

For a year, I worried about those Ones and Zeros, reliable backups, intrusion response, etc. Shit, the USGovt. has serious standards and I wasn't quite sure that our setup would pass any of their tests, even if it passed mine.

I moved Oracle to a Sun box (without any data loss or downtime) with Solaris 8 (I think) and left the Windows-only client app to a Citrix front-end.


One of those tests I had was that I called a hacker friend of mine, gave him an IP to the Citrix Server and a port and said "go". 3 hours later, he told me I was good to go. He did not succeed.

In the end, I just made sure NO ONE but me had physical access to the "gold1" and "gold2" servers at http://ga-asi.com/ and I had redundant backups of the Oracle data.

"the unaware user"... are there any other kind?

A shout out to the folks over at the MIS Dept. of General Atomics, Aeronautical Systems.

John Jones

Last edited by Habitual; 02-01-2013 at 10:01 AM.
 
Old 02-06-2013, 02:46 PM   #9
BlackRider
Member
 
Registered: Aug 2011
Distribution: Slackware
Posts: 261

Rep: Reputation: 82
Quote:
Originally Posted by Habitual
There is NO security without physical security.
THIS.

Even if your software structure was invulnerable (and it won't be), there are funny hardware keyloggers and toys they can place in your computer... Even hardware keyloggers for laptops.

If we are up to the level of awareness involved in protecting against an Evil Maid attack, you should beware of these.

It reminds me of a film where they take a lawyer's things and replace them with hacked copies.

The most reasonable thing would be, at least for me, to set the /boot on an external device you have always secured, and periodically perform integrity checks on it just in case.

Detection on a conventional disk encryption scheme... well, you could run AIDE or some other integrity checks, but once they have managed to run a bootkit on you, they could be able to cover their tracks and remain undetected in unsuspected ways.
 
Old 02-06-2013, 02:49 PM   #10
BlackRider
Member
 
Registered: Aug 2011
Distribution: Slackware
Posts: 261

Rep: Reputation: 82
Quote:
A single key can only hold boot data for a single computer
It depends. I sometimes build multi-boot USB devices for fun. Just saying.
 