LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Lightweight solutions to deterring an opportunistic laptop thief? (http://www.linuxquestions.org/questions/linux-security-4/lightweight-solutions-to-deterring-an-opportunistic-laptop-thief-4175490357/)

Willard 01-06-2014 05:08 PM

Lightweight solutions to deterring an opportunistic laptop thief?
 
Greetings.

I want to protect the data I store on the drive from an opportunistic thief who snatches my laptop and wants to snoop around for data he can exploit.

The ideal solution, naturally, is to TrueCrypt the whole drive. Indeed, this is what I am currently doing on my laptop.

However, I find that my laptop performs poorly. My laptop is an Asus eee 1015PEM, with 2GB RAM and a Intel® Atom™ N550 (Dual Core; 1.5GHz) Processor. The N550 does not have the AES instruction set extension, and is slow already.

I am about to install an SSD into my laptop, and I am concerned that encrypting the SSD will kill the performance gain that an SSD would otherwise offer to my laptop (I have asked around on Tom's Hardware a few times after an extensive research on TrueCrypt-ing an SSD, and got no convincing answer of the contrary).

I am also thinking that encrypting the drive is overkill for my purposes; I am not protecting my files from the NSA, after all. I want to deter the thief from popping the drive in an external hard drive case and explore partitions, or to try to break the disk encryption. I am thinking the best way to do that is to give the illusion that the thief has full access to everything from the get-go.

I am thinking something along the following lines: If a certain keyboard (combination) is NOT held down as the computer is booting, the computer will boot into a decoy operating system (Windows 7 Starter). If the key (combination) is held down as the computer is booting, the boot menu appears, where you can choose what operating system to boot (for instance, your favourite Linux distribution).

It would be really nice if the above could be realized using only one partition; if both the decoy OS and the real OS use a file system which does not fill the partition with null bytes when the file system is created, then, theoretically, the decoy OS and the real OS could reside on the same partition, at opposite "ends" of the partition (if one OS would fill its partition, then it would overwrite the other OS in that case).

A much simpler, but less convincing solution along these same lines: Your favorite Linux distribution starts up, with a single graphical "log in" button. If pressed, the file system on /home is deleted, recreated, a bogus passwordless user is created, and the thief is logged into a desktop as that user. This can be bypassed with a keyboard combination.

Do any of you know about an existing solution which works along these lines? (Does a combination of the TrueCrypt tools achieve this effect?)

Kind regards,
Willard.

unSpawn 01-06-2014 07:43 PM

Physical access means it's out of your control. So there is no way you can deter a person from doing anything. Creating illusions is the domain of "security by obscurity". Which isn't providing or enhancing security at all. Sure the illusion may hold at first glance but a 250 GiB SSD with an actual OS partition size of 10 GiB isn't going to fool any ten year old kid. How about a scheme where you force unlocking disk encryption using a key on an USB stick? That way the encrypted medium and the key are separate entities and worthless without the other.

metaschima 01-06-2014 09:32 PM

Encrypt what is important, and use a K-lock:
http://en.wikipedia.org/wiki/K-Lock

Willard 01-07-2014 07:44 AM

Thank you for your replies unSpawn and metaschima.

***

Quote:

Originally Posted by unSpawn (Post 5093213)
Physical access means it's out of your control. So there is no way you can deter a person from doing anything. Creating illusions is the domain of "security by obscurity". Which isn't providing or enhancing security at all.

I am aware that what I am asking for does not guarantee anything, and that I cannot prevent anyone with physical access to explore the raw data on the drive. Maybe "deter" was not the right word to use here. But as I wrote:
Quote:

Originally Posted by Willard (Post 5093159)
I want to [fool] the thief from popping the drive in an external hard drive case and explore partitions, or to try to break the disk encryption. I am thinking the [most lightweight] way to do that is to give the illusion that the thief has full access to everything from the get-go.

***

Quote:

Originally Posted by unSpawn (Post 5093213)
Sure the illusion may hold at first glance but a 250 GiB SSD with an actual OS partition size of 10 GiB isn't going to fool any ten year old kid.

To which I refer to:
Quote:

Originally Posted by Willard (Post 5093159)
It would be really nice if the above could be realized using only one partition; if both the decoy OS and the real OS use a file system which does not fill the partition with null bytes when the file system is created, then, theoretically, the decoy OS and the real OS could reside on the same partition, at opposite "ends" of the partition (if one OS would fill its partition, then it would overwrite the other OS in that case).

A much simpler, but less convincing solution along these same lines: Your favorite Linux distribution starts up, with a single graphical "log in" button. If pressed, the file system on /home is deleted, recreated, a bogus passwordless user is created, and the thief is logged into a desktop as that user. This can be bypassed with a keyboard combination.

In these ideas, the scenario you describe would never arise; the decoy OS always has the whole drive at its disposal.

Say you steal a laptop, boot it, Windows starts up, there is one partition for the whole drive, and there are normal files laying around indicating normal use. It looks like you have full access to everything. Would you dd the drive and start exploring the raw data from the drive for deleted, or hidden, files? Why? You would have to have the competence (which would probably mean that you can earn a living in other ways than stealing laptops), and you would have to either be looking for something (if you don't know me, and don't know what files I have, you don't know what to look for), or be immensely curious/paranoid to spend time and effort on this. From what I have read about laptop thefts, I don't think many thieves are.

***

Quote:

Originally Posted by unSpawn (Post 5093213)
How about a scheme where you force unlocking disk encryption using a key on an USB stick? That way the encrypted medium and the key are separate entities and worthless without the other.

To which I refer to
Quote:

Originally Posted by Willard (Post 5093159)
The ideal solution, naturally, is to TrueCrypt the whole drive. Indeed, this is what I am currently doing on my laptop. However, I find that my laptop performs poorly. The [processor] does not have the AES instruction set extension, and is slow already.

***

Quote:

Originally Posted by metaschima (Post 5093247)
Encrypt what is important

To which I refer to
Quote:

Originally Posted by Willard (Post 5093159)
[...]TrueCrypt the whole drive. Indeed, this is what I am currently doing on my laptop. However, I find that my laptop performs poorly. The [processor] does not have the AES instruction set extension, and is slow already.

But perhaps encrypting /home is less burdensome for my system than encrypting / ? Do you know anything about average disk activity in a Linux installation these days? Does the OS spend most of its time manipulating files in /home, or in /tmp, /etc and other places?

***

Quote:

Originally Posted by metaschima (Post 5093247)

My model does not have a Kensington lock hole in the chassis, and this approach won't work if my laptop is in a bag, and my bag is stolen (I travel a lot). :-/

metaschima 01-07-2014 11:00 AM

I would encrypt just /home if that's where you store your important files. Or maybe create a separate partition just for important files and encrypt that.

If you use a swap partition you should encrypt it as well, because anything swapped to it is vulnerable.

Depending on what programs you use /tmp may also need to be encrypted in case temporary files leak sensitive info. This isn't always necessary.

I'm quite positive that your netbook has a K-lock, I can see it in the image right next to the ethernet port:
http://www.asus.com/Notebooks_Ultrab...15PEM/#gallery

And I have a similar model, the PN model.

You could always handcuff the case to your wrist :)

unSpawn 01-07-2014 03:30 PM

Quote:

Originally Posted by Willard (Post 5093488)
From what I have read about laptop thefts, I don't think many thieves are.

It's only natural to try and come up with scenarios in which whatever measures you propose will hold up. (BTW there's no way two disparate Operating Systems will happily share one partition). Personally I wouldn't waste energy and time on obfuscation but rather rely on what works.


Quote:

Originally Posted by Willard (Post 5093488)
But perhaps encrypting /home is less burdensome for my system than encrypting ?

That's a trade-off you can estimate the risks of for yourself: what's the nfo you expose outside of home worth? (/tmp if not SHM, cached data in /var, swap, /etc, etc.)


Quote:

Originally Posted by Willard (Post 5093488)
Do you know anything about average disk activity in a Linux installation these days?

No but it would be quite easy to measure.


Quote:

Originally Posted by Willard (Post 5093488)
Does the OS spend most of its time manipulating files in /home, or in /tmp, /etc and other places?

That kind of depends on what you're running and what you're running it for.

sundialsvcs 01-08-2014 02:05 PM

I bought a very nice locking cable that fits into the security hole on my laptop, and I always attach it, even when I am just stepping away from my laptop for a few seconds in a friendly coffee-shop. (I loop the cable through the carrying handles of the bag, too.)

When I am working with my computer in some external place, "that's simply what I always do." I plug in the power, and then I attach the security cable, looping it around the table leg. I smile pleasantly at the occasional people who notice, and most of them say that they're going to get one too.

It certainly is a "lightweight solution" to the problem of an "opportunistic laptop thief." Remove the opportunity!

jamison20000e 01-08-2014 03:01 PM

I haven't read all here so sorry but hope these helps:
http://forums.debian.net/viewtopic.php?f=30&t=76350
http://www.linuxplanet.com/linuxplanet/tutorials/6744/1
http://youtu.be/U4oB28ksiIo
http://lwn.net/Articles/450221/
http://forums.linuxmint.com/viewtopic.php?f=47&t=74111
http://www.linuxquestions.org/questi...archid=6110194
could also set up cron in some way to email ip?

ReaperX7 01-08-2014 09:41 PM

If you have a webcam, you could also institute a VNC client running in the background to send a continuous video feed to a server. Might be a good move to see who stole your laptop.

You should also password the BIOS/CMOS/UEFI as well as the hard drives to prevent tampering.

sundialsvcs 01-09-2014 07:52 AM

Heh.

"Well, I kept my barn completely unlocked and walked away from it ... but now I have this very nice video of who stole my horse."

Bottom Line: somebody stole your horse, and you're never going to get it back.

As with the legendary story of the "pizza-delivery cat burglar," most crimes involving computers are crimes of opportunity. People troll through millions of computers automatically, looking for unprotected computers to mess with. They walk through coffee shops and public places also looking "merely" for opportunity. If they "try the door and find it locked," even if it's locked with a paper-clip, they'll move on to easier pickin's. Likewise, the simplest device that fastens down your laptop, such that no one can walk-away with it without attracting attention, will keep it safe. Burglars don't carry incriminating "burglar tools."


All times are GMT -5. The time now is 09:55 PM.