LinuxQuestions.org
Old 03-14-2008, 10:29 AM   #1
SolarisZen
LQ Newbie
 
Registered: Dec 2007
Location: Planet Earth
Distribution: OpenSuSE & Fedora Core 4
Posts: 28

Rep: Reputation: 15
Question Securing Linux against physical threats


Hi,

After following an article that I have been blogging about, I have been wondering how one secures their workstation and/or server from such physical attacks, etc.

After reviewing a post located here, I have decided the full disk encryption is actually quite dangerous given the threat model I am putting forward.

Before asking my question I would like to tell you what I am using: OpenSuSE 10.2 Linux and the file encryption system that it comes with, along with Jetico BestCrypt. After reviewing the article from news.com I now have a few questions.

How "strong" is the encrypted file system on OpenSuSE against such attacks?

How does one shut off firewire in Linux?
How does one configure OpenSuSE Linux or any Linux to promote plausible deniability?

Do I create a new user account then partition an encrypted directory to create this deniability?

How does one protect Workstations and Servers from physical attacks if they take your computer, e.g. a warrant, etc.?

How does one stop RAM from caching the key to your encrypted file system? Is there a way to prevent this from happening?

If such an official takes my wares and returns it, how would I know I am compromised with a root kit? Would chkrootkit and rkhunter even pick said root kit up?

If someone out there with knowledge on this subject could help me on my quest I would greatly appreciate it!
 
Old 03-14-2008, 12:58 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2604
Quote:
Originally Posted by SolarisZen
How does one configure OpenSuSE Linux or any Linux to promote plausible deniability?
So how does the theory of plausible deniability go?


Quote:
Originally Posted by SolarisZen
How does one stop RAM from caching the key to your encrypted file system?
How does RAM work? Can a position hold 1 or more values simultaneously at the same time? How does overwriting a value work? How would you envision that you would work seamlessly with an encrypted file system if you don't store the key somewhere?


Quote:
Originally Posted by SolarisZen
If such an official takes my wares and returns it, how would I know I am compromised with a root kit?
Almost all articles are about Windows. As far as I've read they didn't plant rootkits but keyloggers. A rootkit is a toolkit but it just sounds more exhilarating for the cheap thrill craving audience. In GNU/Linux you'd just boot off a Live CD (since the VFS is dead there's few places for them to hide stuff statically) and verify the installation using a package manager (if capable), a file integrity checker like Aide, Samhain or even tripwire (if deployed before the incident) before moving to more specialist tools (forensics).


Quote:
Originally Posted by SolarisZen
I have been blogging about.
Sorry for this OT remark and with all due respect but your web log article does not contain any added value in terms of creativity or originality compared to the original one. Maybe it's me but just copying over an article doesn't seem web logging to me.
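
The Live CD verification described in the post above (a file integrity checker deployed before the incident, run while the installed system is not booted), as an added example that is not part of the thread. It assumes the installed root is mounted read-only somewhere such as /mnt/root and that the baseline file was stored off the machine; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): offline integrity check of a mounted root
# filesystem, meant to be run from a Live CD so the installed kernel and tools
# are never trusted. Needs GNU find/sort/xargs and sha256sum.

# make_baseline ROOT OUT: SHA-256 of every regular file under ROOT, paths relative.
# Keep OUT outside ROOT, on media that never leaves your control.
make_baseline() {
    ( cd "$1" && find . -xdev -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$2"
}

# compare_baseline OLD NEW: print ADDED/CHANGED/REMOVED lines, sorted.
# sha256sum lines are "<64 hex><2 chars><path>", so the path starts at column 67.
# File names containing newlines or backslashes are escaped by sha256sum and
# are not handled here.
compare_baseline() {
    awk '
        FILENAME == ARGV[1] { old[substr($0, 67)] = substr($0, 1, 64); next }
        {
            p = substr($0, 67); h = substr($0, 1, 64)
            if (!(p in old))      print "ADDED   " p
            else if (old[p] != h) print "CHANGED " p
            delete old[p]
        }
        END { for (p in old) print "REMOVED " p }
    ' "$1" "$2" | sort
}

# verify_root ROOT BASELINE: re-hash ROOT, print differences, return 1 if any.
verify_root() {
    now=$(mktemp) || return 2
    make_baseline "$1" "$now" || { rm -f "$now"; return 2; }
    report=$(compare_baseline "$2" "$now")
    rm -f "$now"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Demo on a constructed directory tree standing in for the mounted root.
demo_integrity() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/root/bin" "$d/root/etc"
    echo 'original ls' > "$d/root/bin/ls"
    echo 'root:x:0:0'  > "$d/root/etc/passwd"
    make_baseline "$d/root" "$d/baseline.sha256"   # taken before the machine left your hands
    echo 'modified ls' > "$d/root/bin/ls"          # simulated changes made while it was away
    echo 'extra'       > "$d/root/etc/rc.extra"
    rm "$d/root/etc/passwd"
    verify_root "$d/root" "$d/baseline.sha256" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo_integrity || echo "(differences above are expected in this demo)"
```

On a real system this would be `make_baseline /mnt/root /media/usb/baseline.sha256` beforehand and `verify_root /mnt/root /media/usb/baseline.sha256` afterwards, both from the Live CD; it covers files only, not the boot sector or BIOS.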
 
Old 03-14-2008, 01:06 PM   #3
rg.viza
Member
 
Registered: Aug 2006
Posts: 73

Rep: Reputation: 15
>How "strong" is the encrypted file system on OpenSuSe against such attacks?
Assume that it's as strong as the password and encryption method. If you use "dog" as your password, a dictionary attack can compromise it in a few seconds.

>How does one shut off firewire in Linux?
Train the driver to not load at boot. Load it manually when you need it with insmod and rmmod it when finished.

>How does one configure OpenSuSE Linux or any Linux to promote plausible deniability?
Depends on who the expert witness is. Currently drive encryption is considered a best effort if you use a strong password for the key, and also use a strong password on all of your accounts. I believe that this will become less so as time goes on. The sensitive data shouldn't be there in the first place unless you are busily working with it.

>How does one protect Workstations and Servers from physical attacks if they take your computer e.g a warrant etc.
You can't. Even if you zap the drive they can recover the data. Good encryption with a strong password just makes it take a lot longer.

>If such an official takes my wares and returns it, how would I know I am compromised with a root kit?

Depends on the root kit. Root kits alter the perception of the programs running on the computer so they can't see the rootkit. A well written rootkit is virtually undetectable, especially if it was written to elude rootkit detectors. Eventually the author of the detector will figure out how to detect it and it will be detectable. You have to know it's there first. It's an arms race, just like virus detection. You won't be able to find a well written new 0day root kit by yourself.

An IDS/packet sniffing (to see if your machine is sending packets to an unknown host) can help as can scanning the machine from the outside for new ports. It's still an arms race. If you are that concerned about your OS being altered, format the drive (and make sure you rewrite the boot sector), then patch the BIOS with the latest BIOS update (from a boot floppy) and reinstall the OS.

If someone else physically takes possession of your machine, they can always eventually compromise it if they know what they are doing. Encrypting the drive just slows them down.

In the case of border inspections, they could just ghost the drive, give you your laptop back 20 minutes later, then crack it at their leisure. Don't think there won't be a black market created over this. There will be ID thieves etc. paying corrupt border inspectors off for drive images.

My favorite statement applies: "If man made it, man can break it." (by me)

All it takes is talent, time, and the right toolset.

For you, I'll make up another quote "If it has value, someone will be bribed for it.". Government officials don't always get paid very well. Everyone wants a new TV or car.

Kudos for noticing the security implications of these developments. Hopefully your employer appreciates your diligence.

The best advice you could possibly give your readers is to get a second laptop for traveling across borders and only take what they need for the trip on the drive. Assume that everything on there can and will be seen no matter what security precautions they take. If you expect this to happen, and prepare accordingly, it won't cause any trouble.

Alternately just get a second hard drive and swap it out with a stripped down clean one when flying.

The minute you think you can't be compromised, or that it's even possible to be 100% secure you have already lost the fight.

It'd be pretty smart to set up a couple of laptops for this purpose, have them hand in their local laptop, for a specially prepared "customs proof" one that always has a fresh copy of your image on it and is preinstalled with the VPN connection and _no data_. When they bring it back, simply ghost your image back over it so it's cleaned up for the next person. You might want to do a cursory check of the drive to find out what they gave customs, then do some damage control if you find something.

There's absolutely no reason for any sensitive data to be on a laptop while flying. They should VPN to the office from the destination to get this stuff when they need it, then promptly delete it with shred when they are finished, before heading to the airport, or even going to lunch. While not 100% effective this is damn close. It's definitely more effective than encryption by itself.

If they leave the office with a clean drive, then shred it all before leaving to come back you can't go wrong. You could even write a script that completely destroys all data on the drive, for them, before they leave at the end of their trip.

Doing that would hold up in any court of law as a best effort and is future proof. It's really hard to steal data that's not there and has been clobbered, even in deleted and encrypted form.

If you do this, the customs agents will take one look at it, and just move on to the 3 year old Dell the next guy has, which has a gold mine on it (his entire life) and a sticky with the encryption password on the flat spot at the top of the keyboard or in his wallet (which they will also search 8)

When faced with a tough nut to crack and a shiny juicy apple, people tend to toss the nut in the trash and eat the big juicy apple.

"Suspicion breeds confidence" - Fyodor (author of nmap)

-Viz

Last edited by rg.viza; 03-14-2008 at 01:24 PM.
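
One way to keep the FireWire drivers from loading at boot, as suggested in the post above (an added example, not part of the thread). It assumes a modprobe that reads /etc/modprobe.d; the file name blacklist-firewire.conf, the function names and the sample /proc/modules lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): stop FireWire drivers from auto-loading.
# Module names cover the old ieee1394 stack and the newer firewire-* stack.
FW_MODULES="ohci1394 sbp2 raw1394 video1394 dv1394 eth1394 ieee1394 \
firewire_ohci firewire_sbp2 firewire_net firewire_core"

# write_fw_blacklist [DIR]: write DIR/blacklist-firewire.conf (default /etc/modprobe.d)
# and print its path. "blacklist" stops alias-based auto-loading; "install ... /bin/false"
# also makes "modprobe <module>" fail. insmod with a full path does not read the
# modprobe configuration, so loading by hand when needed still works.
write_fw_blacklist() {
    conf="${1:-/etc/modprobe.d}/blacklist-firewire.conf"
    for m in $FW_MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done > "$conf"
    printf '%s\n' "$conf"
}

# loaded_fw_modules [FILE]: print FireWire modules listed in FILE (default
# /proc/modules); returns 1 if any are loaded, 0 if none.
loaded_fw_modules() {
    awk -v list="$FW_MODULES" '
        BEGIN { n = split(list, m, " "); for (i = 1; i <= n; i++) fw[m[i]] = 1 }
        ($1 in fw) { print $1; found = 1 }
        END { exit (found ? 1 : 0) }
    ' "${1:-/proc/modules}"
}

# Demo against a constructed /proc/modules sample and a temporary directory,
# so nothing on the running system is touched.
demo_firewire() {
    d=$(mktemp -d) || return 2
    cat > "$d/modules" <<'EOF'
sbp2 27144 0 - Live 0xf8a91000
ohci1394 36528 0 - Live 0xf8a5c000
ieee1394 95288 2 sbp2,ohci1394, Live 0xf8a1d000
ext3 131848 1 - Live 0xf88e1000
EOF
    echo "config written to: $(write_fw_blacklist "$d")"
    echo "still loaded (rmmod these, dependants first):"
    loaded_fw_modules "$d/modules" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo_firewire || true
```

If the initrd loads these modules, it has to be rebuilt for the blacklist to take effect at boot.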
 
Old 03-14-2008, 05:53 PM   #4
SolarisZen
LQ Newbie
 
Registered: Dec 2007
Location: Planet Earth
Distribution: OpenSuSE & Fedora Core 4
Posts: 28

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by rg.viza
>How "strong" is the encrypted file system on OpenSuSe against such attacks?
Assume that it's as strong as the password and encryption method. If you use "dog" as your password, a dictionary attack can compromise it in a few seconds.
That's very good news and relieves my stress a bit.

Quote:
>How does one shut off firewire in Linux?
Train the driver to not load at boot. Load it manually when you need it with insmod and rmmod it when finished.
How does one "train the driver not to load" or, better yet, would uninstalling the packages for the firewire help kill it?

Quote:
>If such an official takes my wares and returns it, how would I know I am compromised with a root kit?

Depends on the root kit. Root kits alter the perception of the programs running on the computer so they can't see the rootkit. A well written rootkit is virtually undetectable, especially if it was written to elude rootkit detectors. Eventually the author of the detector will figure out how to detect it and it will be detectable. You have to know it's there first. It's an arms race, just like virus detection. You won't be able to find a well written new 0day root kit by yourself.

An IDS/packet sniffing (to see if your machine is sending packets to an unknown host) can help as can scanning the machine from the outside for new ports. It's still an arms race. If you are that concerned about your OS being altered, format the drive (and make sure you rewrite the boot sector), then patch the BIOS with the latest BIOS update (from a boot floppy) and reinstall the OS.
That is some very good advice! So if I went onto the machine and actually ran Nmap against it locally, would that help? Or do I have to be on another machine for the analysis? What program would I use for an IDS/packet sniffing?

Quote:
If someone else physically takes possession of your machine, they can always eventually compromise it if they know what they are doing. Encrypting the drive just slows them down.

In the case of border inspections, they could just ghost the drive, give you your laptop back 20 minutes later, then crack it at their leisure. Don't think there won't be a black market created over this. There will be ID thieves etc. paying corrupt border inspectors off for drive images.
So true!

Quote:
My favorite statement applies: "If man made it, man can break it." (by me)
That would make an awesome tee shirt!

Quote:
All it takes is talent, time, and the right toolset
Quote:
For you, I'll make up another quote "If it has value, someone will be bribed for it.". Government officials don't always get paid very well. Everyone wants a new TV or car.
Very true and wise words.

Quote:
Kudos for noticing the security implications of these developments. Hopefully your employer appreciates your diligence
Thank you for your kind words and help.

Quote:
The best advice you could possibly give your readers is to get a second laptop for traveling across borders and only take what they need for the trip on the drive. Assume that everything on there can and will be seen no matter what security precautions they take. If you expect this to happen, and prepare accordingly, it won't cause any trouble.

Alternately just get a second hard drive and swap it out with a stripped down clean one when flying.

The minute you think you can't be compromised, or that it's even possible to be 100% secure you have already lost the fight.

It'd be pretty smart to set up a couple of laptops for this purpose, have them hand in their local laptop, for a specially prepared "customs proof" one that always has a fresh copy of your image on it and is preinstalled with the VPN connection and _no data_. When they bring it back, simply ghost your image back over it so it's cleaned up for the next person. You might want to do a cursory check of the drive to find out what they gave customs, then do some damage control if you find something.

There's absolutely no reason for any sensitive data to be on a laptop while flying. They should VPN to the office from the destination to get this stuff when they need it, then promptly delete it with shred when they are finished, before heading to the airport, or even going to lunch. While not 100% effective this is damn close. It's definitely more effective than encryption by itself.

If they leave the office with a clean drive, then shred it all before leaving to come back you can't go wrong. You could even write a script that completely destroys all data on the drive, for them, before they leave at the end of their trip.

Doing that would hold up in any court of law as a best effort and is future proof. It's really hard to steal data that's not there and has been clobbered, even in deleted and encrypted form.

If you do this, the customs agents will take one look at it, and just move on to the 3 year old Dell the next guy has, which has a gold mine on it (his entire life) and a sticky with the encryption password on the flat spot at the top of the keyboard or in his wallet (which they will also search 8)

When faced with a tough nut to crack and a shiny juicy apple, people tend to toss the nut in the trash and eat the big juicy apple.

"Suspicion breeds confidence" - Fyodor (author of nmap)

-Viz
That's an awesome response and very thoroughly detailed. I very much appreciate your help and expertise on this subject! It has truly been invaluable.

Again thank you so much.
 
Old 03-17-2008, 06:39 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2604
Quote:
Originally Posted by rg.viza
How "strong" is the encrypted file system on OpenSuSe against such attacks?
Assume that it's as strong as the password and encryption method. If you use "dog" as your password, a dictionary attack can compromise it in a few seconds.
So how strong is that in absolute terms? And compared with what? Any pointers?


Quote:
Originally Posted by rg.viza
How does one configure OpenSuSE Linux or any Linux to promote plausible deniability?
Depends on who the expert witness is. Currently drive encryption is considered a best effort if you use a strong password for the key, and also use a strong password on all of your accounts.
How would you configure SUSE to have any chance at plausible deniability? Please give some examples. Let's say the machine gets imaged by the CBP (Live, in a forensically sound way and on entry and exit), the hidden material is binary format, doesn't exceed 5MB in total uncompressed and has to be accessible while in the country.


Quote:
Originally Posted by rg.viza
If such an official takes my wares and returns it, how would I know I am compromised with a root kit?
Depends on the root kit. Root kits alter the perception of the programs running on the computer so they can't see the rootkit. A well written rootkit is virtually undetectable, especially if it was written to elude rootkit detectors.
Have you actually played with rootkits yourself? No running kernel, no hiding place for processes. I'll just boot a Live CD. Just have to know where to look.


Quote:
Originally Posted by rg.viza
You have to know it's there first. It's an arms race, just like virus detection. You won't be able to find a well written new 0day root kit by yourself.
Nice to use hedges like "well-written" and "0-day" but how many new, kernel 2.6-capable rootkits have left PoC stage the past five years?


Quote:
Originally Posted by rg.viza
An IDS/packet sniffing (to see if your machine is sending packets to an unknown host) can help as can scanning the machine from the outside for new ports.
Do you really think that, practically speaking, any agency would have planted *a rootkit* if they had the chance? And even if they did, they would be that stupid to make it "phone home"?


Quote:
Originally Posted by rg.viza
There's absolutely no reason for any sensitive data to be on a laptop while flying.
Yeah, that I can agree with.
 
Old 03-17-2008, 08:07 AM   #6
SolarisZen
LQ Newbie
 
Registered: Dec 2007
Location: Planet Earth
Distribution: OpenSuSE & Fedora Core 4
Posts: 28

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by unSpawn
So how strong is that in absolute terms? And compared with what? Any pointers?
Let's say to BitLocker or FileVault, etc.

Quote:
Have you actually played with rootkits yourself? No running kernel, no hiding place for processes. I'll just boot a Live CD. Just have to know where to look.
Where would you look? How do you know how to spot them? What should one look out for?



Quote:
Nice to use hedges like "well-written" and "0-day" but how many new, kernel 2.6-capable rootkits have left PoC stage the past five years?
O.K. How many have there been?



Quote:
Do you really think that, practically speaking, any agency would have planted *a rootkit* if they had the chance? And even if they did, they would be that stupid to make it "phone home"?
Yes, because they have done some really daft things in the past.
 
Old 03-18-2008, 08:14 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2604
Quote:
Originally Posted by SolarisZen
Where would you look? How do you know how to spot them? What should one look out for.
There's some rootkit threads in this forum. Maybe you should go read some. Those threads and the docs referred to contain enough hooks to get the picture. If you're still interested after that we can go into details.

With respect to your other remarks (and I don't know how well you actually read posts) those are apparently in reply to what I'm asking rg.viza. I'm waiting for him to answer those, however I doubt he will.

Last edited by unSpawn; 03-18-2008 at 08:16 AM.
 
  

