The Paranoid PC – Part 4 – Hardware and Firmware Updates

Greetings patriots and privacy nuts:

I was going to have this be the final article, but I’m having a little trouble with the tail end, so we’re going to break it into two.

Before we begin today’s piece, just a word about common sense and OPSEC/PERSEC.  We all have our own tolerance for personal risk.  Those of us writing for TOWR accept the risk of writing with our real names and speaking out for our guiding principles and against tyranny.  We run classes that almost certainly have been infiltrated and work hard to protect the identities of our students.

That said, please have respect for those around you.  If you’re a member of your group and stick your head up, all of those affiliated with you are at risk when the metaphorical (or literal) bombs start to drop.  There is a place for bold, principled stands, and there is a time to break out the rifles and say, “no more”.  However, Facebook is not the place to telegraph your punches or reveal your capabilities.  Answering a survey of, “How does your patriot group keep in contact outside of Facebook?” is the height of foolishness.  Our adversaries, whoever you see them as, now have an area to focus on.  An article from Kit goes into this in more detail, but for now, “Know your role and shut your hole!”

On to the PC article after the jump.


The Paranoid PC – Part 3 – Stripping it Down

Hello all,

It took a little while for me to get around to doing this piece in that I needed to spend some time on the hardware modifications, take pictures, and organize it in a semi-sane fashion.

Let’s start with a few disclaimers:

1. I’m an IT generalist with an interest in security and tradecraft.  I may have overlooked some things, although I would use these techniques if I was doing secret squirrel stuff and wanted to stay private and secure.

2. I suck at electronics / soldering.  I want to be good, and I’ve put some effort into it, but it’s just not something I have a natural aptitude for.  However, on principle, I keep trying.

3. Every laptop is different.  If you destroy your equipment trying to copy me, that’s on you.  Do your research.

Our victim today is a mid-grade corporate laptop circa 2006.  It was from the final days of IBM before they sold all of their PC business to China.  We’re going to strip out as much identifying material as possible from it to confound those who might try to trace its provenance as long as possible.

We’re also going to make it possible for this machine to be as airgapped as possible.  There are a couple of other plausible, but difficult attacks that you might still be vulnerable to, however they’re unlikely to be used on you unless you are personally targeted and would generally require your machine’s software to be compromised.


The Paranoid PC – Part 2 – Hunting You Down

Hello Patriots and Partisans,

Let’s talk a little about the markers that can identify a computer to an attacker or investigator.  We’ll consider the typical perspective of tying Internet activity to a user and computer, as well as that of an investigator who, having gotten his hands on a laptop, is trying to find out who it belongs to.

As I was working on this article, CCC published a talk from the #32c3 by Joanna Rutkowska.  You can find it here.  If you’re not a techie, you don’t need to watch it, but the primary takeaway is that your computer is vulnerable to many attacks which cannot be effectively mitigated.  We’ll discuss those attacks and what you can do to reduce their effectiveness in a future article, but my desire is that you’ll understand that if the machine cannot be trusted, then you should work that much harder at your privacy.

“Personal computers are extensions of our brains… yet they are insecure and untrustworthy.” – Joanna Rutkowska

While this list is fairly thorough, it is not exhaustive.  Items listed are in no particular order.

Serial Number

The Serial Number is of course usually on a sticker on the machine, but did you know that it is written to memory on the computer?  For most manufacturers it is very difficult to change the serial number saved on the computer.  In order to change the serial number on the motherboard you’ll need a maintenance disc from the manufacturer.  You can often find these leaked online.

Here are a couple of examples of how someone with root/administrator access to your system can find your serial number without physical access.

In Windows, there are a few ways to do it.  For example, you can open PowerShell and run the Get-WMIObject win32_bios command.  In Linux, the dmidecode utility will do effectively the same thing.

[Image: Linux Serial Number]
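The same fields that dmidecode decodes from the SMBIOS tables are also exposed by the Linux kernel under /sys/class/dmi/id, and the hardware address of every network interface sits under /sys/class/net. The script below is an added example, not from the original post: a POSIX shell inventory of what an administrator or a forensic examiner can read off your machine, covering the serial number here plus the asset tag and MAC addresses discussed under Asset Number and MAC Address below. The sysfs root is a parameter so the functions can be exercised against a constructed directory tree; on a live machine pass /sys (the serial fields are root-only on most distributions, so run it with sudo to see them).

```shell
#!/bin/sh
# Added example: inventory the identifiers an investigator would pull from
# a Linux laptop, read directly from sysfs rather than via dmidecode.
# Argument 1 is the sysfs root (normally /sys); it is a parameter only so the
# functions can be run against a constructed tree for testing.

dmi_field() {
    # Print one SMBIOS field from the kernel's dmi-id driver, with the
    # trailing newline stripped. product_serial, board_serial and
    # chassis_serial are mode 0400, so as a normal user they show up as
    # "<unreadable>" rather than aborting the whole inventory.
    # Equivalent to: dmidecode -s system-serial-number (for product_serial)
    f="$1/class/dmi/id/$2"
    if [ -r "$f" ]; then
        tr -d '\n' < "$f"
    else
        printf '%s' '<unreadable>'
    fi
}

list_macs() {
    # One line per interface: "<name> <hardware address>".
    # Every adapter (Ethernet, Wi-Fi, Bluetooth-over-IP) appears here;
    # the loopback device is skipped because its address is all zeros.
    for dev in "$1"/class/net/*; do
        [ -e "$dev/address" ] || continue
        name=$(basename "$dev")
        if [ "$name" = "lo" ]; then
            continue
        fi
        printf '%s %s\n' "$name" "$(tr -d '\n' < "$dev/address")"
    done
}

inventory() {
    # Collect the identifiers discussed in this post as key=value lines.
    root="${1:-/sys}"
    printf 'vendor=%s\n'    "$(dmi_field "$root" sys_vendor)"
    printf 'serial=%s\n'    "$(dmi_field "$root" product_serial)"
    printf 'asset_tag=%s\n' "$(dmi_field "$root" chassis_asset_tag)"
    list_macs "$root" | sed 's/^/mac=/'
}

# Stand-alone use:  sudo sh identifiers.sh /sys
if [ "$#" -gt 0 ]; then
    inventory "$1"
fi
```

Anything the script prints as something other than `<unreadable>` is available to whoever has the matching access to the box, which is why the series later covers physically dealing with these identifiers rather than relying on software alone.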

So what does that mean to you?  Let’s say you use your laptop for partisan things.  You’ve behaved well, running a secure OS, and protected your identity.  Now, let’s say somehow you’ve lost your laptop; perhaps you loaned it to a friend who was using it to keep a log of the birds he was observing at a particular wildlife refuge.  However it’s happened, your laptop is now in evidence and someone really wants to find the owner.

Let’s pretend that everything is perfect from an IT perspective.  Their forensics guys can’t get any data off of your hard drive.  Then, they extract the serial number and start down the supply chain.

First, they contact the manufacturer, let’s say, Dell.  Here’s one way it could go:

Dell looks up the serial number and says, “It was sold directly to Joe Smith on March 14, 2014, was shipped on March 21 to 123 Main Street, Seattle, and delivery was confirmed on March 24.  They had one service request for a bad LCD cable on June 26 of the same year.  The technician’s note says they had an aggressive dog.”  The investigators now go and find Joe to see if he can explain what happened to the laptop after that.  Was it still Joe’s?  Did he lend it out?  Did he sell it?  How did he sell it?  Does he have the buyer’s information?

If Joe sold the laptop on Craigslist maybe it’s a dead end…  unless Joe still has his emails with the buyer, the buyer’s email address, and phone number.  If Joe sold it via eBay, you’ve got all of that information, plus likely a PayPal account and so on.  Our investigator now goes to the next person and repeats the process.

Here’s another way it could go:

Dell looks up the serial number and says, “It was sold to Walmart for retail sale and shipped to the distribution center in Grandview, Washington on March 21, 2014.”  Our intrepid gumshoe then calls up Walmart and asks them what happened to it.  “It was sent on to store number 1234 in Oak Harbor.”  “Can you tell me who bought it?” asks the investigator.  “Four of them were sold in the three months after we sent your unit to the store.  Here are the transaction numbers and the credit cards used in each of them.”

Our investigator now has four names to chase down.  Three of them probably still have their computers, leaving us with the original buyer.

Asset Number

If you purchased your computer used from a company, they may have filled in the “Asset Number” field in the BIOS.  If they did, and an investigator follows the trail to them, then their accounting department may be able to say who they sold the computer to, or which recycler they sold the computer to.

MAC Address

All networking devices have one or more MAC addresses.  Your Ethernet adapter, wireless network adapter and Bluetooth radio each have a MAC address.  The MAC address is a unique (with a few minor exceptions) identifier that can be used to identify your computer.  Without getting into too much detail, the MAC address is essential to any kind of networking, must be unique, and pretty much anyone on your network can see it.

An investigator armed with your MAC address can go to the chipset manufacturer (for example, Intel), who can say who they sold that device (or chip) to, who will then be able to tie it to your serial number.

If they know what networks you were connected to, and their administrators log things, they could find out what you accessed based off of your MAC address.

ESN/IMEI

Similar to a MAC address, if your laptop has a cellular modem (even if it’s not enabled), it has an IMEI number, just like your cell phone.  In addition to the investigational methods used for tracking down someone by their MAC address, if the device ever was registered with a cellular carrier an investigator might be able to trace you from there, too.

Screen Resolution

Anything that makes you unique can track you.  For example, Tor Browser warns you against maximizing your window:

[Image: Screen Resolution]

That covers many of the moderate difficulty ways to track you.  There are a number of much easier ways for Windows users in particular to be traced or victimized.  There are also some harder methods that are a bit out of scope for our discussion.

Considering all of the above, given that an investigator with significant resources has numerous ways to trace the provenance of a device, how do we disassociate ourselves from our device, as far as we can?  Part of the answer is thoughtfulness and tradecraft.

The target for this series is the laptop you’re using for “serious” work.  This isn’t about watching YouTube, this is about securely and privately doing research, communicating with other patriots, and staying under the wire.  With that in mind, here are some suggestions for separating yourself from your device:

  • Pay for the device in cash.
  • Buy from somewhere without cameras (fly-by-night guys found on craigslist, contacted with a burner email and phone are great).
  • Buy outside of your normal area.  Leave your normal phone at home.
  • Don’t buy the extended warranty.
  • Don’t connect it to your home network.
  • Don’t sign in to any of your “real” accounts from it.

Do you have any other suggestions?  Hit us up in the comments!

Coming up, we’re going to discuss some common and extreme methods for adding misdirection and obfuscation to our device to confuse any pursuers.

EDUCATE. EMPOWER. RESIST.

The Paranoid PC – Part 1a – Risks to Email

Hello again, Patriots.

At the end of our last Paranoid PC article, I gave you some homework.  I asked you to consider three ways that someone could gain access to your email, what the consequences would be, and how you could counter.

The obvious place to look first is your password.  How would an attacker get your password?

  • Guessing (weak password).
  • Reusing the same password in multiple places.
  • Writing your password down.
  • Keystroke Logger

Another way an attacker could access your email is through physical access to your computer.  If your password is saved (either in a browser or mail client), or with the “keep my computer logged in” cookie selected in Gmail, all they need to do is open it up.  Losing physical access to your smartphone, with your email logged in, is a similar risk.

If you access your personal email from work, that’s another potential risk.  Aside from the physical access issue, there’s usually a team of people who can get limitless access to your machine, making you vulnerable to keystroke loggers, cookie theft, and man-in-the-middle attacks.

Do you share your password with anyone?  Do you share your account with anyone else (such as family)?  You’ve now multiplied all of those other risks we’ve already discussed by each person who knows your password.

Coercion is another threat, and now we’re getting serious.  However, if someone is shoving splinters under your fingernails to gain access to it, at least you know you’ve been compromised.

Who runs your mail servers?  Do they actually secure it correctly?  Do they comply with law enforcement “requests”, or do they require an actual warrant?

That’s not all of the ways someone could access your email, but it’s the high points.

Now, let’s address the consequences of someone accessing your email without your consent.

  • On its face, your personal correspondence is now open to your attacker.
  • Many of your other accounts (Facebook, banking, etc) are now vulnerable if the attacker uses the “forgot my password” function to send a password reset to your email address.
  • Your attacker can now impersonate you and either discredit you or entrap or endanger your contacts.
  • Speaking of your contacts, your attacker can now start mapping relationships between you and everyone you’ve ever contacted.  Guess who’s next on their list?

So, how do we protect against these attacks?

The weak password is the easiest to deal with.  Don’t use a weak password. One suggestion from this guide is:

So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence — something personal.

Also, don’t reuse passwords.  I’ll be honest; I reuse mine sometimes too, but only for the most trivial of accounts.  If I need to sign on to some obscure site one time, that doesn’t have any personal info, then I’ll give a common password.  It’s better to use a throwaway email account for those, however.

“But,” I hear you say, “if we have all of these complex passwords, how are we supposed to remember them?”  The answer to that is a password manager such as Password Safe or KeePass.  We’ll discuss that further in a future piece.  Whatever you do, don’t write it down…

Two-factor authentication is incredibly helpful.  Even though we don’t recommend Gmail for serious work, their two-factor authentication system is easy to use.  Once enabled, when you go to log in, Gmail will send you a text message with an authentication code that is also required before you are able to access your email.  This serves two purposes: aside from blocking the attacker, it also notifies you that someone other than you just tried to log in and that your password has been compromised.

When it comes to the risk of losing physical control of your device, good physical device security plays a part; that will be discussed in more detail later in the series, but having a good password for your computer (that is different than your email!), full disk encryption, and a fully updated OS goes a long way to stopping anyone that’s not a nation state.  Further, make sure you don’t leave your PC or your email logged in when you are away.

I’d recommend that if you use your email account for anything serious that you not access it from work.  With the click of a couple of buttons it’s fairly trivial for your system administrators to access your computer and compromise you.  If you need to access your email, do it with a personal device of some kind.

If you are being coerced, assume that you’re going to eventually give in.  PGP helps here, but if your enemy is pressuring you enough to give up your password, you’ll probably be giving up your keys, too.

Who runs your email server?  Are they in the US or UK, or in another country that’s less likely to quietly submit to the NSA or GCHQ?  Consider getting an account on a site such as unseen.is.

We mentioned PGP earlier.  If you encrypt all of your emails, then it doesn’t matter who your provider is; as long as they don’t have the relevant keys, they aren’t going to get anything but the recipient and subject line.  With proper key management, this helps with everything but the loss of physical device.

I know that’s a lot to digest.  Hopefully you can see that you need a layered defense.  If there is a weakness a dedicated enough or powerful enough enemy will use it to obtain useful intelligence about your activities.

Since this turned into a post of its own, we’ll put off the supply chain and identifying characteristics post for another day.  Stay agile and train hard.

EDUCATE. EMPOWER. RESIST.

The Paranoid PC – Part 1 – Bad Actors

Hello Patriots,

We here at TOWR hope that you had a good Christmas.  Today we’re going to start a series that I have tentatively titled, “The Paranoid PC”.  We’re going to look at many ways that your computer could betray you today and in a future Excessive Rule of Law environment.  We’ll discuss the capabilities of various actors.  We’ll take a high level view of the supply chain.  Then we’ll discuss the vulnerabilities in an example piece of hardware and ways that you can remediate them.

Let’s talk about our enemies.  Who is coming after you?

Common Criminals:
Common criminals are generally just after your hardware.  They’re going to steal your computer and sell it on Craigslist.  Strong passwords, encryption, and off-site backups will protect your data, which is the most important thing in this case.

Opportunistic Cyber-criminals:
These are folks that aren’t necessarily after you in particular.  They’re looking to pick off the weak in the herd.  They will attack you in ways ranging from the seemingly innocuous, such as tracking your browsing habits and pushing ads to your computer, to extorting money from you by locking your data away from you, to having your computer join a botnet to be used for attacks.  Basic safe browsing and computer maintenance will generally protect you from these attackers.

Personal Enemies:
Personal enemies are those who are after you personally.  Obviously, if your enemy is a l33t hacker dude, it’s a different story than your opponent for school board president.  Generally speaking, if your enemy isn’t somehow involved in IT or IT Security, your biggest threats will be theft of your equipment and/or poor passwords.  A motivated party might spend money hiring an expert to attack, at which point you’ll be happy that you took your security seriously.

Organized Crime:
If you are targeted by organized crime, it is because you have some kind of value to them.  IT administrators and security personnel are targets.  So are executives, business owners, or anyone who deals with customer data.  Even if you don’t have PII (personally identifiable information) on your own computer, an operative for an organized crime organization may attempt to coerce you via blackmail or other pressure points to obtain information for them.  Be aware of your pressure points and have plans to deal with them if they are exploited.

Opposing Political Organizations:
Let’s say you run a blog that takes a severe anti-abortion stance and you’re actually starting to get some traction.  Do you think that Planned Parenthood, or another pro-abortion organization would take notice and perhaps try to act against your blog?  Anonymous is well-known for attacking organizations based on their political persuasion.  Opposing Political Organizations may have more compelling motives, more money, more contacts, and more resources in general to attack you with.

For those of us who are Conservative/libertarian this can be a challenge; many of those who are technically proficient black/grey hat hackers fall ideologically with the progressive/socialist/Occupy camp.  If you rise to the level that Anonymous is taking notice, then watch out.  While many question how technically proficient they are, they are certainly adept at attacking known vulnerabilities and making headlines.

Nation State:
Once the Eye of Mordor turns to you, escape will be very difficult; more to the point, while government and commercial databases are lousy at predicting criminal activity (such as San Bernardino), they are fantastic at putting the pieces together once attention has been brought to a target.

Everything that we said about organized crime and opposing political organizations applies here, but multiplied exponentially.  Nation states have limitless (for our purposes) resources, incredibly clever teams of technical people, a monopoly of force, and with a little old national security letter, access to the information of pretty much any company you’ve ever done business with.  All they have to do is call you a terrorist.

I want to make this painfully, painfully clear: If a nation state comes after you they will find a way to get what they want from you.  We’ll discuss ways to minimize the risk, but their reach is far and their fists are big.

On that happy note, I’ll bid you adieu.  Keep learning and keep training.  Keep your mind agile.  Homework for next time: Think of three ways someone could gain access to your email, what the consequences would be, and how you could counter.

EDUCATE. EMPOWER. RESIST.