Occasionally I am asked for advice on locking down a laptop or I run across a post on a message board looking for details on how to prevent tampering with laptops. It has gotten to the point where I’ve written and said the same things over and over again, so I think it’s time I discuss what I do with your run-of-the-mill laptop.
What I will write here will presume a few things about you and your laptop:
- You travel with your laptop often.
- It is possible it could be in the hands of someone else whether you like it or not.
- You wish to safeguard the contents of the laptop.
What we’ll be looking to do then is the following:
- Ensure that the laptop cannot be compromised at the pre-boot stage.
- Ensure that the laptop cannot be compromised via the OS.
- Ensure that data is safe regardless of the conditions encountered.
- Safeguard against certain types of attacks that are largely preventable.
What we will not be doing here is ensuring that the laptop cannot get stolen. This is something outside of the scope that I care to focus on.
When you turn on your laptop, the first thing that happens is that the BIOS loads and checks its settings to determine what the next steps are. This is by far one of the biggest holes that you can have on your laptop, as the BIOS settings can be changed to break down the other layers of defence you’ve created.
Here are the basic things that should be done to your BIOS settings:
- Disable booting from removable media. This can be done either by turning the feature off outright, if the BIOS has a setting for that, or by putting the hard disk first in the boot order.
- Set a password for boot-up, for the hard drive (ATA password), and for the BIOS settings themselves. I would also make sure that the password is different for each of them.
- Disable the netboot (PXE) feature of your network card.
Disabling netboot and booting from removable media (USB drives, optical discs) is important because someone could theoretically replace the bootloader and use it to snatch other things, such as the key for an encrypted hard drive, which I will cover later.
Passwords are important to set for a number of reasons, but the main one is to prevent someone from making changes to the BIOS in order to get around the removable media settings. In addition, if the laptop is ever stolen, the password at boot-up is going to make it difficult to get any use out of it. However, one thing to keep in mind is that while some laptops are safeguarded against having the password reset with some manipulation of the hardware, a BIOS password doesn’t add complete security. Fortunately, when you set an ATA password, it is much more difficult to make use of the disk (there are tools that can break or reset the password, but they’re not easy to come by and are not simple), thus rendering the value of the stolen laptop significantly lower.
In addition to the above, if you have the ability to do so, setting a password prompt to appear after you wake up your laptop from sleep is useful, as this allows you to just close your lid before wandering off. Most Dell laptops have this feature and it is very likely that other manufacturers have similar features.
One thing to note is that there is a slight annoyance with some BIOSes in that they only allow passwords of at most eight characters. You’ll want to ensure that you use a password of maximum strength. While a bit count is not a good indication of strength, the maximum you can get out of eight characters should be 53 bits, provided that the BIOS does not limit you on the types of characters you can use. At the same time, make sure you can remember the password for obvious reasons.
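To confirm that the ATA password discussed above is actually set, the drive's security state can be read back. The following is an added example, not part of the original article: it assumes a Linux system where `hdparm -I <device>` is available, and it parses the "Security:" section of that output. The sample text is constructed.

```python
# Constructed sample of the "Security:" section printed by `hdparm -I <device>`.
SAMPLE_HDPARM = (
    "Security: \n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\tnot\tenabled\n"
    "\tnot\tlocked\n"
    "\t\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "Checksum: correct\n"
)

FLAGS = ("supported", "enabled", "locked", "frozen")

def parse_security(hdparm_text):
    """Return {flag: bool} from the Security section, or {} if it is absent."""
    state, in_section = {}, False
    for line in hdparm_text.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if not in_section:
            continue
        if line and not line[0].isspace():
            break  # reached the next top-level section
        words = line.split()
        negated = bool(words) and words[0] == "not"
        name = words[1] if negated and len(words) > 1 else "".join(words[:1])
        if name in FLAGS:  # "supported:" and "expired:" are deliberately skipped
            state[name] = not negated
    return state

def assess(state):
    """Findings relevant to the ATA password advice, as a list of strings."""
    if not state.get("supported"):
        return ["no ATA security feature set reported; rely on disk encryption"]
    findings = []
    if not state.get("enabled"):
        findings.append("ATA password is not set")
    if not state.get("frozen"):
        findings.append("security state not frozen; software can still set or change the password")
    return findings

if __name__ == "__main__":
    for finding in assess(parse_security(SAMPLE_HDPARM)) or ["ATA password set and state frozen"]:
        print(finding)
```
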
Avoiding compromise outside of the BIOS
After your system has turned on (or turned off for that matter), it is vitally important to ensure that you add more layers of protection to your system. There are two approaches to this that work well when combined:
- Encrypting the hard drive.
- Ensuring a password is required at OS boot up.
The last point is quite important: the one thing that prevents someone from viewing your files while the machine is on is that it is locked or logged out and requires a password to get back in. Layers of security are important. Windows will sometimes log in without a password by default. This should be disabled.
Encrypting the hard drive is useful in that even if the ATA password is defeated, an attacker still has an encrypted drive to defeat to get at your information. With a drive encrypted with AES-256, extraction of the data could take longer than the expected lifespan of the Sun as known methods are way too slow (you can put all of the computers in the world together and it still wouldn’t be done until well after we’re swallowed up when the star dies). Solutions for encrypting the drive do sometimes come with the OS, but a popular free solution to investigate is TrueCrypt, which works with Windows, Mac OS X, and Linux. There are also numerous commercial solutions that are great if you’re managing several laptops at once.
Preventing everything from being compromised
While encrypting your hard drive, ensuring that your BIOS is protected with a password, and so forth are all well and good, the layers can be broken down if you do not take other safeguards to prevent your laptop from being compromised.
For example, while your computer is on and the hard drive is in use by the OS, the key used for encryption is sitting in memory. There are two ways in which this key can be grabbed by a nefarious entity:
- A rogue program could possibly extract the key from memory and transmit it to someone or;
- Someone who has physical access to the machine takes advantage of certain external-facing peripheral ports on the machine to extract the key from memory without requiring any software to run.
The first concern can be defeated using a combination of smarts and adequate OS security. Not running software you are unfamiliar with is the first step you should take regardless of whether or not you’re trying to protect a laptop using the above steps. Beyond that, keeping your OS and software up to date with the latest patches, disabling and removing any unnecessary services and software, and, while not popular with some security individuals, having some level of anti-virus are good ways to give this laptop a chance of being safe at the user level.
When it comes to protecting your data, having it encrypted is a good way to stop someone from reading the drive should it fall into the wrong hands, but you cannot presume that a locked computer cannot be intruded upon if the machine is still on.
There are known attacks that use either offline analysis of the system’s memory or even worse, analysis of the memory using the peripheral ports on the system itself.
For example, there are known attacks that use the direct memory access (DMA) that Firewire employs that could allow an attacker to extract not only your system password, but potentially the key used to encrypt your hard drive. These sorts of attacks are considered possible against other ports such as eSATA and memory card (SD, Memory Stick, et cetera) readers that use the PCI bus, but so far the only known working example at this time is with Firewire. Fortunately, attacks using DMA cannot be used against USB due to its design, but it would be best to disable any non-essential ports to ensure that this sort of attack is less likely to be used.
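One way to check whether Firewire is really disabled at the OS level, as an added example that is not part of the original article: it assumes a Linux laptop, reads text in the format of /proc/modules and of modprobe.d configuration files, and separates a plain `blacklist` line (which only stops automatic loading by alias) from an `install <module> /bin/false` override (which makes an explicit modprobe request fail too). The module list and sample text are constructed for illustration.

```python
# Linux FireWire drivers: the current stack plus the legacy ieee1394 stack.
FIREWIRE_MODULES = {"firewire_core", "firewire_ohci", "firewire_sbp2",
                    "ieee1394", "ohci1394", "sbp2"}

# Constructed samples in /proc/modules and /etc/modprobe.d/*.conf format.
SAMPLE_PROC_MODULES = """\
snd_hda_intel 53248 3 - Live 0x0000000000000000
firewire_ohci 45056 0 - Live 0x0000000000000000
firewire_core 81920 1 firewire_ohci, Live 0x0000000000000000
"""
SAMPLE_MODPROBE_CONF = """\
# constructed example configuration
blacklist firewire-sbp2
install ohci1394 /bin/false
"""

def _norm(name):
    # modprobe treats '-' and '_' in module names as the same character.
    return name.strip().replace("-", "_")

def loaded_firewire(proc_modules_text):
    """Return the FireWire modules listed in /proc/modules-style text."""
    names = {l.split()[0] for l in proc_modules_text.splitlines() if l.split()}
    return sorted(names & FIREWIRE_MODULES)

def modprobe_policy(conf_text):
    """Map module name -> 'blacklisted' or 'blocked' from modprobe.d text."""
    policy = {}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "blacklist":
            policy.setdefault(_norm(parts[1]), "blacklisted")
        elif (len(parts) >= 3 and parts[0] == "install"
              and parts[2].endswith(("/false", "/true"))):
            policy[_norm(parts[1])] = "blocked"  # stronger than blacklist
    return policy

def audit(proc_modules_text, conf_text):
    """Return {module: 'LOADED' | 'blocked' | 'blacklisted' | 'loadable'}."""
    loaded = loaded_firewire(proc_modules_text)
    policy = modprobe_policy(conf_text)
    return {m: "LOADED" if m in loaded else policy.get(m, "loadable")
            for m in sorted(FIREWIRE_MODULES)}

if __name__ == "__main__":
    for module, state in audit(SAMPLE_PROC_MODULES, SAMPLE_MODPROBE_CONF).items():
        print(f"{module:15} {state}")
```

On a real machine, pass it the contents of /proc/modules and the concatenated modprobe.d files; anything reported as LOADED or loadable still leaves the port usable by the OS.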
With regard to the offline analysis, simply turning off a computer does not necessarily mean that the data stored within RAM is immediately destroyed. It in fact slowly degrades and can be read for a short period of time. This method is referred to as a “cold boot attack” and is a bit harder to guard against if you’re not physically at the laptop. However, there are a few things to keep in mind:
- This sort of attack does require the attacker to be physically at your laptop and provided you have prevented it from booting off of removable media, the time required to physically remove the RAM and then analyse it is quite extensive.
- You’ll be aware of the laptop being tampered with if you arrive to find that it has been turned off or is missing its RAM. It is more likely however that the laptop will be stolen.
- The attacker will need to make sure that they’re capable of using the RAM that you have should they decide to pop it into another machine.
Some care will need to be taken when it comes to safeguarding the laptop from being in the possession of others.
I plan to rewrite this article and publish newer editions as time goes on, but the above is a good start to locking down your laptop and protecting it from malicious individuals. You cannot be 100% protected when it comes to these steps or anything in addition, but you can at least minimise the likelihood of being compromised. You should also always have a plan in the event that something happens, but decisions regarding that will need to take into account personal and any business considerations.