155

I am looking to make a clean install of a Debian system on my home desktop. To clarify, I am switching from Windows and wish to use it as my day-to-day home OS - I'm not going to be running any servers or anything like that.

I also have reason to believe that some members of my household (who have physical access to my machine) would try to gain access to it, and look through my data or possibly even install a keylogger.

For the purpose of this question, please ignore the social aspects, except for the fact that I cannot act openly confrontational, so e.g. locking my room to prevent anyone accessing my PC is not an option.

The people I want to protect against are technologically literate; they know their way around linux even if they may lack much experience with it, and if something can be found with some googling and takes maybe an hour or two of messing around then it's most likely going to get attempted. That said, I am pretty certain that acquiring specialist equipment is not something they would bother with, which means that I don't have to worry about most hardware attacks, e.g. a keyboard keylogger or bug on my mobo / RAM sniffer / whatever.

One other thing is that I have a Windows 7 system to which they have admin access (so it can be considered compromised). This is one of the reasons I am switching to Linux; however, I'd like to keep a dual-boot system rather than removing Windows outright. I am aware that this would allow an attacker to outright nuke my Linux partition, and that is a risk I'm willing to take.

I am not concerned with securing my Windows system. I am aware it's compromised and don't really care what happens to it. As I mentioned, other people have accounts on my Windows system and occasionally use it (for legitimate reasons!). I am certainly looking to secure my Linux installation, but preventing access to Windows has no point unless it contributes to the security of the Linux part of my machine. In fact, I'd rather avoid limiting access to Windows if possible because I don't want to appear paranoid or create conflict in the household.

Full-disk encryption will prevent anyone from actually accessing my data from outside my Linux installation itself, which should then take care of both the Windows system and even make booting from a USB drive mostly useless (I am quite certain that the people in question do not have the resources or the motivation to decrypt a well-encrypted drive). I will also need to password-protect the single-user mode, of course.

What other things would I need to do to secure my system? I am handy with the command line and willing to get my hands dirty, but I have limited Linux experience and fragmentary knowledge of computer security. The choice of Debian is largely arbitrary and I would have no problem trying out a different distro if it would be better in my case. If there's anything I've missed, or if you have tips on things I mentioned (e.g. best practices for disk encryption?), then I would be glad to hear them.

I do not believe this question is a duplicate because all of the other questions I found on securing Linux on this site concern themselves with remote attackers and protection against viruses and exploits. They certainly have good answers but that is not the kind of information I am looking for here.
Another question has been brought to my attention when my post was flagged as duplicate. However, that one asks in general whether their machine is secure when others have physical access to it; the answers to it generally boil down to "Physical access = game over" and provide some tips to mitigate various attacks (including things such as rearview mirrors on your monitor). Many of those tips are not applicable here, since I am aware that unlimited physical access means the machine isn't mine anymore in theory, and hence I provide some limitations to the attackers in my threat model which fit my personal scenario.

Boris
  • 1,410
  • 2
  • 9
  • 11
  • 73
    Why not just disconnect hard drive, boot into Linux live environment from a USB, then store anything on an external HDD full disk encrypted? Use TrueCrypt so you can potentially use 2 passwords (dummy and real). – k1308517 Jun 15 '16 at 11:03
  • 4
    Start with the [Securing Debian manual](https://www.debian.org/doc/manuals/securing-debian-howto/). – user Jun 15 '16 at 13:25
  • 70
    "who have physical access to my machine" There is an old saying in IT, Physical access equals game over. Good luck, but you're probably wasting your time. – Little Code Jun 15 '16 at 13:59
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/41248/discussion-on-question-by-boris-hardening-linux-desktop-machine-against-people-f). – Rory Alsop Jun 16 '16 at 09:19
  • 55
    When you distrust your housemates so much, perhaps the best security measure would be to cease co-locating with them. In short, move house. – spender Jun 16 '16 at 16:06
  • 2
    They do not need to access your computer to see what are you doing on the internet :) As long as they have access to the router. Which I assume they do since they already have admin access to your windows system. – Ubaidah Jun 16 '16 at 18:30
  • 3
    Possible duplicate of [How can I protect my computer from my potentially malicious colleagues?](http://security.stackexchange.com/questions/6150/how-can-i-protect-my-computer-from-my-potentially-malicious-colleagues) – D.W. Jun 16 '16 at 20:29
  • 3
    This is already pretty well covered by a bunch of other questions here: http://security.stackexchange.com/q/6150/971, http://security.stackexchange.com/q/2613/971, http://security.stackexchange.com/q/2463/971, http://security.stackexchange.com/q/10354/971, http://security.stackexchange.com/q/85373/971, http://security.stackexchange.com/q/112976/971. – D.W. Jun 16 '16 at 20:31
  • 1
    Make sure to protect against hardware attacks. Debian can be secured with FDE and such, but what if they simply plug in a small hardware keylogger between your computer and your keyboard? – André Borie Jun 16 '16 at 21:43
  • 1
    Make sure they don't simply attach a mini-camera to your computer. The best way to make sure a system is secure is trying to hack into it. Also, why does your family want your info so badly? – noɥʇʎԀʎzɐɹƆ Jun 16 '16 at 23:49
  • 39
    Have to admit, my first thought was "tired of your parents coming down to the basement and checking your browser history, huh?" – brichins Jun 17 '16 at 21:04
  • 1
    The best security is physical - Buy an SSD with a nifty external USB case. Install your linux and data partitions there. Set your machine's BIOS to boot from USB as top priority. Hide the SSD when not in use. Never use the internal HDD, which is very slow compared to SSD anyway (Linux boots in under 5 secs). To be extra covert, install the same version of linux on the HDD as a red herring, and load up the browser history with pictures of Nixon and kittens. –  Jun 20 '16 at 01:36
  • 1
    @DominicCerisano USB will be a much more limiting factor than the type of hard drive inside the enclosure. – Criggie Jun 20 '16 at 01:45
  • 2
    Not an answer, but: if you cannot be confrontational because you don't have any proof, consider gathering it. For example with your own keylogger. – Dennis Jaheruddin Jun 20 '16 at 09:32
  • 2
    @Criggie it depends on the speed of USB and drive. Most external drives are slower than USB 3.0’s throughput, but many SSDs are faster than USB2.0. – törzsmókus Jun 20 '16 at 20:41
  • @Criggie a good SSD is around 400MBps and USB3.0 is 640MBps. A good HDD is only around 200MBps. Internal drives are very old hat and insecure - the space and cost can be repurposed for better graphics. External storage is just getting faster, cheaper, smaller and is physically more secure. –  Jun 21 '16 at 19:39
  • 1
    If the attacker has 20 second access to your running and unlocked computer, he can do the following: download a script from the web, the script would detect and kill the screen saver, start a modified screen saver which accepts an additional password, start a background server which accepts shell commands over TCP, and modify startup scripts (possibly the X11 profile script) to start the background server and the modified screen saver at startup. -- So you don't want to have your running computer unattended. – pts Jun 21 '16 at 20:10
  • "since I am aware that unlimited physical access means the machine isn't mine anymore in theory" - That's not in "theory". It is what really happens in practice. Doesn't matter what kind of limitations you _think_ your attacker has - if they have physical access, you already lost. – T. Sar Jun 29 '16 at 17:42

23 Answers23

101
  1. Use a strong and difficult password for the root user. Secondly, always login and work from another user with no administrative rights (and also a strong password).

  2. Enable the BIOS password option. Every time you power on your computer, the BIOS itself will ask you for a password before even booting on. It will also prevent everyone from applying changes to the BIOS setup.

  3. Encrypt every partition of your hard drive (check cryptsetup for Debian - if it can't encrypt you Windows partition, too, use TrueCrypt (from Windows for your Windows))

  4. Watch out for external hardware devices connected on your PC (like USB sticks or hubs) that you haven't used before. Someone might have plugged in a keylogger or something.

  5. Always lock or power off the machine when you are away.

  6. Software hardening:

    Install gufw (GUI for the iptables firewall which is pre-installed) and block incoming traffic. Also install rkhunter and check your system for known rootkits and other threats from time to time.

That's all I can think of right now. If you have any questions feel free to comment below.

Chris Tsiakoulas
  • 1,757
  • 1
  • 10
  • 9
  • 2
    Thank you for your answer! I have a couple questions: 1) Is disabling root login a good idea, or does it change anything at all? 2) Is it worth encrypting the Windows partition, just to secure the Linux installation? Because at this point I know that Windows is compromised and don't really have any interest in trying to secure it; I'm only concerned about the Linux part. – Boris Jun 15 '16 at 11:44
  • 8
    Don't forget the grub password. And locking the root account altogether. – Blue Jun 15 '16 at 11:46
  • 13
    "Enable the bios password option" - this doesn't provide much security. Legacy BIOSes usually had a service password (e.g. AWARD_SW in case of some Award BIOSes), some UEFIs have them too. Getting into BIOS/UEFI Setup allows you to boot any OS from pretty much any device. You have to use HDD encryption because of that, because otherwise the attacker can boot some live Linux distro, mount the disks and there goes your privacy. – Jakub Jun 15 '16 at 11:49
  • @Blue: See my new edit to the OP; I don't care what happens to Windows. Is it still a good idea to set up BIOS and Grub passwords? – Boris Jun 15 '16 at 11:52
  • @Boris It should prevent any other people from booting into live disks (like Kali) that will try to break disk encryption. Also, for grub, you don't have to set passwords on all entries (https://help.ubuntu.com/community/Grub2/Passwords) – Blue Jun 15 '16 at 11:57
  • @Blue That's good to know, I'm definitely gonna look into that. Thanks for the advice. – Boris Jun 15 '16 at 12:00
  • 4
    Using TrueCrypt on windows solves nothing. If anything it creates a problem as he does Windows gaming (it slows down computer). – k1308517 Jun 15 '16 at 12:19
  • Disabling root login will let you be root only when needed (along with anyone else). Not lettin everyone become eoot means that less people can perform serious tasks allover the machine. Well, if you don't care about your windows, let it. Windows dont recognise ext file systems anyway. And even of someone downloads some utility dor that, they will have a hard time decrypting your volume. – Chris Tsiakoulas Jun 15 '16 at 13:41
  • 9
    As for the BIOS passwords, if the attacker has physical access they most probably can simply unplug the PC, remove the CMOS battery, cycle the power switch, wait a few seconds, plug back and get in. – arul Jun 16 '16 at 00:39
  • 1
    @arul True -- not without OP noticing it, though. – Federico Poloni Jun 16 '16 at 14:24
  • 2
    BIOS password is useless with physical access, as you can just short two pins (basically the same as removing the battery) and the password is cleared. – Stephan Bijzitter Jun 16 '16 at 14:27
  • You can access ext file systems inside windows!!!!! Care about it. It's an attack vector. – coteyr Jun 16 '16 at 14:42
  • 11
    BIOS password is useful, but not for intrusion prevention but for intrusion detection. For an attacker It's trivial to reset BIOS, but next time you try to log in, you'll notice that the password prompt is gone or your old password no longer works. All that assuming that your particular BIOS has no backdoors, like @Ushuru said. – Agent_L Jun 16 '16 at 14:52
  • 1
    @coteyr That's what #3 (encrypted partitions) is for – Izkata Jun 16 '16 at 20:11
  • The more security constrains applied the better. Even if some are easily bypassed or not, they still will need efford and knowledge from an intruder's side. Discouraging an attacker is not a standalone option, but still an option. – Chris Tsiakoulas Jun 16 '16 at 20:22
  • Debian actually supports LUKS filesystem encryption, and you can set them up when you originally install, you just have to build your partition table manually. There is a nice walkthrough here: http://www.tecmint.com/install-debian-8-with-luks-encrypted-home-var-lvm-partitions/ – Drunken Code Monkey Jun 17 '16 at 00:00
  • 2
    Since the question states "other people have accounts on my Windows system and occasionally use it (for legitimate reasons!)" I'm guessing a BIOS password isn't an option, since it would prevent legitimate use of the Windows partition by other users. – Ajedi32 Jun 17 '16 at 14:03
  • I actually thought of it, but I thought it would be better to give him lots of options and let him exclude some. – Chris Tsiakoulas Jun 17 '16 at 14:52
  • @Ajedi32 In most BIOSes you can chose between a BIOS password for booting or to protect BIOS setup access. In this case you must remember to disable all boot media except the disk you are booting from in the BIOS setup. – Dubu Jun 17 '16 at 16:06
  • 1
    I don't know any disk encryption which even attempts to secure against this threat model. Usually disk encryption products do not attempt to protect integrity of the data on disk whatsoever. If the encrypted data has been mangled, they will happily decrypt whatever is on disk and hand it to the next layer up the stack without reporting any errors. Moreover they frequently assume the attacker can only achieve an image of the disk at one point in time. If the attacker can mirror your disk more than once, you have lost. – kasperd Jun 18 '16 at 12:09
  • 3
    Buy an SSD and an external USB case. Install your Linux and data partitions there. Prioritize USB in the BIOS startup. Unplug and hide the SSD when not in use. To be extra non-confrontational, install the same Linux on the HDD. Load that account's browser history with kittens. Disguise your SSD in a stuffed toy. –  Jun 20 '16 at 02:49
  • 1
    Damn @Dominic Cerisano! Are you CIA or something? That was a good one! – Chris Tsiakoulas Jun 20 '16 at 07:35
  • Check out https://github.com/dkopecek/usbguard to blacklist/whitelist usb devices – Dog eat cat world Jun 22 '16 at 22:03
98

I hate to be this guy, but

Law 3:

If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.

You are asking how to best lock a plywood door. People are giving you very good suggestions for locks, but none of them matter since your system is physically vulnerable and your attackers are competent. They will just use an axe (or in your case, a screwdriver).

user1717828
  • 2,392
  • 14
  • 19
  • 16
    Like I mentioned in the OP, these types of attacks don't need to be considered. They're extremely unlikely to happen, and in any case to defend against them I'd have wear not just a tinfoil hat, but a tinfoil bodysuit and at that point I agree it might be easier to just move out into my own appartment and get a completely new PC. Which I'm not prepared to do at this point in time. – Boris Jun 15 '16 at 21:24
  • 11
    +1 this is the only real answer. @Boris "these types of attacks don't need to be considered" I think you're mistakenly believing that any form of attack that might succeed would be extremely difficult or obvious that the attack was done. That's simply not true. You cannot truly secure something against an opponent who has unlimited time to sit there and figure out how to break it. –  Jun 15 '16 at 21:35
  • 3
    @Boris *Like I mentioned in the OP, these types of attacks don't need to be considered.* - You said they're technically literate, familiar with Linux, and would spend a couple of hours attacking you, and they have compromised your existing OS. But they won't point a phone at your keyboard for ten minutes to record you typing your password? – TessellatingHeckler Jun 16 '16 at 00:30
  • 154
    This answer wrongly implies that any security less than total security is useless. Actually, locking a plywood door can be quite useful sometimes. – dan1111 Jun 16 '16 at 06:54
  • 34
    In particular, locking a plywood door will not prevent attacks, but it will make them noticeable. And while physical access allows attackers to format your harddisk bypassing full-disk encryption, this will also be very obvious. Given the remark about nuking the Linux partition from Windows, the threat here is not attacks, but _undetected_ attacks. – MSalters Jun 16 '16 at 09:06
  • 1
    @Boris Solution to them opening the case up and putting some hardware in (even if you're not concerned, this should be pretty easy): superglue the screws in. Again, not impossible to attack, but will be *noticed* if it is. – ArtOfCode Jun 16 '16 at 14:15
  • @ArtOfCode That's fine but then how am *I* going to open my case? E.g. to change or upgrade things, or if something breaks. – Boris Jun 16 '16 at 15:05
  • 62
    Once I asked my dad why we put a lock on our bicycles when we go on vacation, a thief could just bring wirecutters. He told me they "keep honest people honest." A locked door can keep the mildly curious out in the same way the safeguards from the other questions can keep the lazy and not-so-interested out of your computer. – Captain Man Jun 16 '16 at 16:18
  • 4
    @Boris Don't use glue. Use [glitter nail polish on the screws and take a picture of it](https://www.wired.com/2013/12/better-data-security-nail-polish/). – Dubu Jun 17 '16 at 16:01
  • 13
    @MichaelB: Because mitigation is helpful. Solutions are imperfect, security is a tradeoff, attackers have limited time and resources. An answer that says "give up, you can't do this" just repeats kitschy advice for cheap upvotes without really examining the real issues at stake here with any depth or nuance. – Dietrich Epp Jun 19 '16 at 16:02
  • 3
    @DietrichEpp I think the accepted answer here is a good answer, and should be accepted, because it does give solutions to the question asked. However I - personally - feel that the accepted answer would be considerably weaker if this wasn't the second answer. The two together create an answer that says 'this are the practical steps of what you could do, but underneath those practical steps, remember this core problem' Its not saying give up, it is describing the actual problem that exists. – Michael B Jun 19 '16 at 16:56
  • This is an over-generalisation and very simplistic and defeatist point of view. Some security is better than no security. Absolute security does not exist. The fact that certain attack vectors are potentially viable does not impair the usefulness of other security measures. A threat assessment will help work out how much effort is required to secure the host. – Pedro May 05 '20 at 13:20
70

Depending on the performance you require and money you are willing to expend, a removable "Live USB" or completely bootable normal system on a USB "hard drive" (a small ssd would work great) might be an ideal solution considering your "unique" constraints of needing high security against local attackers. It would allow you to just leave the compromised windows system in place, and create a Linux system on a removable device that you can keep with your person. For lowest cost you can use a very cheap thumbdrive. Spend a little more on a fast thumbdrive or a more robust USB SSD and you can achieve reasonable performance for most applications. Encrypting it is a good idea in case you are separated from it, but given that it's always with you and it constitutes the entire OS it is safe from local attacks.

Jeff Meden
  • 3,976
  • 13
  • 16
  • 16
    This seems the best approach to me; they can't tamper with what isn't there, and the computer itself is completely unmodified relative to its current situation, so there's no indication you secured anything. The entire current PC (including your compromised Windows install) acts as a nice decoy. As for a Debian install, ensuring no network services are running at all will go a long way. Remove the `rpcbind` and `nfs-common` packages. In case you install SSH, secure it properly (meaning: only allow public key authentication). – marcelm Jun 15 '16 at 17:20
  • 3
    Wouldn't that still be vulnerable to an hardware keylogger? – 0xFF Jun 15 '16 at 17:27
  • 6
    @fhlamarche the OP stated the mitigation did not need to account for hardware keyloggers. However, it would be easy to conduct a basic check of the USB ports when attaching the external storage, in order to rule that out (assuming you are not concerned with very well hidden ones i.e. completely modified keyboards) – Jeff Meden Jun 15 '16 at 17:54
  • 3
    A USB 3.1 PCI-e card (if your system doesn't already have 3.1) and a USB 3.1 external SSD would eliminate the performance issue. – cas Jun 15 '16 at 21:42
  • Using UNetBootin, you can add persistent space to it, to allow files saved in the standard place. very useful. – Tim Jun 16 '16 at 19:22
  • 2
    These days you can get a whole computer on an HDMI stick and just take it with you everywhere you go: http://www.digitaltrends.com/computing/best-stick-pcs/ – Matthew Lock Jun 17 '16 at 03:07
  • 2
    @MatthewLock yes if some money can be spent there are lots of options for him, they even have these little portable PCs that are complete, with a screen and everything, you just open it up and it's ready to use, even on your lap! ;-) – Jeff Meden Jun 17 '16 at 12:48
  • @JeffMeden A hardware keylogger could be inside the computer case. – user253751 Jun 19 '16 at 01:56
  • 1
    Aren't there ways of infecting the host machine's BIOS? This could then infect the portable hard drive, no? – jpmc26 Jun 20 '16 at 01:26
  • I used to use this distro. https://tails.boum.org/ – Jammin4CO Jun 20 '16 at 15:51
  • @Immibis it would actually be pretty challenging to conceal it inside the case and also hide it from the OS, since it can't sit between the keyboard and the host like most off the shelf loggers do. You would need a device that could tell the OS to send it all keystrokes without setting off any red flags. I suppose you could install a new USB port on a slot cover that was wired to a logger, but that would be obvious to the outside. – Jeff Meden Jun 23 '16 at 15:00
  • @JeffMeden If the keyboard is connected to a front USB port, the internal USB cable can be cut and connected to the keylogger. – user253751 Jun 23 '16 at 20:59
  • @immibis true, a good protection is to always use onboard ports directly attached. Noticing the cables coming from the front instead of back (if someone moved them for this attack) would be pretty easy. – Jeff Meden Jun 24 '16 at 12:30
  • I wonder if it's possible to install the OS on the system, and then make it read-only, and put only changed files on the USB. Even if they install a keylogger, the keylogger is saving _to the USB_, so the attacker would be unable to access the results. – Mooing Duck May 05 '20 at 20:53
25

There's some things to consider that differ from all the answers previously given: what you're looking for is privacy, not security.

While they seem very similar, the goals of each are different, and the ways to implement each are different. If you were looking to implement security, you would remove other users' admin access, lock down each users' account, and put protections in place to prevent abuse. This, of course, comes at the cost of usability.

Now for the privacy solution. Since you're only looking at protecting your information while leaving everyone else intact, there are 3 major attack vectors to address (assuming you move to Linux as you planned):

  1. Data at rest (on the hard drive)
  2. Data in motion (on the network)
  3. Protection while the device is on (firewall)

For data at rest: You will want to use some sort of encryption. This will prevent anyone who doesn't have the key/password from looking at any data that you are saving. There are plenty other answers that cover this topic, so please refer to them for specific implementation details.

For data in motion: I would recommend buying a VPN service (or setting one up externally if you have the resources). This will encrypt and protect all traffic coming to and from the box. Not only does it protect traffic, but it also protects traffic inference based on connection information. For example, SSL encrypts all traffic between you and the site you're visting; however, if someone sniffs your traffic and sees facebook.com in the initial request, while they don't know what you're sending to Facebook, they know you're doing something on Facebook. A VPN would tunnel all traffic through its server before sending to the internet, effectively removing this leakage.

For protection while the device is on: Assuming that all hardware attacks are out of the picture (such as keyloggers or cameras), the only area the machine is exposed is the Ethernet. If there is a service turned on that has a vulnerability, it would be possible to attack that service from the network and gain control of your machine (within that few hours of Googling you assumed). To protect against this, you'll want to set up a firewall. On Debian, iptables should do just fine. On any incoming traffic, you'll want to block everything that is not RELATED or ESTABLISHED. To even further restrictions, you could block all traffic that is not coming to or from your VPN. In this way, it almost completely removes any attack surface, and will take an attacker much more dedicated than your roomates to break.

Here's a sample of the options to use with iptables to set up the limitations:

# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT DROP
# iptables -A INPUT -s [VPN IP] -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# iptables -A OUTPUT -d [VPN IP] -j ACCEPT

And what each is doing:

  1. Drop all packets coming into the machine
  2. Drop all packets being routed through the machine
  3. Drop all packates being sent from the machine
  4. Allow packets from the VPN IP that were created from connections that already exist (ones you made to the VPN) to be processed
  5. Allow any packet being sent to the VPN from your machine

You could also only allow the specific ports the VPN uses to even further limit the attack vector. It is important to note that you will be unable to access the internet except through your VPN, so make sure that is set up and working before you apply these changes.

Once all these are applied, the box should be nearly impossible to break into either while you're using it, or while you're away, by the people trying to look at your data.

Disclaimer: This assumes attacks on your infrastructure. Social engineering and alike attacks are much more difficult to prevent.

Qwerty01
  • 351
  • 2
  • 5
18

Here is an all inclusive solution since you stated you were not worried about hardware/USB/physical attacks. Install Virtualbox/VMWare/Other on your desktop. Go about creating your guest and put that guest on a removable USB key. When you're done with your work, power off the virtual machine, remove the key, and it's a wrap.

There are plenty of other methods you could go about this as well including creating a TrueCrypt hidden container, then installing your guest inside that container. That raises a red flag if someone is snooping: "Oh so he is hiding something now... Must find!" Versus taking your operating system with you. You could do this on a USB key, removable drive, or you could boot into a throwaway system (Kali, bootable Linux), save data to the cloud (Dropbox, etc), and worry little about the operating system since it will be booting off of a DVD, and be a fresh install every time.

As for services. Running 1000 services means nothing if all the services are free from vulnerabilities. What is there to access, and how? Strong passwords are always key but imagine the worse case scenario here. Keystroke logger on Windows... It will defeat your guest security since you are typing through the host. The best option would be to boot into a bootable distro, leveraging the cloud to save/store data, or removable disk.

munkeyoto
  • 8,682
  • 16
  • 31
  • This is the best answer for the most security - but might be inconvenient. the next answer would be more convenient, but less secure (albeit, still very secure). It depends on how paranoid you are... (or need to be). – Stone True Jun 15 '16 at 13:15
  • 3
    This does nothing to protect from the possibility of a well hidden remote access Trojan that will record/relay all activity, thereby giving up his confidential information even though he has it in his possession the entire time. Further, if they were even more diabolical, they could keylog and also silently duplicate his USB drive while he is sitting there, giving them later unfettered access to a snapshot of his system and data. Any situation involving a compromised hypervisor is a complete non-starter. – Jeff Meden Jun 15 '16 at 14:54
  • 28
    How does virtual box defeat a key logger or traffic sniffing from Windows 7? – Patrick Trentin Jun 15 '16 at 15:53
  • 2
    The biggest problem I see with this answer is that you're suggesting that I create my guest from my (compromised) Windows machine. (If you meant something else, then it's not clear from your current wording.) In an extreme scenario, I could then consider the entire system I created to be compromised; more realistically, it would at least alert anyone watching that I'm trying to hide something. Now, a full Linux partition is a lot more obvious of course, but it's also a lot less suspicious - hey, I like the OS! Much less likely to prompt investigations than the creation of a live-bootable USB. – Boris Jun 15 '16 at 17:14
  • @PatrickTrentin I can think of nothing on a guest defeating a host based keystroke logger hence me stating: "bootable linux/bsd" distro. – munkeyoto Jun 15 '16 at 17:15
  • @PatrickTrentin I mentioned two solutions in the event he is on a workstation with no CD/DVD that would enable him to use a bootable. Being I offered an alternative it was only proper to mention the risk associated with going that route (using virtualbox/vmware/etc) – munkeyoto Jun 15 '16 at 17:28
  • 1
    The part with the virtual machine only makes sense if you put windows inside the box to limit its access to linux files/partitions. Or did I miss something? – hkBst Jun 16 '16 at 06:09
14

I like the answers that suggest you run Linux from removable media. It hides the fact that you're taking precautions from your not-so-nice house mates. There's a few problems with it, though, from a practical standpoint. You're sacrificing drive speed and space, but what's more important is that carrying your whole operating system around with you is cumbersome. You'll forget the drive at school/work when you need it at home. You're prone to lose all your data if you misplace your removable OS disk or drop it one time too many.

If you don't mind tipping your house mates off with the presence of an encrypted partition on your computer, there's an easier way that gives you the same amount of security, without the problems.

If you install Linux on your internal hard drive, obviously you need to encrypt all your Linux partitions. However, you can't encrypt the boot partition which contains the kernel, so I'd suggest that you copy the boot partition to a removable (and, ideally, write-protectable) USB drive and always boot your system from the USB drive. So even if somebody messes with the (unencrypted) kernel, initial ram drive or even the boot loader to get a software key logger into your system, it won't matter because you're bypassing the messed-up boot process by booting from your (hopefully) clean USB drive.

You might want to take a hash of the two boot partitions (the one on the HDD and the one on your USB stick) and check now and then whether the partitions changed, just to know whether someone is in fact trying to mess with you. In fact, you could automate this, having an init script on your encrypted root partition check both the boot partitions and warn you if one of them changed. This way, you can be reasonably confident that your boot partitions are fine even if you don't always keep your boot USB drive under close surveillance.

Only having to keep the bootloader, kernel and initial ram disk on the USB drive makes this solution a bit more practical. Also, it's not immediately obvious that your USB stick contains a bootable kernel if you fill the drive with some harmless folders, though of course it won't pass anything but the most rudimentary inspection.

This all assumes your adversaries won't be able to infect your computer's BIOS with a key logger, in which case all bets are off, but if they knew how to do that and went to such lengths, you've lost anyway.

Having said all that, are you sure it wouldn't be simpler, more effective and especially better for your well-being to address the social issues that clearly exist in your household?

A few pointers as to how to implement this (in answer to Boris' comment):

I haven't done such a setup myself, so I can't give you step by step instructions. However, here's a few pointers:

  1. Start by installing a normal Linux distribution on your hard drive with an encrypted root partition. If you need multiple partitions, use an underlying encrypted LVM so you only have to enter your password once, not once for every partition. You'll need to provide a small (say, 200 MB) unencrypted boot partition which will contain the boot loader, the kernel and the initial ram drive. The Ubuntu and Debian standard installers let you do all this quite easily.
  2. Make sure the system boots and then encrypt your swap partition if the installer doesn't let you do that already (haven't tried any recent installers). There's various step-by-step instructions available on the internet, simply google for encrypted swap.
  3. Now to getting your boot partition onto a USB stick. The difficult part is getting the kernel to boot from the USB flash drive (which I think doesn't boot like a regular external USB drive). Probably the easiest way would be to use the standard installer again to put another whole installation of the same distribution on the USB stick. I did something close to that before and it worked fine (though I seem to remember I had to jump through some hoops - I used an Ubuntu distribution and I'm not sure if I used the standard Ubuntu installer or a customized Ubuntu live system), and of course actually using the flash drive system is a bad idea, since it will
    constantly write to your USB disk (mostly /var/log/ messages) and ruin the stick in just a few weeks - happened to two of mine). Make sure you can boot that second purely-on-a-flash-drive system from the USB flash drive.

  4. Now that you have a working, bootable kernel on the flash drive, all you need to do is change the flash-drive system's root partition. It's pointing to the root partition on the flash drive, but you want the flash drive kernel to use the root partition on your internal hard drive. To change this, you need to unpack the initial RAM drive on the USB flash drive, which should be sitting on the boot partition on the flash drive and be called something like initrd.img-xxxxx, copy over /etc/fstab from your internal hard drive's root partition to the extracted initrd, and repack the
    initrd. Again, modifying initial RAM drive images is covered by various tutorials on the net. Note that an easier way might be to simply replace the initrd.img file on your USB flash drive with the one sitting on the boot partition on your HDD. But I haven't ever tried this, so I don't know if it would work.

  5. Once you've done this, you should end up with a flash drive which boots from the flash drive but uses your internal HD's root partition. You can then clean out your flash drive; the only stuff you need to keep on it is the boot loader, kernel and initial ram drive (basically, everything under /boot).

  6. Alternatively, you can install a "live distribution", on the USB flash drive and tinker with it until you get it to use your internal HD's root partition. However, this is probably much more difficult, because live distributions are set up so they use overlay filesystems that write to RAM instead of the flash drive, to prolong the flash drive's lifetime. So you'd have to yank this out, too. Plus you'd have to ensure you use a live distribution with a kernel kernel version that's compatible with the system on your internal HD's root partition.
  7. As to the building of hash checksums for your boot partitions, assuming you know your boot partition's device name and it's /dev/sda1 for the internal boot partition and /dev/sdb1 for the flash drive partition, building a hash can be as simple as

      $ sha256sum -b /dev/sda1 > hd-boot-fingerprint.sha256
      $ sha256sum -b /dev/sdb1 > usb-boot-fingerprint.sha256
    

    This will build a fingerprint of the whole partition and should therefore pick up changes to your boot loader. I'm not sure about the protocol used to boot USB flash drives; on internal hard disks, you should also build a fingerprint of the first megabyte of the disk because that's where the master boot record and the first stage of the grub boot loader is often kept:

      $ dd if=/dev/sda of=first-meg.dd bs=1M count=1
      $ sha256sum -b first-meg.dd > first-meg-fingerprint.sha256
    

    Once you have these fingerprints, you can periodically recalculate them and compare the calculated new fingerprints to the originals.

user2428118
  • 2,788
  • 16
  • 23
Out of Band
  • 9,200
  • 1
  • 22
  • 30
  • I actually really like this answer. Do you have some tips or resources explaining how it would be done? – Boris Jun 16 '16 at 15:11
  • I expanded on my answer, see above. However, I've gotten really curious about the social situation you're in. I know you said to ignore all that, but would you mind divulging whether you're a teenager trying to keep your parents from spying on you? Some of the posters here seem to assume so, and while I strongly believe in everyone's right to privacy regardless of age, I am concerned that fixing your problem with a technical solution will keep you from addressing the social issues, which might make your situation worse in the long run if you are in fact dealing with parents, not peers. – Out of Band Jun 22 '16 at 21:35
  • Alright, why not. Yes, I am in fact a teenager trying to hide from my parents, as you put it. The reality is that when I got my first PC at about 10 or so, I was really irresponsible, so my parents started enforcing strict parental controls including a keylogger (one marketed at family monitoring, actually). Years later, and it survives to this day, and still sees some use time to time. Now, I have a work laptop which they obviously have no access to, and a smartphone with 4G which basically allows me to bypass anything my parents could do to block or spy on me, but on my main PC I still... – Boris Jun 22 '16 at 22:30
  • ...have that keylogger. Since I was thinking of moving to Linux anyway, I was curious whether that could be used to secure my machine from my parents more or less comprehensively. (I also plan to only move out after I finish university and get a stable job, by which point I'm going to be ~22+ years old.) I am almost certainly not going to bother putting my entire system on an external drive; if my parents decide to go all NSA on me then I would probably really, really need to talk to them. Your solution seems really interesting so I might implement it mostly out of interest. – Boris Jun 22 '16 at 22:34
  • 1
    And while most of the answers are actually of not much use to me as mentioned just above, apparently 129 (at the time of writing) people thought this was a good question, so I'm basically leaving it as it is. By the way, I'm seriouly considering accepting your answer since it was the most helpful to me, but unlike the current accepted one it details only one method (albeit a great one) and so might be less generally applicable to future visitors. Since this is my first question, what is the etiquette here regarding changing the accepted answer and accepting an answer with relatively few votes? – Boris Jun 22 '16 at 22:38
  • I don't care about my answer getting accepted. I posted it after you accepted another one, and I'm not in it for the reputation, so no need to change that.. Glad if my solution works for you. Note I posted another one about getting a very cheap second computer which might also be a fun project. You might also be interested in www.torproject.org (probably does protect you from the NSA :-) ). Thanks for satisfying my curiosity and (not wanting to go all parental on you, but still...) as a parent myself, I hope you and your parents will be able to build up some trust again in the future. – Out of Band Jun 22 '16 at 23:04
  • Maybe start by asking them nicely to remove the keylogger, as you're now older and wiser; and then see what happens ;-). – Out of Band Jun 22 '16 at 23:13
12

You can not secure the system under the conditions in your question.

No matter what, with physical access to your machine there is no security. With the exception of the bios password every counter measure on this page could be circumvented by booting into rescue mode (in one form or another).

The BIOS password is easy to reset. It's usually a jumper or battery removal.

The most likely answers involve removable media. If you run Linux off a USB hard drive, and always keep it with you, there's not much for them to break into. But again with physical access, they could adjust your boot order and your back to square one.

Your only real recourse is to address the underlining problem of trust and access control.

p.s. Disk encryption will help, but it won't be a 100 % solution, cause they have access.

coteyr
  • 1,546
  • 9
  • 12
  • 1
    Many (most?) systems nowadays do not reset BIOS passwords by CMOS battery removal. My old Lenovo W510 ThinkPad, e.g., can't be reset in that way and it's getting outdated. – user2338816 Jun 16 '16 at 23:28
  • 2
    However, some BIOSes show a code after several failed attempts, and you use this to call the vendor to have them send over a reset key. See also [bios-pw.org](https://github.com/bacher09/pwgen-for-bios), which can calculate the key for a few vendors. – kirb Jun 17 '16 at 07:53
11

Just buy a notebook and carry it around with you.

If you don't want other people to check your data, don't leave your data near them.

If any part of your machine is compromised, everything on your machine is compromised. Hacking hardware is not necessarily expensive and you don't really know how far would this person go to get access to your data. The best way to avoid leaks on this machine is to stop using it altogether.

As many people told you - physical access equals game over on the security world. Don't store sensitive or privative data on a machine you share with people you don't want accessing your data.

T. Sar
  • 537
  • 3
  • 9
  • 4
    Since physical access is unpreventable, your idea of removing physical access is excellent, and thinking outside the box of the question. – Criggie Jun 20 '16 at 01:51
  • "if *any* part of your machine is compromised, everything on your machine is compromised" - if the Intel Inside sticker is compromised by being scribbled over with a permanent marker, then not everything is compromised. – user253751 Jun 21 '16 at 05:19
  • 3
    @immibis Damaged is Not the same as compromised. If you do manage to somehow hack the sticker to act as a keylogger, then yes, your machine is compromised! – T. Sar Jun 21 '16 at 10:11
8

Not sure why nobody has mentioned this yet (maybe I don't understand the site that well).

Put a camera in your room (one WITHOUT wifi capabilities). Get your linux system set up, casually mention it to your housemates in passing conversation. Record them breaking into your personal computer and reading your information. Have them arrested and fined, use the compensation money (if there is any) to help move out. Or, get the housemate thrown out for A), a serious breach of the law, and B), not respecting your privacy. Breaking into someone's personal computer is tantamount to stealing.

This is the easiest solution to me. Set a trap. The best defence is a good offence.

John
  • 89
  • 1
  • 11
    The scenario sounds like a child securing a computer against his parents, in which case getting them arrested isn't a viable plan. – MSalters Jun 16 '16 at 09:10
  • What makes you think that the OP is a child? – Mawg says reinstate Monica Jun 16 '16 at 13:12
  • 16
    While the OP doesn't mention it, the social factors certainly fit this scenario, for example not being able to lock the door to the room. Open confrontation is specifically mentioned as not possible by the OP, which I'm pretty sure covers trying to get them arrested. – paulw1128 Jun 16 '16 at 14:08
  • 1
    Firstly I don't see why you are ruling out keyloggers. It would be trivial to hide one inside the keyboard/mouse/pc/any other device. Secondly if they are parents or something like that then arn't they going to see you using this locked down other system and demand access to it whatever measures are taken? – JamesRyan Jun 18 '16 at 01:14
5

I would get two USB sticks. The first would have the capability to be set as read-only at the hardware level with password protection, and the second would be either a normal stick or a PIN-enabled stick (but these tend to self-destruct if the wrong PIN is entered a few times, so beware...).

Install your operating system on to the first stick, and configure the second stick to use full disk encryption. Set up your partitions such that anything that requires write access can be stored on the second stick, such as /home. Once fully configured, and locked down with secure passwords, set the USB stick as read only.

This will protect you from everything except physical keyloggers or leaving your system powered on/unlocked while you walk away. The read-only OS means that single-user mode would be useless as a form of attack, as you can't write anything to the OS stick while it's locked, and the second stick can't be read without the decryption password, protecting all sensitive data.

phyrfox
  • 5,724
  • 21
  • 24
4

This would be my plan of action:

  1. Lock down the BIOS by adding a BIOS password to the setup. I would not add a startup password to allow users to use the computer without my supervision. Disable automatic booting from USB, CD and network.
  2. Force boot from USB/CD and install Linux with an encrypted home folder and encrypted swap on the hard disk. If possible, I would attempt to keep the system partition on a very fast USB disk but if you still need performance, this is not possible. If you take this option, consider configuring Linux to load the entire system into RAM on boot.
  3. Done!

Every time I wanted to use my computer, I would shut it down and check for hardware keyloggers. Then I would connect my USB disk (assuming the system was installed on a USB disk) and force boot from USB to boot the system. This reduces the attack vector signficantly:

  • Nobody can view my personal files (they are encrypted).
  • Nobody can modify the Linux OS to include a keylogger (the OS is on my USB disk or the BIOS is locked to make accesing the Linux partition more difficult)

Remember to always shut down the computer when you are away from it to prevent cold boot attacks.

It's also very difficult to notice that you are hiding something with this setup. The home partition is difficult to see and access from Windows. In the case that they gain access to the home partition, they see a bunch of random looking files with random filenames holding random information. Assuming Linux is installed on the USB disk, they don't even see another operating system!

Installing Linux with a seperate home and systemm partition is very simple but I will not cover it for now. Add a comment if you need this information.

nulldev
  • 141
  • 3
  • how does shutting down your PC prevent a cold boot attack? – RozzA Jun 17 '16 at 07:20
  • 1
    A cold boot attack is an attack used to recover your encryption key directly from memory. Shutting down your PC prevents someone else from shutting down your PC and immediately rebooting it into their memory dumping program. I don't think that anybody will walk in front of you immediately after you shut down your computer and try to recover your keys as you would get suspicious. – nulldev Jun 17 '16 at 11:39
4

Also, I forgot to mention. If you want to set a BIOS password, and depending on how much hassle you want to go through, you could invest in a case that has a lock for the side. While that wouldn't entirely prevent intrusion, it would prevent people from tampering with it if they didn't want to be detected. That way they can't just remove the CMOS or access the motherboard/jumper in order to reset the BIOS password.

You could also Kensington lock that thing to the desk if you don't want that disappearing out of your room when you're not around. Not sure what lengths these folks will go to in order to access your data.

ted123
  • 41
  • 1
4

I encountered the following ages ago from somebody who was excessively paranoid:

Full disk encryption where /boot was on removable media and the master password had to be entered from a grid display so that the keystrokes that corresponded to the letters of the master password changed every time the computer booted.

My personal recommendation involved here calls for the boot media to be a CD-R marked by hand with a sharpie so that you can tell if somebody tries to swap it. (You can store it just fine in its case right next to the computer this way.)

The original recommendation involved /boot being a floppy you took with you (it's that old).

Joshua
  • 1,090
  • 7
  • 11
  • Despite all that, all it would take is someone to modify the computer with custom boot software or hardware that would steal the contents of the removable /boot for later use to present the user with a fake password entry screen to steal their password. If the hardware isn't secure it's hopeless. The hijacking boot program would say something like "Booting from USB" but it wouldn't actually be the BIOS printing that message. – Alex Cannon Apr 19 '18 at 16:23
  • @AlexCannon: Replacing the contents of the system BIOS to be able to do this is beyond the range of almost everybody. Most major computer manufactures used signed BIOS now. Muhahaha. – Joshua Apr 19 '18 at 16:56
  • All you have to do is unlock the CMOS password and then configure it to boot off of a hidden USB drive or such. Then it steals a small copy of the real boot drive and then chain loads it. It only causes a small delay that the user may not notice. – Alex Cannon Apr 20 '18 at 15:06
  • @AlexCannon: You mean you don't use F12->choose boot media every time? – Joshua Apr 20 '18 at 15:08
3

I did some admin-work in the past in a company where past admins didn't leave many notes. But there was hardware that was vital, connected to the networks, and not trustworthy. From that experience I can tell you that the old saying is right: if you have physical access and are determined, game over is only a question of time investment. You can make it harder to compromise your data without you noticing, but that's just more time to spend for the attacker.

One attack vector you might not have thought about yet: Instead of a hardware keylogger, a determined attacker could install a tiny video camera to get your passwords. Or, depending on the keyboard, a cheap microphone recording your keypresses might be enough. One innocent call on your cellphone while you're typing the super-secret password...

So the only real solution is to limit physical access, and I can see only very few ways to achieve that in your scenario:

  1. As mentioned in other answers, take the system with you, eg. on a usb stick. Encrypt it and wear it on your neck or lock it up when you sleep.
  2. Encrypt your Linux partitions but use a script to change the password every time. Use a separate device (your phone?) to re-generate that password. It could either be synchronized or it could capture some image your pc generates and use that to synchronize and re-generate the password. That's how some banks protect their online banking. Protect this second device with the same rigor as you would a usb-based system.
  3. Store your data on remote servers where you can see when files were accessed, and from which locations. Post-Monitor the accesses closely (from an independent, secure location). This will not give you protection, but it will give you proof. Access the data from a Live DVD only. Again: protect that Live DVD as if it were writeable.
  4. Use a different PC in a different location altogether.
  5. Only work on paper and burn that paper after you use it. Make sure it burns completely and doesn't leave indentations on the sheets below like in the movies.
  6. Become a genius and run Linux in your head. But don't take drugs, don't let yourself be kidnapped, and make sure nobody slips something into your drinks.
  7. Just use the PC, but relocate with it into a new household.

Also don't forget to protect your backups, your usb sticks, and anything else you plug into your PC. Especially when choosing option 6.

MarLinn
  • 238
  • 1
  • 5
  • 1
    My thought also, that he should move his actual *computing and data* into the cloud. Access via the LiveDVD and also implement a Yubi key, or equivalent. – Paulb Jun 18 '16 at 12:53
3

Other folks had some great ideas. I didn't read down to determine whether or not this was already mentioned, so I apologize if it has been. I know you mentioned you cannot physically lock the door to your room, but how about working solely off of an external hard drive, encrypting it, and locking that up elsewhere, in a lockbox or safe or something like that? Then hide the key or make sure it is on your person at all times.

You could even go as far as to put a small lockbox containing the external encrypted hard drive in the glove compartment of your car. Then lock up your car. Then that's up to 4 obstacles (decrypting data, key for lockbox, key for glove compartment, key for car) these hackers would have to go through to access your data (depending on if you have the same key for the compartment as for the door to your car).

As others mentioned, working entirely off of a live CD is a great idea.

ted123
  • 31
  • 1
  • 1
    I think an SSD would survive the vibration of being in a car better than a physical spinning HD. As for the heat from being parked in the sun all day, probably bad for both. – Xen2050 Jun 16 '16 at 09:48
  • @Xen2050 Nonoperating HDDs are commonly rated to a few hundred G at low frequencies, so that's not really much of a problem. (Check the data sheet for your particular one if you are curious.) Shock while operating is commonly far less. As for temperatures, I agree. – user Jun 16 '16 at 20:26
3

I see lots of people mentioning that physical access is game over. While this is true given a well resourced attacker, there is a defence against less well resourced ones: Qubes OS and antievilmaid.

https://www.qubes-os.org/

Qubes is essentially Xen running Fedora VMs (you can have other VMs, including Debian and Windows).

antievilmaid is a program which uses the TPM (hardware security module) to encrypt a secret, then, on boot, decrypt it and present it to you. The key for this encryption is derived from hashes of ROM, boot loader, etc. If something in this list is changed, the hash changes, and your secret cannot be decrypted. So your computer identifies to you as you boot, telling you "I have not been changed since you encrypted your secret".

Qubes has the ability to map all USB controllers to a separate VM, so someone plugging in a USB keylogger would end up keylogging an inactive VM while you're happily tying away on dom0, which forwards to the active VM. The USB VM will never be active, as it role is to just sit there, and control the USB controllers. If you need a USB port, you can temporarily forward it to another VM.

Since the Qubes partition will be encrypted, you don't need to worry about Windows users dumping the partition. Attempts to modify the boot loader to log the disk passphrase will cause antievilmaid to fail to present your secret to you, since the bootloader will hash to a different key.

user36303
  • 131
  • 1
  • 1
    I just bought a keylogger and put it between the keyboard and the computer on a day you happened to not check (assuming you were in the first place). For under $50, I got all your account and decryption passwords despite Qubes' security measures. – Qwerty01 Jun 16 '16 at 01:38
  • I don't mean to say this is a bad answer, but physical access most certainly is game over. – Qwerty01 Jun 16 '16 at 01:38
  • Hmm, point, yes. I guess it's a lot easier for desktop computers too. But the question does say physical access is a hard prerequisite, so... – user36303 Jun 16 '16 at 07:10
  • @Qwerty01: Would you like to try plugging that into my laptop keyboard? – Joshua Oct 28 '17 at 02:11
2

Apart from what others said (Live CD, full disk encryption etc), the following are some precautions.

(1) Download your Linux distro on a trusted computer. Don't do that on your Windows system because the ISO image may get replaced/infected/amended secretly. Don't just trust checksums (checksum utilities can be fake, too).

(2) Sign on your Live CD/DVD/USB stick. I mean, put a physical signature on it so that you can check whether you are having your data storage device. It is not hard to prepare a Live CD/DVD with a fake operating system. Using a write-once-read-many CD/DVD is the best option.

(3) Don't type on physical keyboards. If you know some programming you can write your own on-screen keyboard. Don't use qwerty layout. Instead, create a custom layout which only you know. Don't paint the characters on the keys. As long as there are no characters being shown on the keyboard, it is useless for your household members to record what you type by a hidden video camera. Remember use that custom keyboard only when you are typing in password fields (in which characters are replaced by other symbols such as dots) so as not to reveal your layout.

(4) Use a key obfuscator. A key obfuscator dispatches random key events in the background. If keyloggers are present, they will receive all the random keystrokes, which means it is much harder to recover your credentials.

tonychow0929
  • 2,247
  • 3
  • 13
  • 14
2

Another idea:

You could buy a cheap single-board computer (think Raspberry Pi). The Pi 3 is fast enough to replace a desktop PC if you're only browsing the internet and watching movies etc and costs about $40.

It's powered by an usb phone charger cable (or another computer's usb port) and supports hdmi output. It's small enough that you can hide it in a sock :-) or carry it around in your jacket pocket. It's probably even safe from hardware keyloggers, because you can immediately see any manipulation, since it's just a single board. It boots from a micro sd card, which is so tiny that you can hide it basically everywhere (or put it in an old smartphone or camera). You can easily modify the initial ram disk on the sd card so that the system uses another root partition - e.g. one on an external usb drive (this is something you should seriously consider because sd cards aren't made for running write-intensive operating systems on them). Plus if you don't want to or can't hide the Pi, you can easily explain it's presence - and the fact that you're suddenly using Linux - by saying that you want to tinker with the Pi - buy some additional cheap connector cables, a breadboard and Leds for a dozen bucks or so and look at some cool easy projects you can do with the Pi that make Leds blink. You can then use two sdcards for booting; the secret one you use when you want privacy, and the public one you use as a decoy which only contains a standard raspbian image and some blinking-leds projects.

This solution doesn't even touch your Desktop system, gives you much better control over the hardware (the only remaining hardware danger is your keyboard) and is pretty much immune to any readily available software malware (because it's an uncommon hardware platform). Plus it is easily explainable because lots of people love to tinker with a Pi, so if you're even remotely the type who'd be interested in anything like that, here's your perfect explanation of why you're suddenly interested in owning a second computer running only Linux.

Out of Band
  • 9,200
  • 1
  • 22
  • 30
  • "the only remaining hardware danger is your keyboard", you could get a roll up or at least very slim portable keyboard and carry it and your Raspberry Pi in a tote bag. – pilkch Feb 27 '17 at 01:57
1

While it might be in theory impossible to prevent an attack given physical access, you can do a lot to limit the physical access to what matters, thus limiting the attack vectors.

I think your best option would be a custom Linux boot CD plus an encrypted USB stick for storage. Many distros make creating a custom CD fairly easy, including Arch and Gentoo. A security-focused distro might also be an option, like Kali or Ubuntu Privacy Remix. Even a normal boot CD like Knppoix is probably sufficient in many cases if you are not dealing with attackers with unlimited resources.

The primary benefit of a security-focused or custom CD is the ability to tweak how the drivers work, allowing you to prevent loading drivers to potentially compromised hardware. While there are still risks, the difficulty involved in, for example, hacking the BIOS is substantially greater than the vast majority of casual attackers are capable of.

Of course, you should always be aware of the hardware. Use a wired keyboard, never wireless; even better, use one you can prevent access to by unplugging it, like a portable tablet keyboard. Ensure no foreign peripherals are installed and that the internals of the system have not been tampered with before booting. Any USB or FireWire device, PCI card, and indeed any hardware you are not certain of is a potential attack vector.

Be careful of network and internet. You should assume you are subject to ARP poisoning and take measures such as blocking all non-encrypted traffic.

To a degree, this is a question of how committed and skilled the people you are trying to keep out are. If you're trying to keep out a nebby wife who Googled "keylogger", the measures you need to take are substantially different than if your roommate works for Chinese computer intelligence.

And of course, a benefit to the boot CD + tablet keyboard + USB stick approach is that, depending on the context, the attacker might not notice this is even being done. You could easily keep around dummy installs that you "use" occasionally to keep up appearances.

1

Use a hot-swap cage for you hard drive, and remove the hard drive when not in use. Take away with you or keep in a safe place.

Such drive can be connected to the usual SATA connection. Unlike with USB, you do not loose your speed and it can be any capacity. The OS can boot from this drive no problem - and they really cannot get anything from your computer when you take the drive away.

h22
  • 901
  • 6
  • 10
1

Most of the answers are over complicating this on the software aspect.

If you set the CMOS password to prevent BIOS changes and lock the boot drive, lock the bootloader, set a login password, do a little research on any commonly forgotten login screen bypass hacks, and you don't forget to lock your session when you walk away, then there is practially no way anyone can get in though software be it GNU/Linux or Windows.

I know you said you are not interested in protecting against attacks that require custom hardware or highly advanced attacks, but if you did, but you would want to disable any Firewire ports since those give DMA access, and possibly disable USB plug and play just to be safe from exploiting USB driver bugs.

So if they want to gain access to your computer they'll just get in to the hardware. So set it up for full disk encryption. Then you may want to have a lockable chassis and configure the chassis intruder switch to wipe the encryption key from memory and erase the rest of RAM.

If you think they may pick the chassis lock or modify your keyboard, then make your keyboard and chassis tamper evident by getting some good stickers with your signature or such on them that will rip apart if your keyboard or computer chassis is opened. Make sure they're good so that heating them up with a hair dryer won't defeat them. You could also use something like sealing wax and a custom stamp. Putting wax by the stickers would reveal if they've been heated. You'll have to get in the habit of checking the integrity of the tamper evident features each time you turn on your computer. Otherwise they could put some kind of cheap DMA hardware in there or some external PCIe attachment that lets someone retrieve your disk encryption password from memory. Or they could clear the CMOS password and reconfigure your BIOS to boot up a full disk encryption password stealing tool and wait for you to come enter it in.

Make sure that your screensaver unlock password is different from your full disk encryption password. Otherwise, if they image your encrypted hard drive, they could then get your password from you by presenting you with a fake unlock screen. By the time you enter you password and find that the unlock screen was a fake, it may have already sent your password to them over the network.

Make sure they don't monitor your keyboard by having a hidden camera pointing at it.

Verify everything you download in case they do something to the local network that adds malware to downloaded files.

Alex Cannon
  • 402
  • 2
  • 7
0

My primary PC consists of a passwordless desktop PC, that anyone in the house can use. From this machine I connect to a Windows 10 machine running on Azure. I don't have an issue with anyone installing keyloggers etc (I don't think!) but there are a number of 2 factor authentication options freely available to home users that would make the password for that machine useless without the device you use to login.

With a clean up script to delete MSTSC saved settings and a VPN it would be impossible to know you were connecting to a VM.

The other suggestions here address the keylogging issues, and booting from a live CD etc would keep the underlying OS clean.

Obviously there is a cost issue here, but you could use AWS spot instances and only start one when you wish to do something that you want to keep private, this makes it a reasonably nominal cost.

It is an alternative approach, and perhaps doesn't completely address your needs, but it can provide a good solution to privacy (unless you're wanting to keep things private from governments and big corp of course)

Michael B
  • 446
  • 4
  • 13
0

Something that doesn't seem to have been mentioned in the other answers is the HDD password.

If you set a HDD password on your drive, it will refuse to talk to the computer until you gave it the password. The BIOS prompts for the pass at boot time. You also have to set the password in the BIOS setup.

The advantage is that it will be very difficult to read or alter the data on the drive when your computer is powered off, because the drive's controller won't work.

It doesn't replace encryption (because some companies still can read the platters directly), but it makes it impossible to mess with your system or read your data without being very motivated (and willing to pay).

Just notice that if you lose the HDD password, your drive will simply stop working, definitely (some manufacturers have "master keys" and some can be found on the Internet, but it depends on the model and I wouldn't count on it).

Finally, know that some drives (like Samsung's SSD 850 Evo) encrypt the data on them with the HDD password, providing real security).

Hey
  • 1,915
  • 1
  • 17
  • 24
  • Only works if you shut down your machine. If the OP is using full-disk encryption (as he says), I'm not sure this will add any additional security. – schroeder Dec 13 '16 at 18:03
  • It can at least make evil maid attackes way harder : the encryption provides confidentiality, and the HDD passwords provide integrity. I thought it could help. – Hey Dec 14 '16 at 20:48
  • The problem is there is a growing number of tools available to unlock ATA locked hard drives from certain brands. – Alex Cannon Apr 19 '18 at 03:12