3

I am on a project which is illegal in my nation but is not illegal anywhere in the world. In order not to get a 100yr sentence I should be prepared for seizures and forensics.

I am running a server with the ESXi 6.7 hypervisor, and it has three CentOS 7.5 VMs FDE'd with LUKS.

  • I have placed a thick resin on JTAG ports, PCIe ports and RAMs, in case of a cold boot attack.
  • ESXi shuts down automatically when chassis intrusion is detected.
  • I have a CCTV installed in the server room and if it detects too much movement, it will cut power to the server.

What more can I do to be more safe?

forest
John Doe
  • There was a great talk last DEF CON on physical security for servers... – forest Sep 04 '18 at 10:10
  • It may also be helpful if you gave us some hints on what kinds of things you need to do on those servers. Will they be hosting files that may be malicious? Will they be a social medium for a covert organization? Will they be used to download classified material from some gov't box you popped? Etc. I mean you don't need to go into specifics, just enough to make it easier to understand your threat model and what kinds of threats your servers will be exposed to / what kind of information they will be containing. – forest Sep 04 '18 at 10:28

2 Answers

5

The most important factor here is that seizure of the server does not result in your identity as the server's owner being revealed. This must be accomplished by both purchasing the server anonymously, and by not keeping anything on the server which may be linked to you. This is important enough that, without knowing your specific threat model at least, I would consider buying a dedicated server from a company like Ecatel anonymously and forgoing the extensive physical security you have put in place. The reason is that, with enough effort, any physical deterrence measures can be bypassed. A few notes on your current setup, though:

I have placed a thick resin on JTAG ports, PCIe ports and RAMs, in case of a cold boot attack.

Be aware that you would need to use tamper-resistant epoxy (and non-conductive and non-insulating at that), not just any thick resin, otherwise it may be possible to destroy it with various solvents. In addition, cold boot attacks do not always require physically removing memory. There have been instances where a server's BIOS was modified on the fly to trigger a low-memory footprint cold boot attack. Just because your RAM is epoxied down doesn't mean your RAM is safe.

ESXi shuts down automatically when chassis intrusion is detected.

Chassis intrusion is often very easy to defeat.

I have a CCTV installed in the server room and if it detects too much movement, it will cut power to the server.

There are many ways to defeat this. For example, gradually dimming (or increasing) the lights so no sudden change is detected. Eventually the lights will go beyond the camera's specifications and it will be effectively blind to any further motion. You can prevent this by using motion sensitive software which takes into account the risk of gradually changing ambient light levels to hide motion.

What more can I do to be more safe?

There are other things you need to take into account. Before you decide to host something highly illegal, you need to really understand in detail both your adversary, and various ways your anonymity can be defeated. For example, when you SSH into a server, your public key is uploaded to it. Unless you explicitly disable this in the configuration, every server you SSH into will be able to know you are the same person, even if you use a different IP. Additional things to keep in mind are keystroke biometrics, where your unique typing pattern (monitored either over the wire or on a compromised system) can be used to identify you. Anonymity is hard if you are going high-profile.

You must use remote attestation if you are going to be managing this server remotely. Setting up remote attestation can be complicated, but it is absolutely vital in this scenario. It will protect from firmware tampering as well as intercepting your LUKS password as you send it over the wire. Remote attestation is a technique using a device's TPM (yes, they are safe) to prove to a remote party that the software and firmware exist in a specific, known-good state. It will be able to send back to you a quote which cryptographically ensures that the server is in a good state.

But the most important thing of all... maintain your OPSEC!

forest
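
The quote check that remote attestation relies on, as an added example that is not part of the original answer: the verifier replays known-good boot measurements into a PCR value and accepts a quote only if its signature, nonce and PCR digest all match. HMAC stands in for the TPM attestation-key signature, and the key, component names and quote layout are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: known-good boot components and a shared demo key.
GOLDEN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
AK_KEY = b"demo-attestation-key"  # assumption: stands in for the TPM's AK


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def replay(components) -> bytes:
    """Replay a boot sequence from the all-zero reset value."""
    pcr = bytes(32)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def make_quote(key: bytes, nonce: bytes, booted) -> dict:
    """Server side (simulated): sign the verifier's nonce and the PCR digest."""
    pcr_digest = hashlib.sha256(replay(booted)).digest()
    sig = hmac.new(key, nonce + pcr_digest, hashlib.sha256).digest()
    return {"nonce": nonce, "pcr_digest": pcr_digest, "sig": sig}


def verify_quote(key: bytes, quote: dict, nonce: bytes, golden=GOLDEN) -> str:
    """Verifier side: check authenticity, freshness, then measured state."""
    expected = hmac.new(key, quote["nonce"] + quote["pcr_digest"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, quote["sig"]):
        return "bad-signature"
    if not hmac.compare_digest(quote["nonce"], nonce):
        return "stale-nonce"      # replay of an old, once-valid quote
    if not hmac.compare_digest(quote["pcr_digest"],
                               hashlib.sha256(replay(golden)).digest()):
        return "unexpected-state"  # firmware or boot chain differs
    return "trusted"


if __name__ == "__main__":
    n = os.urandom(16)
    print(verify_quote(AK_KEY, make_quote(AK_KEY, n, GOLDEN), n))
    bad = [b"firmware-modified"] + GOLDEN[1:]
    print(verify_quote(AK_KEY, make_quote(AK_KEY, n, bad), n))
```

A secret such as a disk passphrase would be sent only after the result is "trusted"; a real deployment verifies an asymmetric signature from the TPM's attestation key instead of the HMAC used here.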
1

Hmm... I do not know what your country is, but when I see illegal in my country, I immediately go back one step. Because as soon as your potential attacker is your government you have to prepare for much more than seizures and technical forensics. Some governments are known to use rubber hose forensics if they suspect something that they think to be serious enough.

That means that you should be prepared for plausible deniability. And this is hard to argue if you have set up a system able to auto destroy if a chassis intrusion is detected... Furthermore, you will find here a lot of advice that is relevant for the casual attacker. Because we are used to setting up security measures aimed at certain threats and possible attackers.

And IMHO if your adversary is a powerful governmental organization, only 2 paths can be used (both in the IT world and in the real world):

  • you are working in a comparable organization that can use physical defense and hire security experts
  • you manage to stay under the radar, so that they do not even consider seriously watching you

You will find here and there people saying that cops are stupid and do not understand the IT world. Do not trust that. All important governments nowadays have agencies in charge of Information Security. And there are true experts there...

Serge Ballesta