0

For someone who deals with dangerous files and websites frequently or even for the general user what is the way to avoid getting infected by spyware/virus permanently?

I am looking to buy a new laptop and the problem mentioned above is what I am worried about. Here is one idea that came to my mind: Use two usbs. One is a live USB to be used as the operating system and another for storage. And I encrypt the harddisk completely before so some malware can't jump there. Or could I install the operating system on my USB? I could have multiple usbs with different operating systems. The priority is to protect the laptop from getting infected by an undetectable/unremovable pegasus kind of malware. Will the bios be secure using this method?

Should I also look for some specific type of hardware when purchasing a laptop? Like a non programmable bios if available?

What do you suggest?

User4857
  • 31
  • 3
  • The subject of undetectable/unremovable malware is a difficult state to test/measure to be free unless there is some evidence. "How secure" is a question of perception unless there are enough test criteria of the bootable media stored files available to be loaded. – Tony Stewart EE75 Jul 28 '22 at 23:05

2 Answers2

1

Frame change:

There's probably not a hardware solution to every risk of downloading malware regularly.

Solution:

Virtual Machines (VM). There is still a risk of a VM escape but it's pretty rare. Virtual Machines also let one boot whatever OS they want at will. Throw away or roll back OSes at will after an infection.

Considerations:

  • Disable any hardware passthrough (USB, PCIE, etc)

As for special hardware:

  • Plenty of RAM, both the host OS and the guest have to share.
  • Processor with support virtualization acceleration (Intel VT-x, etc)
  • Plenty of HDD, each OS needs room on the HDD for all it's stuff

It is recommended to keep one's VM software up to date to avoid lingering bugs which might allow a VM escape.

foreverska
  • 1,712
  • 11
1

And I encrypt the harddisk completely before so some malware can't jump there.

Your bootloader will still be unencrypted, and disk encryption modes (such as XTS) are malleable, making it possible for malware to intelligently modify the contents of the disk without knowing the key.

Will the bios be secure using this method?

No. Any task running on a computer with superuser (kernel mode) privileges will be able to modify the BIOS if the hardware allows it. Look into CHIPSEC, a firmware security analysis framework. It will give you a lot of information about your system, including whether or not your firmware is writable. Spoiler alert: It probably is (and if not, I'm sure your option ROMs are writable!).

What do you suggest?

Use a computer with Intel BootGuard and don't keep anything on it that you don't want stolen. Simply buying a computer with the feature isn't enough; you must understand the capabilities and limitations of trusted boot technologies. This is a fairly difficult task, so honestly, you're probably better off using a burner computer for your malware analysis jobs. Look into how TPMs can provide integrity as well.

forest
  • 65,613
  • 20
  • 208
  • 262
  • 1) You say the bootloader will be unencrypted but can't you simply access boot settings and set a password (encrypt) for the bootloader and it asks you each time you power on your computer? – User4857 Jul 30 '22 at 07:10
  • Nope. The bootloader is always unencrypted and it has to be. In fact, usually the entire kernel is also unencrypted! You can ask your BIOS to ask for a password, but it only helps with casual security. It's very easy to bypass and does not involve any encryption. Only [trusted boot](https://security.stackexchange.com/q/39329/106285) technologies (of which BootGuard is an example) can detect (but not prevent!) tampering, and they're not trivial to use. – forest Jul 30 '22 at 07:12
  • 2)Are there any encryption modes beside XTS that are not vulnerable or malleable? 3)When you say that method won't be secure do you mean installing an OS on a USB? But I should not have those problems if I use a live USB right? – User4857 Jul 30 '22 at 07:14
  • Yes, there are modes that are not malleable. Some encryption software supports integrity, where the cipher is combined with HMAC to detect tampering. However that doesn't really help when your BIOS can just be overwritten. Encryption is useful for confidentiality. You need other tools if you want to ensure software integrity. The only way to do that is with some form of trusted boot. See QubesOS' "Anti-Evil Maid" tool for a relatively easy-to-use example, or the academic STARK/MARK for a more powerful but much harder to use tool. It's not something you can just "turn on" and be secure. – forest Jul 30 '22 at 07:15
  • Does Intel boot guard or other similar setups work if I modify the contents of the harddisk? For example if I do a full disk encryption with ubuntu and delete windows and install that? Or another OS like qubes? Or is it independent from the harddisk? – User4857 Jul 30 '22 at 07:22
  • @User4857 It depends on your set up. Usually all they can do is allow you to _detect_ tampering. See the link I just added. Basically, a TPM can store ("seal") a secret value, and it will only unseal that value if it has detected that the system has not been tampered with. It can display that value on the screen, and if you don't see it, you can surmise that the system has been tampered with and you can decide not to enter your encryption password. – forest Jul 30 '22 at 07:22
  • I am not sure if I understood you. My question was that can I modify my harddisk without affecting the boot guard? – User4857 Jul 30 '22 at 07:27
  • @User4857 All it verifies is things like the bootloader and kernel (and associated boot components). It's up to the kernel to then verify the rest of the hard disk (e.g. with dm-verity or IMA on Linux). – forest Jul 30 '22 at 07:28
  • If it verifies the bootloader and kernel only then I don't think that erasing the harddisk should have any effect on it. But if the bootloader is infected can the attacker somehow remove the warning the boot guard will give or is that tamper proof? – User4857 Jul 30 '22 at 07:33
  • If the bootloader is infected, BootGuard will refuse to boot it. However files on the hard drive could be infected and if the kernel doesn't verify the contents, you would never know. You'd also need to use CHIPSEC to make sure (or at least be a little more confident) that the BIOS doesn't have any bugs that would allow it to be easily overwritten. Normally BootGuard would prevent that, but you never know... Firmware developers rarely write very secure software. – forest Jul 30 '22 at 07:34
  • So you are saying that boot guard is tamper proof? – User4857 Jul 30 '22 at 07:35
  • @User4857 It is only tamper-resistant for _certain components_ of the boot chain. Those other components must verify the rest of the device in order for your _system_ to be tamper-resistant. And verified boot using a TPM is similar, except it's tamper-_evident_ instead (which is just as good if you use encryption). – forest Jul 30 '22 at 07:36
  • Thanks. You have been a great help. – User4857 Jul 30 '22 at 07:37