Imperial Command

Physical Security

The first layer of security you need to take into account is the physical security of your computer systems. Who has direct physical access to your machine? Should they? Can you protect your machine from their tampering?

How much physical security you need on your system is very dependent on your situation, and/or budget.

Obvious physical security methods such as locks on doors, cables, locked cabinets, and video surveillance are all good ideas, but there are limits to what you can accommodate for your desktop(s) and laptop(s).

For your personal Desktop computer(s), it is unlikely you will be able to afford the cost or space of a dedicated area, lock and key security and a round the clock security staff that a corporate data center can accommodate. And of course, there will be times that your Laptop(s) will be unattended as well.

At some companies, leaving your console unsecured is a termination offense.

These work place data protection policies should be extended to your personal systems as well whenever possible. (though a bit difficult to terminate yourself...)

Cases and Computer locks

When selecting a case, consider a Server or Server Style case as many of these cases include a "locking" feature of one kind or another. Case locks can help prevent someone from opening up the case and directly manipulating / stealing your hardware. Depending on the style and features, they can also prevent someone from rebooting your computer from their own floppy, Live CD or USB drive.

Some styles of case make it so you have to break the case to get the case open. On others, they will not let you plug in new keyboards or mice (also helping to prevent some one from installing a cheap hardware key logger).

Cases such as these can sometimes have very useful features, even though the locks are usually very low-quality and can easily be defeated by someone with determination or rudimentary locksmithing.

As such, these measures are effective only against the situation where your computer is not stolen, seized or the victim of a sneak and peek intrusion by State sponsored thugs.

Think, protection from the curious or the malicious amateur.

BIOS Security

The BIOS is the lowest level of software that configures or manipulates your x86-based hardware.

Most PC BIOSs let you set a boot password. Though this doesn't provide all that much security.

The BIOS can be reset if someone can get into the case. So this is at best a deterrent in that it will take time and also leave an obvious trace of tampering.

Another risk of trusting BIOS passwords to secure your system is the default password problem. Most BIOS makers don't expect people to open up their computer and disconnect batteries if they forget their password and have equipped their BIOSes with default passwords that work regardless of your chosen password.

These passwords are quite easily available from manufacturers' websites and as such, a BIOS password cannot be considered adequate protection from a knowledgeable attacker.

Think, keeps the children or your cat from causing trouble. So, setting a BIOS password is probably not even worth bothering with.

Boot Loader Security

The various Linux boot loaders can also set a boot password. (GRUB / LILO)

Keep in mind when setting all these passwords that you need to remember them and remember that these passwords will merely slow the determined attacker. They won't prevent someone from booting from a Live CD / USB drive, and mounting your root partition.

Probably not another password you should even bother with.

GDM / KDM and user login

Linux started life patterned after a multi user system (Unix) and the login with password for the root and user accounts is very much a part of the normal Linux distribution.

For protection from remote logins, these remain reasonably effective. But for your Desktop(s) and Laptops(s) where someone has physical access, these are even more useless than the BIOS or Boot Loader passwords. The GDM / KDM user login is easily defeated by rebooting from a Live CD or USB drive.

Although you might like the system login splash screen, today they all have settings to enable “Auto Login” after boot for those that don't want to bother with entering the user name and password with each session.

For the personal Desktop / Laptop, these login managers have been more or less reduced to useless bloat, thanks to the LiveCD.

xlock and vlock

If you wander away from your machine from time to time, it is nice to be able to "lock" your console so that no one can tamper with, or look at, your work. Two programs that do this are: xlock and vlock.

xlock is an X display locker. It should be included in any Linux distributions that support X. In general you can run xlock from any xterm on your console and it will lock the display and require your password to unlock. This is often what your screen saver will use to lock the system when the screen saver is activated. (note, this feature is usually disabled if logged in as root)

vlock is a simple little program that allows you to lock some or all of the virtual consoles on your Linux box. You can lock just the one you are working in or all of them. If you just lock one, others can come in and use the console; they will just not be able to use your virtual console until you unlock it.

Of course locking your console will prevent someone from tampering with your work, but won't prevent them from rebooting your machine or otherwise disrupting your work.

More importantly, it does not prevent someone from switching out of the X Window System entirely, and going to a normal virtual console login prompt, or to the virtual console that X11 was started from, and suspending it, thus obtaining your privileges.

Though as we proceed and later get to protecting your system from any unauthorized reboot, the screen lock will become a much more useful deterrent when leaving your computer(s) unattended.

Security of Web Cam or Microphone

If you have a Web Cam or a microphone attached to your system, you should consider if there is some danger of anyone gaining access to those devices. When not in use, unplugging or removing such devices might be an option. Though it is unlikely anyone could plant spy ware on your Linux system that would use these devices to record what you do and say, the possibility exists and there is the greater possibility that malicious persons with access will hard-wire those devices for data capture.

Not the most serious of threats, but one to consider.

Detecting Physical Security Compromises

Depending on the scenario, this can be anything from difficult to nearly impossible to detect in an effective manner.

Obviously, if your computer is subject to theft or seizure, the compromise will be no secret and only the defenses you left in place can make a deterrent.

Unlike a server that is on all the time and an interruption of service will be noticed and system logs can be checked for unauthorized boot ups, your Desktop and Laptop are booted often. Checking logs every time you boot up is an extra effort. A savvy intruder would cover those tracks or boot from some other media and thus cover all tracks of an intrusion.

It is only prudent to check for signs of tampering on the case. However, unless you have a server style case with good locks, case entry is easy and locks will only slow down the determined intruder.

In this respect, Laptops are even more vulnerable. For most Laptops, it is only a screw or two that secures the hard drive. If a PATA drive, a simple adapter makes it a USB drive and it can be copied or tampered with. If a SATA drive, it only needs to be plugged into an E-SATA connector and the data can be transferred or manipulated even faster. In most situations, you would never know when it happened.

The deadly Key Logger

Logging your every keystroke may sound futuristic or James Bond like, but it is not. Hardware Key Loggers are relatively cheap and readily available to State and private thugs alike.

The products from http://www.keyghost.com/ are a good place to start.

For the Desktop, they sell an in-line device that plugs into the PS/2 keyboard port and the keyboard plugs into that. Unless someone looks on the back of the computer, they will never notice it. As of today, for just 89.99 USD, you can have such a key logger with 128K of storage to place on any such PS/2 keyboard and collect every keystroke the user makes.

Comments from their website:

It records every keystroke, even those typed in the critical period between computer switch on and the operating system being loaded.

KeyGhost even captures and displays key combinations such as Ctrl+C, Alt+F and Ctrl+Alt+Delete, making it easy to understand exactly what was typed.

Keylogger works with any PC operating system, and stores a continuous log even across multiple operating systems on one computer.

No software installation is necessary to record or retrieve keystrokes. KeyGhost is software free!

It has a capacity of up to 2,000,000 keystrokes stored with STRONG 128-bit encryption. (This is approximately 300,000 words, or 1 years worth of typing).

Keylogger features looping memory so you will never miss the most recent keystrokes.

Impossible to detect and/or disable by using software scanners.

It is a very user-friendly keylogger which can be easily used even by those with little computer knowledge. It has a very simple operation for such a powerful tool. Simply plug the key logger device into the keyboard cable.

The log in the KeyGhost cannot be tampered with. It is an authentic record of what was typed, and therefore, it may be used as strong evidence in a court of law.

Have a USB wired or wireless keyboard to capture data from? No problem, they offer a plug style for 249USD and a cable extension style for 199USD.

Too obvious to leave a plug exposed? They also sell a Microsoft Keyboard with the key logger embedded inside the keyboard. In most cases, people would notice a new keyboard and suspect something. But placing the hidden device inside your keyboard is just a matter of splicing it into the cable and you would never know it is there unless you take apart your keyboard and look for it. More effort than the few seconds it takes to slip in the plug type, but great for a sneak and peak raid. The only good news is: “Although no software can disable the KeyGhost USB Keylogger, it may be possible to detect a hardware change with software scanners in some situations.” So, at some point, Linux could be able to detect this added hardware and let you know about it..... But not today.

Of course you might be thinking that since your laptop has a built in keyboard that it is more secure or even immune from such a thing – wrong!

Just taker a look at the "KeyCarbon Raptor" from http://www.keycarbon.com/

From a press release: The "KeyCarbon Raptor" card records all typing on a laptop keyboard, plugs into the Mini-PCI slot of a laptop computer, and stores captured keystrokes on the onboard 256 MB MicroSD card. The card is 100% passive, requires no drivers, is undetectable by any software running on the laptop and operates from the moment it is plugged in. As the card is completely invisible to the Operating System (OS) it does not slow the computer down or drain system resources.

"Law enforcement and government agencies have led the way in adopting this card as part of their toolkit. Early adopters were impressed with how easy it was to record typing on a laptop, by simply plugging the card into a spare slot on the laptop. The passive card requires no drivers, and operates from the moment it is plugged in," said Shane Tolmie, President of BitForensics.

So, for just 187USD you too can have one. For just another 20USD, you can also have a mini-PCI to PCI adapter card to slip this into a standard PC as well.

Defeating the hardware Key Logger

For as deadly and damaging as these devices can be in collecting all your account names and passwords, with a little planning, they are not to hard to defeat or at least reduce the threat to a level only the NSA would attempt to get past.

Possible strategies for the Laptop:

Most Laptops have a mini-PCI slot somewhere. On my Legacy Dell C400, it is under the keyboard, so sneaking a Key Logger in there would take 10 or 15 minutes rather than a few seconds. Though the simple remedies would be: a) Disable the PCI slot by filling it with super glue. b) Install the Wireless card that belongs there. If the system originally did not have wireless, there will be no antenna, so it will get no signal. But it will always appear as an Ethernet device. Thus if it is missing from the Network Manager display when the network connects, it would be obvious the system was compromised.

For my Fujitsu, the slot has a plastic cover secured with 2 screws and it is on the bottom of the Laptop. Here again, I have a few choices. a) Disable the slot with some filler or glue material. b) Make a nice clear Lexan cover so I can see what is there. c) Add some device to the slot that I can easily notice from the desktop if it is missing.

Possible strategies for the Desktop:

First, do not use a PS/2 style keyboard that can only plug into the back of the computer. Rather, buy a USB keyboard and plug it into a front or top USB port (depending on your case). Right off, this defeats the PS/2 and USB plug type.

With your shiny new USB keyboard, take off the back, then put it back on with super glue or in some other way make disassembly impossible without visible damage. You will never service your keyboard, but buy another one if it fails. Sealing it securely will cause no harm and will defeat having any Key Logger installed inside it.

What about the insidious "KeyCarbon Raptor"?

Well, after you have your system up and running, you could have the case welded shut, but I do not recommend that as a practical solution.

Beyond that, if you have a server style case with locks and keys, how good are they and will they only slow down the entry or prevent it? Probably just slow it down.

But here we can take an idea from the Gaming computers. The clear side window and cold cathode lights. Either a window in your present case or a Gaming case, and you can see all the slots for yourself. Then you just need to remember to look in the window from time to time to see if your system has been compromised. If so, remove the Key Logger, destroy it with a hammer, then change your pass phrases on the computer and all your accounts.

There is no guarantee that the above steps would protect you from a serious NSA or Homeland Security intrusion with their unlimited budgets and specially made devices, but it is a practical defense against the average private and State sponsored thugs that buy from retail vendors and would try to install such a device.