Hey everybody, I was recently looking into improving the security of my laptop, and by security I mean more than just a Kensington laptop lock. So I thought, why not ask one of our elite cyber spec ops warriors! I reached out to a friend who knows th3j35t3r and asked if he could make any recommendations. He came back with a nice overview of his rig:
- Laptop, business class
- TPM chip – allows him to lock hardware to the device. For example, if you pull the hd and put it in another machine, it will not work.
- Biometric login
- BIOS/boot password
- Full disk encryption across the board
- Won’t boot without a secure token (usb)
- 2 wireless cards – one normal, one transmitting decoy access point ssids
- Two factor authentication on all accounts using Google authenticator w/ mobile device
- Laptop pings cellphone over Bluetooth every few seconds. If cellphone goes out of range, laptop locks and requires fingerprint and phone to re-login.
After looking this over I sent a note back asking if I could use it here in Team Room. I was surprised and very happy to get a note back that The Jester was writing a full post on this topic, and I’d be able to publish it here for you guys.
This is way above and beyond where most people need to be with their laptops, but it’s still fun to know how the-best-of-the-best hackers treat their tools of the trade.
So, without further ado…
Jester’s Loadout: The Laptop
‘Have more than thou showest, Speak less than thou knowest, Lend less than thou owest’ – William Shakespeare
So I wanted to continue my ‘Loadout‘ series, as I know I’ve neglected it to the point that the ‘series’ currently consists of only one other article. It’s busy times, so I apologize in advance. I get lots of questions regarding how I secure my connection and manage to stay ‘underground’ for so long. I thought about talking about that, but decided against it, at least for now for reasons I am sure must be obvious to anyone who possesses an IQ that exceeds that of Mr John Tiessen AKA @johntiessen and that of Ms Jennifer Emick AKA @asherahresearch combined. (Sorry couldn’t resist).
Now there’s something to be said for spreading your operation out, so if ‘they’ (whoever your ‘they’ is) get one thing they don’t get it all. But there’s also something to be said for keeping your attack surface as small as possible. Its two schools of thought, I prefer the latter. It makes things manageable and easier to monitor. This is why EVERYTHING I do, whether offensive, defensive or passive, as ‘Jester’ is done on a single laptop. There is zero cross polanation between that and my actual identity. This ensures that even if the laptop somehow leaves my possession, all they got was ‘Jesters’ laptop. This blog post will concentrate on how to secure that laptop and the information on it from physical or coerced infiltration, so even if they get a hold of it in your absence, it’s a case of fuggit, no harm done.
What to buy
We’ve all been there. In the store. Pesky sales guy honey-badgering the shit out of us. There’s all kinds of shiny objects begging for our money. The hybrid lapTab, the gargantuan power house laptop that takes 3 thick-set fully grown fighting age males to move from A to B, it’s a minefield. Here’s my advice for what it’s worth.
Don’t buy anything other than business or enterprise class machines. They are easier to upgrade later or sooner if you are the same as me with gigabytes of DDR3 Sodimms floating round the place along with a bunch of SSD MSata’s. My point here is simple, enterprise class machines are uglier yes, but they are built to easily be ripped apart so you can get inside and upgrade, and they come with things like TPM chips and extended BIOS which we will get to later in this post. I won’t be mentioning any actual laptop brand names so don’t ask folks.
Sooner or later you are gonna want to upgrade, bear this in mind when you buy. Me personally, I like at least 16Gb Ram and a system drive (or a internal disk that boots the OS) that is MSATA SSD for speedy boots and a secondary internal SATA that I use for storage. All this can be fitted into a very small enterprise class form-factor, that’s what they are built for, and good luck finding consumer models that allow the same level of flexibility, power and form-factor.
First thing you will want to do is secure your BIOS, set individual passwords for BIOS modification, system boot, boot drive selection and anything else your particular BIOS version allows. Mix it up a little. Also enable any biometric options and your TPM (Trusted Platform Module) chip. When you do this you also need to ‘own’ your TPM so it is not the same chip config as when it left the factory.
Full Disk Encryption
I am fully aware that most readers are running Windows, so I would advise for the sake of argument, utilizing Bitlocker which ships with the Pro versions of Windows as standard.
- System Drive (SSD) I would advise for this drive to use Bitlocker and allow 2-factor authentication, you can use the group policies within windows by running ‘gpedit.msc’ to force you to have to insert a USB stick into your laptop in order for it to even boot, even though you have previously enabled your TPM chip. This combined with your BIOS password means someone needs ‘something you know’ as well as ‘something you have’ to get the laptop to boot.
- Storage Drive (SATA) For this disk on a Windows laptop, my advice would be to use Bitlocker again, but this time, just make it TPM based only IE: you don’t need a USB stick to access it, decryption is transparent, but it does however need to be physically present in your particular laptop. No other will do.
Caveat: I know I know, Bitlocker is MS but this combined with the 3rd ‘plausible deniability’ solution below covers you pretty nicely.
A lot of enterprise class laptops these days come with Biometric Fingerprint scanning hardware, drivers and software to prevent logging into your OS of choice without your finger being present at the time of login or unlock. Enable this too. When you enable it you can select which finger you use as your key. If you are right-handed use your left pinky, and vice versa. That way when ‘they’ cut your digit off to access your machine you are not completely fucked.
Important sidenote: Never, ever, under any circumstances nominate your thumb for fingerprint scanners, humans are the only creatures blessed with opposing thumbs, you’ll miss not being able to use scissors without mom’s supervision.
Ever walk away from your machine and forget to lock it? Yeah, it happens right? There’s software out there available for free that allows you to associate any bluetooth device with your laptop. The most obvious device to utilize here is your cell as it’s most likely to leave your workstation when you do. This software causes your laptop to ‘ping’ your cell over bluetooth every few seconds, if your cell is out of range, your laptop locks down and requires your 2 or 3 factor authentication in order to let you back in.
Worst case scenario. You and your laptop are compromised together. Nobody wants to lose a digit here right? This is where we get really tricky. There’s software that will allow you to encrypt your system drive as a hidden ‘partition’ and have another decoy system drive, such that one boot password will boot the decoy partition and the other password will boot the real one. That way if you really are in the shit, you can appear to be giving up your machine when in actual fact you are merely giving up the decoy, which obviously contains dummy/fake information.
For those interested it looks a little like this:
Now that’s what I’m talking about. All these mechanisms are available cross-platform (well Linux and Windows at least) I have not gone into full details of individual specifics for obvious reasons. Google is your friend. Seek and ye shall find.
Disclaimer: All information here is my humble opinion and theoretically explaining what I would do if I was an international man of mystery hacker type super-geek. Nothing more. Peace.