Just like your friends, don't abandon your boxen, either.

25 September 2008

A basic maxim of information security is that when someone has physical access to a machine, all bets are off. If someone can touch a box, they can do pretty much whatever they want to it: if the console is unlocked they can poke around at whatever the access privileges of the logged-in account will allow (how many of you configure your screensavers to require a password to turn off? how many of you walk away without logging out?), and possibly copy data to a removable storage device, such as a USB key. An intruder can also power the machine off by pressing the power button or disconnecting the power or battery (in the case of a laptop) and steal any removable media attached to the machine for later analysis. More likely, if an intruder is going to go to the trouble of killing the power, they may as well steal the hard drive(s) while they're at it to analyze elsewhere. Such measures are un-subtle, however, and will be detected rapidly if the system is in use (as it would be in a corporate data center).

Mitigating measures are simple and common sense: don't walk away from a machine without logging out or locking the screen. If you absolutely have to, the machine really should be in a secure room that a small number of people have access to (like a data center). Set your screensaver to come on after three minutes and require a password to unlock it. You might even want to become familiar with keyboard shortcuts for locking your screen (Windows: Windows key + L). I sincerely hope that you lock the doors and windows of the place you live. When transporting gear, store it in the trunk of your vehicle where it isn't visible (and thus, unlikely to be stolen), and if you have to leave it out someplace, lock it down.

People who read my weblog occasionally know how much I love Live CDs - bootable CDs or DVDs containing self-contained versions of Linux or BSD full of tools that might not be otherwise available. An intruder could easily reboot an unattended system with a Live CD, attach a removable drive, and root through the contents of the system for interesting-looking files. In point of fact, they could also take a forensic image of the hard drive. If you think that this isn't an issue, please keep in mind that laptops that cross the US border are sometimes pre-emptively imaged or even impounded for arbitrary periods of time... just in case you're up to anything, whether or not you look suspicious. The border patrols of some countries are also interested in the kinds of media files you're carrying around and where you got them, and given how forgiving border guards are, it's probably not very easy to explain the difference between a podcast licensed under the Creative Commons and a song you downloaded from Usenet. Not too long ago, Canada proposed a law that would allow media players brought into the country to be legally searched for pirated material, which would effectively turn border guards into media police.

If your concern is that this applies more to a server in a poorly secured data center, ask yourself this: when was the last time you locked up your laptop when you left it in your hotel room? Do you own an equipment cable? Do you make use of the safe in your hotel room when there is one? When was the last time you came back from the field and discovered something small but expensive was missing from your stuff even though you didn't fly (it's happened to me to the tune of a couple of hundred dollars)? Do you work from hotel lobbies, airports, coffee shops, or restaurants? How easy do you think it would be for someone to grab your laptop and walk away with it before you get back?

To mitigate this risk, there are many things you can do: physically lock your gear to something big and heavy or immobile (like a table or desk in your hotel room), change the boot order in the BIOS so that it won't boot from removable media (easy to do if you follow the instructions in the manual), and set a password that must be entered before anyone can a) enter the BIOS setup screen or b) boot the machine. Setting a BIOS password is considered best practice in the industry for portable devices, especially given that some operating systems may not prompt you for a password, instead presenting a set of icons for the accounts you can log into. If you're feeling hardcore you can purchase locks that seal the CD-ROM drive or USB ports of your computer, but that seems too extreme for the sort of threat model I'll usually be writing about here.

This work by The Doctor [412/724/301/703] is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.