There is a wealth of information on how to secure your computer against remote intrusions and infections by malicious mobile code on the Internet, and such topics are central to a lot of formal IT security education. Physically securing a computer against theft is generally pretty easy, if you’re smart about it. A more problematic area of security for your IT resources is that of securing them against unauthorized use when someone has physical access to them.
Whole books — whole libraries, even — of discussion of this subject have been written, for purposes of controlling how computers are used on a corporate network, monitoring their use, and even dealing with the sticky problem of policy enforcement. An oft-neglected matter is that of just ensuring that other people do not have unauthorized access when you leave your computer unattended for a few minutes.
There may be any number of reasons this facet of computer security is important to you, in particular. For instance:
While you may think the workplace is a safe place to leave your computer unattended, even when there isn’t strict employee monitoring going on, it’s always worth ensuring you don’t fall prey to the malicious behavior of disgruntled employees or unexpected visitors.
In a workplace where employee behavior is audited based on activity under login name, it may be desirable to ensure that nobody else can do something under your user account while you’re on break.
If you spend a fair bit of time in coffee shops and other public places, working (or playing) with your laptop, you may find yourself certain it won’t be stolen but not so certain that someone won’t do something with it while you’re away. Even normally trustworthy friends with whom you leave your laptop might have a mischievous streak and decide to change your GUI configuration to use a painful color scheme, such as MS Windows’ Hot Dog Stand theme.
While one would hope you do not leave your computer so unprotected as to get it stolen, protecting your sensitive data against recovery by thieves can be very important.
Let’s assume you use the obvious, high-tech measures that are all the rage these days — e.g. full disk encryption, strong password security for OS login, and individual file encryption where warranted. More immediate concerns, of the sort that can help protect you when you leave your laptop to go to the bathroom or when you leave your desk for an IT department meeting, should still be addressed. Five simple measures that can be taken to improve the security of your system against those who have direct access follow:
1. Set a BIOS/CMOS password.
On one hand, setting a BIOS/CMOS password for a computer doesn’t really provide much in the way of “real” security. If someone doesn’t mind taking apart the computer and pulling the CMOS battery off the motherboard, it’s easy to bypass a BIOS/CMOS password. On the other hand, if someone is only going to have access to your computer for a few minutes while you’re away from it, that can prove a significant stumbling block — a problem that could slow down someone’s ability to get in and out before you get back. Since the BIOS/CMOS password would then be cleared, rather than simply cracked, you would also have a pretty good indicator that someone was trying to get unauthorized access to what’s on your computer.
2. Disable booting from external media.
With the ability to carry around an operating system on a floppy disk, a bootable CD or DVD, or even a USB flash media storage device, any number of security cracking tools can be brought to bear very quickly by simply inserting such bootable media into the appropriate drive, tray, et cetera, and rebooting the machine. If you have all boot options other than your hard drive disabled in the CMOS settings, though, those settings would have to be changed to allow someone to boot up another OS with a bunch of automated security cracking tools. If you have a BIOS/CMOS password set, the would be security cracker will not be able to change those boot device settings without clearing CMOS settings, as I described above.
3. Always lock your screen and/or log out when away from the computer.
Leaving your computer running with everything still active and receptive to user input while you’re away is the quickest and easiest way to give unauthorized people access to a lot of stuff on your computer. Full disk encryption doesn’t do much good if you leave it running with the disk decrypted for use so any old joker can come along and sit down in front of it, pretending to be you long enough to copy sensitive files to a USB flash media storage device or — perhaps even easier — email them to himself via GMail or Yahoo! Mail. Use your system’s screen locking functionality to protect against this kind of physical access, such as a screen saver that won’t deactivate without a password, or just log out of everything so anyone that wants access has to log in again.
Some GUI environments don’t include this kind of functionality by default, of course, including my own window managers of choice (AHWM and wmii). Users of lightweight GUI environments like these are not without options, however; I use a tiny little screen locking utility called slock to get the screen locking capabilities I need, and it works brilliantly. If you use a tool like that, however, make sure you remember to log out of your TTY consoles as well, because slock and its kin will only lock the X session — not the TTY consoles.
4. Only use secure memory for encryption tools.
As I explained in the “insecure memory” FAQ, encryption tools that take a password have to be able to store that password somewhere when you use it — and if your computer’s RAM is being taxed by heavy usage, some of what’s in memory might get swapped to disk (i.e., stored in the page file, in Microsoft terminology). If that happens, it becomes difficult to ensure that the data will not still be there when you shut down your computer, sitting inertly on the hard drive, waiting for someone to come along with a simple forensic tool to recover your encryption password.
The key is to make sure you’re using secure memory — basically, memory that is managed differently from the way RAM usage is normally managed by the OS, so that the contents of the memory locations set aside for a given application will never be swapped to disk. See the “insecure memory” FAQ for more details. While you’re at it, make sure you don’t leave a computer unattended where others can get at it for a few minutes after your first shut it down, because even data stored only in RAM can sometimes be recovered if a malicious security cracker with physical access to the machine is very quick about it.
5. Set speedbumps in the way of unauthorized password recovery.
Most modern, general purpose OSes these days offer options for recovering from varying degrees of system corruption and user error. Some of these can even provide a means of recovering or resetting a lost administrator password — which then, in theory, gives one almost unfettered access to everything on the system (barring need for additional passwords in the case of encrypted files and the like). One of the easiest ways to accomplish this is with alternate operating modes, such as MS Windows Safe Mode and Unix (and Linux) Single-User Mode.
Safe Mode can ensure that a lot of security software is disabled on MS Windows, including some logging tools and encryption utilities that you may use. A stumbling block in the way of the would-be security cracker, however, is to simply make sure you give the Administrator account a password; by default, MS Windows XP (for instance) creates the Administrator account without a password, which is a terrible lapse in good security practice. Rectify that problem, and Safe Mode will be inaccessible to the casual, “drive-by” unauthorized person who wants access to your system. If such a person has one of the dozens of simple MS Windows password recovery tools available for free download from the Internet, though, this won’t be much of a barrier to entry.
Unix and Unix-like systems, on the other hand, tend to be more difficult to crack when it comes to circumventing security on the root password. Such OSes do have a Single-User Mode that can provide root-level access to much of the system if you don’t have it set up properly. It is possible to change configuration for TTY consoles to deny root access, to solve this problem, though. How this is accomplished will vary from system to system. For instance, on FreeBSD and Apple MacOS X the configuration options you need are in the /etc/ttys file, and on many Linux systems they’re in the /etc/securetty file.
Wrapping Up
Obviously, this article isn’t intended to provide you with better perimeter security in your enterprise network, or to teach you how to perform a site survey or penetration test. It is, however, meant to remind you about the sort of security measures that we should all employ on an individual basis, no matter what the context — work, home, school, et cetera — in one of the most overlooked, but most common, cases of vulnerability created by user carelessness. It isn’t comprehensive (it’s only a five item list, after all), but it gives you a place to start.
Often, the weakest link in a chain of security is the user. Don’t let that be true of you.
Tuesday, December 9, 2008
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment