I was searching and reading this forum but couldn't find some answers. I need some help because my threat model are hacker bullies. Say they don't have physical access to my machine. But know where I live. I use linux, chained VPNs, VMs, firewalls, FDE. - About BIOS security. Could they hack my BIOS without physical access to my machine? - Is there any other part of hardware that I need to worry about except for HDD, flash drives, BIOS and RAM? - If I use an air card or a broadband usb modem bought anonymously, could they somehow find out that it's coming from my home? By somehow I mean by remote hacking, scanning etc. (not surveillance, following etc.) If they could, could they then find out the SIM number or hack the device? - What if I used a WIFI usb antenna in the same scenario? (connecting anonymously with VPNs to free APs around my home) - And an easy question, every time I restore a snapshot in VM I must set time and date. Is there some other solution? And is there any point in changing time to a different time zone, in terms of tracking, so that it appears that I am from some other part of the world, or is there a downside to this?
I would think it's best that your computer's time zone corresponds to the time zone indicated by your IP address, otherwise you might "stand out."
Thank you Brian! And mirimir. Here is some more on the subject. http://www.linuxquestions.org/questions/general-10/can-a-bios-be-hacked-by-a-cybercriminal-903464/ But it's all from 2011. I guess flashing BIOS solves this rare but possible nightmare threat? You're right, it should match the IP time zone! I'm using virtualbox, my workspace VM snapshots hold their time & date settings from the last time I saved it. Or is it a mistake recalling a snapshot of an already booted OS? Should I always boot my VM OS like when you start a computer by pressing the power button? By the way, are there any news on using FDE on SSD? Last thing I read was that it leaves traces in unused part of the drive. I would love to use SSD, but only if FDE doesn't leave this kind of traces.
Did you install VirtualBox Guest Additions? If not, that would perhaps explain the lack of time sync between host and guest.
I've become comfortable using SSDs with FDE. But I have concerns about both reliabiliy and privacy. So I've gone with my standard setup. I have two RAID10 volumes, a small one (~500 MB) for /boot, and a large one for dm-crypt/LUKS. Then I use LVM on the LUKS volume for swap, /root and /home. SSDs frequently remap data for wear-leveling and such. And it's possible for plaintext to be stranded outside the RAID-member partitions. However, that leakage occurs independently on each SSD. And RAID10 is a stripe (RAID0) of mirrors (RAID1). Data is striped across the two mirrors, in chunk-size blocks (default being 64K). So at most, fragments of those 64K blocks might be left as plaintext on various SSDs. But those fragments would not readily be accessible, because they're in parts of the SSDs that aren't part of the RAID10 array. Indeed, they would not even be visible if the RAID10 array were unmounted and stopped, and individual RAID-member partitions were inspected. To access them, an adversary would need to directly access the SSDs using low-level tools. Making sense of any fragments found would be nontrivial, I think.
Thank you MrBrian. And thank you mirimir. Then I will not use SSD for this purpose. I don't use guest additions because it's less secure. But no one answered the most important questions that bother me. If anyone would be so kind to give me the answer to this scenario: I need some help because my threat model are hacker bullies. Say they don't have physical access to my machine. But know where I live. - Say I use a broadband usb modem bought anonymously. Based on asumption that I use some kind of internet, could they somehow find out that it's coming from my home? By somehow I mean by remote hacking, scanning the signal etc. (not physical surveillance, following etc.) If they could, could they then find out the SIM number or hack the device (remotely)? - What if I used a WIFI usb antenna in the same scenario? (connecting anonymously to public free APs around my home, safe ones that I know that belong to a public organisation) Say my machine is not compromised and I use linux, chained VPNs, VMs, firewalls, FDE, changing MAC. And say I just use it for surfing, very carefully, leaving no identifiable information. I mean do I have to visit some shady website, receive a hacked email, install infected software in order to be hacked - or could they just somehow hack straight into my broadband modem or WIFI by just me connecting or transmitting the signal? Sorry if it sounds stupid, but I'm serious. I don't know much about hacking. I really need some help, please.
Well, don't use wifi, because it's fundamentally insecure. Use all wired connections. If you have a good perimeter router/firewall that's properly secured, it's unlikely that "hacker bullies" can do anything except make fun of you online. Although malware droppers for Windows are freely available, pwning Linux via websites etc would be much harder. If they've compromised your ISP, you have bigger problems. But a good perimeter router/firewall that's properly secured should still protect you.
Unless attacker compromised your ISP, finding you remotely will be only possible after they cracked your machine, either PC (you only said you use Linux, but assume it is desktop or notebook PC) or router, either by infecting you through email or a link in SMS, or after they locate your home (if any of your family or you have some real info on internet) and try to sniff your wireless (theoretically even wired, but it's not trivial) connection from outside of your home. As to public wifi, I'm not inclined to use it by myself regardless of whether it is from reputable company, and regardless of it employs WPA2-PSK(AES) with 63 char shared key. Not only someone in the same network can see your connection, but those who have physical access to that AP may compromise the AP. If you have to use it, then make sure all your connections are through VPN. I guess you already have been doing it, then theoretically it should be secure. There can be straight crack to your modem, router, AP, or PC but if they only want to attack you and nothing else, they have to either know your IP and attack you before it changes (assuming you don't have fixed IP address; IP itself is open so anyone can know your IP, but correlate it with you is another story) or track you by malware or scam (e.g. phishing site). Cookie or other tracking technology itself can't reveal what it tracks is you, so they have to correlate them with your real info by either fooling you or compromise any of online service you're using.
Thank you mirimir and 142395. Some things are more clear to me now. I would like to learn about this good perimeter router/firewall and how to properly secure it. Unless it is software firewall then I already know. They know where I live. I don't know if they compromised my old ISP. I must assume and act like they did. That's why I can't use wired connection from my home anymore. I must find a different solution. Ok wifi is fundamentally insecure. But I wanted to use it very carefully and on rare occasions only, to download or update the system through VPN. What about broadband modem security? And what about IMEI, should I or could I change that like MAC address or there is no need for that? Let's just say that they could make a wild guess that I use a broadband modem. But they don't know the SIM number. But they know where I live. And there is no way that they know what sites I'm visiting. Am I safe in that scenario?
I recommend pfSense as a perimeter router/firewall. It will run on standard PCs. pfSense is enterprise grade, based on FreeBSD. Even if an adversary has compromised your ISP, which seems unlikely unless you live in a very anarchic place, it's possible to remain secure using pfSense. Basically you run an OpenVPN client, and lock down the WAN interface so that nothing goes in or out except traffic with the OpenVPN server. In a high-risk environment, you'll need to lock down pfSense WAN before connecting it to your ISP modem. I recommend signing up for pfSense gold support. In addition to customer support, you'll get a copy of their book/manual.
So they know exact physical address of your house? I didn't assume that as you excluded physical intrusion, but then they can sniff your wifi and of course can see your MAC, but as long as connection is properly encrypted they can't do much. Also they might see what is your PC or other device through window, possibly with scope w/out direct intrusion into your house. Those info might help they develop exploit to your device, but still can't reach identifying you within internet connection. IPv6 once conveyed MAC but IIRC this is addressed in most modern OS (correct me if I'm wrong). I haven't heard of any in-the-wild exploit against modem, but there have been some exploit to broadband router. You care about IMEI because you use mobile? IMEI can be spoofed if you rooted your phone. But unless you use old mobile phone (not smart phone) those uid can't be acquired from internet unless attacker exploit your phone (and attacked program has access to those uid, or attacker escaped its sandbox). P.S. I don't have enough experience of pfSense, but it's one of my candidate for next perimeter defense after I build new PC (and install those OS to old PC). I'm still wondering what is the best, you can see this discussion from some other threads. Many of them support VPN but confirm by yourself. https://www.wilderssecurity.com/threads/utm-thread.370018/ https://www.wilderssecurity.com/threads/sophos-utm-home-edition.365413/ https://www.wilderssecurity.com/thre...o-evolve-to-avoid-becoming-irrelevant.369834/ https://www.wilderssecurity.com/threads/installing-a-firewall.364460/#post-2376990
And how do I lock down pfSense WAN before connecting it to my ISP modem? Did you mean just disconnect it in VM and then connect it after I made the connection? Or just start its VM after I made the connection to ISP? They can't see through my window but you are right, I should look more into this sort of stuff. Like available technology for surveillance and spying. Are you saying it is worse to use an old school GSM mobile phone without internet, bluetooth, etc than modern smartphones? I mean not for the internet but for talking and SMS? I was thinking about a usb dongle with SIM card. This dongle also has an IMEI. Would you say that in my scenario it is not a good idea to use this in terms of security?
If you don't use old school phone for internet, it's no problem. But if you surf internet through the phone, depending on your career and the device some uid can be leaked. It's not a matter on smart phone. Sorry, I mistook. Not bad idea, IMEI shouldn't be leaked unless you allow physical intrusion and even if somehow leaked, still IMEI itself is not enough to identify you unless it is correlated with you. There're known vulnerability on some usb modem but I haven't heard any actual exploit against them.
Thank you so much for your help 142395. Can you please point me to some quality threads, forums or links where I can learn about dangers of spying and surveillance technology other than using computers? I want to know what is available today and how far they can go. Things like mini cameras, scopes, and all this sort of stuff. mirimir, can you please recommend me what I should look for when buying a laptop or a netbook in terms of hardware if I were to use your kind of approach? I know I need 8GB of RAM. That Realtec NIC is bad. Intel is better than AMD? Any specific models that are known to work well with linux? What else should I look for? Are there big downsides in performance with netbooks compared to laptops? I don't want a PC because I think I want to become mobile after all.
Thinkpads tend to work very nicely with linux, with all drivers and such working out of the box in most cases. Stallman and Appelbaum both use Thinkpads. I'm not sure AMD vs Intel is necessarily going to matter a whole lot as long as you're comparing at a similar price range, although pretty much everybody uses Intel. You can get away with less RAM than 8gb if you use light distros and it won't make any real difference, but definitely don't get a cheap processor (and you can always add RAM very easily). I would just caution against ordering online or doing some sort of pre-order at Best Buy or wherever, just walk in the store, pick the laptop and walk out with it in one go. Nobody's mentioned coreboot in this thread, you can put that onto a Thinkpad with a bit of tinkering in most cases, it's a solution if you are worried about BIOS security. It's risky though (possible bricking if you do it wrong) and I'm uncertain of its exact functionalities. If somebody knows more than I do here please say something
Although I mostly go on about pfSense VMs, here I'm talking about pfSense on hardware as a perimeter router/firewall. Let's say that you plan to access the Internet through a VPN service, with the VPN client running in your computer, or in a pfSense VPN-gateway VM running therein. In order to lock down WAN on the perimeter router/firewall, you would create firewall (aka pf) rules that allow both outgoing connections to the remote VPN server, and incoming connections from it, and lastly a rule to block everything else. You would also need analogous rulesets to allow connections with an NTP (time) server, and with the repository servers for your Linux distro. If there are legitimate redirects, you might need to add additional incoming rules to allow them. To start, you would not connect the router/firewall hardware to your ISP modem. Then you'd boot with the pfSense LiveCD, and complete the installation. Although there's no DHCP server for WAN to get an IP from, the installation should still complete. You then access the webGUI (at 192.168.1.1 by default) and add the firewall rules on WAN. Now you connect the router/firewall hardware to your ISP modem, and reboot. Avoid smartphones aka tracking and snooping devices. I don't see the necessity of this. That is, unless your ISP is totally compromised.
You sound like some of the clients I work for. You want real security. One of the things you will learn is for real security, you need to have a dead-mans-switch. We used these in the military. Essentially they 'hardware' knock your system off of the internet if you aren't there to push the button every hour. It's an extremely effective method to avoid hackers bricking your systems, waking them from remote, and otherwise tampering/snooping. If they can't snoop you, they will brick you, a Pathlock will come in handy. (I have several) Grab a Pathlock. http://www.ebay.com/itm/NEW-PathLoc...r-Security-Device-NIP-Net-Timer-/111443462477 Also, I recommend using one of the canned, anonymous bootable OS's like TailsOS or Liberte' on a legacy Lenovo... I can't really go into a long essay on privacy/security, and counter intelligence here. If someone is really serious about snooping they will be scraping the EMF signatures of your location. We introduce a lot of EMF-Chaos to saturate this, and prevent this activity, it's quite effective. Also, you can setup a cheap server (or laptop), and run 10,000-20,000 outbounds a day to obfuscate your real activity in a tirade of internet activity and burst behavior that makes it difficult to parse your real activity. You can inject a variety of spoofed meta-data into these to make them even more difficult. Right now I toss hundreds of thousands of packets out of my network a day over a variety of encrypted pipes. These packets/traffic are all meaningless, and contain nothing useful, but they saturate any meta-analysis, and make peeling apart the activity extremely arduous. (especially when combined with other technologies/methods) VOIP is commonly snooped. My VOIP is tossed into a 2048-Bit mutated key pipe everytime I use it. There is a slight 2-5 second delay before the dial tone while it negotiates this. Any other VOIP is quite handily snooped on my connection, and I simply cannot use them. You may try something like this, but it's not the easiest to setup - run your own cheap PBX if you like. (Asterick, etc) You want ATP, or at least UTM. A home router won't stop anyone. But toss a good UTM in front of yourself, and you've presented a pretty significant barrier to mid grade actors. Sponsored boys will bypass them (depending), but even then you can lock down a ZyXEL so heavily they won't, and you will sniff packets to a level they can't quantum inject. Something to consider - home routers are largely a joke. (save a few) I wouldn't run my home network without a Layer 7 UTM for even a day if I can avoid it. Most of the bigger actors know when someone knows their stuff pretty fast, the quality of the locks on the door, the installed applications on the system, the appliance on their gateway. It's a pitbull in your home for the late night prowler. They rely on most people having $19.99 Linksys junk from Best Buy, and when they see a $1000 appliance on a guys home network, it puts some serious nails on the road in front of them. Finally, you can try some public domain counter intelligence. Create fake profiles, social media, and accounts, ones that 'conform' to the image you want to present. Then use secure, encrypted, or otherwise obfuscated ones for the 'real stuff'. For example I have a junk email where I talk about stuff like ladies, tv shows, and crap the brainwashed public talk about. When I want to get serious I use an encrypted offshore email service that uses advanced encryption, and server on server email traffic via ram drives wiped each night. The image 'they' see of me is pristine, clean, nerdy, and 'conforming', and that's all they will ever see, there is no sigint or humint in the world that can extract anything more on me or my family, and that's by design. It's entirely possible to be invisible to all of the actors out there. I'm not a criminal (not in the slightest), but I value extreme privacy, and I work with a lot of clients that by nature of their titles, and positions, sometimes require extreme privacy. Finally, why not blackhole all of the spooks, hackers, and malcode IPs? I block 355MILLION IP addresses from my network. If I want you in/out, then you get in/out, if I don't, you don't. Very effective.. Including all known DISA, DARPA, NSA, and CIA IP clusters from around the world obviously. That's merely a layer in the total package but even then the actors can use VPN's, MAC spoofing, etc themselves. (top purchasers of MAC spoofing clients are US Govt.) It's just a layer of the onion. Hackers are silly. SIGINT are silly. Most of them think they are smarter than they really are, but they aren't actually totally aware of the counterintelligence happening to them.
As to inteligence, I don't know any reliable internet source. I learned most thing from military magazine and books. Sorry I can't recommend specific book as all I read was written in my mother tongue (Japanese), some of them were translated ones but don't remember the exact original writer and title (one of them was Barry Davies, ex-SAS soldier but it seems he have many writings and I couldn't identify what is the original of what I read). I think it's better you search in military magazine available in your country, and also search for good and relatively new books in English or in your mother tongue if it is not English. Sorry that I can't help much. Well, though it is right, he's not caring about general privacy or national survailance. Oh, but I also want to know he have smartphone or not as he still haven't explained. I guess he's not inclined to as his adversary also might look this thread, so okay I don't ask but as a general information, if you have smartphone and use 3G/LTE network, there is a threat known as IMSI-catcher. this is good introduction and explanation about their Android app to detect this threat. Remember his situation, he said his adversary know exact physical address of his house. In this case, if national agency determined to spy on him with all HUMINT and SIGINT, it's trivial for them and nobody will be able to defend against. But actually, he said in another thread that he doesn't afraid of state-sponsored. What he fears is internet bullies. Well, at least US inteligence agencies already should have learned this after their failure on Iraq. Their mistake was disregard of HUMINT.
They know the physical address of anyone. Your resident Home Depot locks can be bumped in about 3 seconds, then they can get into your home and boilerplate you. They like to try to make targets insane, swapping out brands of coffee, moving things, switching Colgate for Crest so you begin to question your reality, and sanity. Nevertheless, there are still ways to heavily impede them locally which aren't the scope of this. But try getting into a home with Grade 1 Bilock's on the door rather than vanilla Lowes Kwiksets, or pulling ambient EMF off for analysis in an environment with EMF injectors. All fun stuff. I'd go with a Pathlock if I was him.
While all that is true, if you close the door, they will come through the window (both literally and figuratively hehe). There are stories off FBI teams drilling a hole in a wall to get into an apartment, and patching the entire thing up within the span of a few hours. Realistically you can't prevent them from breaking into your home, but you can detect it, with surveillance cameras or some other such technology. You can point the camera at a clock to make it a lot more difficult to tamper with the footage. Or you can pretend to booby trap your house with explosives or whatever to scare them off but don't actually do that hehe. That sounds rather cocky, completely the wrong attitude in my opinion, the lengths that they can go to will blow anyone's mind. One minor minor slip up is all it takes.
