Would the following setup work to prevent 'leaking'?

Discussion in 'privacy technology' started by miyamoto, May 10, 2015.

  1. miyamoto

    miyamoto Registered Member

    Joined:
    May 9, 2015
    Posts:
    2
    Hello readers,

    Yesterday I was thinking of a security setup that would look something like this:

    1) Create volume using Dataram RAMDISK
    2) Create Truecrypt Encrypted volume on RAMDISK
    3) Inside the TrueCrypt volume 1x Whonix Gateway and 1x Workstation VM
    4) HAVE FUN***
    5) Eraser ## passes afterwards on RAMDISK-volume
    6) Remove Dataram RAMDISK-volume
    7) Privazer run (Include pagefile if enabled)
    8) Optional: Eraser run on free space


    *** - I figure there might be steps in between that would make this setup far more secure, such as setting up DNS, VPN, or clearing logs created by TrueCrypt/RAMDISK, but I'm not very sure what the best way of setting that up would entail (which software to use, etc.).

    The purpose of this setup is ensuring data is irretrievable, save for a few logs created by the applications or operating system used. The setup would, however, be far more secure in a carefully set-up Linux-based operating system.

    What are your thoughts on this and tips?
     
  2. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Frankly, this is overkill.

    Whonix will never leak, short of a new exotic malware designed specifically to break through the VirtualBox hypervisor on a Linux guest. Malware has been shown to break through other much more common hypervisors like VMware, but it's typically through shared network, folders, or USB capabilities, none of which are possible with Whonix. This was never seen in the wild as far as I know; it's more theoretical than anything. If the NSA or Vupen or Russian criminals wanted to develop an exploit for a virtualization program, I'm inclined to believe that more important programs used in enterprise like VMware, KVM or OpenVZ would be much juicier targets than a program used primarily by individuals, but still there's no news of such exploits occurring in any program.

    The whole ramdisk, Truecrypt volume, and wiping swap scheme is overly complicated, unnecessary, and still not 100% secure in my opinion. Simply use full disk encryption on the host, and you do not have to worry about data written to swap or anywhere else on disk, since it's all encrypted.

    My personal Whonix setup and suggestion is as follows:

    SSD with hardware encryption
    Linux host (I use Ubuntu, Debian may be marginally better) using LUKS, used for little other than downloading ISO's, no personally identifiable data/activity on it
    No logs OpenVPN on host
    Virtualbox (secured with Firejail/apparmor if extra cautious, but I don't think this is essential), running Whonix and any other OS I like

    That's all you need to do. You don't need to remove Windows from your current computer; I'd just buy a separate SSD or hard drive just for this setup and swap it out on a laptop when needed (30 seconds) or keep it in your desktop and boot from it when needed. Drives are dirt cheap nowadays; even 120GB Kingston SSDs are only $50.
     
    Last edited: May 10, 2015
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    As krustytheclown2 said, your plan is overkill in some ways but ineffective in other key ways. Even though the Whonix VMs will be totally nuked, information from them will be retained elsewhere on the host, in VirtualBox and Windows logs, Windows tempfile and so on. Just use a Linux host with FDE.

    If it's wretched overkill that you want, use a Linux LiveCD. You'd need to install VirtualBox for each use. But you could keep copies of the freshly-downloaded Whonix appliances, and installing them would go quickly. That would be more secure than your plan, and would take far less time and effort.
     
  4. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    This isn't the direction I'd go in for added (but almost certainly unnecessary) security. First of all, using a LiveCD won't prevent exploits from executing, it'll only prevent them from being carried through more than one session, and any super sophisticated attack that reaches the host through a VM could potentially hit your firmware from there and persist that way. Second of all, it's painfully slow and the whole setup would require a ton of RAM as there would be no writable media to keep the large files.

    The first additional step I would take is securing Whonix to a paranoid level by configuring AppArmor profiles and using Firejail. Given that Vupen and the NSA probably have a number of zero-days up their sleeve at any moment for Firefox and by extension the TBB and Iceweasel, I would consider using an obscure browser like Midori or Rekonq with a spoofed user agent within Whonix, as I doubt anybody cares about these enough to develop zero-days.

    Next step would be isolating Virtualbox from the host OS, so compromising the hypervisor limits an attacker to seeing your VPN exit IP. Firejail and Apparmor or something like Grsec/Pax on the host are obvious here. You can run Whonix within a VMWare VM since it supports virtualized hardware virtualization, meaning that it would take hacking through two hypervisors to get to the host. And you could add an additional VPN in the VMWare VM. Also, a UFW killswitch for the VPN would be prudent.

    The last step I would take is preventing the computer and VPN used from being easily tied to my real identity, were all previous defenses to fail. Buy the laptop with cash in a random shop you've never been to and that's across town. Only ever connect the computer to Wifi in a coffee shop/McDonald's you've never been to across town, buying coffee with cash and spoofing your MAC address, or to an air card bought with cash while being far from your home/work. Always try to be as nondescript as possible during these trips: park a good distance away from whatever shop, never carry your cellphone, and put on a baseball cap and glasses. The new USBKill might help if all of this fails.

    Additional steps would be required if there's reason to believe that you're under physical surveillance; it would greatly complicate things, as esoteric attack vectors like electromagnetic leaks, keyboard sounds, or evil maid firmware attacks could come into play if you're very important (i.e. a CIA worker leaking secrets to the Russians).

    Realistically, I don't think any of this is necessary and I doubt there are many situations where my initial setup would be put to the test in any meaningful way.
     
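    The "UFW killswitch for the VPN" mentioned above, as an added example that is not code from the thread: a small POSIX shell script that generates (and optionally applies) a ufw rule set which denies all outbound traffic except the VPN handshake itself and whatever goes through the tunnel interface, so that nothing leaks if the tunnel drops. The VPN server address, port, protocol and interface name are placeholders to be replaced with your own.

    ```shell
    #!/bin/sh
    # Added example, not from the thread: UFW-based VPN "killswitch".
    # If the tunnel goes down, no traffic leaves the host except the
    # packets needed to re-establish the VPN itself.

    VPN_SERVER="203.0.113.10"   # placeholder (RFC 5737 documentation range)
    VPN_PORT="1194"             # OpenVPN default port
    VPN_PROTO="udp"             # protocol used by your VPN profile
    VPN_IF="tun0"               # interface OpenVPN creates on connect

    # Emit the ufw commands, one per line. Nothing is changed on the system
    # until apply_killswitch is called with --apply (needs root).
    # Note: DNS is only allowed through the tunnel; a resolver on the local
    # LAN would be blocked, which is exactly the leak this rule set prevents.
    killswitch_rules() {
        cat <<EOF
    ufw --force reset
    ufw default deny incoming
    ufw default deny outgoing
    ufw allow out on $VPN_IF from any to any
    ufw allow out to $VPN_SERVER port $VPN_PORT proto $VPN_PROTO
    ufw --force enable
    EOF
    }

    # Number of rules generated; handy for a sanity check before applying.
    rule_count() {
        killswitch_rules | wc -l | tr -d ' '
    }

    # Dry run by default: print each command prefixed with "+".
    # With --apply, also execute it (run as root).
    apply_killswitch() {
        mode="$1"
        killswitch_rules | while IFS= read -r cmd; do
            echo "+ $cmd"
            if [ "$mode" = "--apply" ]; then
                sh -c "$cmd"
            fi
        done
    }
    ```

    Running the script with no arguments only prints the rules; add `--apply` as root to install them, and check afterwards with `ufw status verbose` that the default outgoing policy reads deny.
    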
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    I like that :)

    I'm working on hardware isolation, using Raspberry Pi instead of VMs, with physical hardening, EMF shielding, etc.
     
  6. miyamoto

    miyamoto Registered Member

    Joined:
    May 9, 2015
    Posts:
    2
    Thanks for the replies, guys. Hypothetically speaking, if I were to wreak havoc using the setup in the initial post, would any of the data be recoverable, or would that take a lot of time/effort? The reason I'm not using hardware encryption is because I've seen it fail in the past, rendering data on it useless and irrecoverable.

    I was thinking of perhaps a mini-laptop or Raspberry Pi for that. By the way, wouldn't components from eBay be an option as well, like buying a few LAN/WiFi cards and 'hot swapping' them?
     
  7. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    The Pi setup is cool, novel, and probably very effective, but personally I need mobility. Physical hardening/security is critical; if you don't mind, could you critique my laptop setup (I fly across the ocean pretty often, so it might get tested)?

    Power-On BIOS Password
    Hardware Encrypted SSD with TPM/Hard Disk Password (uses different password than power-on), so no plaintext Grub
    USB, Firewire, DVD, SD card, e-SATA, Ethernet/LAN disabled by BIOS so no booting from anything other than HD, no data transmission to OS or BIOS from anything other than SSD, keyboard, mousepad, headphone jack and Wifi card
    Selected option to only allow BIOS updates signed by the OEM
    Glitter on screws to the HD bay and the screws to get to the keyboard, mobo, RAM, etc., pics kept on person

    EMF-shielding seems a bit tin-foily to me ;) since Van Eck phreaking is highly unlikely unless you work for a foreign embassy or are somebody of importance to national security which I'm not overly concerned with. It's probably an easier attack than most though, care to share your ideas there? A tin foil tent isn't very practical for me haha.
     
  8. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    By recoverable I'm assuming you're asking whether anything would be readable from the hard drive if it were seized after the fact: definitely not if the disk is encrypted and it's completely off, so long as you have a good password and can't be coerced, and weren't compromised before. If quantum computing increases password cracking abilities a googolplex-fold in the future, maybe, but the bits will probably have rotted away by then.

    Data on an encrypted SSD does rely on the life of the mobo and drive itself. SSDs themselves die often enough that you should back up important files anyway; for privacy, upload them to any cloud service as a TrueCrypt volume over a VPN. Data on any unencrypted SSD that dies is essentially irretrievable anyway; it's not like a spinner with data persisting on the platter, and only LE might have solutions for that, if at all possible. I prefer hardware encryption because there is no unencrypted bootloader to backdoor, and a cold boot attack from RAM is impossible as the key is in the SSD's internal memory (correct me if I'm wrong about this).

    I see software spoofing a WiFi MAC address when connecting to public WiFi as far more private than using a card you buy on eBay with your shipping address and credit card; that's as traceable as it gets.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    The long-term plan involves hacking 4-6 Pi 2 into an old laptop chassis, sharing keyboard, keypad and display via KVM. I want to implement something like Whonix or Qubes in hardware. One of the Pi will be air-gapped for secure storage. And I'll restrict information flow among the other Pi using optical isolators, as in Tinfoil Chat. The Pi will be EMF shielded from each other to prevent information leakage.
    Sure :)
    That's cool. But it's easily bypassed by putting the SSD in a different machine (except that you've covered that using TPM).
    From what I've read, that should be solid. But the SSD is unfortunately a closed-source black box, and you rely on the manufacturer having gotten it right.
    If you won't be needing any of those, disabling them physically would be more secure. Especially Firewire and e-SATA, I think.
    That's prudent. TLAs and maybe determined NGO criminals could work around that, but hey ;)
    :thumb:
    I'm thinking of side-channel crypto attacks. Like that Israeli pita bread hack ;)
    One goal would be a "laptop" with virtually no EMF leakage. Or little enough, anyway, that adversaries would need to be in your space.
     
  10. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    @mirimir

    About the custom Pi top, I have a few questions/concerns. Please take them as thoughts from a friend and not a criticism; I realize that this is in its early stages and that you've probably thought of the same things. If this could work in a prototype, I might jack your idea and become a Kickstarter millionaire ;) ! Jk, but I think it's a far more innovative idea than the grossly overpriced, crappy Chinese counterfeit MacBook called Purism (I've heard that it's literally based off the shell for a counterfeit MacBook, and they do in fact counterfeit everything in China, entire Apple stores, but I digress).

    How do you figure you'll connect one laptop battery to four Pis? I am not an expert in how laptop PSUs work, but this strikes me as a challenge right off the bat.

    Pis use SD for non-volatile storage, which employs wear leveling without the protection offered by hardware encryption in SSDs. Have you considered this as a weakness for FDE implementation, as well as durability?

    What reasons do you have for believing that hardware separation is inherently that much more secure than a hypervisor sans a USB controller, shared network/folders, and as of today floppy controller (lol)? Malware on a PC can jump to your router after all, there was a story out of Serbia or some other godforsaken place recently about a massive router botnet. I think that this is more common than hypervisor break out but then again what do I know. You mention KVM as the method to switch between physical Pi's, how this is implemented is over my head, but wouldn't this mean that your security is dependent on a hypervisor nonetheless? In which case my chained hypervisors + MAC seems better and far less complicated, assuming the free VMWare Player is privacy friendly (not certain about this, and paying for Workstation anonymously is non-trivial)...

    Disregarding all of this, the extreme obscurity of this setup should prevent anything short of a very targeted custom attack, the biggest plus. To me personally, however, my thoughts are that I like to blend in with the cookie cutter business crowd when traveling (and otherwise), carrying an encrypted business notebook does not stand out much at all, whereas this is probably the weirdest thing I've seen. None of that means anything if I my name is present on some watch list or if I visit Airstrip One and face the choice between revealing my password or prison, but it's still something.

    Addressing what you said in response to my previous post, I agree that the proprietary firmware in the BIOS, TPM, and SSD controller is a mess. The whole NSA hacking hard drives fiasco was dependent on them knowing the private keys of the OEMs, since HDD/SSD firmware is protected from unsigned updates by default, so my mobo is not safe from this. However, the idea of the setup is mainly to be tamper evident; they would need to split open the laptop to do anything, which glitter prevents.

    I've never heard of the Israeli pita bread hack, and a search only revealed pita and hummus recipes (lol); care to elaborate? And by side-channel attacks, I take it you're referring to power analysis attacks and CPU acoustics; this seems more sci-fi than reality to me, no? Emanations from LCD and CRT screens have been vulnerable for decades now and an amateur can do it; keyboard acoustics/vibrations are easily captured with a bug/motion sensor/laser through your window; it's 1,000x more likely than the aforementioned. I don't see any way around these other than a literal tin foil tent in a sound proof room, or underground bunker, not a realistic solution for anybody other than the military (which is genuinely how top secret data is handled)...
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Thanks :)
    Good luck, my friend :) But at this level of paranoia, we want to build as much as possible ourselves, no?
    Pi take 5V, so I'll use a DC-to-DC converter to get from 19V or whatever.
    Yes, that's an issue. I plan to test embedding Pi in Arctic Alumina Thermal Adhesive. Maybe I'll also play with anti-tamper wire grids and such. Another option would be read-only SD to boot, and SSD via USB for storage.
    With hardware isolation, it's possible to specify exactly what can get through. See https://github.com/maqp/tfc/ for example. It's my inspiration :)
    That's true. But I suspect that most of those were consumer routers with default passwords.
    Sorry. KVM is an ambiguous term. KVM ("keyboard, video and mouse") switch <> KVM ("kernel-based virtual machine")
    I need to look more carefully at that. Another possibility is QEMU inside VirtualBox. But still, I trust hardware isolation more, because software attack can't reconfigure hardware. Yet, anyway ;)
    Yes, that's also a factor.
    Right, I wouldn't try to carry a "Pi top" through customs.
    Yes, the glitter prevents many local attacks. But firmware can be reflashed remotely via attack platforms.
    See http://www.techrepublic.com/article...-keys-are-not-safe-from-side-channel-attacks/
    True. My goals include protecting private keys, specifics of nested VPN chains, and such. I also want to harden against compromise after capture. I want to frustrate attacks that combine side channel monitoring with disassembly.
     
  12. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    @mirimir Agreed on everything but the Vbox --> QEMU idea. Two reasons: most importantly, the two share too much code for this to add to the security, evidenced by the recent Venom vulnerability affecting both. Since Xen was affected too, I don't think Qubes --> Whonix is that good either. Second, it'll be terribly slow in the second VM since it will lack hardware VT-x (so it'll have to be one-core 32-bit running paravirtualized, which will limit you to very lightweight distros). VMware supports virtualized hardware virtualization; it's the only hypervisor with this feature as far as I know, plus it's totally independent from the open-source competitors, so no shared vulns.

    One option that I'm considering is OpenVZ --> Vbox. OpenVZ is a unique open-source solution that uses the same kernel as the host, which is cool for a few reasons. The RAM allocated to the VM is shared between the host and other guests (with security measures put in place, of course), which makes it more efficient, and it's the reason why OpenVZ VPSes are cheaper than Xen, KVM etc. Kernel sharing may also allow for VT-x support to pass through to the guest; I just thought of this so I haven't tested it yet, but it looks promising to me. OpenVZ is a bit more complicated to set up than other options since it's enterprise-oriented, but it's not insurmountable, definitely easier than your pfSense set up IMO ;)
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    OK, I'll look into those possibilities. Thanks :)

    Superficial reading leads me to think that at least some of these double virtualization setups require enterprise CPUs like Xeon or the AMD equivalent. But maybe the latest i7 is enough? Please share.
     
  14. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    I think what you've read is from several years ago; Core2Duo/Quad didn't have nested paging and other features present in most i5s/i7s dating back a few years. I'm typing right now from the TBB running in a lite Debian Vbox VM, inside of a lite Debian VMware VM, on a lite *buntu host, all 64-bit. I don't have the latest and greatest Dell Precision workstation/equivalent, but it's a solid Core i5 or i7 business notebook; I don't want to get too specific. CPU on the host is around 25-35%, RAM at an impressive 1 GB. On the final guest, CPU is around 10-60%, sometimes hitting 100% but not often; RAM is 400-500 MB. There are noticeable stutters when switching between windows; I think that this is GPU related more than CPU. It's totally usable for web browsing and email though, and I think I could even pull off something a bit heavier like Win7 32-bit as the final guest. All I can foresee being problematic are 3D desktops like Unity or KDE Plasma or Aero.

    OpenVZ should be much lighter than this. I need to research more as it's not too beginner friendly.
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    OK, cool :thumb: I will check it out!
     