Re: [LUG] which is better? (more secure)

On 21 August 2013 22:34, bad apple <mr.meowski@xxxxxxxx> wrote:
On 21/08/13 21:52, Simon Avery wrote:
>
> Not necessarily, if it can be accessed remotely.

Yeah, if the machine is running and the encrypted storage is online and
mounted, the crypto isn't going to help much. It's weird how many people
don't seem to realise that! It's for protecting at rest, when the
machine and its storage is off.

> Sticky label on a physical machine, especially if it's locked away in a
> cupboard, ain't so bad. If the bad guy has physical access to your
> hardware, you've already lost.

Not necessarily (see my reply to the other Simon yesterday). It's also
strange - to me at least - that people automatically assume physical
access = game over. There are a lot of gradations of "physical access".

Now, if the bad guys have literally nicked your equipment and it's now
sat in their well-stocked lab, they have skillz, coffee and patience...
well, you are definitely screwed. Even super-hardened devices
specifically designed to withstand exactly this kind of attack are going
to fall to determined enough attackers eventually (see: every games
machine ever released). Once they start chemically stripping the chips
and putting them under electron microscopes, well, they kind of deserve
to get to the bottom of it to be fair.

However, a lot of people - I'd even say most - seem to equate "the bad
guy has physical access" with "the bad guy is in your office, sat down
in front of one of your computers". As I pointed out, that isn't
difficult to mitigate. Lock all firmware and boot code with admin
passwords, and if you've got a TPM, the admin can actually leverage the
good side of this technology to secure everything with keys instead. All
options to change boot order, trigger a linux recovery image boot,
tamper with the kernel stanza, reconfigure BIOS, default EFI... all of
that should be locked out against the users anyway. With employers who
let me, I have all workstations and laptops tethered to bolted down
desks or a wall ringbolt with a decent locking cable - most boring,
cheap-ass £300 business PCs have reinforced latches on the case to
thread the same cable through too, preventing the case being opened
(turn chassis intrusion alerts on as well). Most servers have lockable
cases by default, and I tether them to the racks as well even though
they're already in an access-controlled room.

At this point the bad guy is going to need a good couple of hours, when
nobody else is around and really, he's just going to have to steal the
damn thing anyway if he can cut the lock cable. Can't get into the case
to reset jumpers or just nick the drives, can't boot from USB, can't
reset anything... Thwarted.

This is exactly what I do with my home systems, except I'm way too lazy
to keep all the various laptops, phones and other portable gadgets
secured, it would compromise their usefulness too much. All full size
computers however are physically tethered down and cases locked shut.
Without my admin passwords, it's not possible to do anything after
turning them on except watch them boot to their configured OS -
bootloaders, BIOS/EFI/etc firmware, the lot: it's all locked. The best
crims/spooks could hope for if they broke in whilst we were all away on
holiday is nicking all our other gadgets (only computers get this
treatment, anyone could waltz in and nick the big TV downstairs or the
stereo!) and any small stuff we'd left lying around - with some decent
boltcutters and a van they could certainly nick everything but they
won't be getting any data from them as all drives are encrypted.

So I don't think this old "if the bad guy has physical access" mantra
is anywhere near as absolute as people make it out to be.

Regards

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
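One concrete way to do the bootloader half of what the post describes (users can only watch the machine boot to its configured OS; nobody without the admin password can edit the kernel stanza or drop to a shell). This is an added example, not code from the thread or from bad apple, and it assumes GRUB 2 syntax: `set superusers`, `password_pbkdf2`, and `--unrestricted` on menuentry lines. The superuser name `admin`, the placeholder hash, and the two sample grub.cfg files are constructed for the dry run; a real hash comes from `grub-mkpasswd-pbkdf2`.

```shell
#!/bin/sh
# Added example: generate a GRUB 2 lockdown snippet and audit a grub.cfg for it.
# Not from the thread. Assumes GRUB 2 syntax. "admin" and the hash are placeholders.

# Lines to append to /etc/grub.d/40_custom. Only the named superuser can edit
# entries, use the GRUB shell, or boot entries that are not --unrestricted.
grub_lockdown_snippet() {
  user="$1"   # GRUB superuser name (hypothetical: admin)
  hash="$2"   # output of grub-mkpasswd-pbkdf2 (placeholder here)
  printf 'set superusers="%s"\n' "$user"
  printf 'password_pbkdf2 %s %s\n' "$user" "$hash"
}

# Audit a generated grub.cfg. Returns 0 when the menu is locked, 1 otherwise,
# printing one line per finding so the admin can see what is missing.
audit_grub_cfg() {
  cfg="$1"
  rc=0
  grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg" \
    || { echo "FAIL: no superusers set; anyone can edit the kernel stanza"; rc=1; }
  grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]' "$cfg" \
    || { echo "FAIL: no password_pbkdf2 line"; rc=1; }
  # A bare 'password' directive stores the secret in clear text in grub.cfg.
  if grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
    echo "FAIL: plaintext 'password' directive; use password_pbkdf2"; rc=1
  fi
  # Entries without --unrestricted demand the password even to boot, which
  # locks ordinary users out of the default OS; flag them rather than fail.
  restricted=$(grep -E '^[[:space:]]*menuentry[[:space:]]' "$cfg" \
               | grep -vc -- '--unrestricted' || true)
  [ "$restricted" -eq 0 ] \
    || echo "WARN: $restricted menuentry line(s) require the password to boot"
  return $rc
}

# Constructed sample configs for an offline dry run (not a real grub.cfg).
write_sample_cfgs() {
  dir="$1"
  cat > "$dir/unlocked.cfg" <<'EOF'
menuentry 'Debian GNU/Linux' --class debian {
        linux /vmlinuz root=/dev/mapper/vg-root ro quiet
        initrd /initrd.img
}
EOF
  {
    grub_lockdown_snippet admin grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
    cat <<'EOF'
menuentry 'Debian GNU/Linux' --class debian --unrestricted {
        linux /vmlinuz root=/dev/mapper/vg-root ro quiet
        initrd /initrd.img
}
EOF
  } > "$dir/locked.cfg"
}

# Dry run: the unlocked config fails the audit, the locked one passes.
tmp=$(mktemp -d)
write_sample_cfgs "$tmp"
for name in unlocked locked; do
  echo "== $name.cfg"
  if audit_grub_cfg "$tmp/$name.cfg"; then
    echo "OK: boot menu locked"
  fi
done
rm -rf "$tmp"
```

On Debian-derived systems the menuentry lines in grub.cfg are generated by /etc/grub.d/10_linux, so `--unrestricted` is added to the CLASS variable there and the snippet goes in /etc/grub.d/40_custom before running update-grub. The audit only reads grub.cfg: it says nothing about the BIOS/EFI setup password, boot-order lock or chassis intrusion alert the post also relies on, which have to be checked in the firmware setup itself.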