Solved

Could you hack this setup?  Could anyone?

Posted on 2009-03-31
8
1,458 Views
Last Modified: 2013-11-16
If I really wanted to be anonymous and free of worry, I'd do this:

BIOS Password using fingerprint biometrics-> NO HARD DISK INSTALLED -> LiveCD OS -> REMOVABLE USB WiFi to net -> IKE over VPN -> Firewall/Router Filter USB WiFi MAC Address -> TrueCrypt ->  Terminal Server -> 128 bit encrypted RAR -> Putty.exe ->  Putty SSH over VNC  -> FileVault -> Mac OSX Workstation-> FileVault ->Removable USB thumbdrive -> 256 bit AES encrypted -> disk image -> 128bit AES -> Password Protected Archive -> Password protected Microsoft Office documents -> Codes to the nukes

I would also do the following to cause slow the attacker just a tad bit more:

Windows Terminal Server:
Terminal Server will appear to be configured to be something simple, such as a print server that was accidentally broadcast to the internet.
Terminal Server will be setup on a Virtual Machine, and have several other "mock" servers connected as well.  These other servers will not trust the "Print Server"
Encrypted Archive containing putty.exe will be stored in a hidden folder that is constantly modified, such as System32 print driver folder
Terminal Server's purpose is so appear as "low hanging fruit that is easy for picking", thus creating the illusion of vulnerability and also an easy method of viewing "hackers" in action.
Terminal Server will not use Administrator as user name and password for the password to ensure the "low fruit" is recognized.
Terminal Server will only open port 3389 will be available.  All other ports are closed to the WAN.
Random photo folder (cats being silly, demotivational posters, etc.) will be placed on Terminal Server desktop in last attempt to keep hacker logged on long enough.

Use a minimum of 12 characters per password using special characters only accessible using multiple keys (ie.  user name:  ÐÆß) This would be Unicode character set.

All archives and images will have the file extension altered to .tmp and marked as hidden.

When I started writing this, I had no intention of making it this long.  I guess my creativity started flowing!
0
Comment
Question by:MrMintanet
  • 4
  • 3
8 Comments
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
Comment Utility
Ok, from the top:

>> BIOS Password using fingerprint biometrics-> NO HARD DISK INSTALLED -> LiveCD OS

this invalidates any need for the first two. if you are using a live cd (or a bootable, write protected usb device) why do you care how the host machine is configured? In practice, I would use a stock windows xp machine, use it daily for non-secure tasks (web browsing etc) to keep the hard drive believable, and make sure my cd drive is really booting by forcing the boot-start menu (if there is one fitted) by hotkey from bios.

>> REMOVABLE USB WiFi to net -> IKE over VPN

unless you mean some sort of usb modem/broadband dongle that uses a mobile card sim, there is no benefit there - just use however the pc normally connects to the internet. I would also suggest using x509 certificate based IKE as the IPSEC VPN stage 1 rather than PSK; you can take that a bit further with a smartcard, but I suspect we are in overkill territory anyhow.

>> Firewall/Router Filter USB WiFi MAC Address

wifi card mac addresses are trivially fakeable, and hence offer near no security. I would replace this router and the usb wifi mentioned earlier with a 3g "broadband" usb dongle, giving you a second and dedicated internet route without passing though devices that could be compromised out of your control.

the only case in which I would consider using a fixed wifi router would be if I were using something like the nintendo DS (running linux via an R4 card) as the terminal.

>> TrueCrypt

always useful, but if this is just an endpoint terminal, there is no part of it that needs truecrypting as nothing should be stored there - in fact, as close as possible (sans the IKE certificate file, which can be kept on a commodity usb drive 7zipped with a password) you should be using a stock bootable live cd, ideally a pressed production one such as the ones the ubuntu project give away free. there is nothing so far that would require or benefit from a truecrypt volume.

>>  Terminal Server

Really too heavy an application for a relay. normally, I would use vnc (with the server limited to localhost connections only) via ssh (putty if you are on winpe, or on a linux live cd, you would expect openssh to be available)

>> 128 bit encrypted RAR

truecrypt has one advantage over a rar file - you don't have to store the extracted file anywhere, thus risking a race condition or evidence of your actions being left in a temp dir someplace. there is no benefit to not just fetching a fresh copy of the putty client (if you need it) direct from the website.

>> Putty.exe ->  Putty SSH over VNC

I assume you mean  VNC over ssh here. there is no point to this intermediate step - just use VNC over SSH directly from the client node.

>> FileVault -> Mac OSX Workstation-> FileVault ->Removable USB thumbdrive -> 256 bit AES encrypted -> disk image

none of this adds any real value, you are just hopping from machine to machine. if you really want to do that, just run ssh tunnels inside ssh tunnels, it will save you all the time and effort. you can run openssh on any platform, currently I have servers running on netware, linux, macos and windows.

if you want to gate off your filestore server, you could create a dedicated network for network-attached printers, give a machine two nics, and run it as the print server. you add the file server to the printer net, and use openssh on the print server to hop into the private (non-routable) space.

now, your issue is that you are accessing ms documents, using ms office. this is really not the most secure of scenarios, although I can see a way to make it secure when you are not using it. build a virtual machine (vmware, xen, whatever) on a hidden, truecrypt-protected partition. when you need the partition, mount it (by remote, using ssh) and start the virtual machine. run the machine on a virtual net only the host and the virtual machine can see, then use a ssh tunnel to rdp to the machine to access it. all the memory image crap, temp files and so forth stay within the virtual machine (which lives in a truecrypt volume) so when you are done, shut down the virtual machine, and dismount the volume. only remaining factor is explaining the physical presence of the machine on the network - and for that, make it into either a NAS box or a print server, using a small form factor pc (they are the size of a pci card, and you could trivially build one that has ethernet one side, a usb port the other, and "appears" to be just a lpr print server for commodity usb printers by mounting it in a generic beige pcb box from radio shack/maplins/your electronic store of choice. install sled on there (for the xen kernel support) plus truecrypt, and you have a box you can explain away on a network diagram and velcro to the back of a printer that doesn't itself have onboard ethernet.
0
 
LVL 8

Author Comment

by:MrMintanet
Comment Utility
>> REMOVABLE USB WiFi to net -> IKE over VPN
Easy disposal of a MAC address is the benefit

As for the rest, thanks for the input.  Your answer really must have taken a great deal of time to write.  My strategy is not only to shut the user down, but give them opportunities to walk down the wrong road and waste their time as well.  I find that giving them a bit of direction down the wrong road is a great way to hold them off a bit longer.  

I am a complete novice to security, and I hardly consider myself a expert on the subject, but I do feel that my crazed setup would inevitably choke out and get disconnects constantly due to fragmented packets, MTU instability, and time outs.  Honestly, I had posted this configuration as a suggestion to a question regarding hard drive encryption.  I was being a bit daft about it, but at the same time, I thought it was interesting enough to post as a question in itself.

I am eager to see other people's thoughts on my crazed setup.
0
 
LVL 33

Expert Comment

by:Dave Howe
Comment Utility
using USB wifi instead of an onboard connection will only slow them down by seconds, if any - one simple packet capture from a wifi sniffer would give them the mac address, and mac addresses only matter for the local lan anyhow (no remote node knows or cares what your mac address is, its l2 information, not l3)

you won't have too many packet problems - all the packets are regenerated frequently when they pass though servers, other than the stream encapsulated in VPN - but hopping between different gui remote control protocols - vnc, rdp, pcanywhere, etc etc - causes no end of problems and is to be avoided. just hopping repeatedly and retaining one protocol (rdp say) can cause issues. really,  you want to have one gui session, and tunnel only tcp (so the following will work reliably:

IPSEC tunnel - remote site, carries SSH to lan server
SSH tunnel via lan server to unroutable network - connects to SSH endpoint2
SSH tunnel via SSH endpoint2 to VNC or RDP server
remote control session, via tunnel-in-tunnel-in-vpn to actual server that does the work.

the problem here is that the remote endnode itself is unaffected by the security of the access method - if you can get physical access, odds are good you can log onto either the endnode or (if its virtualized) its host environment directly, and access the screen that way. by making the security dependent on booting a truecrypt protected virtual machine, you can compartmentalize that security risk  - have the physical access route exposed *only* when the data is unlocked - but you can't eliminate it entirely. If you copy the file to local ram on the local endnode AND you can unlock them there - which for ms office documents means an install of ms office (so, better to have a 7z archive and just use rtf format so you can use open office from the live cd) then you could move the final exposure to the local endnode which you control, but that is not guaranteed to be any better than having a dedicated secure endnode on the final storage server you can use to view and update the files in situ.  Terminal endnode physical security is one of the two achillies heels of an extended cryptography chain - the other is "rubber hose cryptoanalysis" :)
0
 
LVL 8

Author Comment

by:MrMintanet
Comment Utility
The MAC address is also used as physical evidence in court.
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 
LVL 33

Expert Comment

by:Dave Howe
Comment Utility
that would be foolish - I frequently use COTS software that can fake a mac on wifi or wired ethernet in seconds, and most high-end nic drivers (for example, hp servers with dual nics) have that ability built into the normal installed version.  I can also throw *any* packet (with any source or destination MAC you choose) onto the LAN using a trivial to operate tool called "nemesis" - holding an actual conversation means changing the MAC on the NIC, using the aforementioned software, or writing my own code against the pcap libraries of course.

no competent prosecution expert would go into court with a mac address as "evidence" and expect it to survive against a competent defence expert.
0
 
LVL 34

Expert Comment

by:Michael-Best
Comment Utility
"Could you hack this setup?  Could anyone?"

Yes, anything digital can be hacked.
0
 
LVL 33

Expert Comment

by:Dave Howe
Comment Utility
In practical terms, a box is unhackable if it is faster and easier for the attacker to ship you and your loved ones to pakistan and torture you and them until you give them the key. once you reach that point, feel free to stop, as adding more code just makes it more likely they will get curious about what you want to hide so badly...
0
 
LVL 8

Author Closing Comment

by:MrMintanet
Comment Utility
I wish I could give more points than this.  Thank you very much for your help and professional insight.  Please ignore my "shadow" down near the bottom of the comments.  He's been trolling all of my questions.  If you ever wanted to chat outside of EE, my contact info:  ComputerIdioth AT gmail
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

#SSL #TLS #Citrix #HTTPS #PKI #Compliance #Certificate #Encryption #StoreFront #Web Interface #Citrix XenApp
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
This video discusses moving either the default database or any database to a new volume.
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now