I used to travel quite extensively around the country, and even had the opportunity to leave the country and go abroad. My laptop was always with me. As a result, I was very concerned for the integrity and safety of my data. As such, I took the necessary precautions that travelers can take when their laptops are with them. This post is hopefully informational should you decide to travel with your faithful friend (I call my laptop “Kratos”- the Greek God who always did Zeus’ will and bidding).
First, a disclaimer. This post is not meant to be a sure method for defeating attackers. Rule number one in computer security is that if an attacker has physical access to your machine, all bets as to data integrity and physical safety are off. However, than doesn’t mean that you can make the process so tedious and time consuming for the attacker, that he will likely not bother and move to another victim. This post is about those methods. If they’re going to attack you, why not at least make it challenging for them?
If you have the ability, this post requires wiping your disk by starting from scratch. So, if you have data on that disk, you should probably back that up first. If it’s a new laptop, and you’re not invested into the operating system, then maybe you don’t need to worry about it. Just realize, that from this point on, if you decide to “follow along” with your own equipment, this will wipe your data, and if you didn’t back up your data first, you’re the moron, not me.
Okay, with that out of the way, shall we continue?
Step One: Prepare your hard drive.
The goal of this step is to install an encrypted filesystem. So, before we do that, we need to do some preparation. In order to get to that point, you will need to write random or pseudorandom data to the entire disk. This will take some time. My experience has show that laptop drives usually operate around 30MBps, so if you have a 300GB drive, this will take you just under 3 hours. The reason for doing this is to confuse the attacker just exactly where the encrypted filesystems reside. If the entire disk is underlined with random or pseudorandom data (it doesn’t necessarily need to be cryptographically secure here), then when looking at the drive level, it will be practically improbable to determine where the encrypted filesystem starts and where it ends. If you skip this step, then it’s quite obvious, and rather than wast his time on the entire disk, the attacker can focus his efforts on just the obvious encrypted portions of the disk.
Now, some tools for installing encrypted filesystems will already have this step built in, such as the Debian installer, but some won’t. You’ll need to discover your vendor’s documentation to see if this is the case. I would say it doesn’t hurt to be safe, and take this step anyway, but it’s up to you.
There are many utilities for writing random or pseudorandom data to the drive. Probably the best tool will be DBAN, or Derik’s Boot and Nuke. This utility is generally used for destroying data, but in this case, we’ll use it for preparing data. Download the live CD, burn it, and reboot your machine. I would recommend selecting the “PRNG Stream” from the menu. This will normally write pseudorandom data to the disk 4 times. However, it shows a progress report on the number of passes, so after it completes its first pass, you can reboot. It’s important to note that selecting “Quick Erase” will do a single pass of zeros. This isn’t what we want. We’re trying to deter attackers by not giving them the boundaries of our encrypted filesystems. If you choose “Quick Erase”, then you’ll be clearly showing them where those boundaries exist. As tempting as it may be, don’t select it.
If you’re familiar with Linux live CDs, you can boot into a live environment, such as KNOPPIX, pull up a terminal and run the following, assuming the drive you’re preparing is “/dev/sda”:
dd if=/dev/urandom of=/dev/sda
The point is getting random or pseudorandom data down on the entire disk. However you accomplish that, is up to you.
After a few hours pass (depending on the size of your drive, and if you cancel the operation after a single pass of PRNG Stream), you are now ready to reboot into your operating system installer if it provides the ability to encrypt the filesystems, or into a separate utility for doing so.
Step Two: Set up volumes or partitions and encrypt
With the Debian installer, and most GNU/Linux installers, you can set up your partitions or logical volumes, then tell the installer to encrypt them, even with some options on the cryptography. When you’ve defined your filesystem boundaries (I’m not going to cover that here), and you’re ready to encrypt, you’ll inevitably be required to type in a username and passphrase. Some encryption utilities will use this passphrase as a seed for the encryption algorithm, so the stronger the passphrase, the stronger the seed, and this the more unlikely an attack will be successful on the filesystem. So, choose wisely and choose securely.
Step Three: Install the operating system
Whether it be Windows, Mac, Linux or whatever operating system that supports encrypted filesystems, you’re now ready to install it. Follow the operating system’s installer to the end, reebot, and make any additional final preparations to your computer before putting down the data. You should at this point be able to boot the computer, provide the necessary username and passphrase, and use your operating system as normal. If not, you’ll need to spend some time with your operating system’s documentation or encrypted filesystem documentation to get to that point. This post isn’t about that, so Google might be your friend here.
Okay, so now we have a usable operating system running on top of a fully encrypted drive. If we were to stop here, we wouldn’t make things very challenging for the attacker. We want to do that. So, we’re going to start adding some hurdles along the way. If the attacker has the stamina, then so be it. I’m guess that most attackers, when faced with each of these hurdles, likely won’t bother, and move to their next victim, rather than waste time trying to figure out how to get from Point A to Point B.
Step Four: Password protect your BIOS
This will vary widely on hardware, so consult your vendor’s documentation on how to boot into your laptop BIOS and set an administrator password. However, this functionality should be provided on most modern BIOSes. When found, go ahead and set the password. It can be whatever you want. I would recommend making it hard to guess, but it doesn’t really need to be on the same level as the encryption passphrase you provided earlier. Just don’t make it successful to a dictionary attack, and you should be good. Don’t reboot. Stay in your BIOS for the next step.
Step Five: Change your boot order to boot off the hard drive first
The reason for setting the administrator password in the BIOS was so we can tell the BIOS that we always want it booting from the hard drive first, rather than from the floppy, CDROM, network or USB. This step is necessary to hopefully avoid the Evil Maid attack, something I’ve already blogged about here. In summary, the Evil Maid attack is booting your computer from a USB or CDROM, replacing your bootloader by installing a custom bootloader with a keylogger, and powering down. Then, when you boot your machine, and enter the encryption passphrase, it gets stored on disk, or sent over the network to a remote server. After you leave your laptop a second time, the attacker comes back to your computer, boots off the hard drive, provides the newly discovered encryption credentials, and steals your data.
So, if your laptop is BIOS password protected to only boot from the hard drive, this is a good deterrent. Why? Well, in order to remove the password off the BIOS, so the attacker can boot from some other medium, they will need to disassemble the laptop to get to the motherboard, and flash the BIOS. This is easier said than done on laptops. Have you ever taken your laptop apart? I have. I’ve take apart both my old HP Pavilion and my current ThinkPad T61. They’re a royal pain, and extremely time consuming.
A good attacker will be paranoid for time. They don’t want to get caught. If it means spending 3 hours disassembling a laptop just to flash the BIOS, so they can install their custom bootloader and keylogger, chances are high he’ll move on to another victim. Now, that’s not to say that every attacker can’t do this, or they know they have the time, and your data is that valuable to them. Maybe the attacker is skilled at disassembling Dell, Lenovo and HP laptops, so it’s only a 30 minute inconvenience that he knows he can make. But, maybe not. At least this is a moderately challenging task, and I’d be willing to bet most attackers won’t bother.
Step Six: Physically lock down your laptop or take it with you
Again, just another deterrent, but locking your laptop down to a secure location could provide enough of a challenge to deter physical theft, should all efforts being made at getting to your data fail. After all, there is value in the hardware itself. EBAY is probably making a killing of such scenarios without knowing specifics. This doesn’t mean the attacker isn’t skilled at lock picking or doesn’t have a strong set of bolt cutters with them. However, if the time it takes to remove the laptop from the premises is a challenging effort, the attacker likely won’t bother, and move on.
With that said, I had my car broken into once. They were after my stereo. Thankfully, they were caught in the act, and found guilty in court of seven counts of theft and property damage, among other things. However, in the car before mine, they couldn’t successfully remove the deck from the dash. It was bolted down. So, out of frustration, they physically destroyed the deck and the dash. Not out of failing to remove it, but out of anger for not succeeding. Your laptop may fall victim to such physical damage.
So, if you can carry it with you, you probably should. When I was on the road, I took my laptop with me everywhere I went for fear of physical damage or theft. I would take it with me to dinner. I would take it with me to events. I would take it with me sight seeing. I was paranoid. Sure, I run the risk of damage while traveling with it, but I know how to treat my bag carrying the laptop. At least then I’m somewhat in control. Further, an attacker can’t attack what isn’t there. But, when I couldn’t take it with me, I would lock it down securely, and hope it remained in tact when I returned.
Step Seven: Remove the data and/or encrypt it a second time
Many operating systems support encrypting directories and files on top of the filesystem itself. This means you can have an encrypted directory in your home folder, where the valuable data resides. Should the attacker successfully get access to your encrypted filesystem, if you chose a different passphrase for your encrypted directory, hopefully, they won’t get access to that.
But, keeping that sort of sensitive data on the drive might not be wise, even if it is encrypted. So, it would be best to have that data on an encrypted USB disk. Your only concern should be making sure you don’t lose that drive. Even if it’s not stolen data, lost data still sucks. Backups here help.
At my place of employment, we’re developing a virtualization solution where all the developers will have virtual desktops in our datacenter. The idea is to keep the data off of the developer’s laptop. So, when they login to their laptop, they then must login to the VPN, then use RDP or SPICE (yeah, we’re deploying RHEV) to login to their remote desktop, and work from there. At this point, the laptop becomes a mere dummy terminal, not storing a single piece of data- even email. There are concerns, like if the developer doesn’t have Internet access, or if the datacenter is compromised, but from a traveling perspective, keeping the data off of the traveling laptop is a net win. Some hotels might have crappy WIFI, but at least security has come first, and the data is safe.
Appendix A: Learn how to remove and restore your bootloader
This is a crucial skill, I think. It doesn’t really fit into the above steps per se, so I’ve added it as an appendix. The idea is simple. When traveling from another country to the United States, the Department of Homeland Security thinks it’s fun to ignore the Constitution, and seize and search your laptop without a warrant. Bruce Scheier has covered this extensively, so I’ll let you read up on his posts about the topic. If you’re running an encrypted filesystem, they can detain you until you provide them with the passphrase, at which point they can then image your drive, keeping your data. This is wrong on so many levels, but you have a good deterrent- wipe your bootloader before landing.
When I traveled to Canada for training, I was already aware of the DHS doing this at customs. So, before being required to turn off my laptop during landing, I wiped the bootloader, and prepared a script in my mind should the DHS want my to power on my laptop. I was resolved that I wouldn’t lie, as that would be perjury, but I would dance around the issue as best I could. The script would go something like this:
Agent: Can you power on your laptop please?
Me: Sure, but while on the road, something happened, and it will no longer boot. It says it’s missing an operating system. I’m hoping to get it fixed when I get back to the office.
Agent: Will you power it on anyway please?
(I power on the computer, at which point, it behaves exactly as described.)
Agent: Okay, thank you. Carry on.
When I was returning from my Canada trip, and passing through customs, the agent asked me to remove the laptop from my bag and open it. I was already prepared with a removed bootloader, and my heart was racing to go through the script. When I opened the laptop, we proceeded to swipe it looking for traces of explosives. When he was satisfied, he said thank you, I put the laptop back in my bag, and was on my way. I was a bit bummed that I didn’t get to defeat the DHS at their own game, but was relieved at the same time that I didn’t miss my flight home.
After I was on US soil, I boot off a rescue CD, and restored my bootloader, and was able to boot back into my Debian install without trouble. This takes some practice and know-how, but I think it’s really quite worth it should that scenario ever present itself. Of course, who knows what would happen? Maybe I would be detained until they could fix the problem with my laptop, at which point, I would still be required to turn over the passphrase, and they image the disk. Who knows? Still worth a shot, and it’s easy to do, if you know what you’re doing. Just don’t lie.
Appendix B: Stay with your belongings through metal detectors
Again, this is something that doesn’t really fit in the steps above, so it’s in the appendix as well. When you are entering an airport, and your belongings have to go through XRAY, there is an attack to steal laptops that is rather trivial and easy to setup. All it requires is three people- two attackers and the victim.
The attackers find a victim with a laptop (or bag obviously carrying a laptop) they want. They both position themselves immediately in front of the victim when standing in line to go through security. By the time the first attacker reaches the metal detector, the victim has likely placed their personal belongings on the belt to go through the XRAY machine. The first attacker goes through the metal detector without a problem. He waits at the end of the conveyor belt to get his belongings as well as snatch the laptop. The second attacker, however, causes problems going through. Every time he attempts to go through, something in his pockets, or otherwise, causes the detector to go off. Now, generally, it only takes 2 or 3 attempts before the agent will just get his magic want, and swipe him down from head to foot. But, two to three attempts is all the time that is needed for the victim’s bag or laptop to go through XRAY, at which point the first attacker takes the computer, and disappears into the crowd before the victim even had an opportunity to get through. It’s sneaky, it’s effective, it’s fast and it’s clean. Further, TSA isn’t keeping track of who’s belongings belong to who. For all they know, that was their laptop, not yours.
How do you avoid this attack? When I traveled, I stood at the XRAY machine with my hand on my laptop bin, and I sent it through the same time I went through. I never gave it a chance to get ahead of me. This would slow down the line a bit sometimes. In fact, I would let people go ahead of me while I waited. I took no chances. I’ll go through metal detection faster than my laptop will go through XRAY, so I can wait for it to come down the belt right into my own hands. It requires a bit of patience and stubbornness, but I think it’s worth it. You’ll likely not bump into the cranky people behind you again, so no biggie.
So, there you have it. Those are the procedures and steps I would take when traveling with my laptop. I would recommend the same to you. Really, it boils down to determination, knowledge and a bit of luck. You can avoid the worst if you are sufficiently paranoid. There’s nothing wrong with taking the extra precautions to protect your data and your laptop from theft or damage. Of course, these steps aren’t bullet proof, and everything comes at a cost. There might be a slight inconvenience to the traveler to jump through some of these hoops. But, what is it worth? If the cost of the inconvenience outweighs the cost of the data, then some or all of these steps might not be necessary. If the cost of the data outweighs the cost of the inconvenience, then I would say stick to each step religiously. That’s just me.