By Brandon Ching
On July 25th, 2008
News that our US Customs agents can stop and look through a person’s laptop and digital devices when they enter the country happened to hit me very late. Only yesterday did I actually read an article explaining this gross violation of privacy, US citizen or not. While I would love to go off on the legal, constitutional, and ethical shortcomings of a policy such as this, I promised my editors (read: bosses) I would try to provide a bit more of an upside with my rants, instead of just straight ranting.
Thus I am here today to offer a few recommendations for those of us that still believe in the right to individual privacy. (And a few that might get you into trouble on your next time at the airport.)
As a certified GIAC Computer Forensic Analyst, I have a bit of experience in the methods used by law enforcement to collect and process digital evidence. Thus, here is a list of 10 things that you can do to keep your data protected when either crossing the Gestapo-controlled borders of our fine country or sitting in your home office with a warm mug of hot chocolate:
1. Encrypt Your Data
Yes, this one may seem obvious, but I am constantly amazed at how many people do not encrypt their data or encrypt it in a less-than-ideal manner. There is (currently) no practical way to get at data inside a well-encrypted archive (say, AES with a 128- or 256-bit key) by attacking the cipher itself. What gets attacked is the passphrase: the cipher can be as strong as you like, but if the password is “fluffy1” the whole scheme is gone in an afternoon. With that in mind, I would still recommend a tiered approach to data encryption:
Your first and most broad layer of protection should be at the system or hardware level. This type of encryption is implemented by either the operating system or the hard disk hardware itself. In general, this type of protection is very good. Most current major OS’s either include, or offer as an add-on, the ability to encrypt your drive. Vista Ultimate and Enterprise ship BitLocker for the whole system volume; OS X’s FileVault (as of Leopard) encrypts only your home folder, so anything outside it (swap, temp files, other accounts) stays in the clear. Third-party packages like TrueCrypt offer whole-disk system encryption on Windows and encrypted volumes on Windows, Linux and OS X.
Many hard drive manufacturers now also offer hardware-based encryption of their drives (so-called self-encrypting drives). How’s this work? Well, every read and write passes through an encryption chip in the drive’s own controller, using a key that lives inside the drive. Thus, nothing can ever reach the platters unencrypted: not a temp file, not the swap file, nothing.
However, keep in mind that both of these methods, while easy to implement, have some downfalls: In order for an OS-level encryption scheme to work seamlessly, the encryption key must be readily available for use. Otherwise, the system would constantly ask you for your password for every file you wish to modify, add, delete or move. How does the OS get around this? It keeps the encryption key in memory for as long as the machine is up, and “up” includes sleep mode and a locked screen. To try it yourself, do a memory dump and parse it for your entire key…it will be there. If you can find it, so can the fuzz (usually). And it gets worse: the cold-boot research published earlier this year showed that DRAM holds its contents for seconds to minutes after the power is cut, long enough to reboot into a tiny imaging tool or move the chips to another machine and read the key out. The practical upshot is that the key is only really gone once the machine has been fully shut down for a while. (Consider, this is also the method used successfully by hackers breaking HD-DVD and Blu-Ray encryption: they pulled the title keys out of the memory of a running software player.)
As far as hardware encryption is concerned, I don’t entirely trust it. There are a number of recorded instances where the government has successfully “requested” private entities to build in backdoor access to systems it deemed important. Thus, I’m inclined not to fully trust the claims of the manufacturers. The deeper problem is that you can’t check: the firmware is closed, nobody outside the vendor can audit how the drive turns your password into the disk key or where that key is stored, and a backdoor would look exactly like a working product. TrueCrypt’s source, by contrast, is there for anyone to read. (If your whole-drive encryption scheme was backdoored for the government, would you advertise that a vulnerability existed?) For casual, non-the-feds-have-confiscated-my-shit use, this is a good option. But we’re trying to beat the feds here.
The next layer of protection would be individual file encryption for your most sensitive files. Programs like GPG, PGP, TrueCrypt and a multitude of others offer solid encryption. Most of these programs will also let you create encrypted “drives” (container files) or self-extracting archives that hold many files and can be dropped on a USB stick or moved around quite easily. Also, your hard disk key and file-level key must be different, which in practice means different passphrases: if the disk passphrase gets pulled out of RAM, the container should not open with it. (Using a different cipher for each layer is optional; the separate passphrase is what matters.)
I have read a number of threads where people recommend file-level passwords to protect their content. Here’s the story there: a “password” on a document only means something if it is the key to real encryption, with a cipher and a key-stretching step that hold up. In general, the password protection built into older PDF, Word, ZIP and similar formats is a waste of time. The classic ZIP stream cipher, 40-bit RC4 in old PDF and Office files, and friends are either broken outright or let a cracker test millions of guesses a second, and the cracking tools are a quick Google search away for even casual users. A modern format with a proper cipher (AES in 7-Zip or WinZip, or a GPG-encrypted file) behind a long passphrase is a different animal. It’s the weak scheme plus the short password that makes these protections useless, not the presence of a password as such.
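Here is what the file-level layer looks like on the command line with GPG’s symmetric (passphrase) mode. This is an added example, not code from the original post: two small shell functions wrap gpg with AES-256 and slow passphrase-to-key stretching (the s2k options), and a check routine encrypts a constructed sample file, confirms the plaintext is not visible in the output, confirms a wrong passphrase is rejected, and decrypts it back. It assumes gpg 2.1 or later (for --pinentry-mode loopback). The file names, sample text and both passphrases are made up for the demonstration; the passphrase is fed on stdin rather than on the command line so it never shows up in the process list or your shell history.

```shell
#!/bin/sh
# File-level encryption with GPG in symmetric (passphrase) mode.
# Added example, not from the original post. Requires gpg 2.1 or later.

# encrypt_file <plain> <out.gpg>    (passphrase read from stdin)
encrypt_file() {
    gpg --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --symmetric --cipher-algo AES256 \
        --s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65011712 \
        --output "$2" "$1"
}

# decrypt_file <in.gpg> <plain>     (passphrase read from stdin)
decrypt_file() {
    gpg --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --output "$2" --decrypt "$1"
}

# roundtrip_check: exercise the two functions inside a throwaway GNUPGHOME
# so nothing touches your real keyring. Returns 0 when everything behaves.
roundtrip_check() {
    tmp=$(mktemp -d) || return 1
    mkdir -m 700 "$tmp/gnupg" || return 1
    export GNUPGHOME="$tmp/gnupg"

    # constructed sample data and passphrases (demonstration values only)
    printf 'account numbers, passport scan, the usual\n' > "$tmp/secrets.txt"
    good='correct horse battery staple 2008'
    bad='password1'

    printf '%s\n' "$good" | encrypt_file "$tmp/secrets.txt" "$tmp/secrets.txt.gpg" || return 1
    # the ciphertext must not contain the plaintext
    grep -q 'passport' "$tmp/secrets.txt.gpg" && return 1
    # the wrong passphrase must fail ...
    printf '%s\n' "$bad" | decrypt_file "$tmp/secrets.txt.gpg" "$tmp/wrong.txt" 2>/dev/null && return 1
    # ... and the right one must give back identical bytes
    printf '%s\n' "$good" | decrypt_file "$tmp/secrets.txt.gpg" "$tmp/back.txt" || return 1
    cmp -s "$tmp/secrets.txt" "$tmp/back.txt" || return 1

    gpgconf --kill gpg-agent 2>/dev/null || true
    unset GNUPGHOME
    rm -rf "$tmp"
    return 0
}

# Usage from a shell:  printf '%s\n' "$pass" | encrypt_file taxes.pdf taxes.pdf.gpg
```

The s2k-count value is the largest gpg accepts; it makes each passphrase guess cost a noticeable fraction of a second, which is exactly what you want when the attacker has the file and unlimited time. Use a passphrase for this layer that is unrelated to your disk passphrase, and remember that the plaintext you decrypt lands on the disk (or in memory) in the clear until you shred it.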
2. Frequent Free Space Drive Wipes
Most encryption packages also include a method to “wipe” your drive. This is important since we all know that “delete” really doesn’t mean delete. (When you delete a file, the OS just marks that space as “writable” and removes the file’s listing from the file system. It’s still highly recoverable, though.)
A free space wipe forces your hard drive to write either a fixed pattern or a random stream of 1s and 0s to all the areas of your drive designated as free space by your OS. (Or basically, over the files you’ve deleted.) If you are using an encryption software package, you may find that there are all kinds of crazy options for drive wiping including impressive titles like, “NSA level data protection, blah, blah, blah” that wipe your drive 7+ times. It’s generally a waste of time: a single pass of random data is all you need on a modern magnetic disk. But if you want to feel extra safe, go ahead and run a few more passes over it. One caveat that matters more every year: on flash-based drives (SSDs, USB sticks, memory cards) the controller’s wear leveling decides which physical cells a write actually lands on, so a free-space wipe can run to completion and never touch the cells holding your old data. The dependable answer there is to have had the drive encrypted from day one, so that whatever is left behind is ciphertext.
3. Setting Your Browser To Automatically Clear Its Cache & Cookies on Close
I know this one is a pain in the ass since you end up losing all of your logins and such but it makes clearing your internet trail automatic and fast. It would suck if your friend quickly jumped on your computer only to see all the S&M sites in your history from the other day that you forgot to clear. Unless that’s your thing. And maybe their thing. And then you guys could, you know, discuss it. As men do.
It’s a judgment call if this level of protection is worth it for you. At the very least, you need to make sure you follow my next tip and:
4. Password-Protect Your Screen Saver
This one may be a bit annoying, but it’s nowhere near as frustrating as clearing your browser cache can be. And it’s probably the most important thing you can do to protect your data after encrypting your drive. This one’s simple: tell the screen saver to demand your password on wake. On XP it’s the “On resume, password protect” box under Display Properties > Screen Saver; on Vista it’s “On resume, display logon screen” under Personalization > Screen Saver; on OSX it’s “Require password to wake this computer from sleep or screen saver” in the Security pane of System Preferences.
Also, get in the habit of locking your screen ANYTIME you leave your desk. It may not seem like much, but from a Five-O investigative perspective, this is a serious pain in the ass. The reason being, if you encrypted your drive like you should, then the investigator has no choice but to pull the plug on your system since they cannot do a live forensic duplication. However, when they later proceed with the duplication after seizing your drive, they will find the drive is encrypted AND they will have lost the volatile evidence in memory. Thus, they will get NOTHING! Well, nothing if they’re sloppy. A prepared examiner won’t pull the plug: a locked, running machine can have its RAM (disk key included) read out over a FireWire port by DMA without ever touching the login screen, and the cold-boot work from earlier this year shows that even cutting the power leaves the key readable in DRAM for a little while. So the lock is your defence against the casual snoop and the opportunist; against anyone with a lab, the machine needs to be fully shut down, not locked and not asleep, before it leaves your hands.
Don’t forget to use strong passwords or passphrases. Be clever: pick a line in a song you really like and use the first letter of each word. Better if it has a number. Better still, for the disk and container passphrases (which an attacker can grind on offline for as long as they like) use the whole line: a dozen words with a number and some punctuation is far harder to crack than an eight-letter acronym and no harder to remember. And don’t write your passwords down.
5. Always Wipe the Entire Drive When Giving Away a System or Drive
Again, this should be obvious but it bears repeating: formatting does not overwrite the data on the drive, it simply erases the references to it. The best method to wipe an entire drive is to attach that drive to another system (or boot the machine from a live CD built for the job, such as DBAN) and overwrite every sector from there, since a drive can’t reliably wipe itself while an OS is running off it. There are many people out there who buy drives or old systems for the sole purpose of analyzing them for the previous owner’s personal data. We did this as part of my CF training. Fortunately, we didn’t do anything with the private data, but this represents a huge vector for identity theft. If you’re simply tossing a hard drive instead of donating it, go the extra mile: Wipe the drive and then drill several holes straight through it.
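Two items in this list, the free-space wipe (item 2) and the whole-drive wipe before a disk leaves your hands (this item), boil down to the same move: overwrite the blocks with random data yourself instead of trusting delete or format. Here is that done with nothing but coreutils, as an added example that is neither the post’s own code nor any product’s. `wipe_free_space` fills a volume with random bytes and then deletes the filler, `shred_file` overwrites a single file in place before unlinking it, and `wipe_device` is the whole-drive version with a dry run by default and a refusal to touch anything that is mounted or not a block device. The optional MiB cap on the free-space wipe exists so you can try it without actually filling your disk; it assumes Linux (/dev/urandom, /proc/mounts), and the file names and sample data are constructed for the example.

```shell
#!/bin/sh
# Free-space wipe, file shredding and whole-device wipe with plain coreutils.
# Added example, not from the original post. Assumes Linux.

# wipe_free_space <dir-on-the-volume> [cap_in_MiB]
# Fills the volume holding <dir> with random data, syncs, then deletes the
# filler, so every block the filesystem considered free has been overwritten
# once. With a cap it stops after that many MiB (a dry run that won't fill
# your disk). Prints the number of bytes written.
wipe_free_space() {
    dir=$1; cap=$2
    filler="$dir/.wipe.$$"
    if [ -n "$cap" ]; then
        head -c "$((cap * 1024 * 1024))" /dev/urandom > "$filler"
    else
        cat /dev/urandom > "$filler" 2>/dev/null || true   # ends at ENOSPC
    fi
    sync
    wc -c < "$filler" | tr -d ' '
    rm -f "$filler"
}

# shred_file <file>
# Overwrites the file in place with random bytes of the same length, syncs,
# then unlinks it. Prints the number of bytes overwritten.
shred_file() {
    f=$1
    size=$(wc -c < "$f" | tr -d ' ')
    # conv=notrunc rewrites the blocks the file already owns; truncating first
    # would hand the old blocks back to the allocator untouched
    head -c "$size" /dev/urandom | dd of="$f" bs=4096 conv=notrunc 2>/dev/null
    sync
    rm -f "$f"
    echo "$size"
}

# wipe_device <block-device> [--really]
# Whole-drive wipe for a disk you are giving away. Without --really it only
# prints the command it would run, so you can see which device is about to
# be destroyed before you commit. Refuses non-block devices and anything
# that (or whose partitions) appear in /proc/mounts.
wipe_device() {
    dev=$1; confirm=$2
    cmd="dd if=/dev/urandom of=$dev bs=4M"
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    if grep -qs "^$dev" /proc/mounts; then
        echo "refusing: $dev (or a partition of it) is mounted" >&2
        return 1
    fi
    if [ "$confirm" != "--really" ]; then
        echo "dry run: $cmd"
        return 0
    fi
    $cmd 2>/dev/null || true   # dd stops with "No space left" at the end of the disk
    sync
}

# Usage:  wipe_free_space /home          (full wipe of the /home volume)
#         shred_file ~/taxes-2007.pdf
#         wipe_device /dev/sdb           (dry run; add --really to do it)
```

Two things to keep in mind when you run this for real. In-place overwriting only reaches the blocks the filesystem hands you: a journaling or copy-on-write filesystem may have written the old contents elsewhere first, and a flash drive’s wear leveling may redirect the overwrite to fresh cells entirely, which is why item 1 (encrypt from the start) is the fix that actually holds. And a single random pass over a few hundred gigabytes through dd takes hours, so start the whole-device wipe well before the buyer shows up.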
Other, Less Savory Data Protection Practices…
All that said, I’ve gone ahead and brainstormed a few ways to give your friendly customs agent a bit of a hazard at getting to your data. Try these at your own risk:
Remove the hard drive and mail it home. When customs tries to start the laptop and it won’t boot, tell them it’s idiot proof. (Expect a pistol-whipping or a tasing here.)
Leave your computer in sleep mode but take a screen shot of your desktop (with incriminating filenames on the desktop) and make that the background of the login screen. See how many mouse clicks and keystrokes it takes them to figure out that their actions aren’t really doing anything. (Vista doesn’t display your desktop wallpaper when your system is locked, but there are ways to customize your login screen for fun as well. And yes, a sleeping machine still has its disk key sitting in RAM, which tip 1 told you not to allow; this section is for laughs, not for your actual border crossing.)
Pop the keys off the keyboard and move them around to different positions. (Or just use Dvorak.) When they ask for your password, give them a random string and watch as they try to figure it out.
Mail your real laptop home and/or bring a fake/broken laptop. (If you happen to have one on hand. Clearly, we’re being a bit tongue-in-cheek here.) Before you leave, epoxy the lid closed and see how long it takes them to get the lid open. When they ask you how to open it, explain that they have to say a Harry Potter spell to open the laptop. (Expect a tasing here, too.)
When it still doesn’t open, tell them you left your wand at home. Or that you just use the battery compartment to store your cocaine. Customs agents are renowned for their wonderful sense of humor.