sen-material: comparison Airgaps-Schneier

equal deleted inserted replaced

-:fdd0c7fa1b65
+:279fa5a06231
+Air Gaps
+Since I started working with Snowden's documents, I have been using a
+number of tools to try to stay secure from the NSA. The advice I shared
+included using Tor, preferring certain cryptography over others, and
+using public-domain encryption wherever possible.
+I also recommended using an air gap, which physically isolates a
+computer or local network of computers from the Internet. (The name
+comes from the literal gap of air between the computer and the Internet;
+the word predates wireless networks.)
+But this is more complicated than it sounds, and requires explanation.
+Since we know that computers connected to the Internet are vulnerable to
+outside hacking, an air gap should protect against those attacks. There
+are a lot of systems that use -- or should use -- air gaps: classified
+military networks, nuclear power plant controls, medical equipment,
+avionics, and so on.
+Osama Bin Laden used one. I hope human rights organizations in
+repressive countries are doing the same.
+Air gaps might be conceptually simple, but they're hard to maintain in
+practice. The truth is that nobody wants a computer that never receives
+files from the Internet and never sends files out into the Internet.
+What they want is a computer that's not directly connected to the
+Internet, albeit with some secure way of moving files on and off.
+But every time a file moves back or forth, there's the potential for attack.
+And air gaps *have* been breached. Stuxnet was a US and Israeli
+military-grade piece of malware that attacked the Natanz nuclear plant
+in Iran. It successfully jumped the air gap and penetrated the Natanz
+network. Another piece of malware named agent.btz, probably Chinese in
+origin, successfully jumped the air gap protecting US military networks.
+These attacks work by exploiting security vulnerabilities in the
+removable media used to transfer files on and off the air-gapped computers.
+Since working with Snowden's NSA files, I have tried to maintain a
+single air-gapped computer. It turned out to be harder than I expected,
+and I have ten rules for anyone trying to do the same:
+1. When you set up your computer, connect it to the Internet as little
+as possible. It's impossible to completely avoid connecting the computer
+to the Internet, but try to configure it all at once and as anonymously
+as possible. I purchased my computer off-the-shelf in a big box store,
+then went to a friend's network and downloaded everything I needed in a
+single session. (The ultra-paranoid way to do this is to buy two
+identical computers, configure one using the above method, upload the
+results to a cloud-based anti-virus checker, and transfer the results of
+*that* to the air gap machine using a one-way process.)
+2. Install the minimum software set you need to do your job, and disable
+all operating system services that you won't need. The less software you
+install, the less an attacker has available to exploit. I downloaded and
+installed OpenOffice, a PDF reader, a text editor, TrueCrypt, and
+BleachBit. That's all. (No, I don't have any inside knowledge about
+TrueCrypt, and there's a lot about it that makes me suspicious. But for
+Windows full-disk encryption it's that, Microsoft's BitLocker, or
+Symantec's PGPDisk -- and I am more worried about large US corporations
+being pressured by the NSA than I am about TrueCrypt.)
+3. Once you have your computer configured, never directly connect it to
+the Internet again. Consider physically disabling the wireless
+capability, so it doesn't get turned on by accident.
+4. If you need to install new software, download it anonymously from a
+random network, put it on some removable media, and then manually
+transfer it to the air-gapped computer. This is by no means perfect, but
+it's an attempt to make it harder for the attacker to target your computer.
+5. Turn off all autorun features. This should be standard practice for
+all the computers you own, but it's especially important for an
+air-gapped computer. Agent.btz used autorun to infect US military computers.
+6. Minimize the amount of executable code you move onto the air-gapped
+computer. Text files are best. Microsoft Office files and PDFs are more
+dangerous, since they might have embedded macros. Turn off all macro
+capabilities you can on the air-gapped computer. Don't worry too much
+about patching your system; in general, the risk of the executable code
+is worse than the risk of not having your patches up to date. You're not
+on the Internet, after all.
+7. Only use trusted media to move files on and off air-gapped computers.
+A USB stick you purchase from a store is safer than one given to you by
+someone you don't know -- or one you find in a parking lot.
+8. For file transfer, a writable optical disk (CD or DVD) is safer than
+a USB stick. Malware can silently write data to a USB stick, but it
+can't spin the CD-R up to 1000 rpm without your noticing. This means
+that the malware can only write to the disk when you write to the disk.
+You can also verify how much data has been written to the CD by
+physically checking the back of it. If you've only written one file, but
+it looks like three-quarters of the CD was burned, you have a problem.
+Note: the first company to market a USB stick with a light that
+indicates a write operation -- not read *or* write; I've got one of
+those -- wins a prize.
+9. When moving files on and off your air-gapped computer, use the
+absolute smallest storage device you can. And fill up the entire device
+with random files. If an air-gapped computer is compromised, the malware
+is going to try to sneak data off it using that media. While malware can
+easily hide stolen files from you, it can't break the laws of physics.
+So if you use a tiny transfer device, it can only steal a very small
+amount of data at a time. If you use a large device, it can take that
+much more. Business-card-sized mini-CDs can have capacity as low as 30
+MB. I still see 1-GB USB sticks for sale.
+10. Consider encrypting everything you move on and off the air-gapped
+computer. Sometimes you'll be moving public files and it won't matter,
+but sometimes you won't be, and it will. And if you're using optical
+media, those disks will be impossible to erase. Strong encryption solves
+these problems. And don't forget to encrypt the computer as well;
+whole-disk encryption is the best.
+One thing I didn't do, although it's worth considering, is use a
+stateless operating system like Tails. You can configure Tails with a
+persistent volume to save your data, but no operating system changes are
+ever saved. Booting Tails from a read-only DVD -- you can keep your data
+on an encrypted USB stick -- is even more secure. Of course, this is not
+foolproof, but it greatly reduces the potential avenues for attack.
+Yes, all this is advice for the paranoid. And it's probably impossible
+to enforce for any network more complicated than a single computer with
+a single user. But if you're thinking about setting up an air-gapped
+computer, you already believe that some very powerful attackers are
+after you personally. If you're going to use an air gap, use it properly.
+Of course you can take things further. I have met people who have
+physically removed the camera, microphone, and wireless capability
+altogether. But that's too much paranoia for me right now.
+Yes, I am ignoring TEMPEST attacks.  I am also ignoring black bag
+attacks against my home.
+My previous advice:
+https://www.schneier.com/essay-450.html
+Bin Laden had an air gap:
+https://www.schneier.com/blog/archives/2011/05/bin_laden_maint.html
+agent.btz:
+http://www.washingtonpost.com/national/national-security/cyber-intruder-sparks-response-debate/2011/12/06/gIQAxLuFgO_story.html
+or http://tinyurl.com/cjqxphd
+TrueCrypt:
+http://www.truecrypt.org/
+BleachBit:
+http://bleachbit.sourceforge.net/
+People plugging in found USB drives:
+https://www.schneier.com/blog/archives/2012/07/dropped_usb_sti.html
+Tails:
+https://tails.boum.org/