Air Gaps
Since I started working with Snowden's documents, I have been using a
number of tools to try to stay secure from the NSA. The advice I shared
included using Tor, preferring certain cryptography over others, and
using public-domain encryption wherever possible.

I also recommended using an air gap, which physically isolates a
computer or local network of computers from the Internet. (The name
comes from the literal gap of air between the computer and the Internet;
the word predates wireless networks.)

But this is more complicated than it sounds, and requires explanation.
Since we know that computers connected to the Internet are vulnerable to
outside hacking, an air gap should protect against those attacks. There
are a lot of systems that use -- or should use -- air gaps: classified
military networks, nuclear power plant controls, medical equipment,
avionics, and so on.

Osama Bin Laden used one. I hope human rights organizations in
repressive countries are doing the same.

Air gaps might be conceptually simple, but they're hard to maintain in
practice. The truth is that nobody wants a computer that never receives
files from the Internet and never sends files out into the Internet.
What they want is a computer that's not directly connected to the
Internet, albeit with some secure way of moving files on and off.
But every time a file moves back or forth, there's the potential for attack.

And air gaps *have* been breached. Stuxnet was a US and Israeli
military-grade piece of malware that attacked the Natanz nuclear plant
in Iran. It successfully jumped the air gap and penetrated the Natanz
network. Another piece of malware named agent.btz, probably Chinese in
origin, successfully jumped the air gap protecting US military networks.
These attacks work by exploiting security vulnerabilities in the
removable media used to transfer files on and off the air-gapped computers.

Since working with Snowden's NSA files, I have tried to maintain a
single air-gapped computer. It turned out to be harder than I expected,
and I have ten rules for anyone trying to do the same:

1. When you set up your computer, connect it to the Internet as little
as possible. It's impossible to completely avoid connecting the computer
to the Internet, but try to configure it all at once and as anonymously
as possible. I purchased my computer off-the-shelf in a big box store,
then went to a friend's network and downloaded everything I needed in a
single session. (The ultra-paranoid way to do this is to buy two
identical computers, configure one using the above method, upload the
results to a cloud-based anti-virus checker, and transfer the results of
*that* to the air gap machine using a one-way process.)

2. Install the minimum software set you need to do your job, and disable
all operating system services that you won't need. The less software you
install, the less an attacker has available to exploit. I downloaded and
installed OpenOffice, a PDF reader, a text editor, TrueCrypt, and
BleachBit. That's all. (No, I don't have any inside knowledge about
TrueCrypt, and there's a lot about it that makes me suspicious. But for
Windows full-disk encryption it's that, Microsoft's BitLocker, or
Symantec's PGPDisk -- and I am more worried about large US corporations
being pressured by the NSA than I am about TrueCrypt.)

3. Once you have your computer configured, never directly connect it to
the Internet again. Consider physically disabling the wireless
capability, so it doesn't get turned on by accident.

4. If you need to install new software, download it anonymously from a
random network, put it on some removable media, and then manually
transfer it to the air-gapped computer. This is by no means perfect, but
it's an attempt to make it harder for the attacker to target your computer.

5. Turn off all autorun features. This should be standard practice for
all the computers you own, but it's especially important for an
air-gapped computer. Agent.btz used autorun to infect US military computers.

6. Minimize the amount of executable code you move onto the air-gapped
computer. Text files are best. Microsoft Office files and PDFs are more
dangerous, since they might have embedded macros. Turn off all macro
capabilities you can on the air-gapped computer. Don't worry too much
about patching your system; in general, the risk of the executable code
is worse than the risk of not having your patches up to date. You're not
on the Internet, after all.

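As an added example that is not part of this essay, the screening step
behind rule 6 can be made mechanical. The following Python script accepts
plain text, rejects anything that starts with a native executable header
whatever its extension, and turns back Office documents that contain a
VBA project and PDFs that carry script or launch keys. The allowed
extensions, the PDF keyword list and the constructed sample files built
by demo() are assumptions for the example.

```python
"""Screen files before carrying them onto an air-gapped machine.

Added example, not part of the essay: an allowlist screener that prefers
plain text, rejects native executables whatever their extension, and turns
back Office documents and PDFs that carry active content (VBA projects,
PDF JavaScript or launch actions), in the spirit of rule 6. The allowed
extensions and the keyword list are illustrative assumptions.
"""
import os
import re
import tempfile
import zipfile

# Assumed policy: plain-text formats cross the gap without inspection.
TEXT_EXTENSIONS = {".txt", ".md", ".csv"}
# Assumed policy: these document formats are inspected first.
OOXML_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".docm", ".xlsm", ".pptm"}
PDF_EXTENSIONS = {".pdf"}
# Legacy OLE2 Office files cannot be inspected with the standard library alone.
LEGACY_OFFICE_EXTENSIONS = {".doc", ".xls", ".ppt"}

# Leading bytes of PE, ELF and 64-bit Mach-O executables.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe")

# PDF dictionary keys that introduce scripts, launches or embedded payloads.
# A raw scan misses keys hidden inside compressed object streams, so treat
# this as a first filter, not proof that a PDF is inert.
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|EmbeddedFile)\b")


def _has_executable_magic(path):
    with open(path, "rb") as fh:
        head = fh.read(4)
    return any(head.startswith(magic) for magic in EXECUTABLE_MAGIC)


def _ooxml_has_vba(path):
    # Macro-enabled OOXML files store the VBA project as vbaProject.bin
    # inside the zip container (under word/, xl/ or ppt/).
    with zipfile.ZipFile(path) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def screen_file(path):
    """Return ("allow", reason) or ("reject", reason) for one file."""
    ext = os.path.splitext(path)[1].lower()
    if _has_executable_magic(path):
        return "reject", "native executable header, regardless of extension"
    if ext in TEXT_EXTENSIONS:
        return "allow", "plain text"
    if ext in LEGACY_OFFICE_EXTENSIONS:
        return "reject", "legacy binary Office file cannot be inspected"
    if ext in OOXML_EXTENSIONS:
        if not zipfile.is_zipfile(path):
            return "reject", "not a valid OOXML container"
        if _ooxml_has_vba(path):
            return "reject", "Office document contains a VBA project"
        return "allow", "Office document without macros"
    if ext in PDF_EXTENSIONS:
        with open(path, "rb") as fh:
            hit = PDF_ACTIVE.search(fh.read())
        if hit:
            return "reject", "PDF carries active content: " + hit.group(0).decode()
        return "allow", "PDF without active-content keys"
    return "reject", "extension not on the allowlist"


def screen_directory(root):
    """Screen every regular file under root: {relative path: (verdict, reason)}."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = screen_file(full)
    return results


def demo():
    """Build a constructed staging folder and screen it; returns the verdicts."""
    root = tempfile.mkdtemp(prefix="airgap-staging-")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"meeting notes, plain text\n")
    with open(os.path.join(root, "tool.txt"), "wb") as fh:
        fh.write(b"MZ\x90\x00" + b"\x00" * 60)        # executable renamed to .txt
    with zipfile.ZipFile(os.path.join(root, "memo.docx"), "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
    with zipfile.ZipFile(os.path.join(root, "macro.docm"), "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00constructed\x00")
    with open(os.path.join(root, "plain.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n")
    with open(os.path.join(root, "form.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n")
    return screen_directory(root)


if __name__ == "__main__":
    for name, (verdict, reason) in sorted(demo().items()):
        print(f"{verdict:6} {name:12} {reason}")
```

Run it on a staging folder before anything is copied to removable media;
whatever it rejects stays behind. The PDF check is a raw keyword scan, so
a document that keeps those keys inside compressed object streams would
pass it; the safest course remains the rule's own advice to prefer text
files.
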
7. Only use trusted media to move files on and off air-gapped computers.
A USB stick you purchase from a store is safer than one given to you by
someone you don't know -- or one you find in a parking lot.

8. For file transfer, a writable optical disk (CD or DVD) is safer than
a USB stick. Malware can silently write data to a USB stick, but it
can't spin the CD-R up to 1000 rpm without your noticing. This means
that the malware can only write to the disk when you write to the disk.
You can also verify how much data has been written to the CD by
physically checking the back of it. If you've only written one file, but
it looks like three-quarters of the CD was burned, you have a problem.

Note: the first company to market a USB stick with a light that
indicates a write operation -- not read *or* write; I've got one of
those -- wins a prize.

9. When moving files on and off your air-gapped computer, use the
absolute smallest storage device you can. And fill up the entire device
with random files. If an air-gapped computer is compromised, the malware
is going to try to sneak data off it using that media. While malware can
easily hide stolen files from you, it can't break the laws of physics.
So if you use a tiny transfer device, it can only steal a very small
amount of data at a time. If you use a large device, it can take that
much more. Business-card-sized mini-CDs can have capacity as low as 30
MB. I still see 1-GB USB sticks for sale.

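Rules 8 and 9 can be checked rather than eyeballed. The following Python
script, an added example that is not from the essay, pads the transfer
device with random filler files, records the size and SHA-256 of every
file in a manifest kept on the sending machine, and after the device
comes back reports any file that is extra, missing or changed.
Representing the device by its mount-point directory, the filler naming,
the 1 MiB chunk size and the tampering simulated in demo() are
assumptions for the example.

```python
"""Fill a transfer device with random filler, then audit it after a trip.

Added example, not from the essay. Rules 8 and 9 rest on two physical
facts: a full device leaves no room for stolen data, and writes you did
not make show up as files you did not record. This script makes both
checkable: it pads the free space with random filler, records every file's
size and SHA-256 in a manifest kept on the sending machine, and later
reports anything on the device that the manifest does not account for.
The device is represented by its mount-point directory; that, the filler
naming and the 1 MiB chunk size are assumptions for the example.
"""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20               # filler is written in 1 MiB pieces
FILLER_PREFIX = "filler-"     # filler files are named filler-0000.bin, ...


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


def fill_free_space(mount, max_bytes=None, reserve_bytes=0):
    """Write random filler until the device is full; returns bytes written.

    max_bytes caps the total (useful for tests); reserve_bytes leaves a
    little headroom so the filesystem itself keeps working.
    """
    written, index = 0, 0
    while max_bytes is None or written < max_bytes:
        free = shutil.disk_usage(mount).free - reserve_bytes
        if free <= 0:
            break
        size = min(CHUNK, free)
        if max_bytes is not None:
            size = min(size, max_bytes - written)
        path = os.path.join(mount, f"{FILLER_PREFIX}{index:04d}.bin")
        try:
            with open(path, "wb") as fh:
                fh.write(os.urandom(size))
        except OSError:          # ENOSPC: the device really is full now
            break
        written += size
        index += 1
    return written


def build_manifest(mount):
    """Record size and SHA-256 of every file on the device. Keep the result
    off the device: a manifest stored on the media could be rewritten too."""
    manifest = {}
    for dirpath, _, names in os.walk(mount):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, mount)
            manifest[rel] = (os.path.getsize(full), sha256_file(full))
    return manifest


def audit_media(mount, manifest):
    """Compare the device with the manifest; returns a sorted list of
    (kind, relative path, size in bytes) anomalies, empty when all is well."""
    anomalies, seen = [], set()
    for dirpath, _, names in os.walk(mount):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, mount)
            seen.add(rel)
            size = os.path.getsize(full)
            if rel not in manifest:
                anomalies.append(("unexpected file", rel, size))
            elif size != manifest[rel][0]:
                anomalies.append(("size changed", rel, size))
            elif sha256_file(full) != manifest[rel][1]:
                anomalies.append(("content changed", rel, size))
    for rel, (size, _) in manifest.items():
        if rel not in seen:
            anomalies.append(("missing file", rel, size))
    return sorted(anomalies)


def demo():
    """Constructed run: a directory stands in for a 4 MiB transfer device.
    Returns (audit before the trip, audit after simulated tampering)."""
    mount = tempfile.mkdtemp(prefix="transfer-media-")
    with open(os.path.join(mount, "report.txt"), "w") as fh:
        fh.write("the one file we meant to carry across\n")
    fill_free_space(mount, max_bytes=4 * CHUNK)
    manifest = build_manifest(mount)
    clean = audit_media(mount, manifest)
    # Simulated aftermath of a trip to a compromised machine: one stray file,
    # and one filler file silently overwritten with data of the same size.
    with open(os.path.join(mount, "stray.bin"), "wb") as fh:
        fh.write(b"\x00" * 100)
    filler0 = os.path.join(mount, f"{FILLER_PREFIX}0000.bin")
    size0 = os.path.getsize(filler0)
    with open(filler0, "wb") as fh:
        fh.write(os.urandom(size0))
    return clean, audit_media(mount, manifest)


if __name__ == "__main__":
    before, after = demo()
    print("before trip:", before)
    print("after trip: ", after)
```

Because the filler is random and its hashes are recorded, space on the
device cannot be quietly reused without the audit noticing, and the sum
of sizes in the manifest is the written-data check rule 8 describes for
a CD. Keep the manifest off the device; if it travelled with the media it
could be rewritten along with everything else.
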
10. Consider encrypting everything you move on and off the air-gapped
computer. Sometimes you'll be moving public files and it won't matter,
but sometimes you won't be, and it will. And if you're using optical
media, those disks will be impossible to erase. Strong encryption solves
these problems. And don't forget to encrypt the computer as well;
whole-disk encryption is the best.

One thing I didn't do, although it's worth considering, is use a
stateless operating system like Tails. You can configure Tails with a
persistent volume to save your data, but no operating system changes are
ever saved. Booting Tails from a read-only DVD -- you can keep your data
on an encrypted USB stick -- is even more secure. Of course, this is not
foolproof, but it greatly reduces the potential avenues for attack.

Yes, all this is advice for the paranoid. And it's probably impossible
to enforce for any network more complicated than a single computer with
a single user. But if you're thinking about setting up an air-gapped
computer, you already believe that some very powerful attackers are
after you personally. If you're going to use an air gap, use it properly.

Of course you can take things further. I have met people who have
physically removed the camera, microphone, and wireless capability
altogether. But that's too much paranoia for me right now.

Yes, I am ignoring TEMPEST attacks. I am also ignoring black bag
attacks against my home.

My previous advice:
https://www.schneier.com/essay-450.html
Bin Laden had an air gap:
https://www.schneier.com/blog/archives/2011/05/bin_laden_maint.html
agent.btz:
http://www.washingtonpost.com/national/national-security/cyber-intruder-sparks-response-debate/2011/12/06/gIQAxLuFgO_story.html
or http://tinyurl.com/cjqxphd
TrueCrypt:
http://www.truecrypt.org/
BleachBit:
http://bleachbit.sourceforge.net/
People plugging in found USB drives:
https://www.schneier.com/blog/archives/2012/07/dropped_usb_sti.html
Tails:
https://tails.boum.org/