# HG changeset patch # User Christian Urban # Date 1385978680 0 # Node ID 279fa5a062316622368300ea449f48151a5fc063 # Parent fdd0c7fa1b6550d23c8726c8cce5109c10691460 updated slides diff -r fdd0c7fa1b65 -r 279fa5a06231 Airgaps-Schneier --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/Airgaps-Schneier Mon Dec 02 10:04:40 2013 +0000 
@@ -0,0 +1,161 @@ + Air Gaps + + + +Since I started working with Snowden's documents, I have been using a +number of tools to try to stay secure from the NSA. The advice I shared +included using Tor, preferring certain cryptography over others, and +using public-domain encryption wherever possible. + +I also recommended using an air gap, which physically isolates a +computer or local network of computers from the Internet. (The name +comes from the literal gap of air between the computer and the Internet; +the word predates wireless networks.) + +But this is more complicated than it sounds, and requires explanation. + +Since we know that computers connected to the Internet are vulnerable to +outside hacking, an air gap should protect against those attacks. There +are a lot of systems that use -- or should use -- air gaps: classified +military networks, nuclear power plant controls, medical equipment, +avionics, and so on. + +Osama Bin Laden used one. I hope human rights organizations in +repressive countries are doing the same. + +Air gaps might be conceptually simple, but they're hard to maintain in +practice. The truth is that nobody wants a computer that never receives +files from the Internet and never sends files out into the Internet. +What they want is a computer that's not directly connected to the +Internet, albeit with some secure way of moving files on and off. + +But every time a file moves back or forth, there's the potential for attack. + +And air gaps *have* been breached. Stuxnet was a US and Israeli +military-grade piece of malware that attacked the Natanz nuclear plant +in Iran. It successfully jumped the air gap and penetrated the Natanz +network. Another piece of malware named agent.btz, probably Chinese in +origin, successfully jumped the air gap protecting US military networks. + +These attacks work by exploiting security vulnerabilities in the +removable media used to transfer files on and off the air-gapped computers. 
+ +Since working with Snowden's NSA files, I have tried to maintain a +single air-gapped computer. It turned out to be harder than I expected, +and I have ten rules for anyone trying to do the same: + +1. When you set up your computer, connect it to the Internet as little +as possible. It's impossible to completely avoid connecting the computer +to the Internet, but try to configure it all at once and as anonymously +as possible. I purchased my computer off-the-shelf in a big box store, +then went to a friend's network and downloaded everything I needed in a +single session. (The ultra-paranoid way to do this is to buy two +identical computers, configure one using the above method, upload the +results to a cloud-based anti-virus checker, and transfer the results of +*that* to the air gap machine using a one-way process.) + +2. Install the minimum software set you need to do your job, and disable +all operating system services that you won't need. The less software you +install, the less an attacker has available to exploit. I downloaded and +installed OpenOffice, a PDF reader, a text editor, TrueCrypt, and +BleachBit. That's all. (No, I don't have any inside knowledge about +TrueCrypt, and there's a lot about it that makes me suspicious. But for +Windows full-disk encryption it's that, Microsoft's BitLocker, or +Symantec's PGPDisk -- and I am more worried about large US corporations +being pressured by the NSA than I am about TrueCrypt.) + +3. Once you have your computer configured, never directly connect it to +the Internet again. Consider physically disabling the wireless +capability, so it doesn't get turned on by accident. + +4. If you need to install new software, download it anonymously from a +random network, put it on some removable media, and then manually +transfer it to the air-gapped computer. This is by no means perfect, but +it's an attempt to make it harder for the attacker to target your computer. + +5. Turn off all autorun features. 
This should be standard practice for +all the computers you own, but it's especially important for an +air-gapped computer. Agent.btz used autorun to infect US military computers. + +6. Minimize the amount of executable code you move onto the air-gapped +computer. Text files are best. Microsoft Office files and PDFs are more +dangerous, since they might have embedded macros. Turn off all macro +capabilities you can on the air-gapped computer. Don't worry too much +about patching your system; in general, the risk of the executable code +is worse than the risk of not having your patches up to date. You're not +on the Internet, after all. + +7. Only use trusted media to move files on and off air-gapped computers. +A USB stick you purchase from a store is safer than one given to you by +someone you don't know -- or one you find in a parking lot. + +8. For file transfer, a writable optical disk (CD or DVD) is safer than +a USB stick. Malware can silently write data to a USB stick, but it +can't spin the CD-R up to 1000 rpm without your noticing. This means +that the malware can only write to the disk when you write to the disk. +You can also verify how much data has been written to the CD by +physically checking the back of it. If you've only written one file, but +it looks like three-quarters of the CD was burned, you have a problem. +Note: the first company to market a USB stick with a light that +indicates a write operation -- not read *or* write; I've got one of +those -- wins a prize. + +9. When moving files on and off your air-gapped computer, use the +absolute smallest storage device you can. And fill up the entire device +with random files. If an air-gapped computer is compromised, the malware +is going to try to sneak data off it using that media. While malware can +easily hide stolen files from you, it can't break the laws of physics. +So if you use a tiny transfer device, it can only steal a very small +amount of data at a time. 
If you use a large device, it can take that +much more. Business-card-sized mini-CDs can have capacity as low as 30 +MB. I still see 1-GB USB sticks for sale. + +10. Consider encrypting everything you move on and off the air-gapped +computer. Sometimes you'll be moving public files and it won't matter, +but sometimes you won't be, and it will. And if you're using optical +media, those disks will be impossible to erase. Strong encryption solves +these problems. And don't forget to encrypt the computer as well; +whole-disk encryption is the best. + +One thing I didn't do, although it's worth considering, is use a +stateless operating system like Tails. You can configure Tails with a +persistent volume to save your data, but no operating system changes are +ever saved. Booting Tails from a read-only DVD -- you can keep your data +on an encrypted USB stick -- is even more secure. Of course, this is not +foolproof, but it greatly reduces the potential avenues for attack. + +Yes, all this is advice for the paranoid. And it's probably impossible +to enforce for any network more complicated than a single computer with +a single user. But if you're thinking about setting up an air-gapped +computer, you already believe that some very powerful attackers are +after you personally. If you're going to use an air gap, use it properly. + +Of course you can take things further. I have met people who have +physically removed the camera, microphone, and wireless capability +altogether. But that's too much paranoia for me right now. + + +Yes, I am ignoring TEMPEST attacks. I am also ignoring black bag +attacks against my home. 
+ +My previous advice: +https://www.schneier.com/essay-450.html + +Bin Laden had an air gap: +https://www.schneier.com/blog/archives/2011/05/bin_laden_maint.html + +agent.btz: +http://www.washingtonpost.com/national/national-security/cyber-intruder-sparks-response-debate/2011/12/06/gIQAxLuFgO_story.html +or http://tinyurl.com/cjqxphd + +TrueCrypt: +http://www.truecrypt.org/ + +BleachBit: +http://bleachbit.sourceforge.net/ + +People plugging in found USB drives: +https://www.schneier.com/blog/archives/2012/07/dropped_usb_sti.html + +Tails: +https://tails.boum.org/ \ No newline at end of file diff -r fdd0c7fa1b65 -r 279fa5a06231 slides/slides09.tex --- a/slides/slides09.tex Sat Nov 30 13:52:21 2013 +0000 +++ b/slides/slides09.tex Mon Dec 02 10:04:40 2013 +0000 @@ -1,8 +1,6 @@ \documentclass[dvipsnames,14pt,t]{beamer} \usepackage{proof} -\usepackage{beamerthemeplainculight} -\usepackage[T1]{fontenc} -\usepackage[latin1]{inputenc} +\usepackage{beamerthemeplaincu} \usepackage{mathpartir} \usepackage{isabelle} \usepackage{isabellesym} @@ -93,7 +91,7 @@ showstringspaces=false} % beamer stuff -\renewcommand{\slidecaption}{APP 09, King's College London, 27 November 2012} +\renewcommand{\slidecaption}{APP 09, King's College London, 2 December 2013} \newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions \newcommand{\bl}[1]{\textcolor{blue}{#1}}
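Review bot: the new file `Airgaps-Schneier` in the first hunk is a verbatim first-person essay by Bruce Schneier (the text says "Since I started working with Snowden's documents"), but nothing in the file or in the commit message ("updated slides") records where it came from or under what terms it is being redistributed; add a one-line source/copyright header at the top of the file (the essay is already linked under "My previous advice" so the schneier.com URL is at hand) and mention the added file in the commit message. The hunk also ends with "\ No newline at end of file", and the file sits in the repository root without an extension while the slides live under `slides/`; a trailing newline and a `.txt` extension (or a move next to the lecture material that uses it) would make it behave better with `grep`, editors and Mercurial's own diffs.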
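Review bot: in the `@@ -1,8 +1,6 @@` hunk of `slides/slides09.tex`, removing `\usepackage[T1]{fontenc}` and `\usepackage[latin1]{inputenc}` is a separate change from swapping `beamerthemeplainculight` for `beamerthemeplaincu`, and it is not obvious it is safe: if the slides contain any accented or non-ASCII characters, dropping `inputenc` changes how the source bytes are interpreted and dropping `fontenc` changes hyphenation and glyph selection. Either confirm that `beamerthemeplaincu` loads both packages itself (in which case say so in the commit message) or keep the two lines so the theme change stands alone.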
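Review bot: the `@@ -93,7 +91,7 @@` hunk updates the hard-coded `\slidecaption` from "27 November 2012" to "2 December 2013", which matches the changeset date (Mon Dec 02 2013), so the edit itself is correct; the lecture title, college and date being repeated inside every `slidesNN.tex` is what forced this manual edit, so consider defining the date (and course label) once in a shared macro or in the theme file so that the per-lecture files do not each need touching every year.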