updated slides
author Christian Urban <christian dot urban at kcl dot ac dot uk>
Mon, 02 Dec 2013 10:04:40 +0000
changeset 145 279fa5a06231
parent 144 fdd0c7fa1b65
child 146 6f884231ca57
updated slides
Airgaps-Schneier
slides/slides09.tex
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/Airgaps-Schneier	Mon Dec 02 10:04:40 2013 +0000
@@ -0,0 +1,161 @@
+     Air Gaps
+
+
+
+Since I started working with Snowden's documents, I have been using a 
+number of tools to try to stay secure from the NSA. The advice I shared 
+included using Tor, preferring certain cryptography over others, and 
+using public-domain encryption wherever possible.
+
+I also recommended using an air gap, which physically isolates a 
+computer or local network of computers from the Internet. (The name 
+comes from the literal gap of air between the computer and the Internet; 
+the word predates wireless networks.)
+
+But this is more complicated than it sounds, and requires explanation.
+
+Since we know that computers connected to the Internet are vulnerable to 
+outside hacking, an air gap should protect against those attacks. There 
+are a lot of systems that use -- or should use -- air gaps: classified 
+military networks, nuclear power plant controls, medical equipment, 
+avionics, and so on.
+
+Osama Bin Laden used one. I hope human rights organizations in 
+repressive countries are doing the same.
+
+Air gaps might be conceptually simple, but they're hard to maintain in 
+practice. The truth is that nobody wants a computer that never receives 
+files from the Internet and never sends files out into the Internet. 
+What they want is a computer that's not directly connected to the 
+Internet, albeit with some secure way of moving files on and off.
+
+But every time a file moves back or forth, there's the potential for attack.
+
+And air gaps *have* been breached. Stuxnet was a US and Israeli 
+military-grade piece of malware that attacked the Natanz nuclear plant 
+in Iran. It successfully jumped the air gap and penetrated the Natanz 
+network. Another piece of malware named agent.btz, probably Chinese in 
+origin, successfully jumped the air gap protecting US military networks.
+
+These attacks work by exploiting security vulnerabilities in the 
+removable media used to transfer files on and off the air-gapped computers.
+
+Since working with Snowden's NSA files, I have tried to maintain a 
+single air-gapped computer. It turned out to be harder than I expected, 
+and I have ten rules for anyone trying to do the same:
+
+1. When you set up your computer, connect it to the Internet as little 
+as possible. It's impossible to completely avoid connecting the computer 
+to the Internet, but try to configure it all at once and as anonymously 
+as possible. I purchased my computer off-the-shelf in a big box store, 
+then went to a friend's network and downloaded everything I needed in a 
+single session. (The ultra-paranoid way to do this is to buy two 
+identical computers, configure one using the above method, upload the 
+results to a cloud-based anti-virus checker, and transfer the results of 
+*that* to the air gap machine using a one-way process.)
+
+2. Install the minimum software set you need to do your job, and disable 
+all operating system services that you won't need. The less software you 
+install, the less an attacker has available to exploit. I downloaded and 
+installed OpenOffice, a PDF reader, a text editor, TrueCrypt, and 
+BleachBit. That's all. (No, I don't have any inside knowledge about 
+TrueCrypt, and there's a lot about it that makes me suspicious. But for 
+Windows full-disk encryption it's that, Microsoft's BitLocker, or 
+Symantec's PGPDisk -- and I am more worried about large US corporations 
+being pressured by the NSA than I am about TrueCrypt.)
+
+3. Once you have your computer configured, never directly connect it to 
+the Internet again. Consider physically disabling the wireless 
+capability, so it doesn't get turned on by accident.
+
+4. If you need to install new software, download it anonymously from a 
+random network, put it on some removable media, and then manually 
+transfer it to the air-gapped computer. This is by no means perfect, but 
+it's an attempt to make it harder for the attacker to target your computer.
+
+5. Turn off all autorun features. This should be standard practice for 
+all the computers you own, but it's especially important for an 
+air-gapped computer. Agent.btz used autorun to infect US military computers.
+
+6. Minimize the amount of executable code you move onto the air-gapped 
+computer. Text files are best. Microsoft Office files and PDFs are more 
+dangerous, since they might have embedded macros. Turn off all macro 
+capabilities you can on the air-gapped computer. Don't worry too much 
+about patching your system; in general, the risk of the executable code 
+is worse than the risk of not having your patches up to date. You're not 
+on the Internet, after all.
+
+7. Only use trusted media to move files on and off air-gapped computers. 
+A USB stick you purchase from a store is safer than one given to you by 
+someone you don't know -- or one you find in a parking lot.
+
+8. For file transfer, a writable optical disk (CD or DVD) is safer than 
+a USB stick. Malware can silently write data to a USB stick, but it 
+can't spin the CD-R up to 1000 rpm without your noticing. This means 
+that the malware can only write to the disk when you write to the disk. 
+You can also verify how much data has been written to the CD by 
+physically checking the back of it. If you've only written one file, but 
+it looks like three-quarters of the CD was burned, you have a problem. 
+Note: the first company to market a USB stick with a light that 
+indicates a write operation -- not read *or* write; I've got one of 
+those -- wins a prize.
+
+9. When moving files on and off your air-gapped computer, use the 
+absolute smallest storage device you can. And fill up the entire device 
+with random files. If an air-gapped computer is compromised, the malware 
+is going to try to sneak data off it using that media. While malware can 
+easily hide stolen files from you, it can't break the laws of physics. 
+So if you use a tiny transfer device, it can only steal a very small 
+amount of data at a time. If you use a large device, it can take that 
+much more. Business-card-sized mini-CDs can have capacity as low as 30 
+MB. I still see 1-GB USB sticks for sale.
+
+10. Consider encrypting everything you move on and off the air-gapped 
+computer. Sometimes you'll be moving public files and it won't matter, 
+but sometimes you won't be, and it will. And if you're using optical 
+media, those disks will be impossible to erase. Strong encryption solves 
+these problems. And don't forget to encrypt the computer as well; 
+whole-disk encryption is the best.
+
+One thing I didn't do, although it's worth considering, is use a 
+stateless operating system like Tails. You can configure Tails with a 
+persistent volume to save your data, but no operating system changes are 
+ever saved. Booting Tails from a read-only DVD -- you can keep your data 
+on an encrypted USB stick -- is even more secure. Of course, this is not 
+foolproof, but it greatly reduces the potential avenues for attack.
+
+Yes, all this is advice for the paranoid. And it's probably impossible 
+to enforce for any network more complicated than a single computer with 
+a single user. But if you're thinking about setting up an air-gapped 
+computer, you already believe that some very powerful attackers are 
+after you personally. If you're going to use an air gap, use it properly.
+
+Of course you can take things further. I have met people who have 
+physically removed the camera, microphone, and wireless capability 
+altogether. But that's too much paranoia for me right now.
+
+
+Yes, I am ignoring TEMPEST attacks.  I am also ignoring black bag 
+attacks against my home.
+
+My previous advice:
+https://www.schneier.com/essay-450.html
+
+Bin Laden had an air gap:
+https://www.schneier.com/blog/archives/2011/05/bin_laden_maint.html
+
+agent.btz:
+http://www.washingtonpost.com/national/national-security/cyber-intruder-sparks-response-debate/2011/12/06/gIQAxLuFgO_story.html 
+or http://tinyurl.com/cjqxphd
+
+TrueCrypt:
+http://www.truecrypt.org/
+
+BleachBit:
+http://bleachbit.sourceforge.net/
+
+People plugging in found USB drives:
+https://www.schneier.com/blog/archives/2012/07/dropped_usb_sti.html
+
+Tails:
+https://tails.boum.org/
\ No newline at end of file
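Review bot: the new file Airgaps-Schneier is committed without any attribution line, even though the filename suggests it is a third-party essay and the body is written in the first person by someone other than the committer; add a header line at the top giving the author, the source it was copied from (the essay's own "My previous advice" link points at schneier.com) and the terms under which it may be redistributed before adding a verbatim copy of someone else's text to the repository. Two smaller points on the same hunk: the file ends without a trailing newline (the "\ No newline at end of file" marker), and it is placed in the repository root next to slides/ rather than in a directory for course readings; both are easy to tidy in a follow-up.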
--- a/slides/slides09.tex	Sat Nov 30 13:52:21 2013 +0000
+++ b/slides/slides09.tex	Mon Dec 02 10:04:40 2013 +0000
@@ -1,8 +1,6 @@
 \documentclass[dvipsnames,14pt,t]{beamer}
 \usepackage{proof}
-\usepackage{beamerthemeplainculight}
-\usepackage[T1]{fontenc}
-\usepackage[latin1]{inputenc}
+\usepackage{beamerthemeplaincu}
 \usepackage{mathpartir}
 \usepackage{isabelle}
 \usepackage{isabellesym}
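Review bot: this hunk drops \usepackage[T1]{fontenc} and \usepackage[latin1]{inputenc} together with the theme switch from beamerthemeplainculight to beamerthemeplaincu, but nothing in the diff shows that the new theme loads those two packages itself. If slides09.tex contains any non-ASCII characters saved in latin1, removing inputenc changes how they are decoded (wrong glyphs or a compile error), and removing fontenc changes the glyph set and hyphenation for accented text. Either confirm that beamerthemeplaincu pulls in fontenc and inputenc, or keep those two lines and remove only the old theme line.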
@@ -93,7 +91,7 @@
 	showstringspaces=false}
 
 % beamer stuff 
-\renewcommand{\slidecaption}{APP 09, King's College London, 27 November 2012}
+\renewcommand{\slidecaption}{APP 09, King's College London, 2 December 2013}
 \newcommand{\dn}{\stackrel{\mbox{\scriptsize def}}{=}}% for definitions
 \newcommand{\bl}[1]{\textcolor{blue}{#1}}