
Friday, September 6, 2013

Computer security when physical access is compromised

Before I begin:
I'm writing this post because I tried getting answers in forums, but got no real answers. Most answers referred to the user as the problem, and while I accept the user is always the weakest link, the software one uses should protect him/her from the things he/she doesn't know.
I don't believe teaching users is the only way to go like some others told me in forums. Teaching comes last, not first, when all other things have been done, simply because human beings make mistakes.

And now for the main article:

A couple of friends of mine had their home broken into and their laptop computer stolen. Bad enough, you may think, as a laptop computer costs quite a lot of money. Now you may think that all the documents and photos, unless backed up, are lost, and that's a greater problem of its own. Well, it gets worse - their online accounts were broken into and money was stolen using their PayPal account. The scariest thing about this is the thing you don't know about - Identity Theft.

Today there are all these cloud services, like DropBox and Copy and Google Drive. We store all the important things there, so we won't lose them, and because it is much easier to share files between several computers that way.

However, when a computer is physically stolen (and a laptop is the second easiest computer to steal after the smartphone) it compromises all of your online data.

"How?" you may ask. "My account is password protected, and I even chose a very strong password!"

That's great, but unfortunately it will not help you if your computer was stolen. It might actually help you if you always sign out, but if you don't, that means your data is probably lost by now.

"OK, I see what you mean, and I usually sign out of most things, like my bank account, which by the way signs out automatically if I haven't done anything for a few minutes, and my DropBox account. I try to sign out of everything I don't use regularly."

What about your email account? 

"I use my email regularly, no point for me to sign out, I'll get back to it in a few minutes. An hour tops."

Did you check the "Remember me" or "Keep me signed in" checkbox when you last signed in?

"I did, because it makes life so much easier. But I also enabled advanced verification methods. It requires me to enter a code and answer questions only I know the answers to, and even have my phone next to me, if I want to make changes to the account. So I'm safe from someone trying to change my password."

The main problem is that the account is left logged in. Even if you closed the browser, all the hacker has to do is try some of the common providers (Google, Microsoft, Yahoo!) and one of them will respond by showing the inbox. Now your world is open to the hacker - have a DropBox account? Just go to DropBox and say you forgot your password. A reset link will be sent to your email, and as you remember, the hacker can now read your email.

"OK, so I'll sign out."

It's a good thing to do, but you're still only partially safe, because someone may always contact your account provider, say someone else hacked into the account, and try to answer some questions. Sometimes the hacker will get lucky and the provider will reset the password for him.
Besides, that's not the main issue. The main issue is that it shouldn't be easy for someone who stole your computer to see your emails.

"But it isn't, as my computer is password protected."

So the hacker just needs to copy the content of the disk, by rebooting the computer with a USB storage device.

"So I'll encrypt the content of my disk. It's a hassle, and not everyone knows how to do it, but I do."

Great, so copying will not help, but is your computer really password protected? When you open the laptop lid, does it always ask you for a password?

"I do know people where it's not always the case... But it is the case with my machine."

Did you know that it is very easy to change your password by gaining administrative privileges, simply by rebooting the machine on Linux, and with a little more hassle on Windows? YouTube is full of such demos.

"So what is there to do?"

Right now? Not much, except asking the developers of the operating systems and other software with great importance to improve the security. This is what I suggest:


  • No need to encrypt the entire disk content. Just encrypt a specific folder that holds applications data, so when someone copies the disk content, this folder becomes useless, and so "just seeing" the online account is impossible.
  • Asking vendors to use the above folder for storing sensitive data, or encrypting such data on their own, in a way not accessible without the password for someone who copied the disk content.
  • Not allowing rebooting the machine and gaining administrative access:
    • On Linux (well, actually it's the GRUB boot loader), gaining root access is as simple as choosing it from the menu - no questions asked. This should be changed. They will try to tell you there have been long discussions about that and this is what was decided. But you don't see it anywhere else, so why there? The request is that gaining root access from GRUB be password protected by default. Not for you, the IT professional, who can always set it up the way you want, with or without a password, but for those who don't know what they are doing, whether they understand it or not.
    • On Windows there's a loophole in the recovery mode - it allows you to open Notepad by clicking on a link to a log file. Notepad is then run with administrative privileges and allows access to the file system (using the File > Open menu item). There you need to find some program that you can run from the login screen, like the Sticky Keys handler, and replace it with a command prompt, and there you have a command prompt that runs as administrator.
These three simple changes (and they are pretty simple) will greatly reduce the chances of someone hacking into your online digital life and stealing your money or worse - your identity.
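
The GRUB change requested above can already be configured by hand. As an added example (not part of the original post), this shell function audits a GRUB 2 `grub.cfg` for whether recovery entries require a password. The sample configs, the `admin` user name and the hash placeholder are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a GRUB 2 grub.cfg for boot-menu authentication.
# Return codes: 0 = recovery entries need a password, 1 = no authentication
# configured, 2 = authentication configured but a recovery entry bypasses it.
audit_grub_cfg() {
    cfg=$1
    # GRUB enforces authentication only when the "superusers" variable is set.
    if ! grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg"; then
        echo "FAIL: superusers not set; menu editing and recovery mode are open"
        return 1
    fi
    # A superuser without a password entry cannot authenticate anyone.
    if ! grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]' "$cfg"; then
        echo "FAIL: superusers set but no password/password_pbkdf2 line"
        return 1
    fi
    # "password" stores the secret in clear text; password_pbkdf2 stores a hash.
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
        echo "WARN: clear-text password in $cfg; prefer password_pbkdf2"
    fi
    # --unrestricted lets anyone boot an entry; recovery entries must not have it.
    if grep -E '^[[:space:]]*menuentry[[:space:]]' "$cfg" \
        | grep -i 'recovery' | grep -q -e '--unrestricted'; then
        echo "FAIL: a recovery entry is marked --unrestricted"
        return 2
    fi
    echo "OK: recovery entries require a superuser password"
    return 0
}

# Constructed, abbreviated sample configs (not taken from a real machine).
sample_dir=$(mktemp -d)
cat > "$sample_dir/default.cfg" <<'EOF'
menuentry 'Ubuntu' --class ubuntu { linux /vmlinuz ro quiet; }
menuentry 'Ubuntu (recovery mode)' --class ubuntu { linux /vmlinuz ro recovery; }
EOF
cat > "$sample_dir/hardened.cfg" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.CONSTRUCTED-PLACEHOLDER-HASH
menuentry 'Ubuntu' --class ubuntu --unrestricted { linux /vmlinuz ro quiet; }
menuentry 'Ubuntu (recovery mode)' --class ubuntu { linux /vmlinuz ro recovery; }
EOF
for f in default hardened; do
    printf '%s: ' "$f"
    audit_grub_cfg "$sample_dir/$f.cfg" || true
done
```

In the hardened sample the normal entry stays bootable by anyone through `--unrestricted`, while the recovery entry, menu editing and the GRUB command line require the superuser password.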

And another thing to remember, and this is the most important of all: Security is measured by the time it takes a hacker to break into something. It can be your account, it can be a safe at your home or office. Nothing is unbreakable. The idea is to slow the hacker down enough to have time to find out about it and handle the situation. If it's a robber trying to get the content of the safe, then to have enough time to stop him physically, and if it's a hacker trying to change your passwords, then to have enough time to block the accounts remotely.

Security can be made very harsh, but it comes to protect the things important for us, and so if it's too harsh we wouldn't use it at all. We must find the delicate point where it protects us to a sufficient level and that we accept the hassle that comes with it.

And last, the common person doesn't really know anything about security, so the operating system must make the best choices by default. Currently Windows is trying but failing, Linux (GRUB) isn't even trying.

Disclaimer:
  • I don't know how other operating systems handle security on those levels, and so I haven't mentioned the MacOS and some others.
  • When I write about Linux and GRUB, I refer mainly to Ubuntu. I don't know if it is done differently in other distributions.
