14

I will be traveling abroad for several weeks on a business trip as a consultant.

I will carry a laptop with an IDE and all the necessary source code so I can make changes on site (which is the purpose of this trip). The boss is very worried about the source code being stolen.

I have put forward the idea of filling the USB ports with glue, but my boss thinks I’m being silly and wants real ideas.

I understand any security is only going to slow people down, but ideally I’m looking for a setup where, if anyone got the laptop without my notice (say, while I was sleeping and returned it before I awoke), they could not have accessed the data in such a small amount of time.

I guess some form of encryption would be necessary.

unor
  • 1,769
  • 1
  • 19
  • 38
Skeith
  • 249
  • 2
  • 5
  • 11
    Who are you worried about will steal your source code? Are you worried about a random thief? the transport security agents/hostile government? A corporate spy from competitors? Do you store production database passwords, encryption keys, or other such sensitive materials with the source code? What's your threat model? – Lie Ryan Aug 20 '14 at 14:34
  • Further to @LieRyan's questions, and when considering your threat model, don't forget, if you do too much you end up effectively DOSing yourself. Say for sake of argument you fill the USB ports with glue and physically remove the wireless card (if you can get into the machine and it's a removable card), ho do you then get the updated code compile and to the client? A "spy" could open up the IDE if the machine was on, and photograph the screen to work on at their leisure - you'd have a pretty tricky client visit if the only up-to-date executable was on your machine. – Chris H Aug 20 '14 at 16:05
  • One thing I did not see mentioned in the answers is to use secure passwords (e.g. long password, including special characters and numbers). I would at least do that and full disk encryption. – Jonathan Aug 20 '14 at 16:58
  • While this question is technically marked as a duplicated, consider accepting an answer as this helps future researchers :) – Matthew Peters Nov 06 '15 at 12:42

5 Answers5

20

You need to start by using a full disk encryption (FDE) mechanism. Something like BitLocker for Microsoft or FileVault for Mac or any others. edit: do not store your recovery key on the same pc.

That is your base line defense but it is certainly not enough for total protection.

To be perfectly honest, you need to change your behaviours in order to be very secure. For instance:

  • If possible, do not travel with all of the code.
  • Consider using a secure VPN to access your sensitive info (that leads to other threat vectors though).
  • Limit your exposure in threat zones, keep your laptop with you.
  • Do not hibernate your computer (always turn it off and on). edit: hibernation may be ok (personally I do not trust it -but I have an SSD so what's the real difference). Stand-by or sleep mode is the real issue in regards to cold boot attacks.
  • As an aside to the cold boot attack vector, you may want to look here for info on how to safegaurd against cold boot attacks.
  • Be alert in general.
  • Change your passwords frequently.
  • Never access public wifi
  • Disable bluetooth and wifi (if possible and when not using it)
  • You could also look into a remote wipe software/service (but it's not perfect).
  • Disable Ad Hoc Connections as this is potentially a huge risk.

update: Others have mentioned the bios. You can enable a password there and disable booting from removable media but the bottom line is that if an attacker has your pc in their hands, your only line of protection might very well be FDE. Here is an article about bios protection.

Community
  • 1
Matthew Peters
  • 3,592
  • 4
  • 21
  • 39
  • 1
    Hibernation should be safe, as long as the hibernation data (file/partition) is also encrypted. All serious FDE solutions should do this; at least on Linux with LUKS, it works that way. Of course, this means you must unlock the disk on each resume. – sleske Aug 20 '14 at 15:01
  • And, unless they've improved the state of things, when you turn your computer off ensure that for at least several minutes it's secure as the motivated individual with a can of compressed air could recover information from RAM. – Wayne Werner Aug 20 '14 at 15:14
  • I've made my answer clearer :) – Matthew Peters Aug 20 '14 at 15:39
  • @WayneWerner most laptops would need a very accomplished spy to get near enough the RAM to cool it in a few minutes especially without leaving a trace. The bucket of liquid nitrogen required otherwise might look a bit suspicious. I'm now wondering about a heater resistor with a circuit to switch it on for a few seconds when the machine shuts down, to clear the RAM faster. – Chris H Aug 20 '14 at 16:02
  • 3
    Also disable FireWire or enable [iommu](https://en.wikipedia.org/wiki/Iommu) if your laptop has one as it enables [DMA attacks](https://en.wikipedia.org/wiki/DMA_attack). – Maciej Piechotka Aug 20 '14 at 16:23
3

It seems like you are mostly worried about people that have physical access to your machine. For example when you are sleeping or during the breaks.

The simplest solution if you have everything set up on 1 laptop, want to work with it but still want minimal risk:

To prevent unwanted access, leave the laptop at home

You can just set up a remote desktop connection to work on it and bring a travel laptop.

If people then have one time access to your travel laptop your source code is quite secure. Of course you would need to do something to make sure the device that you log on with cannot easily be compromised without your knowledge (if someone could install a keylogger its game over), but that should be much easier than preventign people from compromising it at all.

Community
  • 1
Dennis Jaheruddin
  • 1,715
  • 11
  • 17
2

What I would do (but know that this is incomplete, as I'm not experienced in this)

  • Enable disk encryption - Most laptops have TPM, so you should be able to enable bitlocker on windows or something similar in another OS (I know mac and Linux do have this too)
  • Add bios password.
  • disable cdrom from bios.
  • disable usb ports from bios.
  • disable bluetooth from bios
  • ensure you have a full security suit installed on the laptop

why?

  • Disk encryption in case the laptop is stolen.
  • disable USB to ensure that no-one plugs a UBS key with malware to steal the data while you go to the loo.
  • bios password to prevent someone from enabling the usb ports.

If you do need USB ports, only enable the devices you want allowed from windows (e.g. only mouse and keyboard). Unfortunately, I don't know how to do this, but I know that some software can do it.

And last (but maybe not feasible) disable the wifi and ethernet ports from bios too.

HocusPocus
  • 462
  • 2
  • 8
  • Just be aware that it is relatively straightforward to [bypass BIOS level security](http://www.technibble.com/how-to-bypass-or-remove-a-bios-password/) – Matthew Peters Aug 25 '14 at 13:18
  • @MatthewPeters yes, I wasn't very explicit, but the idea just to have a bios password and disable the USB from the bios to prevent someone from pluging a USB device while a person goes to the loo (assuming you don't even trust the people in the offices of a client) – HocusPocus Aug 25 '14 at 16:54
2

In addition to the good advice for securing your laptop, put your source code on a hardware encrypted external drive and remove it from your laptop when not in use.

Colin Pickard
  • 1,800
  • 2
  • 11
  • 14
  • 1
    There is no particular reason to expect hardware encryption to be more secure than software. Both approaches to encryption can be secure, if implemented correctly. Both approaches can suffer from serious implementation flaws. – kasperd Aug 20 '14 at 19:26
  • Doing the encryption on the device instead of the host makes it a smaller attack surface and can be simpler to use securely. – Colin Pickard Aug 20 '14 at 19:57
1

Turn on full disk encryption for the computer with either bitlocker (Windows) or filevault(OS X). After that if you don't need to regularly make changes to the source code you can put it in an encrypted zipped drive (WinZip or 7Zip) or use a truecrypt volume.

There are also commercial vendors that offer full disk encryption solutions. Just check out the big AV companies and see what they offer.

If you want to further lock down the laptop turn off any extra interfaces (wifi,bluetooth etc) password protect the BIOS and don't connect to any foreign network. If you need internet access use a secure VPN.

Oh, and re-image the laptop when you get back home =)

KDEx
  • 4,981
  • 2
  • 20
  • 34
  • 1
    Truecrypt is dead, you should definitely not use truecrpt lest you fall into a false sense of security. – Matthew Peters Aug 20 '14 at 13:50
  • 1
    @MatthewPeters a full source code review is moving forward and the project has been picked up. I wouldn't call that dead. – KDEx Aug 20 '14 at 13:54
  • as of today, it is dead. Just go to the [official site](http://truecrypt.sourceforge.net/). – Matthew Peters Aug 20 '14 at 14:00
  • @MatthewPeters In spite of that message, it seem s that death is relative (see http://security.stackexchange.com/questions/59082/what-is-the-problem-with-truecrypt?lq=1 and http://security.stackexchange.com/questions/58940/is-truecrypt-not-secure-now-and-should-i-stop-using-it), so decisions to use it or not may depend on one's level of paranoia. – Hagen von Eitzen Aug 20 '14 at 15:07