Search for military installed backdoors on laptop
My laptop was confiscated by the military institute of my country and they made me to give them all my passwords (I cannot tell you the name of my country). They did not give it back to me for one week (yes, it was out of my sight for a while).
I nuked it from orbit but I just realised that it was on sleep state for 2 days and not in shutdown state, so it was connected to my modem via wifi. Does it need to be worried about?
and
I need to make sure if they have added something to monitor my activities or steal my data or not? And if they have done that, what should I do to prevent them.
Update
I have double checked the laptop physically and there is no sign of screw or plastic deformation. Is that still possible that they have compromised its hardware?
malware windows privacy backdoor
New contributor
add a comment |
My laptop was confiscated by the military institute of my country and they made me to give them all my passwords (I cannot tell you the name of my country). They did not give it back to me for one week (yes, it was out of my sight for a while).
I nuked it from orbit but I just realised that it was on sleep state for 2 days and not in shutdown state, so it was connected to my modem via wifi. Does it need to be worried about?
and
I need to make sure if they have added something to monitor my activities or steal my data or not? And if they have done that, what should I do to prevent them.
Update
I have double checked the laptop physically and there is no sign of screw or plastic deformation. Is that still possible that they have compromised its hardware?
malware windows privacy backdoor
New contributor
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Dec 21 at 15:52
add a comment |
My laptop was confiscated by the military institute of my country and they made me to give them all my passwords (I cannot tell you the name of my country). They did not give it back to me for one week (yes, it was out of my sight for a while).
I nuked it from orbit but I just realised that it was on sleep state for 2 days and not in shutdown state, so it was connected to my modem via wifi. Does it need to be worried about?
and
I need to make sure if they have added something to monitor my activities or steal my data or not? And if they have done that, what should I do to prevent them.
Update
I have double checked the laptop physically and there is no sign of screw or plastic deformation. Is that still possible that they have compromised its hardware?
malware windows privacy backdoor
New contributor
My laptop was confiscated by the military institute of my country and they made me to give them all my passwords (I cannot tell you the name of my country). They did not give it back to me for one week (yes, it was out of my sight for a while).
I nuked it from orbit but I just realised that it was on sleep state for 2 days and not in shutdown state, so it was connected to my modem via wifi. Does it need to be worried about?
and
I need to make sure if they have added something to monitor my activities or steal my data or not? And if they have done that, what should I do to prevent them.
Update
I have double checked the laptop physically and there is no sign of screw or plastic deformation. Is that still possible that they have compromised its hardware?
malware windows privacy backdoor
malware windows privacy backdoor
New contributor
New contributor
edited 2 days ago
New contributor
asked Dec 18 at 10:43
Posse
7362311
7362311
New contributor
New contributor
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Dec 21 at 15:52
add a comment |
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Dec 21 at 15:52
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Dec 21 at 15:52
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Dec 21 at 15:52
add a comment |
10 Answers
10
active
oldest
votes
If the device left your sight for any amount of time, replace it. It can no longer be trusted.
The cost to assure it can still be trusted significantly exceeds the cost of getting a new one
There is effectively no way to verify that the hardware has not been tampered with without significant expertise and employing non-trivial resources. The only solution is to replace the laptop and all associated components. Without knowing your country or other aspects of the situation you are in, there is no way for me to comment on the likelihood of this, only on the technical feasibility.
If you do need to verify the integrity of the laptop, there are a few things to check (non-exhaustive):
Weight distribution - Verify the precise weight of each component (IC, PCB, etc). Weight distributions can be analyzed using gyroscopic effects. This requires having uncompromised equipment nearby for comparison. Extremely precise measuring equipment is required.
Power consumption - Verify the power consumption of each component over time. Backdoors often use power, and their presence can sometimes be detected with a power analysis attack. Do not rely on this however, as integrated circuits can use extremely little power nowadays.
PCB X-ray inspection - Use X-rays to view the circuit board internals. This requires expensive equipment for a multi-layer printed circuit board such as a laptop motherboard. It also requires many man hours of intensive inspection of each square micrometer of the device.
Sounds excessive? It is, but this is what you would have to do to have a good level of confidence that no malicious hardware modifications have been made. It will be cheaper just to buy a new laptop.
I nuked it from orbit but I just realised that it was on sleep state for 2 days and not in shutdown state, so it was connected to my modem via wifi. Does it need to be worried about?
In theory, compromised hardware or firmware would be made to compromise your wireless access point or other devices listening in. While a suspended state (sleep mode) normally also disables the NIC, you cannot make that assumption if the hardware is compromised. However, while this is theoretically possible, it would require a far more targeted attack, and most military groups will not want to give away the 0days they have by shooting them at any nearby wireless device they can find.
Unfortunately, it is also theoretically possible that your modem has been compromised. I do not think that is very likely at all though, as they could have just done that through your internet connection, assuming they can control or compromise your ISP. If they have tampered with your hardware, it's much more likely that they have only done so for surveillance purposes, not to spread some worm.
I have double checked the laptop physically and there is no sign of screw or plastic deformation. Is that still possible that they have compromised its hardware?
Absolutely. There are many ways to open a laptop without that fact being apparent. While sophisticated chassis intrusion detection mechanisms exist, there are some "ghetto" techniques which you may be able to use in the future. One technique is to sprinkle nail polish with glitter on the joints of the system, inside and out. Take a high-resolution photo of this. If the device is opened, the precise layout of the glitter will be disrupted, and it will become exceptionally difficult to put it back in place. You can compare it with the stored photo and look for subtle differences.
The term for this is tamper-evidence, which is any technique that makes it hard to tamper with a device without that fact being noticeable. More professional options would include bespoke tamper-evident security tape or holographic stickers. Unfortunately, this can only help you in the future and will obviously be incapable of protecting your system retroactively.
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Dec 21 at 19:45
1
Replacing the device might be a threat of equivalent force in this case. OPs country could stealthily take control of the computer supply chain and infect a significant supply within its borders.
– redbow_kimee
2 days ago
@redbow_kimee That's extremely unlikely due to how quickly it would become known.
– forest
2 days ago
2
Surprised you don't mention malicious firmware (for the main motherboard, or for any of the devices). x86 System Management Mode allows nearly-undetectably doing things behind the back of the OS. (There is a performance counter (AMD) or MSR (Intel) that counts System Management Interrupts, though, so you could check for suspiciously-high SMI activity. Is there an equivalent register to Intel's MSR_SMI_COUNT on AMD architecture?)
– Peter Cordes
yesterday
1
@PeterCordes Malicious firmware can get aroundSMI_COUNT
.
– forest
yesterday
|
show 9 more comments
Methodology aside, just assume that the laptop and anything within audio and visual reach of the laptop is compromised and therefore subject to monitoring as well as the activity on the computer itself.
Searching for, tampering with, or removal of the computer/monitoring devices might well be detected and seen as a criminal act. Also, complete destruction of the laptop or pointedly not being used can also be viewed with extreme suspicion.
All you can really do is continue to use the laptop, but with the knowledge that activity is being monitored (so only do "legal" stuff on it). Visual/audio monitoring devices need not involve the laptop being powered up.
Invest in a nice, secure, padded (and soundproof) laptop bag to store the laptop in when not in use.
New contributor
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Dec 21 at 19:46
add a comment |
The main information we are lacking is your threat model.
Is it likely that the military targets you specifically, and would be willing expand some resources on you? We don't need to know the details, but the answer changes depending on whether or not what happened is more or less standard procedure for your country, or you are being singled out.
And we don't know what secrets you are protecting. If you have personal data and communications, that's a different game than being an active element in a political opposition movement or other activity that might get you murdered if they get the data. There are countries in the world where being a human rights activist can get you on a death list.
If this is standard procedure, and your data isn't life-or-death, you can take the usual precautions, complete OS reinstall, firmware flashing, if you want to go the extra mile, replace components such as the Ethernet port and whatever else is replaceable. Then operate under the assumption that you might have missed something more deeply embedded, but your chances are better than average that you are clear.
The same is true for the active network connection. It is likely that your adversary did standard attack patterns. If your network is secured, and you don't see any signs of intrusion on the inside (firewall logs, IDS if you have, etc.) you could be fine.
If it is more likely that you received special attention, I would strongly suggest using the machine in some innocent ways (surfing the web, etc.) somewhere and then leaving it out in the open when you go to the toilet. Or in other words: Make it get stolen. That way nobody can blame you, the adversary cannot tell for sure if you intentionally "lost" the device and in any case can't prove it, and it's the only way to be sure. Even if you had it sitting nearby powered off, there could still be a microphone hidden inside that monitors you. So getting rid of it is the only safe option.
For the details, I can't do better than forest in his answer to show how deeply stuff could be hidden inside. They could've even switched out components with seemingly identical ones, plus backdoors. There are things you can do to hardware that the manufacturer would have trouble finding.
The same is unfortunately true for your network. There is always one more 0-day out there, and backdoors in network devices aren't exactly unheard of as well. If you are a high-profile target, you need to assume that the network has been compromised.
However, all of this advanced stuff isn't free or cheap. That is why the threat model is important. It is unlikely the military would use its best stuff on a random search.
add a comment |
In addition to what others have mentioned about detecting hardware changes (chiefly that it is nearly impossible), you should recognize that the most likely vector of compromise would be the installation of software, especially if they only had your device for a fairly limited period of time.
To have a reasonable level of certainty that your device is clean from software exploits you should throw out the hard drive and start with a fresh one and a fresh install. Many of the more practical (and easy) low-level rootkits modify the firmware on hard drives to prevent a normal format from removing the malware. This is also one of the easiest ways to alter a system fairly quickly and "undetectably". If your laptop has a replaceable network card, this would also be something to consider replacing as it is also another fairly useful place to deploy a hardware implant.
Lastly, any malware likely needs to phone home eventually. Start up your computer and any common applications you run. Connect it to an external router (this is important as you cannot trust software running on the laptop) that records all traffic. Let the laptop sit unused for at least 24 hours. Now, painstakingly validate all the IP's via ARIN or other registries, to see if any of them look suspicious. You will almost certainly have several that you cannot validate, even if the machine is not compromised, but this may give you some confidence-level of compromise. Do be aware that nation-states often possess the ability to inject traffic into legitimate streams from legitimate locations, and also may compromise legitimate services or use existing legitimate services (such as a service like docs.google.com where any user can create documents of arbitrary data). In addition network traffic on any network protocol is suspect and should not be discounted while trying to validate the traffic.
Lastly, think of your risk profile. Is your nation known for hacking devices and monitoring them? Are you a victim of bad luck or are there legitimate reasons why they should or did suspect you? A certain level of paranoia is healthy, but be practical with your assessment. Custom hardware implants are not cheap, and the cost of discovery can be both embarrassing and costly. If you are not a likely suspect and of some importance, the most likely implant will be software/firmware based, if anything was implanted at all. As others have pointed out, any credentials you had on your machine/that your provided/or any active browser cookies, and all files on the system should now be considered compromised.
add a comment |
If they have all your passwords, as you say, and had possession of the laptop, the laptop, its operating system and software installed are all suspect. As suggested, nuke from orbit.
I would also be concerned that any software that might possibly have been implanted could (and would) attempt to compromise other computers on connected networks. Do not connect this machine to an ethernet, nor power it on near any WiFi networks if it has WiFi (nor around Bluetooth devices though I know little about this).
It may not be possible to wipe it even under safe conditions due to compromised firmware.
If they had the laptop for, say, 30 minutes (or less), the drive could (and would) have been imaged/copied. Its secrets are no longer yours alone.
You also have some work ahead of you to change all your passwords: you might want to nuke the accounts for extra safety. Delete all content (if possible) and close the account. Good luck with that. Information may have already been collected, however.
There have been answers regarding hardware modification, and while this is a possibility, clearly software tampering should be high on your mind.
New contributor
2
Forget compromised firmware, if they're serious about monitoring the OP, how about a compromised Ethernet port, or a compromised monitor cable?
– Mark
Dec 19 at 0:45
2
...or a compromised memory bank? There's no limit to the shenanigans you can play with hardware.
– Tom
Dec 19 at 13:36
2
@Tom I think it would be very hard to compromise the DIMM (if that's what you mean by memory bank) without the implant being extremely obvious. Modern DRAM operates at such blindingly fast speeds and with such extreme sensitivity to latency that a fairly large, bulky logic analyzer is required to even so much as analyze the commands being sent to the DRAM modules. Humanity simply lacks the technological capability to create a small implant that's capable of actually monitoring memory in that way.
– forest
Dec 21 at 4:07
@forest - yes, you would have to go above the individual module. And you won't get much logic. I was more thinking about a simple copy, similar to a monitoring port.
– Tom
Dec 21 at 9:45
@Tom I'm not sure if it'd be able to simply copy data either. At those speeds, the electrical characteristics of wires begins to matter.
– forest
Dec 21 at 9:52
|
show 2 more comments
Given what you've told us, you need to assume that not only is the laptop irrecoverably compromised, but so is your entire home network, everything connected to it, and every account you have anywhere that was ever accessed from the laptop or from another device connected to your home network.
Physically destroy the laptop, preferably by melting/burning it rather than simple shredding or pulverisation.
Do the same for every single component of your home network.
Do the same for every device that was connected to said network during the time after the laptop was "returned".
Close and delete every account that you have on every website that you have ever accessed from the laptop or from any of the devices in step 3.
Cancel and physically destroy any and all credit/debit/gift cards that you have ever made payments from via the laptop or via any of the devices in step 3. Also cancel any payments that were made using any of those cards during the time after the laptop was "returned".
Close all your bank accounts, withdrawing their entire contents in cash. Destroy any paperwork in your possession associated with any of those accounts.
I cannot emphasise strongly enough the importance of fleeing to a country with better protections against these sorts of abuses by arms of the government.
2
This seemed really really excessive, but it all made sense leading up to the final point, so +1. Except maybe sell the devices instead of destroy them. And I'd guess this may be good advice too: DON'T TRY TO LEAVE A COUNTRY LIKE THAT WITH LOTS OF CASH, THEY'LL JUST TAKE IT AT THE BORDER
– Xen2050
2 days ago
1
Destroying the machine would only confirm the monitor's suspicion - continue using it, but only use it for stuff that would give nothing but wasted time and boredom to a would-be spy!
– rackandboneman
2 days ago
5
Also, I would assume a government-authorized organisation that means business would not need to do one single thing to an individuals home computer to compromise their internet connection, bank accounts or communications accounts. In any country.
– rackandboneman
2 days ago
add a comment |
I need to make sure if they have added something to monitor my activities or steal my data or not
Consider that they have all your data already. You surrended all your passwords, so even data that is not on your laptop (e.g. mail, cloud) is now in their hands. Extended comment: if you were not under arrest you could always change as many passwords as you could after giving them, but we want to assume our attacker has so much resources and efficiency that they grabbed an entire copy of all your online activities by the second you wrote down your password on a piece of paper. Pessimistic approach.
As pointed out by @forest, you can do something to try to prove they did it, but it is so expensive that you better go BestBuy as fastest as possible to get a new laptop. Unless your goal is to whistleblow your government is spying on you and how.
And if they have done that, what should I do to prevent them.
I assume you asked "what should I do to prevent them in the future?". Please edit if not. Getting a new laptop and implementing proper security measures is good, just as we others are doing.
Full disk encryption, plausibly-deniable hidden volumes and complex passwords are the basic tools. A military corp targeting an individual can have so many resources (including 0-days) that you can not prevent them to hack you forever, but you can still protect yourself and make it a painful time for them.
Remember, you said you gave them the passwords. This is where TrueCrypt/VeraCrypt come handy. I recommend you to take a look at this QA. Remember to use the cover OS often. Once in the future you will be questioned again for your passwords, give them the decryption key for the "outer" OS. They are not stupid, they will try their best to extort you that you are running a hidden OS too. For example, just that you are using VeraCrypt instead of stock Windows BitLocker or stock Linux LVM, that might be grounds for questioning/extortion.
You may also want to carefully and safely copying documents from the old hard drive using a USB adapter. Documents, not executables. And, out of paranoia, who can tell if some PDF documents were altered to exploit a 0day in one of the popular readers?
You may want to escape from that country as soon as possible, for what concerns me.
4
Leaving the country really is the best advice.
– Gherman
Dec 20 at 15:01
3
It is important to note that in such a situation, trying to deceive the military who is trying to break into your computer might introduce serious consequences. Lying to them outright is a recipe for disaster.
– schroeder♦
Dec 20 at 19:24
2
There's an interesting idea about "plausible deniability" and encryption - TrueCrypt's Plausible Deniability is Theoretically Useless - "It's also a strictly dominant strategy for the government to keep torturing you... So no matter if you're using a hidden volume or not, the government gets the highest reward by continuing to torture you. So if you and the government are both rational and self-interested, then you are going to use a hidden volume, and the government is going to keep torturing you."
– Xen2050
2 days ago
The more interesting question is, if that military organisation would have found anything that interested them in the first place, would they have returned the laptop at all and left the owner at large?
– rackandboneman
2 days ago
@Xen2050 That website has an extremely naïve understanding of elementary game theory. TrueCrypt's plausible deniability is useful in a large number of threat models. Now, whether or not it's easy to maintain an outer volume that has convincing metadata (timestamps indicative of genuine access) is a different story.
– forest
yesterday
add a comment |
A backdoor still has to communicate to the attacker, so watching network chatter via your router should suffice. Wiping a harddrive and reinstalling an OS may not be enough, they had it for a week, they could've taken it apart, installed a network tap device and put it back together.
That's not all there is either, there may be no network activity and the program/device may be silently collecting data for somebody to physically retrieve later, probably via a knock on your door.
A new laptop is in order, however I'd keep the old one, maybe even put it on a DMZ so it can't talk to other devices on your home network and it goes without saying, it can't be used for anything sensitive ever again.
12
You probably should look at a copy of the NSA's hardware implant catalog that leaked a few years back. They've got backdoors that can communicate in all sorts of ways, including by modulating an externally-transmitted radio signal.
– Mark
Dec 19 at 0:43
14
@RandomUs1r - the adversary here is the military, not some run-of-the-mill cybercriminal with a backdoor he copied from some darknet forum. There are plenty of ways to send out data in ways that even most cybersecurity professionals would not detect. Some of my friends would approach a device like this with an oscilloscope. There's half a dozen documented ways to get data into and out of machines that are seemingly not connected to any network. There's plenty of ways to hide network, system and memory activities.
– Tom
Dec 19 at 11:44
2
Or the malware does not communicate at all, but just stores the data until the laptop is searched again.
– allo
Dec 20 at 14:11
A trained user with an oscilloscope would only stand any chance if they knew roughly what they are even looking for.
– rackandboneman
2 days ago
add a comment |
In what shit country do you live LOL? Why do governors confiscate your stuff?
New contributor
add a comment |
If the laptop is a Windows 10 due to secure boot, Windows virtual memory, driver signing- you can ensure the machine is trustable. This doesn't rule out malicious applications installed and set to run and access the computers resources however they would have virtually no way to access other applications or process which don't "put them selves out there".
Windows virtual memory addressing essentially scrambles memory of user mode applications. So if a virus tries to access memory through hacked methods it's not able to discern what's what. So every process has its own 2 gb or so virtual memory that it uses which is translated by windows to real address space. Process memory is basically private to that process. They can share memory with handles. But I believe this would require the cooperation of both process.
Additionally malicious software set to run can see network traffic but that can be viewed by anyone also ounce it's broadcasted on a physical network.
So basically securely written applications cant be eased dropped. Unless the "military" had access to oem, Windows, or intel/amd and they make that ability available to them, or they have realized vulnerabilities not yet known to exist.
2
I disagree. Trusted boot prevents the genuine UEFI firmware to run untrusted software (i.e. software cannot be tampered). It does not prevent tampered hardware to boot the genuine OS. Your assertion on virtual memory is correct, but nobody prevents a military corp with enough resoruces to replace the UEFI firmware with a hypervisor on top of which the OS runs. Then you have ring-0 control over machine.
– usr-local-ΕΨΗΕΛΩΝ
Dec 20 at 12:07
Intel management engine is the starting point, intel needs to provide the oem with information and tooling to use the secure execution processor, which windows uses. There was a recent exploit with macs, but this was with the secure execution engine not used and configured which is done by oems, Windows would not boot under such an environment, and this still would require intels tools.
– marshal craft
Dec 20 at 12:33
"Windows won't boot". That's new for me, I will research on thah. Thank you. Yes, a TPM module can validate hardware and refuse to issue the key if the hardware is compromised, but that's something different from the OS to validate the hardware. An example is Magisk for Android. Magisk operates with unlocked bootloader but is capable of tricking Android into thinking that the hardware and the OS are intact. From what I have learned, Magisk is mostly invulnerable. So Android cannot refuse to boot. This justifies my surprise in your sentence. This is a very interesting topic
– usr-local-ΕΨΗΕΛΩΝ
Dec 20 at 12:39
In the Magisk example: the locked phone will refuse to boot Magisk because hardware checks the OS. But when the software (e.g. SafetyNet) tries to assess the hardware, Magisk creates a layer of smoke that makes the software think the hardware is sane. Surely, Android vs Magisk is just a bare example, I don't know what Windows does to validate hardware when hardware is capable to provide a fake attestation
– usr-local-ΕΨΗΕΛΩΝ
Dec 20 at 12:41
Basically the oem sets fuses in m.e. Which are used to verify firmware was signed usinng cryptography. The oem can update firmware etc, but keeps the system locked down. Also the oem works with Windows and uefi to pass on trust to those components. Also windows doesn't itself use uefi drivers normally. Though it can as worst case plug and play feature where it cant find a driver I think. Obviously this would be a hole in its driver signing mechanism. So I'm not sure how it is handled but presume it is.
– marshal craft
Dec 20 at 12:46
|
show 11 more comments
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Posse is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199971%2fsearch-for-military-installed-backdoors-on-laptop%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
10 Answers
10
active
oldest
votes
10 Answers
10
active
oldest
votes
active
oldest
votes
active
oldest
votes
If the device left your sight for any amount of time, replace it. It can no longer be trusted.
The cost to assure it can still be trusted significantly exceeds the cost of getting a new one
There is effectively no way to verify that the hardware has not been tampered with without significant expertise and employing non-trivial resources. The only solution is to replace the laptop and all associated components. Without knowing your country or other aspects of the situation you are in, there is no way for me to comment on the likelihood of this, only on the technical feasibility.
If you do need to verify the integrity of the laptop, there are a few things to check (non-exhaustive):
Weight distribution - Verify the precise weight of each component (IC, PCB, etc). Weight distributions can be analyzed using gyroscopic effects. This requires having uncompromised equipment nearby for comparison. Extremely precise measuring equipment is required.
Power consumption - Verify the power consumption of each component over time. Backdoors often use power, and their presence can sometimes be detected with a power analysis attack. Do not rely on this however, as integrated circuits can use extremely little power nowadays.
PCB X-ray inspection - Use X-rays to view the circuit board internals. This requires expensive equipment for a multi-layer printed circuit board such as a laptop motherboard. It also requires many man hours of intensive inspection of each square micrometer of the device.
Sounds excessive? It is, but this is what you would have to do to have a good level of confidence that no malicious hardware modifications have been made. It will be cheaper just to buy a new laptop.
I nuked it from orbit but I just realised that it was on sleep state for 2 days and not in shutdown state, so it was connected to my modem via wifi. Does it need to be worried about?
In theory, compromised hardware or firmware would be made to compromise your wireless access point or other devices listening in. While a suspended state (sleep mode) normally also disables the NIC, you cannot make that assumption if the hardware is compromised. However, while this is theoretically possible, it would require a far more targeted attack, and most military groups will not want to give away the 0days they have by shooting them at any nearby wireless device they can find.
Unfortunately, it is also theoretically possible that your modem has been compromised. I do not think that is very likely at all though, as they could have just done that through your internet connection, assuming they can control or compromise your ISP. If they have tampered with your hardware, it's much more likely that they have only done so for surveillance purposes, not to spread some worm.
I have double checked the laptop physically and there is no sign of screw or plastic deformation. Is that still possible that they have compromised its hardware?
Absolutely. There are many ways to open a laptop without that fact being apparent. While sophisticated chassis intrusion detection mechanisms exist, there are some "ghetto" techniques which you may be able to use in the future. One technique is to sprinkle nail polish with glitter on the joints of the system, inside and out. Take a high-resolution photo of this. If the device is opened, the precise layout of the glitter will be disrupted, and it will become exceptionally difficult to put it back in place. You can compare it with the stored photo and look for subtle differences.
The term for this is tamper-evidence, which is any technique that makes it hard to tamper with a device without that fact being noticeable. More professional options would include bespoke tamper-evident security tape or holographic stickers. Unfortunately, this can only help you in the future and will obviously be incapable of protecting your system retroactively.
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Dec 21 at 19:45
1
Replacing the device might be a threat of equivalent force in this case. OPs country could stealthily take control of the computer supply chain and infect a significant supply within its borders.
– redbow_kimee
2 days ago
@redbow_kimee That's extremely unlikely due to how quickly it would become known.
– forest
2 days ago
2
Surprised you don't mention malicious firmware (for the main motherboard, or for any of the devices). x86 System Management Mode allows nearly-undetectably doing things behind the back of the OS. (There is a performance counter (AMD) or MSR (Intel) that counts System Management Interrupts, though, so you could check for suspiciously-high SMI activity. Is there an equivalent register to Intel's MSR_SMI_COUNT on AMD architecture?)
– Peter Cordes
yesterday
1
@PeterCordes Malicious firmware can get aroundSMI_COUNT
.
– forest
yesterday
|
show 9 more comments
If the device left your sight for any amount of time, replace it. It can no longer be trusted.
The cost to assure it can still be trusted significantly exceeds the cost of getting a new one
There is effectively no way to verify that the hardware has not been tampered with without significant expertise and employing non-trivial resources. The only solution is to replace the laptop and all associated components. Without knowing your country or other aspects of the situation you are in, there is no way for me to comment on the likelihood of this, only on the technical feasibility.
If you do need to verify the integrity of the laptop, there are a few things to check (non-exhaustive):
Weight distribution - Verify the precise weight of each component (IC, PCB, etc). Weight distributions can be analyzed using gyroscopic effects. This requires having uncompromised equipment nearby for comparison. Extremely precise measuring equipment is required.
Power consumption - Verify the power consumption of each component over time. Backdoors often use power, and their presence can sometimes be detected with a power analysis attack. Do not rely on this however, as integrated circuits can use extremely little power nowadays.
PCB X-ray inspection - Use X-rays to view the circuit board internals. This requires expensive equipment for a multi-layer printed circuit board such as a laptop motherboard. It also requires many man hours of intensive inspection of each square micrometer of the device.
Sounds excessive? It is, but this is what you would have to do to have a good level of confidence that no malicious hardware modifications have been made. It will be cheaper just to buy a new laptop.
I nuked it from orbit but I just realised that it was on sleep state for 2 days and not in shutdown state, so it was connected to my modem via wifi. Does it need to be worried about?
In theory, compromised hardware or firmware would be made to compromise your wireless access point or other devices listening in. While a suspended state (sleep mode) normally also disables the NIC, you cannot make that assumption if the hardware is compromised. However, while this is theoretically possible, it would require a far more targeted attack, and most military groups will not want to give away the 0days they have by shooting them at any nearby wireless device they can find.
Unfortunately, it is also theoretically possible that your modem has been compromised. I do not think that is very likely at all though, as they could have just done that through your internet connection, assuming they can control or compromise your ISP. If they have tampered with your hardware, it's much more likely that they have only done so for surveillance purposes, not to spread some worm.
I have double checked the laptop physically and there is no sign of screw or plastic deformation. Is that still possible that they have compromised its hardware?
Absolutely. There are many ways to open a laptop without that fact being apparent. While sophisticated chassis intrusion detection mechanisms exist, there are some "ghetto" techniques which you may be able to use in the future. One technique is to sprinkle nail polish with glitter on the joints of the system, inside and out. Take a high-resolution photo of this. If the device is opened, the precise layout of the glitter will be disrupted, and it will become exceptionally difficult to put it back in place. You can compare it with the stored photo and look for subtle differences.
The term for this is tamper-evidence, which is any technique that makes it hard to tamper with a device without that fact being noticeable. More professional options would include bespoke tamper-evident security tape or holographic stickers. Unfortunately, this can only help you in the future and will obviously be incapable of protecting your system retroactively.
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Dec 21 at 19:45
1
Replacing the device might be a threat of equivalent force in this case. OPs country could stealthily take control of the computer supply chain and infect a significant supply within its borders.
– redbow_kimee
2 days ago
@redbow_kimee That's extremely unlikely due to how quickly it would become known.
– forest
2 days ago
2
Surprised you don't mention malicious firmware (for the main motherboard, or for any of the devices). x86 System Management Mode allows nearly-undetectably doing things behind the back of the OS. (There is a performance counter (AMD) or MSR (Intel) that counts System Management Interrupts, though, so you could check for suspiciously-high SMI activity. Is there an equivalent register to Intel's MSR_SMI_COUNT on AMD architecture?)
– Peter Cordes
yesterday
1
@PeterCordes Malicious firmware can get aroundSMI_COUNT
.
– forest
yesterday
|
show 9 more comments
If the device left your sight for any amount of time, replace it. It can no longer be trusted.
The cost to assure it can still be trusted significantly exceeds the cost of getting a new one
There is effectively no way to verify that the hardware has not been tampered with without significant expertise and employing non-trivial resources. The only solution is to replace the laptop and all associated components. Without knowing your country or other aspects of the situation you are in, there is no way for me to comment on the likelihood of this, only on the technical feasibility.
If you do need to verify the integrity of the laptop, there are a few things to check (non-exhaustive):
Weight distribution - Verify the precise weight of each component (IC, PCB, etc). Weight distributions can be analyzed using gyroscopic effects. This requires having uncompromised equipment nearby for comparison. Extremely precise measuring equipment is required.
Power consumption - Verify the power consumption of each component over time. Backdoors often use power, and their presence can sometimes be detected with a power analysis attack. Do not rely on this however, as integrated circuits can use extremely little power nowadays.
PCB X-ray inspection - Use X-rays to view the circuit board internals. This requires expensive equipment for a multi-layer printed circuit board such as a laptop motherboard. It also requires many man hours of intensive inspection of each square micrometer of the device.
Sounds excessive? It is, but this is what you would have to do to have a good level of confidence that no malicious hardware modifications have been made. It will be cheaper just to buy a new laptop.
I nuked it from orbit but I just realised that it was on sleep state for 2 days and not in shutdown state, so it was connected to my modem via wifi. Does it need to be worried about?
In theory, compromised hardware or firmware would be made to compromise your wireless access point or other devices listening in. While a suspended state (sleep mode) normally also disables the NIC, you cannot make that assumption if the hardware is compromised. However, while this is theoretically possible, it would require a far more targeted attack, and most military groups will not want to give away the 0days they have by shooting them at any nearby wireless device they can find.
Unfortunately, it is also theoretically possible that your modem has been compromised. I do not think that is very likely at all though, as they could have just done that through your internet connection, assuming they can control or compromise your ISP. If they have tampered with your hardware, it's much more likely that they have only done so for surveillance purposes, not to spread some worm.
I have double checked the laptop physically and there is no sign of screw or plastic deformation. Is that still possible that they have compromised its hardware?
Absolutely. There are many ways to open a laptop without that fact being apparent. While sophisticated chassis intrusion detection mechanisms exist, there are some "ghetto" techniques which you may be able to use in the future. One technique is to sprinkle nail polish with glitter on the joints of the system, inside and out. Take a high-resolution photo of this. If the device is opened, the precise layout of the glitter will be disrupted, and it will become exceptionally difficult to put it back in place. You can compare it with the stored photo and look for subtle differences.
The term for this is tamper-evidence, which is any technique that makes it hard to tamper with a device without that fact being noticeable. More professional options would include bespoke tamper-evident security tape or holographic stickers. Unfortunately, this can only help you in the future and will obviously be incapable of protecting your system retroactively.
If the device left your sight for any amount of time, replace it. It can no longer be trusted.
The cost to assure it can still be trusted significantly exceeds the cost of getting a new one
There is effectively no way to verify that the hardware has not been tampered with without significant expertise and employing non-trivial resources. The only solution is to replace the laptop and all associated components. Without knowing your country or other aspects of the situation you are in, there is no way for me to comment on the likelihood of this, only on the technical feasibility.
If you do need to verify the integrity of the laptop, there are a few things to check (non-exhaustive):
Weight distribution - Verify the precise weight of each component (IC, PCB, etc). Weight distributions can be analyzed using gyroscopic effects. This requires having uncompromised equipment nearby for comparison. Extremely precise measuring equipment is required.
Power consumption - Verify the power consumption of each component over time. Backdoors often use power, and their presence can sometimes be detected with a power analysis attack. Do not rely on this however, as integrated circuits can use extremely little power nowadays.
PCB X-ray inspection - Use X-rays to view the circuit board internals. This requires expensive equipment for a multi-layer printed circuit board such as a laptop motherboard. It also requires many man hours of intensive inspection of each square micrometer of the device.
Sounds excessive? It is, but this is what you would have to do to have a good level of confidence that no malicious hardware modifications have been made. It will be cheaper just to buy a new laptop.
I nuked it from orbit but I just realised that it was on sleep state for 2 days and not in shutdown state, so it was connected to my modem via wifi. Does it need to be worried about?
In theory, compromised hardware or firmware would be made to compromise your wireless access point or other devices listening in. While a suspended state (sleep mode) normally also disables the NIC, you cannot make that assumption if the hardware is compromised. However, while this is theoretically possible, it would require a far more targeted attack, and most military groups will not want to give away the 0days they have by shooting them at any nearby wireless device they can find.
Unfortunately, it is also theoretically possible that your modem has been compromised. I do not think that is very likely at all though, as they could have just done that through your internet connection, assuming they can control or compromise your ISP. If they have tampered with your hardware, it's much more likely that they have only done so for surveillance purposes, not to spread some worm.
I have double checked the laptop physically and there is no sign of screw or plastic deformation. Is that still possible that they have compromised its hardware?
Absolutely. There are many ways to open a laptop without that fact being apparent. While sophisticated chassis intrusion detection mechanisms exist, there are some "ghetto" techniques which you may be able to use in the future. One technique is to sprinkle nail polish with glitter on the joints of the system, inside and out. Take a high-resolution photo of this. If the device is opened, the precise layout of the glitter will be disrupted, and it will become exceptionally difficult to put it back in place. You can compare it with the stored photo and look for subtle differences.
The term for this is tamper-evidence, which is any technique that makes it hard to tamper with a device without that fact being noticeable. More professional options would include bespoke tamper-evident security tape or holographic stickers. Unfortunately, this can only help you in the future and will obviously be incapable of protecting your system retroactively.
edited Dec 20 at 11:26
answered Dec 18 at 11:34
forest
31.1k1598107
31.1k1598107
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Dec 21 at 19:45
1
Replacing the device might be a threat of equivalent force in this case. OPs country could stealthily take control of the computer supply chain and infect a significant supply within its borders.
– redbow_kimee
2 days ago
@redbow_kimee That's extremely unlikely due to how quickly it would become known.
– forest
2 days ago
2
Surprised you don't mention malicious firmware (for the main motherboard, or for any of the devices). x86 System Management Mode allows nearly-undetectably doing things behind the back of the OS. (There is a performance counter (AMD) or MSR (Intel) that counts System Management Interrupts, though, so you could check for suspiciously-high SMI activity. Is there an equivalent register to Intel's MSR_SMI_COUNT on AMD architecture?)
– Peter Cordes
yesterday
1
@PeterCordes Malicious firmware can get aroundSMI_COUNT
.
– forest
yesterday
|
show 9 more comments
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Dec 21 at 19:45
1
Replacing the device might be a threat of equivalent force in this case. OPs country could stealthily take control of the computer supply chain and infect a significant supply within its borders.
– redbow_kimee
2 days ago
@redbow_kimee That's extremely unlikely due to how quickly it would become known.
– forest
2 days ago
2
Surprised you don't mention malicious firmware (for the main motherboard, or for any of the devices). x86 System Management Mode allows nearly-undetectably doing things behind the back of the OS. (There is a performance counter (AMD) or MSR (Intel) that counts System Management Interrupts, though, so you could check for suspiciously-high SMI activity. Is there an equivalent register to Intel's MSR_SMI_COUNT on AMD architecture?)
– Peter Cordes
yesterday
1
@PeterCordes Malicious firmware can get aroundSMI_COUNT
.
– forest
yesterday
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Dec 21 at 19:45
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Dec 21 at 19:45
1
1
Replacing the device might be a threat of equivalent force in this case. OPs country could stealthily take control of the computer supply chain and infect a significant supply within its borders.
– redbow_kimee
2 days ago
Replacing the device might be a threat of equivalent force in this case. OPs country could stealthily take control of the computer supply chain and infect a significant supply within its borders.
– redbow_kimee
2 days ago
@redbow_kimee That's extremely unlikely due to how quickly it would become known.
– forest
2 days ago
@redbow_kimee That's extremely unlikely due to how quickly it would become known.
– forest
2 days ago
2
2
Surprised you don't mention malicious firmware (for the main motherboard, or for any of the devices). x86 System Management Mode allows nearly-undetectably doing things behind the back of the OS. (There is a performance counter (AMD) or MSR (Intel) that counts System Management Interrupts, though, so you could check for suspiciously-high SMI activity. Is there an equivalent register to Intel's MSR_SMI_COUNT on AMD architecture?)
– Peter Cordes
yesterday
Surprised you don't mention malicious firmware (for the main motherboard, or for any of the devices). x86 System Management Mode allows nearly-undetectably doing things behind the back of the OS. (There is a performance counter (AMD) or MSR (Intel) that counts System Management Interrupts, though, so you could check for suspiciously-high SMI activity. Is there an equivalent register to Intel's MSR_SMI_COUNT on AMD architecture?)
– Peter Cordes
yesterday
1
1
@PeterCordes Malicious firmware can get around
SMI_COUNT
.– forest
yesterday
@PeterCordes Malicious firmware can get around
SMI_COUNT
.– forest
yesterday
|
show 9 more comments
Methodology aside, just assume that the laptop and anything within audio and visual reach of the laptop is compromised and therefore subject to monitoring as well as the activity on the computer itself.
Searching for, tampering with, or removal of the computer/monitoring devices might well be detected and seen as a criminal act. Also, complete destruction of the laptop or pointedly not being used can also be viewed with extreme suspicion.
All you can really do is continue to use the laptop, but with the knowledge that activity is being monitored (so only do "legal" stuff on it). Visual/audio monitoring devices need not involve the laptop being powered up.
Invest in a nice, secure, padded (and soundproof) laptop bag to store the laptop in when not in use.
New contributor
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Dec 21 at 19:46
add a comment |
Methodology aside, just assume that the laptop and anything within audio and visual reach of the laptop is compromised and therefore subject to monitoring as well as the activity on the computer itself.
Searching for, tampering with, or removal of the computer/monitoring devices might well be detected and seen as a criminal act. Also, complete destruction of the laptop or pointedly not being used can also be viewed with extreme suspicion.
All you can really do is continue to use the laptop, but with the knowledge that activity is being monitored (so only do "legal" stuff on it). Visual/audio monitoring devices need not involve the laptop being powered up.
Invest in a nice, secure, padded (and soundproof) laptop bag to store the laptop in when not in use.
New contributor
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Dec 21 at 19:46
add a comment |
Methodology aside, just assume that the laptop and anything within audio and visual reach of the laptop is compromised and therefore subject to monitoring as well as the activity on the computer itself.
Searching for, tampering with, or removal of the computer/monitoring devices might well be detected and seen as a criminal act. Also, complete destruction of the laptop or pointedly not being used can also be viewed with extreme suspicion.
All you can really do is continue to use the laptop, but with the knowledge that activity is being monitored (so only do "legal" stuff on it). Visual/audio monitoring devices need not involve the laptop being powered up.
Invest in a nice, secure, padded (and soundproof) laptop bag to store the laptop in when not in use.
New contributor
Methodology aside, just assume that the laptop and anything within audio and visual reach of the laptop is compromised and therefore subject to monitoring as well as the activity on the computer itself.
Searching for, tampering with, or removal of the computer/monitoring devices might well be detected and seen as a criminal act. Also, complete destruction of the laptop or pointedly not being used can also be viewed with extreme suspicion.
All you can really do is continue to use the laptop, but with the knowledge that activity is being monitored (so only do "legal" stuff on it). Visual/audio monitoring devices need not involve the laptop being powered up.
Invest in a nice, secure, padded (and soundproof) laptop bag to store the laptop in when not in use.
New contributor
New contributor
answered Dec 18 at 16:33
Snow
50136
50136
New contributor
New contributor
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Dec 21 at 19:46
add a comment |
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Dec 21 at 19:46
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Dec 21 at 19:46
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Dec 21 at 19:46
add a comment |
The main information we are lacking is your threat model.
Is it likely that the military targets you specifically, and would be willing expand some resources on you? We don't need to know the details, but the answer changes depending on whether or not what happened is more or less standard procedure for your country, or you are being singled out.
And we don't know what secrets you are protecting. If you have personal data and communications, that's a different game than being an active element in a political opposition movement or other activity that might get you murdered if they get the data. There are countries in the world where being a human rights activist can get you on a death list.
If this is standard procedure, and your data isn't life-or-death, you can take the usual precautions, complete OS reinstall, firmware flashing, if you want to go the extra mile, replace components such as the Ethernet port and whatever else is replaceable. Then operate under the assumption that you might have missed something more deeply embedded, but your chances are better than average that you are clear.
The same is true for the active network connection. It is likely that your adversary did standard attack patterns. If your network is secured, and you don't see any signs of intrusion on the inside (firewall logs, IDS if you have, etc.) you could be fine.
If it is more likely that you received special attention, I would strongly suggest using the machine in some innocent ways (surfing the web, etc.) somewhere and then leaving it out in the open when you go to the toilet. Or in other words: Make it get stolen. That way nobody can blame you, the adversary cannot tell for sure if you intentionally "lost" the device and in any case can't prove it, and it's the only way to be sure. Even if you had it sitting nearby powered off, there could still be a microphone hidden inside that monitors you. So getting rid of it is the only safe option.
For the details, I can't do better than forest in his answer to show how deeply stuff could be hidden inside. They could've even switched out components with seemingly identical ones, plus backdoors. There are things you can do to hardware that the manufacturer would have trouble finding.
The same is unfortunately true for your network. There is always one more 0-day out there, and backdoors in network devices aren't exactly unheard of as well. If you are a high-profile target, you need to assume that the network has been compromised.
However, all of this advanced stuff isn't free or cheap. That is why the threat model is important. It is unlikely the military would use its best stuff on a random search.
add a comment |
The main information we are lacking is your threat model.
Is it likely that the military targets you specifically, and would be willing expand some resources on you? We don't need to know the details, but the answer changes depending on whether or not what happened is more or less standard procedure for your country, or you are being singled out.
And we don't know what secrets you are protecting. If you have personal data and communications, that's a different game than being an active element in a political opposition movement or other activity that might get you murdered if they get the data. There are countries in the world where being a human rights activist can get you on a death list.
If this is standard procedure, and your data isn't life-or-death, you can take the usual precautions, complete OS reinstall, firmware flashing, if you want to go the extra mile, replace components such as the Ethernet port and whatever else is replaceable. Then operate under the assumption that you might have missed something more deeply embedded, but your chances are better than average that you are clear.
The same is true for the active network connection. It is likely that your adversary did standard attack patterns. If your network is secured, and you don't see any signs of intrusion on the inside (firewall logs, IDS if you have, etc.) you could be fine.
If it is more likely that you received special attention, I would strongly suggest using the machine in some innocent ways (surfing the web, etc.) somewhere and then leaving it out in the open when you go to the toilet. Or in other words: Make it get stolen. That way nobody can blame you, the adversary cannot tell for sure if you intentionally "lost" the device and in any case can't prove it, and it's the only way to be sure. Even if you had it sitting nearby powered off, there could still be a microphone hidden inside that monitors you. So getting rid of it is the only safe option.
For the details, I can't do better than forest in his answer to show how deeply stuff could be hidden inside. They could've even switched out components with seemingly identical ones, plus backdoors. There are things you can do to hardware that the manufacturer would have trouble finding.
The same is unfortunately true for your network. There is always one more 0-day out there, and backdoors in network devices aren't exactly unheard of as well. If you are a high-profile target, you need to assume that the network has been compromised.
However, all of this advanced stuff isn't free or cheap. That is why the threat model is important. It is unlikely the military would use its best stuff on a random search.
add a comment |
The main information we are lacking is your threat model.
Is it likely that the military targets you specifically, and would be willing expand some resources on you? We don't need to know the details, but the answer changes depending on whether or not what happened is more or less standard procedure for your country, or you are being singled out.
And we don't know what secrets you are protecting. If you have personal data and communications, that's a different game than being an active element in a political opposition movement or other activity that might get you murdered if they get the data. There are countries in the world where being a human rights activist can get you on a death list.
If this is standard procedure, and your data isn't life-or-death, you can take the usual precautions, complete OS reinstall, firmware flashing, if you want to go the extra mile, replace components such as the Ethernet port and whatever else is replaceable. Then operate under the assumption that you might have missed something more deeply embedded, but your chances are better than average that you are clear.
The same is true for the active network connection. It is likely that your adversary did standard attack patterns. If your network is secured, and you don't see any signs of intrusion on the inside (firewall logs, IDS if you have, etc.) you could be fine.
If it is more likely that you received special attention, I would strongly suggest using the machine in some innocent ways (surfing the web, etc.) somewhere and then leaving it out in the open when you go to the toilet. Or in other words: Make it get stolen. That way nobody can blame you, the adversary cannot tell for sure if you intentionally "lost" the device and in any case can't prove it, and it's the only way to be sure. Even if you had it sitting nearby powered off, there could still be a microphone hidden inside that monitors you. So getting rid of it is the only safe option.
For the details, I can't do better than forest in his answer to show how deeply stuff could be hidden inside. They could've even switched out components with seemingly identical ones, plus backdoors. There are things you can do to hardware that the manufacturer would have trouble finding.
The same is unfortunately true for your network. There is always one more 0-day out there, and backdoors in network devices aren't exactly unheard of as well. If you are a high-profile target, you need to assume that the network has been compromised.
However, all of this advanced stuff isn't free or cheap. That is why the threat model is important. It is unlikely the military would use its best stuff on a random search.
The main information we are lacking is your threat model.
Is it likely that the military targets you specifically, and would be willing expand some resources on you? We don't need to know the details, but the answer changes depending on whether or not what happened is more or less standard procedure for your country, or you are being singled out.
And we don't know what secrets you are protecting. If you have personal data and communications, that's a different game than being an active element in a political opposition movement or other activity that might get you murdered if they get the data. There are countries in the world where being a human rights activist can get you on a death list.
If this is standard procedure, and your data isn't life-or-death, you can take the usual precautions, complete OS reinstall, firmware flashing, if you want to go the extra mile, replace components such as the Ethernet port and whatever else is replaceable. Then operate under the assumption that you might have missed something more deeply embedded, but your chances are better than average that you are clear.
The same is true for the active network connection. It is likely that your adversary did standard attack patterns. If your network is secured, and you don't see any signs of intrusion on the inside (firewall logs, IDS if you have, etc.) you could be fine.
If it is more likely that you received special attention, I would strongly suggest using the machine in some innocent ways (surfing the web, etc.) somewhere and then leaving it out in the open when you go to the toilet. Or in other words: Make it get stolen. That way nobody can blame you, the adversary cannot tell for sure if you intentionally "lost" the device and in any case can't prove it, and it's the only way to be sure. Even if you had it sitting nearby powered off, there could still be a microphone hidden inside that monitors you. So getting rid of it is the only safe option.
For the details, I can't do better than forest in his answer to show how deeply stuff could be hidden inside. They could've even switched out components with seemingly identical ones, plus backdoors. There are things you can do to hardware that the manufacturer would have trouble finding.
The same is unfortunately true for your network. There is always one more 0-day out there, and backdoors in network devices aren't exactly unheard of as well. If you are a high-profile target, you need to assume that the network has been compromised.
However, all of this advanced stuff isn't free or cheap. That is why the threat model is important. It is unlikely the military would use its best stuff on a random search.
answered Dec 19 at 11:55
Tom
4,812729
4,812729
add a comment |
add a comment |
In addition to what others have mentioned about detecting hardware changes (chiefly that it is nearly impossible), you should recognize that the most likely vector of compromise would be the installation of software, especially if they only had your device for a fairly limited period of time.
To have a reasonable level of certainty that your device is clean from software exploits you should throw out the hard drive and start with a fresh one and a fresh install. Many of the more practical (and easy) low-level rootkits modify the firmware on hard drives to prevent a normal format from removing the malware. This is also one of the easiest ways to alter a system fairly quickly and "undetectably". If your laptop has a replaceable network card, this would also be something to consider replacing as it is also another fairly useful place to deploy a hardware implant.
Lastly, any malware likely needs to phone home eventually. Start up your computer and any common applications you run. Connect it to an external router (this is important as you cannot trust software running on the laptop) that records all traffic. Let the laptop sit unused for at least 24 hours. Now, painstakingly validate all the IP's via ARIN or other registries, to see if any of them look suspicious. You will almost certainly have several that you cannot validate, even if the machine is not compromised, but this may give you some confidence-level of compromise. Do be aware that nation-states often possess the ability to inject traffic into legitimate streams from legitimate locations, and also may compromise legitimate services or use existing legitimate services (such as a service like docs.google.com where any user can create documents of arbitrary data). In addition network traffic on any network protocol is suspect and should not be discounted while trying to validate the traffic.
Lastly, think of your risk profile. Is your nation known for hacking devices and monitoring them? Are you a victim of bad luck or are there legitimate reasons why they should or did suspect you? A certain level of paranoia is healthy, but be practical with your assessment. Custom hardware implants are not cheap, and the cost of discovery can be both embarrassing and costly. If you are not a likely suspect and of some importance, the most likely implant will be software/firmware based, if anything was implanted at all. As others have pointed out, any credentials you had on your machine/that your provided/or any active browser cookies, and all files on the system should now be considered compromised.
add a comment |
In addition to what others have mentioned about detecting hardware changes (chiefly that it is nearly impossible), you should recognize that the most likely vector of compromise would be the installation of software, especially if they only had your device for a fairly limited period of time.
To have a reasonable level of certainty that your device is clean from software exploits you should throw out the hard drive and start with a fresh one and a fresh install. Many of the more practical (and easy) low-level rootkits modify the firmware on hard drives to prevent a normal format from removing the malware. This is also one of the easiest ways to alter a system fairly quickly and "undetectably". If your laptop has a replaceable network card, this would also be something to consider replacing as it is also another fairly useful place to deploy a hardware implant.
Lastly, any malware likely needs to phone home eventually. Start up your computer and any common applications you run. Connect it to an external router (this is important as you cannot trust software running on the laptop) that records all traffic. Let the laptop sit unused for at least 24 hours. Now, painstakingly validate all the IP's via ARIN or other registries, to see if any of them look suspicious. You will almost certainly have several that you cannot validate, even if the machine is not compromised, but this may give you some confidence-level of compromise. Do be aware that nation-states often possess the ability to inject traffic into legitimate streams from legitimate locations, and also may compromise legitimate services or use existing legitimate services (such as a service like docs.google.com where any user can create documents of arbitrary data). In addition network traffic on any network protocol is suspect and should not be discounted while trying to validate the traffic.
Lastly, think of your risk profile. Is your nation known for hacking devices and monitoring them? Are you a victim of bad luck or are there legitimate reasons why they should or did suspect you? A certain level of paranoia is healthy, but be practical with your assessment. Custom hardware implants are not cheap, and the cost of discovery can be both embarrassing and costly. If you are not a likely suspect and of some importance, the most likely implant will be software/firmware based, if anything was implanted at all. As others have pointed out, any credentials you had on your machine/that your provided/or any active browser cookies, and all files on the system should now be considered compromised.
add a comment |
In addition to what others have mentioned about detecting hardware changes (chiefly that it is nearly impossible), you should recognize that the most likely vector of compromise would be the installation of software, especially if they only had your device for a fairly limited period of time.
To have a reasonable level of certainty that your device is clean from software exploits you should throw out the hard drive and start with a fresh one and a fresh install. Many of the more practical (and easy) low-level rootkits modify the firmware on hard drives to prevent a normal format from removing the malware. This is also one of the easiest ways to alter a system fairly quickly and "undetectably". If your laptop has a replaceable network card, this would also be something to consider replacing as it is also another fairly useful place to deploy a hardware implant.
Lastly, any malware likely needs to phone home eventually. Start up your computer and any common applications you run. Connect it to an external router (this is important as you cannot trust software running on the laptop) that records all traffic. Let the laptop sit unused for at least 24 hours. Now, painstakingly validate all the IP's via ARIN or other registries, to see if any of them look suspicious. You will almost certainly have several that you cannot validate, even if the machine is not compromised, but this may give you some confidence-level of compromise. Do be aware that nation-states often possess the ability to inject traffic into legitimate streams from legitimate locations, and also may compromise legitimate services or use existing legitimate services (such as a service like docs.google.com where any user can create documents of arbitrary data). In addition network traffic on any network protocol is suspect and should not be discounted while trying to validate the traffic.
Lastly, think of your risk profile. Is your nation known for hacking devices and monitoring them? Are you a victim of bad luck or are there legitimate reasons why they should or did suspect you? A certain level of paranoia is healthy, but be practical with your assessment. Custom hardware implants are not cheap, and the cost of discovery can be both embarrassing and costly. If you are not a likely suspect and of some importance, the most likely implant will be software/firmware based, if anything was implanted at all. As others have pointed out, any credentials you had on your machine/that your provided/or any active browser cookies, and all files on the system should now be considered compromised.
In addition to what others have mentioned about detecting hardware changes (chiefly that it is nearly impossible), you should recognize that the most likely vector of compromise would be the installation of software, especially if they only had your device for a fairly limited period of time.
To have a reasonable level of certainty that your device is clean from software exploits you should throw out the hard drive and start with a fresh one and a fresh install. Many of the more practical (and easy) low-level rootkits modify the firmware on hard drives to prevent a normal format from removing the malware. This is also one of the easiest ways to alter a system fairly quickly and "undetectably". If your laptop has a replaceable network card, this would also be something to consider replacing as it is also another fairly useful place to deploy a hardware implant.
Lastly, any malware likely needs to phone home eventually. Start up your computer and any common applications you run. Connect it to an external router (this is important as you cannot trust software running on the laptop) that records all traffic. Let the laptop sit unused for at least 24 hours. Now, painstakingly validate all the IP's via ARIN or other registries, to see if any of them look suspicious. You will almost certainly have several that you cannot validate, even if the machine is not compromised, but this may give you some confidence-level of compromise. Do be aware that nation-states often possess the ability to inject traffic into legitimate streams from legitimate locations, and also may compromise legitimate services or use existing legitimate services (such as a service like docs.google.com where any user can create documents of arbitrary data). In addition network traffic on any network protocol is suspect and should not be discounted while trying to validate the traffic.
Lastly, think of your risk profile. Is your nation known for hacking devices and monitoring them? Are you a victim of bad luck or are there legitimate reasons why they should or did suspect you? A certain level of paranoia is healthy, but be practical with your assessment. Custom hardware implants are not cheap, and the cost of discovery can be both embarrassing and costly. If you are not a likely suspect and of some importance, the most likely implant will be software/firmware based, if anything was implanted at all. As others have pointed out, any credentials you had on your machine/that your provided/or any active browser cookies, and all files on the system should now be considered compromised.
edited Dec 18 at 23:03
answered Dec 18 at 21:05
shellster
36714
36714
add a comment |
add a comment |
If they have all your passwords, as you say, and had possession of the laptop, the laptop, its operating system and software installed are all suspect. As suggested, nuke from orbit.
I would also be concerned that any software that might possibly have been implanted could (and would) attempt to compromise other computers on connected networks. Do not connect this machine to an ethernet, nor power it on near any WiFi networks if it has WiFi (nor around Bluetooth devices though I know little about this).
It may not be possible to wipe it even under safe conditions due to compromised firmware.
If they had the laptop for, say, 30 minutes (or less), the drive could (and would) have been imaged/copied. Its secrets are no longer yours alone.
You also have some work ahead of you to change all your passwords: you might want to nuke the accounts for extra safety. Delete all content (if possible) and close the account. Good luck with that. Information may have already been collected, however.
There have been answers regarding hardware modification, and while this is a possibility, clearly software tampering should be high on your mind.
New contributor
2
Forget compromised firmware, if they're serious about monitoring the OP, how about a compromised Ethernet port, or a compromised monitor cable?
– Mark
Dec 19 at 0:45
2
...or a compromised memory bank? There's no limit to the shenanigans you can play with hardware.
– Tom
Dec 19 at 13:36
2
@Tom I think it would be very hard to compromise the DIMM (if that's what you mean by memory bank) without the implant being extremely obvious. Modern DRAM operates at such blindingly fast speeds and with such extreme sensitivity to latency that a fairly large, bulky logic analyzer is required to even so much as analyze the commands being sent to the DRAM modules. Humanity simply lacks the technological capability to create a small implant that's capable of actually monitoring memory in that way.
– forest
Dec 21 at 4:07
@forest - yes, you would have to go above the individual module. And you won't get much logic. I was more thinking about a simple copy, similar to a monitoring port.
– Tom
Dec 21 at 9:45
@Tom I'm not sure if it'd be able to simply copy data either. At those speeds, the electrical characteristics of wires begins to matter.
– forest
Dec 21 at 9:52
|
show 2 more comments
If they have all your passwords, as you say, and had possession of the laptop, the laptop, its operating system and software installed are all suspect. As suggested, nuke from orbit.
I would also be concerned that any software that might possibly have been implanted could (and would) attempt to compromise other computers on connected networks. Do not connect this machine to an ethernet, nor power it on near any WiFi networks if it has WiFi (nor around Bluetooth devices though I know little about this).
It may not be possible to wipe it even under safe conditions due to compromised firmware.
If they had the laptop for, say, 30 minutes (or less), the drive could (and would) have been imaged/copied. Its secrets are no longer yours alone.
You also have some work ahead of you to change all your passwords: you might want to nuke the accounts for extra safety. Delete all content (if possible) and close the account. Good luck with that. Information may have already been collected, however.
There have been answers regarding hardware modification, and while this is a possibility, clearly software tampering should be high on your mind.
New contributor
2
Forget compromised firmware, if they're serious about monitoring the OP, how about a compromised Ethernet port, or a compromised monitor cable?
– Mark
Dec 19 at 0:45
2
...or a compromised memory bank? There's no limit to the shenanigans you can play with hardware.
– Tom
Dec 19 at 13:36
2
@Tom I think it would be very hard to compromise the DIMM (if that's what you mean by memory bank) without the implant being extremely obvious. Modern DRAM operates at such blindingly fast speeds and with such extreme sensitivity to latency that a fairly large, bulky logic analyzer is required to even so much as analyze the commands being sent to the DRAM modules. Humanity simply lacks the technological capability to create a small implant that's capable of actually monitoring memory in that way.
– forest
Dec 21 at 4:07
@forest - yes, you would have to go above the individual module. And you won't get much logic. I was more thinking about a simple copy, similar to a monitoring port.
– Tom
Dec 21 at 9:45
@Tom I'm not sure if it'd be able to simply copy data either. At those speeds, the electrical characteristics of wires begins to matter.
– forest
Dec 21 at 9:52
|
show 2 more comments
If they have all your passwords, as you say, and had possession of the laptop, the laptop, its operating system and software installed are all suspect. As suggested, nuke from orbit.
I would also be concerned that any software that might possibly have been implanted could (and would) attempt to compromise other computers on connected networks. Do not connect this machine to an ethernet, nor power it on near any WiFi networks if it has WiFi (nor around Bluetooth devices though I know little about this).
It may not be possible to wipe it even under safe conditions due to compromised firmware.
If they had the laptop for, say, 30 minutes (or less), the drive could (and would) have been imaged/copied. Its secrets are no longer yours alone.
You also have some work ahead of you to change all your passwords: you might want to nuke the accounts for extra safety. Delete all content (if possible) and close the account. Good luck with that. Information may have already been collected, however.
There have been answers regarding hardware modification, and while this is a possibility, clearly software tampering should be high on your mind.
New contributor
If they have all your passwords, as you say, and had possession of the laptop, the laptop, its operating system and software installed are all suspect. As suggested, nuke from orbit.
I would also be concerned that any software that might possibly have been implanted could (and would) attempt to compromise other computers on connected networks. Do not connect this machine to an ethernet, nor power it on near any WiFi networks if it has WiFi (nor around Bluetooth devices though I know little about this).
It may not be possible to wipe it even under safe conditions due to compromised firmware.
If they had the laptop for, say, 30 minutes (or less), the drive could (and would) have been imaged/copied. Its secrets are no longer yours alone.
You also have some work ahead of you to change all your passwords: you might want to nuke the accounts for extra safety. Delete all content (if possible) and close the account. Good luck with that. Information may have already been collected, however.
There have been answers regarding hardware modification, and while this is a possibility, clearly software tampering should be high on your mind.
New contributor
New contributor
answered Dec 18 at 20:20
newyork10023
1012
1012
New contributor
New contributor
2
Forget compromised firmware, if they're serious about monitoring the OP, how about a compromised Ethernet port, or a compromised monitor cable?
– Mark
Dec 19 at 0:45
2
...or a compromised memory bank? There's no limit to the shenanigans you can play with hardware.
– Tom
Dec 19 at 13:36
2
@Tom I think it would be very hard to compromise the DIMM (if that's what you mean by memory bank) without the implant being extremely obvious. Modern DRAM operates at such blindingly fast speeds and with such extreme sensitivity to latency that a fairly large, bulky logic analyzer is required to even so much as analyze the commands being sent to the DRAM modules. Humanity simply lacks the technological capability to create a small implant that's capable of actually monitoring memory in that way.
– forest
Dec 21 at 4:07
@forest - yes, you would have to go above the individual module. And you won't get much logic. I was more thinking about a simple copy, similar to a monitoring port.
– Tom
Dec 21 at 9:45
@Tom I'm not sure if it'd be able to simply copy data either. At those speeds, the electrical characteristics of wires begins to matter.
– forest
Dec 21 at 9:52
|
show 2 more comments
2
Forget compromised firmware, if they're serious about monitoring the OP, how about a compromised Ethernet port, or a compromised monitor cable?
– Mark
Dec 19 at 0:45
2
...or a compromised memory bank? There's no limit to the shenanigans you can play with hardware.
– Tom
Dec 19 at 13:36
2
@Tom I think it would be very hard to compromise the DIMM (if that's what you mean by memory bank) without the implant being extremely obvious. Modern DRAM operates at such blindingly fast speeds and with such extreme sensitivity to latency that a fairly large, bulky logic analyzer is required to even so much as analyze the commands being sent to the DRAM modules. Humanity simply lacks the technological capability to create a small implant that's capable of actually monitoring memory in that way.
– forest
Dec 21 at 4:07
@forest - yes, you would have to go above the individual module. And you won't get much logic. I was more thinking about a simple copy, similar to a monitoring port.
– Tom
Dec 21 at 9:45
@Tom I'm not sure if it'd be able to simply copy data either. At those speeds, the electrical characteristics of wires begins to matter.
– forest
Dec 21 at 9:52
2
2
Forget compromised firmware, if they're serious about monitoring the OP, how about a compromised Ethernet port, or a compromised monitor cable?
– Mark
Dec 19 at 0:45
Forget compromised firmware, if they're serious about monitoring the OP, how about a compromised Ethernet port, or a compromised monitor cable?
– Mark
Dec 19 at 0:45
2
2
...or a compromised memory bank? There's no limit to the shenanigans you can play with hardware.
– Tom
Dec 19 at 13:36
...or a compromised memory bank? There's no limit to the shenanigans you can play with hardware.
– Tom
Dec 19 at 13:36
2
2
@Tom I think it would be very hard to compromise the DIMM (if that's what you mean by memory bank) without the implant being extremely obvious. Modern DRAM operates at such blindingly fast speeds and with such extreme sensitivity to latency that a fairly large, bulky logic analyzer is required to even so much as analyze the commands being sent to the DRAM modules. Humanity simply lacks the technological capability to create a small implant that's capable of actually monitoring memory in that way.
– forest
Dec 21 at 4:07
@Tom I think it would be very hard to compromise the DIMM (if that's what you mean by memory bank) without the implant being extremely obvious. Modern DRAM operates at such blindingly fast speeds and with such extreme sensitivity to latency that a fairly large, bulky logic analyzer is required to even so much as analyze the commands being sent to the DRAM modules. Humanity simply lacks the technological capability to create a small implant that's capable of actually monitoring memory in that way.
– forest
Dec 21 at 4:07
@forest - yes, you would have to go above the individual module. And you won't get much logic. I was more thinking about a simple copy, similar to a monitoring port.
– Tom
Dec 21 at 9:45
@forest - yes, you would have to go above the individual module. And you won't get much logic. I was more thinking about a simple copy, similar to a monitoring port.
– Tom
Dec 21 at 9:45
@Tom I'm not sure if it'd be able to simply copy data either. At those speeds, the electrical characteristics of wires begins to matter.
– forest
Dec 21 at 9:52
@Tom I'm not sure if it'd be able to simply copy data either. At those speeds, the electrical characteristics of wires begins to matter.
– forest
Dec 21 at 9:52
|
show 2 more comments
Given what you've told us, you need to assume that not only is the laptop irrecoverably compromised, but so is your entire home network, everything connected to it, and every account you have anywhere that was ever accessed from the laptop or from another device connected to your home network.
Physically destroy the laptop, preferably by melting/burning it rather than simple shredding or pulverisation.
Do the same for every single component of your home network.
Do the same for every device that was connected to said network during the time after the laptop was "returned".
Close and delete every account that you have on every website that you have ever accessed from the laptop or from any of the devices in step 3.
Cancel and physically destroy any and all credit/debit/gift cards that you have ever made payments from via the laptop or via any of the devices in step 3. Also cancel any payments that were made using any of those cards during the time after the laptop was "returned".
Close all your bank accounts, withdrawing their entire contents in cash. Destroy any paperwork in your possession associated with any of those accounts.
I cannot emphasise strongly enough the importance of fleeing to a country with better protections against these sorts of abuses by arms of the government.
2
This seemed really really excessive, but it all made sense leading up to the final point, so +1. Except maybe sell the devices instead of destroy them. And I'd guess this may be good advice too: DON'T TRY TO LEAVE A COUNTRY LIKE THAT WITH LOTS OF CASH, THEY'LL JUST TAKE IT AT THE BORDER
– Xen2050
2 days ago
1
Destroying the machine would only confirm the monitor's suspicion - continue using it, but only use it for stuff that would give nothing but wasted time and boredom to a would-be spy!
– rackandboneman
2 days ago
5
Also, I would assume a government-authorized organisation that means business would not need to do one single thing to an individuals home computer to compromise their internet connection, bank accounts or communications accounts. In any country.
– rackandboneman
2 days ago
add a comment |
Given what you've told us, you need to assume that not only is the laptop irrecoverably compromised, but so is your entire home network, everything connected to it, and every account you have anywhere that was ever accessed from the laptop or from another device connected to your home network.
Physically destroy the laptop, preferably by melting/burning it rather than simple shredding or pulverisation.
Do the same for every single component of your home network.
Do the same for every device that was connected to said network during the time after the laptop was "returned".
Close and delete every account that you have on every website that you have ever accessed from the laptop or from any of the devices in step 3.
Cancel and physically destroy any and all credit/debit/gift cards that you have ever made payments from via the laptop or via any of the devices in step 3. Also cancel any payments that were made using any of those cards during the time after the laptop was "returned".
Close all your bank accounts, withdrawing their entire contents in cash. Destroy any paperwork in your possession associated with any of those accounts.
I cannot emphasise strongly enough the importance of fleeing to a country with better protections against these sorts of abuses by arms of the government.
2
This seemed really really excessive, but it all made sense leading up to the final point, so +1. Except maybe sell the devices instead of destroy them. And I'd guess this may be good advice too: DON'T TRY TO LEAVE A COUNTRY LIKE THAT WITH LOTS OF CASH, THEY'LL JUST TAKE IT AT THE BORDER
– Xen2050
2 days ago
1
Destroying the machine would only confirm the monitor's suspicion - continue using it, but only use it for stuff that would give nothing but wasted time and boredom to a would-be spy!
– rackandboneman
2 days ago
5
Also, I would assume a government-authorized organisation that means business would not need to do one single thing to an individuals home computer to compromise their internet connection, bank accounts or communications accounts. In any country.
– rackandboneman
2 days ago
add a comment |
Given what you've told us, you need to assume that not only is the laptop irrecoverably compromised, but so is your entire home network, everything connected to it, and every account you have anywhere that was ever accessed from the laptop or from another device connected to your home network.
Physically destroy the laptop, preferably by melting/burning it rather than simple shredding or pulverisation.
Do the same for every single component of your home network.
Do the same for every device that was connected to said network during the time after the laptop was "returned".
Close and delete every account that you have on every website that you have ever accessed from the laptop or from any of the devices in step 3.
Cancel and physically destroy any and all credit/debit/gift cards that you have ever made payments from via the laptop or via any of the devices in step 3. Also cancel any payments that were made using any of those cards during the time after the laptop was "returned".
Close all your bank accounts, withdrawing their entire contents in cash. Destroy any paperwork in your possession associated with any of those accounts.
I cannot emphasise strongly enough the importance of fleeing to a country with better protections against these sorts of abuses by arms of the government.
Given what you've told us, you need to assume that not only is the laptop irrecoverably compromised, but so is your entire home network, everything connected to it, and every account you have anywhere that was ever accessed from the laptop or from another device connected to your home network.
Physically destroy the laptop, preferably by melting/burning it rather than simple shredding or pulverisation.
Do the same for every single component of your home network.
Do the same for every device that was connected to said network during the time after the laptop was "returned".
Close and delete every account that you have on every website that you have ever accessed from the laptop or from any of the devices in step 3.
Cancel and physically destroy any and all credit/debit/gift cards that you have ever made payments from via the laptop or via any of the devices in step 3. Also cancel any payments that were made using any of those cards during the time after the laptop was "returned".
Close all your bank accounts, withdrawing their entire contents in cash. Destroy any paperwork in your possession associated with any of those accounts.
I cannot emphasise strongly enough the importance of fleeing to a country with better protections against these sorts of abuses by arms of the government.
answered Dec 19 at 23:01
Sean
183115
183115
2
This seemed really really excessive, but it all made sense leading up to the final point, so +1. Except maybe sell the devices instead of destroy them. And I'd guess this may be good advice too: DON'T TRY TO LEAVE A COUNTRY LIKE THAT WITH LOTS OF CASH, THEY'LL JUST TAKE IT AT THE BORDER
– Xen2050
2 days ago
1
Destroying the machine would only confirm the monitor's suspicion - continue using it, but only use it for stuff that would give nothing but wasted time and boredom to a would-be spy!
– rackandboneman
2 days ago
5
Also, I would assume a government-authorized organisation that means business would not need to do one single thing to an individuals home computer to compromise their internet connection, bank accounts or communications accounts. In any country.
– rackandboneman
2 days ago
add a comment |
2
This seemed really really excessive, but it all made sense leading up to the final point, so +1. Except maybe sell the devices instead of destroy them. And I'd guess this may be good advice too: DON'T TRY TO LEAVE A COUNTRY LIKE THAT WITH LOTS OF CASH, THEY'LL JUST TAKE IT AT THE BORDER
– Xen2050
2 days ago
1
Destroying the machine would only confirm the monitor's suspicion - continue using it, but only use it for stuff that would give nothing but wasted time and boredom to a would-be spy!
– rackandboneman
2 days ago
5
Also, I would assume a government-authorized organisation that means business would not need to do one single thing to an individuals home computer to compromise their internet connection, bank accounts or communications accounts. In any country.
– rackandboneman
2 days ago
2
2
This seemed really really excessive, but it all made sense leading up to the final point, so +1. Except maybe sell the devices instead of destroy them. And I'd guess this may be good advice too: DON'T TRY TO LEAVE A COUNTRY LIKE THAT WITH LOTS OF CASH, THEY'LL JUST TAKE IT AT THE BORDER
– Xen2050
2 days ago
This seemed really really excessive, but it all made sense leading up to the final point, so +1. Except maybe sell the devices instead of destroy them. And I'd guess this may be good advice too: DON'T TRY TO LEAVE A COUNTRY LIKE THAT WITH LOTS OF CASH, THEY'LL JUST TAKE IT AT THE BORDER
– Xen2050
2 days ago
1
1
Destroying the machine would only confirm the monitor's suspicion - continue using it, but only use it for stuff that would give nothing but wasted time and boredom to a would-be spy!
– rackandboneman
2 days ago
Destroying the machine would only confirm the monitor's suspicion - continue using it, but only use it for stuff that would give nothing but wasted time and boredom to a would-be spy!
– rackandboneman
2 days ago
5
5
Also, I would assume a government-authorized organisation that means business would not need to do one single thing to an individuals home computer to compromise their internet connection, bank accounts or communications accounts. In any country.
– rackandboneman
2 days ago
Also, I would assume a government-authorized organisation that means business would not need to do one single thing to an individuals home computer to compromise their internet connection, bank accounts or communications accounts. In any country.
– rackandboneman
2 days ago
add a comment |
I need to make sure if they have added something to monitor my activities or steal my data or not
Consider that they have all your data already. You surrended all your passwords, so even data that is not on your laptop (e.g. mail, cloud) is now in their hands. Extended comment: if you were not under arrest you could always change as many passwords as you could after giving them, but we want to assume our attacker has so much resources and efficiency that they grabbed an entire copy of all your online activities by the second you wrote down your password on a piece of paper. Pessimistic approach.
As pointed out by @forest, you can do something to try to prove they did it, but it is so expensive that you better go BestBuy as fastest as possible to get a new laptop. Unless your goal is to whistleblow your government is spying on you and how.
And if they have done that, what should I do to prevent them.
I assume you asked "what should I do to prevent them in the future?". Please edit if not. Getting a new laptop and implementing proper security measures is good, just as we others are doing.
Full disk encryption, plausibly-deniable hidden volumes and complex passwords are the basic tools. A military corp targeting an individual can have so many resources (including 0-days) that you can not prevent them to hack you forever, but you can still protect yourself and make it a painful time for them.
Remember, you said you gave them the passwords. This is where TrueCrypt/VeraCrypt come handy. I recommend you to take a look at this QA. Remember to use the cover OS often. Once in the future you will be questioned again for your passwords, give them the decryption key for the "outer" OS. They are not stupid, they will try their best to extort you that you are running a hidden OS too. For example, just that you are using VeraCrypt instead of stock Windows BitLocker or stock Linux LVM, that might be grounds for questioning/extortion.
You may also want to carefully and safely copying documents from the old hard drive using a USB adapter. Documents, not executables. And, out of paranoia, who can tell if some PDF documents were altered to exploit a 0day in one of the popular readers?
You may want to escape from that country as soon as possible, for what concerns me.
4
Leaving the country really is the best advice.
– Gherman
Dec 20 at 15:01
3
It is important to note that in such a situation, trying to deceive the military who is trying to break into your computer might introduce serious consequences. Lying to them outright is a recipe for disaster.
– schroeder♦
Dec 20 at 19:24
2
There's an interesting idea about "plausible deniability" and encryption - TrueCrypt's Plausible Deniability is Theoretically Useless - "It's also a strictly dominant strategy for the government to keep torturing you... So no matter if you're using a hidden volume or not, the government gets the highest reward by continuing to torture you. So if you and the government are both rational and self-interested, then you are going to use a hidden volume, and the government is going to keep torturing you."
– Xen2050
2 days ago
The more interesting question is, if that military organisation would have found anything that interested them in the first place, would they have returned the laptop at all and left the owner at large?
– rackandboneman
2 days ago
@Xen2050 That website has an extremely naïve understanding of elementary game theory. TrueCrypt's plausible deniability is useful in a large number of threat models. Now, whether or not it's easy to maintain an outer volume that has convincing metadata (timestamps indicative of genuine access) is a different story.
– forest
yesterday
add a comment |
I need to make sure if they have added something to monitor my activities or steal my data or not
Consider that they have all your data already. You surrended all your passwords, so even data that is not on your laptop (e.g. mail, cloud) is now in their hands. Extended comment: if you were not under arrest you could always change as many passwords as you could after giving them, but we want to assume our attacker has so much resources and efficiency that they grabbed an entire copy of all your online activities by the second you wrote down your password on a piece of paper. Pessimistic approach.
As pointed out by @forest, you can do something to try to prove they did it, but it is so expensive that you better go BestBuy as fastest as possible to get a new laptop. Unless your goal is to whistleblow your government is spying on you and how.
And if they have done that, what should I do to prevent them.
I assume you asked "what should I do to prevent them in the future?". Please edit if not. Getting a new laptop and implementing proper security measures is good, just as we others are doing.
Full disk encryption, plausibly-deniable hidden volumes and complex passwords are the basic tools. A military corp targeting an individual can have so many resources (including 0-days) that you can not prevent them to hack you forever, but you can still protect yourself and make it a painful time for them.
Remember, you said you gave them the passwords. This is where TrueCrypt/VeraCrypt come handy. I recommend you to take a look at this QA. Remember to use the cover OS often. Once in the future you will be questioned again for your passwords, give them the decryption key for the "outer" OS. They are not stupid, they will try their best to extort you that you are running a hidden OS too. For example, just that you are using VeraCrypt instead of stock Windows BitLocker or stock Linux LVM, that might be grounds for questioning/extortion.
You may also want to carefully and safely copying documents from the old hard drive using a USB adapter. Documents, not executables. And, out of paranoia, who can tell if some PDF documents were altered to exploit a 0day in one of the popular readers?
You may want to escape from that country as soon as possible, for what concerns me.
4
Leaving the country really is the best advice.
– Gherman
Dec 20 at 15:01
3
It is important to note that in such a situation, trying to deceive the military who is trying to break into your computer might introduce serious consequences. Lying to them outright is a recipe for disaster.
– schroeder♦
Dec 20 at 19:24
2
There's an interesting idea about "plausible deniability" and encryption - TrueCrypt's Plausible Deniability is Theoretically Useless - "It's also a strictly dominant strategy for the government to keep torturing you... So no matter if you're using a hidden volume or not, the government gets the highest reward by continuing to torture you. So if you and the government are both rational and self-interested, then you are going to use a hidden volume, and the government is going to keep torturing you."
– Xen2050
2 days ago
The more interesting question is, if that military organisation would have found anything that interested them in the first place, would they have returned the laptop at all and left the owner at large?
– rackandboneman
2 days ago
@Xen2050 That website has an extremely naïve understanding of elementary game theory. TrueCrypt's plausible deniability is useful in a large number of threat models. Now, whether or not it's easy to maintain an outer volume that has convincing metadata (timestamps indicative of genuine access) is a different story.
– forest
yesterday
add a comment |
I need to make sure if they have added something to monitor my activities or steal my data or not
Consider that they have all your data already. You surrended all your passwords, so even data that is not on your laptop (e.g. mail, cloud) is now in their hands. Extended comment: if you were not under arrest you could always change as many passwords as you could after giving them, but we want to assume our attacker has so much resources and efficiency that they grabbed an entire copy of all your online activities by the second you wrote down your password on a piece of paper. Pessimistic approach.
As pointed out by @forest, you can do something to try to prove they did it, but it is so expensive that you better go BestBuy as fastest as possible to get a new laptop. Unless your goal is to whistleblow your government is spying on you and how.
And if they have done that, what should I do to prevent them.
I assume you asked "what should I do to prevent them in the future?". Please edit if not. Getting a new laptop and implementing proper security measures is good, just as we others are doing.
Full disk encryption, plausibly-deniable hidden volumes and complex passwords are the basic tools. A military corp targeting an individual can have so many resources (including 0-days) that you can not prevent them to hack you forever, but you can still protect yourself and make it a painful time for them.
Remember, you said you gave them the passwords. This is where TrueCrypt/VeraCrypt come handy. I recommend you to take a look at this QA. Remember to use the cover OS often. Once in the future you will be questioned again for your passwords, give them the decryption key for the "outer" OS. They are not stupid, they will try their best to extort you that you are running a hidden OS too. For example, just that you are using VeraCrypt instead of stock Windows BitLocker or stock Linux LVM, that might be grounds for questioning/extortion.
You may also want to carefully and safely copying documents from the old hard drive using a USB adapter. Documents, not executables. And, out of paranoia, who can tell if some PDF documents were altered to exploit a 0day in one of the popular readers?
You may want to escape from that country as soon as possible, for what concerns me.
I need to make sure if they have added something to monitor my activities or steal my data or not
Consider that they have all your data already. You surrended all your passwords, so even data that is not on your laptop (e.g. mail, cloud) is now in their hands. Extended comment: if you were not under arrest you could always change as many passwords as you could after giving them, but we want to assume our attacker has so much resources and efficiency that they grabbed an entire copy of all your online activities by the second you wrote down your password on a piece of paper. Pessimistic approach.
As pointed out by @forest, you can do something to try to prove they did it, but it is so expensive that you better go BestBuy as fastest as possible to get a new laptop. Unless your goal is to whistleblow your government is spying on you and how.
And if they have done that, what should I do to prevent them.
I assume you asked "what should I do to prevent them in the future?". Please edit if not. Getting a new laptop and implementing proper security measures is good, just as we others are doing.
Full disk encryption, plausibly-deniable hidden volumes and complex passwords are the basic tools. A military corp targeting an individual can have so many resources (including 0-days) that you can not prevent them to hack you forever, but you can still protect yourself and make it a painful time for them.
Remember, you said you gave them the passwords. This is where TrueCrypt/VeraCrypt come handy. I recommend you to take a look at this QA. Remember to use the cover OS often. Once in the future you will be questioned again for your passwords, give them the decryption key for the "outer" OS. They are not stupid, they will try their best to extort you that you are running a hidden OS too. For example, just that you are using VeraCrypt instead of stock Windows BitLocker or stock Linux LVM, that might be grounds for questioning/extortion.
You may also want to carefully and safely copying documents from the old hard drive using a USB adapter. Documents, not executables. And, out of paranoia, who can tell if some PDF documents were altered to exploit a 0day in one of the popular readers?
You may want to escape from that country as soon as possible, for what concerns me.
edited 2 days ago
answered Dec 20 at 12:25
usr-local-ΕΨΗΕΛΩΝ
1,111415
1,111415
4
Leaving the country really is the best advice.
– Gherman
Dec 20 at 15:01
3
It is important to note that in such a situation, trying to deceive the military who is trying to break into your computer might introduce serious consequences. Lying to them outright is a recipe for disaster.
– schroeder♦
Dec 20 at 19:24
2
There's an interesting idea about "plausible deniability" and encryption - TrueCrypt's Plausible Deniability is Theoretically Useless - "It's also a strictly dominant strategy for the government to keep torturing you... So no matter if you're using a hidden volume or not, the government gets the highest reward by continuing to torture you. So if you and the government are both rational and self-interested, then you are going to use a hidden volume, and the government is going to keep torturing you."
– Xen2050
2 days ago
The more interesting question is, if that military organisation would have found anything that interested them in the first place, would they have returned the laptop at all and left the owner at large?
– rackandboneman
2 days ago
@Xen2050 That website has an extremely naïve understanding of elementary game theory. TrueCrypt's plausible deniability is useful in a large number of threat models. Now, whether or not it's easy to maintain an outer volume that has convincing metadata (timestamps indicative of genuine access) is a different story.
– forest
yesterday
add a comment |
4
Leaving the country really is the best advice.
– Gherman
Dec 20 at 15:01
3
It is important to note that in such a situation, trying to deceive the military who is trying to break into your computer might introduce serious consequences. Lying to them outright is a recipe for disaster.
– schroeder♦
Dec 20 at 19:24
2
There's an interesting idea about "plausible deniability" and encryption - TrueCrypt's Plausible Deniability is Theoretically Useless - "It's also a strictly dominant strategy for the government to keep torturing you... So no matter if you're using a hidden volume or not, the government gets the highest reward by continuing to torture you. So if you and the government are both rational and self-interested, then you are going to use a hidden volume, and the government is going to keep torturing you."
– Xen2050
2 days ago
The more interesting question is, if that military organisation would have found anything that interested them in the first place, would they have returned the laptop at all and left the owner at large?
– rackandboneman
2 days ago
@Xen2050 That website has an extremely naïve understanding of elementary game theory. TrueCrypt's plausible deniability is useful in a large number of threat models. Now, whether or not it's easy to maintain an outer volume that has convincing metadata (timestamps indicative of genuine access) is a different story.
– forest
yesterday
4
4
Leaving the country really is the best advice.
– Gherman
Dec 20 at 15:01
Leaving the country really is the best advice.
– Gherman
Dec 20 at 15:01
3
3
It is important to note that in such a situation, trying to deceive the military who is trying to break into your computer might introduce serious consequences. Lying to them outright is a recipe for disaster.
– schroeder♦
Dec 20 at 19:24
It is important to note that in such a situation, trying to deceive the military who is trying to break into your computer might introduce serious consequences. Lying to them outright is a recipe for disaster.
– schroeder♦
Dec 20 at 19:24
2
2
There's an interesting idea about "plausible deniability" and encryption - TrueCrypt's Plausible Deniability is Theoretically Useless - "It's also a strictly dominant strategy for the government to keep torturing you... So no matter if you're using a hidden volume or not, the government gets the highest reward by continuing to torture you. So if you and the government are both rational and self-interested, then you are going to use a hidden volume, and the government is going to keep torturing you."
– Xen2050
2 days ago
There's an interesting idea about "plausible deniability" and encryption - TrueCrypt's Plausible Deniability is Theoretically Useless - "It's also a strictly dominant strategy for the government to keep torturing you... So no matter if you're using a hidden volume or not, the government gets the highest reward by continuing to torture you. So if you and the government are both rational and self-interested, then you are going to use a hidden volume, and the government is going to keep torturing you."
– Xen2050
2 days ago
The more interesting question is, if that military organisation would have found anything that interested them in the first place, would they have returned the laptop at all and left the owner at large?
– rackandboneman
2 days ago
The more interesting question is, if that military organisation would have found anything that interested them in the first place, would they have returned the laptop at all and left the owner at large?
– rackandboneman
2 days ago
@Xen2050 That website has an extremely naïve understanding of elementary game theory. TrueCrypt's plausible deniability is useful in a large number of threat models. Now, whether or not it's easy to maintain an outer volume that has convincing metadata (timestamps indicative of genuine access) is a different story.
– forest
yesterday
@Xen2050 That website has an extremely naïve understanding of elementary game theory. TrueCrypt's plausible deniability is useful in a large number of threat models. Now, whether or not it's easy to maintain an outer volume that has convincing metadata (timestamps indicative of genuine access) is a different story.
– forest
yesterday
add a comment |
A backdoor still has to communicate to the attacker, so watching network chatter via your router should suffice. Wiping a harddrive and reinstalling an OS may not be enough, they had it for a week, they could've taken it apart, installed a network tap device and put it back together.
That's not all there is either, there may be no network activity and the program/device may be silently collecting data for somebody to physically retrieve later, probably via a knock on your door.
A new laptop is in order, however I'd keep the old one, maybe even put it on a DMZ so it can't talk to other devices on your home network and it goes without saying, it can't be used for anything sensitive ever again.
12
You probably should look at a copy of the NSA's hardware implant catalog that leaked a few years back. They've got backdoors that can communicate in all sorts of ways, including by modulating an externally-transmitted radio signal.
– Mark
Dec 19 at 0:43
14
@RandomUs1r - the adversary here is the military, not some run-of-the-mill cybercriminal with a backdoor he copied from some darknet forum. There are plenty of ways to send out data in ways that even most cybersecurity professionals would not detect. Some of my friends would approach a device like this with an oscilloscope. There's half a dozen documented ways to get data into and out of machines that are seemingly not connected to any network. There's plenty of ways to hide network, system and memory activities.
– Tom
Dec 19 at 11:44
2
Or the malware does not communicate at all, but just stores the data until the laptop is searched again.
– allo
Dec 20 at 14:11
A trained user with an oscilloscope would only stand any chance if they knew roughly what they are even looking for.
– rackandboneman
2 days ago
add a comment |
A backdoor still has to communicate to the attacker, so watching network chatter via your router should suffice. Wiping a harddrive and reinstalling an OS may not be enough, they had it for a week, they could've taken it apart, installed a network tap device and put it back together.
That's not all there is either, there may be no network activity and the program/device may be silently collecting data for somebody to physically retrieve later, probably via a knock on your door.
A new laptop is in order, however I'd keep the old one, maybe even put it on a DMZ so it can't talk to other devices on your home network and it goes without saying, it can't be used for anything sensitive ever again.
12
You probably should look at a copy of the NSA's hardware implant catalog that leaked a few years back. They've got backdoors that can communicate in all sorts of ways, including by modulating an externally-transmitted radio signal.
– Mark
Dec 19 at 0:43
14
@RandomUs1r - the adversary here is the military, not some run-of-the-mill cybercriminal with a backdoor he copied from some darknet forum. There are plenty of ways to send out data in ways that even most cybersecurity professionals would not detect. Some of my friends would approach a device like this with an oscilloscope. There's half a dozen documented ways to get data into and out of machines that are seemingly not connected to any network. There's plenty of ways to hide network, system and memory activities.
– Tom
Dec 19 at 11:44
2
Or the malware does not communicate at all, but just stores the data until the laptop is searched again.
– allo
Dec 20 at 14:11
A trained user with an oscilloscope would only stand any chance if they knew roughly what they are even looking for.
– rackandboneman
2 days ago
add a comment |
A backdoor still has to communicate to the attacker, so watching network chatter via your router should suffice. Wiping a harddrive and reinstalling an OS may not be enough, they had it for a week, they could've taken it apart, installed a network tap device and put it back together.
That's not all there is either, there may be no network activity and the program/device may be silently collecting data for somebody to physically retrieve later, probably via a knock on your door.
A new laptop is in order, however I'd keep the old one, maybe even put it on a DMZ so it can't talk to other devices on your home network and it goes without saying, it can't be used for anything sensitive ever again.
A backdoor still has to communicate to the attacker, so watching network chatter via your router should suffice. Wiping a harddrive and reinstalling an OS may not be enough, they had it for a week, they could've taken it apart, installed a network tap device and put it back together.
That's not all there is either, there may be no network activity and the program/device may be silently collecting data for somebody to physically retrieve later, probably via a knock on your door.
A new laptop is in order, however I'd keep the old one, maybe even put it on a DMZ so it can't talk to other devices on your home network and it goes without saying, it can't be used for anything sensitive ever again.
answered Dec 18 at 22:22
RandomUs1r
1354
1354
12
You probably should look at a copy of the NSA's hardware implant catalog that leaked a few years back. They've got backdoors that can communicate in all sorts of ways, including by modulating an externally-transmitted radio signal.
– Mark
Dec 19 at 0:43
14
@RandomUs1r - the adversary here is the military, not some run-of-the-mill cybercriminal with a backdoor he copied from some darknet forum. There are plenty of ways to send out data in ways that even most cybersecurity professionals would not detect. Some of my friends would approach a device like this with an oscilloscope. There's half a dozen documented ways to get data into and out of machines that are seemingly not connected to any network. There's plenty of ways to hide network, system and memory activities.
– Tom
Dec 19 at 11:44
2
Or the malware does not communicate at all, but just stores the data until the laptop is searched again.
– allo
Dec 20 at 14:11
A trained user with an oscilloscope would only stand any chance if they knew roughly what they are even looking for.
– rackandboneman
2 days ago
add a comment |
12
You probably should look at a copy of the NSA's hardware implant catalog that leaked a few years back. They've got backdoors that can communicate in all sorts of ways, including by modulating an externally-transmitted radio signal.
– Mark
Dec 19 at 0:43
14
@RandomUs1r - the adversary here is the military, not some run-of-the-mill cybercriminal with a backdoor he copied from some darknet forum. There are plenty of ways to send out data in ways that even most cybersecurity professionals would not detect. Some of my friends would approach a device like this with an oscilloscope. There's half a dozen documented ways to get data into and out of machines that are seemingly not connected to any network. There's plenty of ways to hide network, system and memory activities.
– Tom
Dec 19 at 11:44
2
Or the malware does not communicate at all, but just stores the data until the laptop is searched again.
– allo
Dec 20 at 14:11
A trained user with an oscilloscope would only stand any chance if they knew roughly what they are even looking for.
– rackandboneman
2 days ago
12
12
You probably should look at a copy of the NSA's hardware implant catalog that leaked a few years back. They've got backdoors that can communicate in all sorts of ways, including by modulating an externally-transmitted radio signal.
– Mark
Dec 19 at 0:43
You probably should look at a copy of the NSA's hardware implant catalog that leaked a few years back. They've got backdoors that can communicate in all sorts of ways, including by modulating an externally-transmitted radio signal.
– Mark
Dec 19 at 0:43
14
14
@RandomUs1r - the adversary here is the military, not some run-of-the-mill cybercriminal with a backdoor he copied from some darknet forum. There are plenty of ways to send out data in ways that even most cybersecurity professionals would not detect. Some of my friends would approach a device like this with an oscilloscope. There's half a dozen documented ways to get data into and out of machines that are seemingly not connected to any network. There's plenty of ways to hide network, system and memory activities.
– Tom
Dec 19 at 11:44
@RandomUs1r - the adversary here is the military, not some run-of-the-mill cybercriminal with a backdoor he copied from some darknet forum. There are plenty of ways to send out data in ways that even most cybersecurity professionals would not detect. Some of my friends would approach a device like this with an oscilloscope. There's half a dozen documented ways to get data into and out of machines that are seemingly not connected to any network. There's plenty of ways to hide network, system and memory activities.
– Tom
Dec 19 at 11:44
2
2
Or the malware does not communicate at all, but just stores the data until the laptop is searched again.
– allo
Dec 20 at 14:11
Or the malware does not communicate at all, but just stores the data until the laptop is searched again.
– allo
Dec 20 at 14:11
A trained user with an oscilloscope would only stand any chance if they knew roughly what they are even looking for.
– rackandboneman
2 days ago
A trained user with an oscilloscope would only stand any chance if they knew roughly what they are even looking for.
– rackandboneman
2 days ago
add a comment |
In what shit country do you live LOL? Why do governors confiscate your stuff?
New contributor
add a comment |
In what shit country do you live LOL? Why do governors confiscate your stuff?
New contributor
add a comment |
In what shit country do you live LOL? Why do governors confiscate your stuff?
New contributor
In what shit country do you live LOL? Why do governors confiscate your stuff?
New contributor
New contributor
answered 3 hours ago
Panlantic82
11
11
New contributor
New contributor
add a comment |
add a comment |
If the laptop is a Windows 10 due to secure boot, Windows virtual memory, driver signing- you can ensure the machine is trustable. This doesn't rule out malicious applications installed and set to run and access the computers resources however they would have virtually no way to access other applications or process which don't "put them selves out there".
Windows virtual memory addressing essentially scrambles memory of user mode applications. So if a virus tries to access memory through hacked methods it's not able to discern what's what. So every process has its own 2 gb or so virtual memory that it uses which is translated by windows to real address space. Process memory is basically private to that process. They can share memory with handles. But I believe this would require the cooperation of both process.
Additionally malicious software set to run can see network traffic but that can be viewed by anyone also ounce it's broadcasted on a physical network.
So basically securely written applications cant be eased dropped. Unless the "military" had access to oem, Windows, or intel/amd and they make that ability available to them, or they have realized vulnerabilities not yet known to exist.
2
I disagree. Trusted boot prevents the genuine UEFI firmware to run untrusted software (i.e. software cannot be tampered). It does not prevent tampered hardware to boot the genuine OS. Your assertion on virtual memory is correct, but nobody prevents a military corp with enough resoruces to replace the UEFI firmware with a hypervisor on top of which the OS runs. Then you have ring-0 control over machine.
– usr-local-ΕΨΗΕΛΩΝ
Dec 20 at 12:07
Intel management engine is the starting point, intel needs to provide the oem with information and tooling to use the secure execution processor, which windows uses. There was a recent exploit with macs, but this was with the secure execution engine not used and configured which is done by oems, Windows would not boot under such an environment, and this still would require intels tools.
– marshal craft
Dec 20 at 12:33
"Windows won't boot". That's new for me, I will research on thah. Thank you. Yes, a TPM module can validate hardware and refuse to issue the key if the hardware is compromised, but that's something different from the OS to validate the hardware. An example is Magisk for Android. Magisk operates with unlocked bootloader but is capable of tricking Android into thinking that the hardware and the OS are intact. From what I have learned, Magisk is mostly invulnerable. So Android cannot refuse to boot. This justifies my surprise in your sentence. This is a very interesting topic
– usr-local-ΕΨΗΕΛΩΝ
Dec 20 at 12:39
In the Magisk example: the locked phone will refuse to boot Magisk because hardware checks the OS. But when the software (e.g. SafetyNet) tries to assess the hardware, Magisk creates a layer of smoke that makes the software think the hardware is sane. Surely, Android vs Magisk is just a bare example, I don't know what Windows does to validate hardware when hardware is capable to provide a fake attestation
– usr-local-ΕΨΗΕΛΩΝ
Dec 20 at 12:41
Basically the oem sets fuses in m.e. Which are used to verify firmware was signed usinng cryptography. The oem can update firmware etc, but keeps the system locked down. Also the oem works with Windows and uefi to pass on trust to those components. Also windows doesn't itself use uefi drivers normally. Though it can as worst case plug and play feature where it cant find a driver I think. Obviously this would be a hole in its driver signing mechanism. So I'm not sure how it is handled but presume it is.
– marshal craft
Dec 20 at 12:46
|
show 11 more comments
If the laptop is a Windows 10 due to secure boot, Windows virtual memory, driver signing- you can ensure the machine is trustable. This doesn't rule out malicious applications installed and set to run and access the computers resources however they would have virtually no way to access other applications or process which don't "put them selves out there".
Windows virtual memory addressing essentially scrambles memory of user mode applications. So if a virus tries to access memory through hacked methods it's not able to discern what's what. So every process has its own 2 gb or so virtual memory that it uses which is translated by windows to real address space. Process memory is basically private to that process. They can share memory with handles. But I believe this would require the cooperation of both process.
Additionally malicious software set to run can see network traffic but that can be viewed by anyone also ounce it's broadcasted on a physical network.
So basically securely written applications cant be eased dropped. Unless the "military" had access to oem, Windows, or intel/amd and they make that ability available to them, or they have realized vulnerabilities not yet known to exist.
2
I disagree. Trusted boot prevents the genuine UEFI firmware to run untrusted software (i.e. software cannot be tampered). It does not prevent tampered hardware to boot the genuine OS. Your assertion on virtual memory is correct, but nobody prevents a military corp with enough resoruces to replace the UEFI firmware with a hypervisor on top of which the OS runs. Then you have ring-0 control over machine.
– usr-local-ΕΨΗΕΛΩΝ
Dec 20 at 12:07
Intel management engine is the starting point, intel needs to provide the oem with information and tooling to use the secure execution processor, which windows uses. There was a recent exploit with macs, but this was with the secure execution engine not used and configured which is done by oems, Windows would not boot under such an environment, and this still would require intels tools.
– marshal craft
Dec 20 at 12:33
"Windows won't boot". That's new for me, I will research on thah. Thank you. Yes, a TPM module can validate hardware and refuse to issue the key if the hardware is compromised, but that's something different from the OS to validate the hardware. An example is Magisk for Android. Magisk operates with unlocked bootloader but is capable of tricking Android into thinking that the hardware and the OS are intact. From what I have learned, Magisk is mostly invulnerable. So Android cannot refuse to boot. This justifies my surprise in your sentence. This is a very interesting topic
– usr-local-ΕΨΗΕΛΩΝ
Dec 20 at 12:39
In the Magisk example: the locked phone will refuse to boot Magisk because hardware checks the OS. But when the software (e.g. SafetyNet) tries to assess the hardware, Magisk creates a layer of smoke that makes the software think the hardware is sane. Surely, Android vs Magisk is just a bare example, I don't know what Windows does to validate hardware when hardware is capable to provide a fake attestation
– usr-local-ΕΨΗΕΛΩΝ
Dec 20 at 12:41
Basically the oem sets fuses in m.e. Which are used to verify firmware was signed usinng cryptography. The oem can update firmware etc, but keeps the system locked down. Also the oem works with Windows and uefi to pass on trust to those components. Also windows doesn't itself use uefi drivers normally. Though it can as worst case plug and play feature where it cant find a driver I think. Obviously this would be a hole in its driver signing mechanism. So I'm not sure how it is handled but presume it is.
– marshal craft
Dec 20 at 12:46
|
show 11 more comments
If the laptop is a Windows 10 due to secure boot, Windows virtual memory, driver signing- you can ensure the machine is trustable. This doesn't rule out malicious applications installed and set to run and access the computers resources however they would have virtually no way to access other applications or process which don't "put them selves out there".
Windows virtual memory addressing essentially scrambles memory of user mode applications. So if a virus tries to access memory through hacked methods it's not able to discern what's what. So every process has its own 2 gb or so virtual memory that it uses which is translated by windows to real address space. Process memory is basically private to that process. They can share memory with handles. But I believe this would require the cooperation of both process.
Additionally malicious software set to run can see network traffic but that can be viewed by anyone also ounce it's broadcasted on a physical network.
So basically securely written applications cant be eased dropped. Unless the "military" had access to oem, Windows, or intel/amd and they make that ability available to them, or they have realized vulnerabilities not yet known to exist.
If the laptop is a Windows 10 due to secure boot, Windows virtual memory, driver signing- you can ensure the machine is trustable. This doesn't rule out malicious applications installed and set to run and access the computers resources however they would have virtually no way to access other applications or process which don't "put them selves out there".
Windows virtual memory addressing essentially scrambles memory of user mode applications. So if a virus tries to access memory through hacked methods it's not able to discern what's what. So every process has its own 2 gb or so virtual memory that it uses which is translated by windows to real address space. Process memory is basically private to that process. They can share memory with handles. But I believe this would require the cooperation of both process.
Additionally malicious software set to run can see network traffic but that can be viewed by anyone also ounce it's broadcasted on a physical network.
So basically securely written applications cant be eased dropped. Unless the "military" had access to oem, Windows, or intel/amd and they make that ability available to them, or they have realized vulnerabilities not yet known to exist.
edited Dec 20 at 11:28
answered Dec 20 at 11:22
marshal craft
947
947
2
I disagree. Trusted boot prevents the genuine UEFI firmware to run untrusted software (i.e. software cannot be tampered). It does not prevent tampered hardware to boot the genuine OS. Your assertion on virtual memory is correct, but nobody prevents a military corp with enough resoruces to replace the UEFI firmware with a hypervisor on top of which the OS runs. Then you have ring-0 control over machine.
– usr-local-ΕΨΗΕΛΩΝ
Dec 20 at 12:07
Intel management engine is the starting point, intel needs to provide the oem with information and tooling to use the secure execution processor, which windows uses. There was a recent exploit with macs, but this was with the secure execution engine not used and configured which is done by oems, Windows would not boot under such an environment, and this still would require intels tools.
– marshal craft
Dec 20 at 12:33
"Windows won't boot". That's new for me, I will research on thah. Thank you. Yes, a TPM module can validate hardware and refuse to issue the key if the hardware is compromised, but that's something different from the OS to validate the hardware. An example is Magisk for Android. Magisk operates with unlocked bootloader but is capable of tricking Android into thinking that the hardware and the OS are intact. From what I have learned, Magisk is mostly invulnerable. So Android cannot refuse to boot. This justifies my surprise in your sentence. This is a very interesting topic
– usr-local-ΕΨΗΕΛΩΝ
Dec 20 at 12:39
In the Magisk example: the locked phone will refuse to boot Magisk because hardware checks the OS. But when the software (e.g. SafetyNet) tries to assess the hardware, Magisk creates a layer of smoke that makes the software think the hardware is sane. Surely, Android vs Magisk is just a bare example, I don't know what Windows does to validate hardware when hardware is capable to provide a fake attestation
– usr-local-ΕΨΗΕΛΩΝ
Dec 20 at 12:41
Basically the oem sets fuses in m.e. Which are used to verify firmware was signed usinng cryptography. The oem can update firmware etc, but keeps the system locked down. Also the oem works with Windows and uefi to pass on trust to those components. Also windows doesn't itself use uefi drivers normally. Though it can as worst case plug and play feature where it cant find a driver I think. Obviously this would be a hole in its driver signing mechanism. So I'm not sure how it is handled but presume it is.
– marshal craft
Dec 20 at 12:46
|
show 11 more comments
2
I disagree. Trusted boot prevents the genuine UEFI firmware to run untrusted software (i.e. software cannot be tampered). It does not prevent tampered hardware to boot the genuine OS. Your assertion on virtual memory is correct, but nobody prevents a military corp with enough resoruces to replace the UEFI firmware with a hypervisor on top of which the OS runs. Then you have ring-0 control over machine.
– usr-local-ΕΨΗΕΛΩΝ
Dec 20 at 12:07
Intel management engine is the starting point, intel needs to provide the oem with information and tooling to use the secure execution processor, which windows uses. There was a recent exploit with macs, but this was with the secure execution engine not used and configured which is done by oems, Windows would not boot under such an environment, and this still would require intels tools.
– marshal craft
Dec 20 at 12:33
"Windows won't boot". That's new for me, I will research on thah. Thank you. Yes, a TPM module can validate hardware and refuse to issue the key if the hardware is compromised, but that's something different from the OS to validate the hardware. An example is Magisk for Android. Magisk operates with unlocked bootloader but is capable of tricking Android into thinking that the hardware and the OS are intact. From what I have learned, Magisk is mostly invulnerable. So Android cannot refuse to boot. This justifies my surprise in your sentence. This is a very interesting topic
– usr-local-ΕΨΗΕΛΩΝ
Dec 20 at 12:39
In the Magisk example: the locked phone will refuse to boot Magisk because hardware checks the OS. But when the software (e.g. SafetyNet) tries to assess the hardware, Magisk creates a layer of smoke that makes the software think the hardware is sane. Surely, Android vs Magisk is just a bare example, I don't know what Windows does to validate hardware when hardware is capable to provide a fake attestation
– usr-local-ΕΨΗΕΛΩΝ
Dec 20 at 12:41
Basically the oem sets fuses in m.e. Which are used to verify firmware was signed usinng cryptography. The oem can update firmware etc, but keeps the system locked down. Also the oem works with Windows and uefi to pass on trust to those components. Also windows doesn't itself use uefi drivers normally. Though it can as worst case plug and play feature where it cant find a driver I think. Obviously this would be a hole in its driver signing mechanism. So I'm not sure how it is handled but presume it is.
– marshal craft
Dec 20 at 12:46
2
2
I disagree. Trusted boot prevents the genuine UEFI firmware to run untrusted software (i.e. software cannot be tampered). It does not prevent tampered hardware to boot the genuine OS. Your assertion on virtual memory is correct, but nobody prevents a military corp with enough resoruces to replace the UEFI firmware with a hypervisor on top of which the OS runs. Then you have ring-0 control over machine.
– usr-local-ΕΨΗΕΛΩΝ
Dec 20 at 12:07
I disagree. Trusted boot prevents the genuine UEFI firmware to run untrusted software (i.e. software cannot be tampered). It does not prevent tampered hardware to boot the genuine OS. Your assertion on virtual memory is correct, but nobody prevents a military corp with enough resoruces to replace the UEFI firmware with a hypervisor on top of which the OS runs. Then you have ring-0 control over machine.
– usr-local-ΕΨΗΕΛΩΝ
Dec 20 at 12:07
Intel management engine is the starting point, intel needs to provide the oem with information and tooling to use the secure execution processor, which windows uses. There was a recent exploit with macs, but this was with the secure execution engine not used and configured which is done by oems, Windows would not boot under such an environment, and this still would require intels tools.
– marshal craft
Dec 20 at 12:33
Intel management engine is the starting point, intel needs to provide the oem with information and tooling to use the secure execution processor, which windows uses. There was a recent exploit with macs, but this was with the secure execution engine not used and configured which is done by oems, Windows would not boot under such an environment, and this still would require intels tools.
– marshal craft
Dec 20 at 12:33
"Windows won't boot". That's new for me, I will research on thah. Thank you. Yes, a TPM module can validate hardware and refuse to issue the key if the hardware is compromised, but that's something different from the OS to validate the hardware. An example is Magisk for Android. Magisk operates with unlocked bootloader but is capable of tricking Android into thinking that the hardware and the OS are intact. From what I have learned, Magisk is mostly invulnerable. So Android cannot refuse to boot. This justifies my surprise in your sentence. This is a very interesting topic
– usr-local-ΕΨΗΕΛΩΝ
Dec 20 at 12:39
"Windows won't boot". That's new for me, I will research on thah. Thank you. Yes, a TPM module can validate hardware and refuse to issue the key if the hardware is compromised, but that's something different from the OS to validate the hardware. An example is Magisk for Android. Magisk operates with unlocked bootloader but is capable of tricking Android into thinking that the hardware and the OS are intact. From what I have learned, Magisk is mostly invulnerable. So Android cannot refuse to boot. This justifies my surprise in your sentence. This is a very interesting topic
– usr-local-ΕΨΗΕΛΩΝ
Dec 20 at 12:39
In the Magisk example: the locked phone will refuse to boot Magisk because hardware checks the OS. But when the software (e.g. SafetyNet) tries to assess the hardware, Magisk creates a layer of smoke that makes the software think the hardware is sane. Surely, Android vs Magisk is just a bare example, I don't know what Windows does to validate hardware when hardware is capable to provide a fake attestation
– usr-local-ΕΨΗΕΛΩΝ
Dec 20 at 12:41
In the Magisk example: the locked phone will refuse to boot Magisk because hardware checks the OS. But when the software (e.g. SafetyNet) tries to assess the hardware, Magisk creates a layer of smoke that makes the software think the hardware is sane. Surely, Android vs Magisk is just a bare example, I don't know what Windows does to validate hardware when hardware is capable to provide a fake attestation
– usr-local-ΕΨΗΕΛΩΝ
Dec 20 at 12:41
Basically the oem sets fuses in m.e. Which are used to verify firmware was signed usinng cryptography. The oem can update firmware etc, but keeps the system locked down. Also the oem works with Windows and uefi to pass on trust to those components. Also windows doesn't itself use uefi drivers normally. Though it can as worst case plug and play feature where it cant find a driver I think. Obviously this would be a hole in its driver signing mechanism. So I'm not sure how it is handled but presume it is.
– marshal craft
Dec 20 at 12:46
Basically the oem sets fuses in m.e. Which are used to verify firmware was signed usinng cryptography. The oem can update firmware etc, but keeps the system locked down. Also the oem works with Windows and uefi to pass on trust to those components. Also windows doesn't itself use uefi drivers normally. Though it can as worst case plug and play feature where it cant find a driver I think. Obviously this would be a hole in its driver signing mechanism. So I'm not sure how it is handled but presume it is.
– marshal craft
Dec 20 at 12:46
|
show 11 more comments
Posse is a new contributor. Be nice, and check out our Code of Conduct.
Posse is a new contributor. Be nice, and check out our Code of Conduct.
Posse is a new contributor. Be nice, and check out our Code of Conduct.
Posse is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199971%2fsearch-for-military-installed-backdoors-on-laptop%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop♦
Dec 21 at 15:52