Recent moves by the police to step up hacking people’s PCs (/. article, original Times Online article) and a recent forum thread got me thinking about ways to defend myself against the snooping that the UK seems to love so much.
A quick overview of what we are up against. In the UK the following is recorded:
- Every IP address assigned to an internet connection
- Every web site visited
- Every email address sent from and sent to and time of sending
- Every instant messenger screen name
- Time and destination of every instant message
- IP address at the time of every website/email/IM access
- Every phone number dialled from and to, time of call and duration
- Location to within a few feet of any mobile phones at time of call
- All mobile cell information related to a mobile phone (e.g. times and locations, so they know where your phone is whenever it’s turned on)
- Postal data, basically what is written on the outside of any letter/package
- Vehicle location, recorded by CCTV cameras with automatic numberplate recognition
Other information is probably kept too. The police also have the capability to record phone conversations (and probably email/IM as well), and turn any phone that is turned on into a listening device (bug). Presumably if they did this with your mobile phone you would notice the battery draining pretty fast though. (Source: http://en.wikipedia.org/wiki/Telecommunications_data_retention)
Basically, it’s a modern high-tech surveillance society, and now the police are looking at trying to hack people’s PCs/wifi and trying to install viruses on target computers.
The first line of defence is your home network. It needs to have a secure firewall. Due to the possibility of there being flaws or backdoors in commercial routers, it’s probably best to use a well-tested open source router such as m0n0wall or pfSense. If you have wifi, it needs to be secured with WPA2 and a very strong password (i.e. at least 60 characters, and a mix of upper/lowercase letters, numbers and punctuation).
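A passphrase meeting these criteria can be generated and checked in code. This is an added example, not part of the original post; it assumes WPA2-Personal's passphrase limit of 8 to 63 printable ASCII characters, and the function names are illustrative.

```python
import math
import secrets
import string

# WPA2-Personal accepts a passphrase of 8 to 63 printable ASCII characters.
WPA2_MIN, WPA2_MAX = 8, 63
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "punctuation": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())  # 94 characters in total

def check_passphrase(passphrase, min_length=60):
    """Return a list of problems; an empty list means the passphrase passes."""
    problems = []
    if not WPA2_MIN <= len(passphrase) <= WPA2_MAX:
        problems.append("length %d outside WPA2 range 8-63" % len(passphrase))
    if len(passphrase) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in passphrase):
        problems.append("contains non-printable or non-ASCII characters")
    for label, chars in CLASSES.items():
        if not any(ch in chars for ch in passphrase):
            problems.append("no %s character" % label)
    return problems

def generate_passphrase(length=WPA2_MAX):
    """Draw characters from the OS CSPRNG until every class is represented."""
    if not WPA2_MIN <= length <= WPA2_MAX:
        raise ValueError("WPA2 passphrases must be 8-63 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_passphrase(candidate, min_length=length):
            return candidate

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on entropy for a uniformly random passphrase."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    print(generate_passphrase(), "(%.0f bits)" % entropy_bits(WPA2_MAX))
```

The 60-character minimum leaves only 60 to 63 characters to choose from, since WPA2 rejects longer passphrases; the key actually used is a 256-bit value derived from the passphrase and the SSID.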
Physical security of your PC is important. Make sure you can see the back of it, so that if someone installed a hardware keylogger you would spot it.
You need to harden your OS from attack. Obviously using a strong password is a start, but really you need to use TrueCrypt to encrypt your entire HDD. Since you can be forced to reveal your password or face two years in prison, you should use TrueCrypt’s hidden OS feature and set up a dummy OS you can reveal the password for. Since there is no way to prove that there is a hidden OS, you are protected. Be sure to make the dummy OS look realistic – it needs to have files saved on it, applications installed, the web browser used. You should use it at least once a week to keep file access dates current. If possible, it should be used for non-sensitive use regularly.
There are vulnerabilities in TrueCrypt if the attacker has physical access to your PC. Firewire and PCMCIA ports can be used to dump the computer’s memory and recover the encryption key, as well as read files off the HDD. It is therefore necessary to disable Firewire and PCMCIA ports. I have seen devices that exploit this vulnerability in use. You should also disable the Windows “autorun” feature on all drives to prevent similar attacks via CDs or USB flash memory. The workstation should remain locked when not in use, and require a password to unlock. The system should be powered down as often as possible.
In theory, if an attacker has access to the machine while an encrypted OS is loaded, they could recover the key from the computer’s RAM, either by rebooting it into a special Linux OS or by removing the RAM and placing it in another PC. The best defence against this is to prevent the attacker gaining access to the key in RAM by performing an emergency shut-down (i.e. press the power button). TrueCrypt will clear the key on shut-down. Setting the BIOS to do a full memory test and setting a BIOS password so it cannot be disabled will erase the key during the POST cycle. None of this is foolproof.
An alternative method would be to use an OS that leaves no traces on the PC for sensitive things, such as a Linux Live CD. TrueCrypt could be used for data storage, with the above issues in mind.
For accessing the internet, at a minimum you should use a VPN service terminating in a less draconian country. Relakks seems to be a possibility. Using Tor is also a good idea. Any internet related software needs to be carefully checked for security. Using open source software is a good idea. Remember to validate any checksums available on downloads.
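Checksum validation as described above, as an added example rather than code from the original post: it parses a `sha256sum`-style checksum file and reports each listed download as OK, MISMATCH or MISSING. The file names and contents are constructed samples, and the function names are illustrative.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

SUM_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def sha256_file(path):
    """Hash in 1 MiB chunks so large downloads need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_sums(text):
    """Parse lines of the form '<hex>  name' or '<hex> *name' into {name: digest}."""
    expected = {}
    for line in filter(str.strip, text.splitlines()):
        match = SUM_LINE.match(line)
        if match is None:
            raise ValueError("malformed checksum line: %r" % line)
        expected[match.group(2)] = match.group(1).lower()
    return expected

def verify_downloads(directory, sums_text):
    """Return {name: 'OK'|'MISMATCH'|'MISSING'}; entries resolve by base name only."""
    results = {}
    for name, want in parse_sums(sums_text).items():
        path = Path(directory) / Path(name).name
        if not path.is_file():
            results[name] = "MISSING"
            continue
        same = hmac.compare_digest(sha256_file(path), want)
        results[name] = "OK" if same else "MISMATCH"
    return results

def demo():
    """Constructed sample: two small files stand in for downloaded images."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "good.iso").write_bytes(b"release")
        Path(tmp, "bad.iso").write_bytes(b"tampered")
        good = hashlib.sha256(b"release").hexdigest()
        sums = f"{good}  good.iso\n{good} *bad.iso\n{'0' * 64}  absent.iso\n"
        return verify_downloads(tmp, sums)

if __name__ == "__main__":
    print(demo())
```

A checksum published on the same server as the download only catches corruption or a swapped file, not a compromised server; where the project signs its checksum file, verify that signature as well.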
At all times remember that all communications and movements of your mobile phone and car are being monitored. CCTV is everywhere, and virtually unavoidable. Plausible deniability is the key. Try to avoid anything that can create a paper trail for police fishing expeditions. If you think your details may have been compromised (e.g. bank details, identity theft) report it immediately – the police usually don’t bother to check but it will be of vital importance in court.
Even if you do all this, all it takes is to be in the wrong place at the wrong time to have your life destroyed:
- ‘I was falsely branded a paedophile’ (BBC News)
- Police witness on perjury charge (Men’s Aid)
- Student researching al-Qaida tactics held for six days (Guardian Online)
- A hard look at file-sharing evidence (BBC News)
- Judge rules out child porn charge (BBC News)
- Four suicides in child porn case (BBC News – most of the accused were later cleared)