‘Have more than thou showest, Speak less than thou knowest, Lend less than thou owest’ – William Shakespeare

So I wanted to continue my ‘Loadout’ series, as I know I’ve neglected it to the point that the ‘series’ currently consists of only one other article. It’s busy times, so I apologize in advance. I get lots of questions regarding how I secure my connection and manage to stay ‘underground’ for so long. I thought about talking about that, but decided against it, at least for now, for reasons I am sure must be obvious to anyone who possesses an IQ that exceeds that of Mr John Tiessen AKA @johntiessen and that of Ms Jennifer Emick AKA @asherahresearch combined. (Sorry, couldn’t resist).

Now there’s something to be said for spreading your operation out, so if ‘they’ (whoever your ‘they’ is) get one thing they don’t get it all. But there’s also something to be said for keeping your attack surface as small as possible. It’s two schools of thought; I prefer the latter. It makes things manageable and easier to monitor. This is why EVERYTHING I do, whether offensive, defensive or passive, as ‘Jester’ is done on a single laptop. There is zero cross-pollination between that and my actual identity. This ensures that even if the laptop somehow leaves my possession, all they got was ‘Jester’s’ laptop. This blog post will concentrate on how to secure that laptop and the information on it from physical or coerced infiltration, so even if they get hold of it in your absence, it’s a case of fuggit, no harm done.

What to buy

We’ve all been there. In the store. Pesky sales guy honey-badgering the shit out of us. There’s all kinds of shiny objects begging for our money. The hybrid lapTab, the gargantuan power house laptop that takes 3 thick-set fully grown fighting age males to move from A to B, it’s a minefield. Here’s my advice for what it’s worth.

Don’t buy anything other than business or enterprise class machines. They are easier to upgrade later, or sooner if you are the same as me with gigabytes of DDR3 SODIMMs floating round the place along with a bunch of mSATA SSDs. My point here is simple: enterprise class machines are uglier, yes, but they are built to be easily ripped apart so you can get inside and upgrade, and they come with things like TPM chips and extended BIOS options which we will get to later in this post. I won’t be mentioning any actual laptop brand names, so don’t ask, folks.

Upgrade Path

Sooner or later you are gonna want to upgrade; bear this in mind when you buy. Me personally, I like at least 16GB RAM and a system drive (an internal disk that boots the OS) that is an mSATA SSD for speedy boots, and a secondary internal SATA drive that I use for storage. All this can be fitted into a very small enterprise class form-factor, that’s what they are built for, and good luck finding consumer models that allow the same level of flexibility, power and form-factor.

BIOS 101

First thing you will want to do is secure your BIOS, set individual passwords for BIOS modification, system boot, boot drive selection and anything else your particular BIOS version allows. Mix it up a little. Also enable any biometric options and your TPM (Trusted Platform Module) chip. When you do this you also need to ‘own’ your TPM so it is not the same chip config as when it left the factory.

Full Disk Encryption

I am fully aware that most readers are running Windows, so I would advise for the sake of argument, utilizing Bitlocker which ships with the Pro versions of Windows as standard.

System Drive (SSD)

I would advise for this drive to use Bitlocker and allow 2-factor authentication. You can use the group policies within Windows by running ‘gpedit.msc’ to force you to have to insert a USB stick into your laptop in order for it to even boot, even though you have previously enabled your TPM chip. This combined with your BIOS password means someone needs ‘something you know’ as well as ‘something you have’ to get the laptop to boot.

Storage Drive (SATA)

For this disk on a Windows laptop, my advice would be to use Bitlocker again, but this time just make it TPM based only, IE: you don’t need a USB stick to access it, decryption is transparent, but the disk does need to be physically present in your particular laptop. No other will do.

Caveat: I know I know, Bitlocker is MS but this combined with the 3rd ‘plausible deniability’ solution below covers you pretty nicely.
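The TPM check from the BIOS section and the two Bitlocker configurations above (TPM + USB startup key for the system drive, transparent TPM-bound unlock for the storage drive), as an added PowerShell example that is not from the original post. It assumes Windows 10/11 Pro with the built-in BitLocker module, C: as the OS volume, D: as the storage volume and a USB stick at E: for the startup key; the drive letters are assumptions. Note that Bitlocker only attaches TPM protectors to the OS volume, so the ‘TPM only’ storage drive is achieved with auto-unlock, whose key lives on the TPM-bound C: volume.

```powershell
# Added example (not from the original post). Assumes Windows 10/11 Pro, the
# BitLocker PowerShell module, OS volume C:, data volume D:, a USB stick at E:
# for the startup key, and an elevated shell. Drive letters are assumptions.
#Requires -RunAsAdministrator

$OsDrive   = 'C:'
$DataDrive = 'D:'
$UsbDrive  = 'E:'   # the 'something you have'

# 1. The TPM must be present and ready (owned/provisioned) before it can
#    hold the OS drive key; Initialize-Tpm takes ownership if it is not.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present/ready: enable it in the BIOS, then run Initialize-Tpm."
}

# 2. Policy check: 'Require additional authentication at startup' (gpedit.msc,
#    BitLocker > Operating System Drives) must allow a startup key with TPM.
#    Its registry mirror lives under FVE; UseTPMKey 2 = require, 1 = allow.
$fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or $fve.UseAdvancedStartup -ne 1 -or $fve.UseTPMKey -lt 1) {
    Write-Warning "Set 'Require additional authentication at startup' to allow/require TPM + startup key."
}

# 3. OS drive: TPM + startup key on the USB stick (two factors just to boot),
#    plus a recovery password so a lost stick does not brick the machine.
if ((Get-BitLockerVolume -MountPoint $OsDrive).ProtectionStatus -eq 'Off') {
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
        -TpmAndStartupKeyProtector -StartupKeyPath $UsbDrive -SkipHardwareTest
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
}

# 4. Storage drive: no second factor, but it only unlocks transparently from
#    this OS volume; pulled into another machine it stays locked.
if ((Get-BitLockerVolume -MountPoint $DataDrive).ProtectionStatus -eq 'Off') {
    Enable-BitLocker -MountPoint $DataDrive -EncryptionMethod XtsAes256 -RecoveryPasswordProtector
    Enable-BitLockerAutoUnlock -MountPoint $DataDrive
}

# 5. Verify the protector mix on each volume. Keep the recovery passwords
#    OFF the laptop, otherwise step 3 buys nothing.
Get-BitLockerVolume | Select-Object MountPoint, ProtectionStatus, EncryptionPercentage,
    @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

After a reboot the laptop should refuse to start without the USB stick present, and D: should appear already unlocked once C: has booted.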

Biometric Authentication

A lot of enterprise class laptops these days come with Biometric Fingerprint scanning hardware, drivers and software to prevent logging into your OS of choice without your finger being present at the time of login or unlock. Enable this too. When you enable it you can select which finger you use as your key. If you are right-handed use your left pinky, and vice versa. That way when ‘they’ cut your digit off to access your machine you are not completely fucked.

Important sidenote: Never, ever, under any circumstances nominate your thumb for fingerprint scanners. Humans are the only creatures blessed with opposable thumbs; you’ll miss not being able to use scissors without mom’s supervision.

Proximity Lockdown

Ever walk away from your machine and forget to lock it? Yeah, it happens right? There’s software out there available for free that allows you to associate any bluetooth device with your laptop. The most obvious device to utilize here is your cell as it’s most likely to leave your workstation when you do. This software causes your laptop to ‘ping’ your cell over bluetooth every few seconds, if your cell is out of range, your laptop locks down and requires your 2 or 3 factor authentication in order to let you back in.

Push Out Decoy Wifi Access Points

Add an external USB wifi adapter in addition to your regular internal one. You can then configure this (if you are clever) to throw out hundreds of fake wireless AP SSIDs. You can even randomize their names based on a wordlist. Why would you do this? Well, security through obscurity is by no means sensible, I agree, but anyone looking to sniff your wifi traffic is not going to be able to see the forest for the trees, and you get to log all the intrusion attempts. If you use a micro-USB wifi adapter you never need to take it out, and your forest will follow you wherever you roam.

Plausible Deniability

Worst case scenario. You and your laptop are compromised together. Nobody wants to lose a digit here right? This is where we get really tricky. There’s software that will allow you to encrypt your system drive as a hidden ‘partition’ and have another decoy system drive, such that one boot password will boot the decoy partition and the other password will boot the real one. That way if you really are in the shit, you can appear to be giving up your machine when in actual fact you are merely giving up the decoy, which obviously contains dummy/fake information.

For those interested it looks a little like this:

Now that’s what I’m talking about. All these mechanisms are available cross-platform (well, Linux and Windows at least). I have not gone into full details of individual specifics for obvious reasons. Google is your friend. Seek and ye shall find.

Disclaimer: All information here is my humble opinion and theoretically explaining what I would do if I was an international man of mystery hacker type super-geek. Nothing more. Peace.

Staying Frosty

J.