Re: [liberationtech] Bruce Schneier on the good, old air gap

2013-10-07 Thread yersinia
On Mon, Oct 7, 2013 at 5:16 PM, Eugen Leitl eu...@leitl.org wrote:


 http://www.wired.com/opinion/2013/10/149481/

 Want to Evade NSA Spying? Don’t Connect to the Internet

 BY BRUCE SCHNEIER 10.07.13 6:30 AM

 Since I started working with Snowden’s documents, I have been using a number
 of tools to try to stay secure from the NSA. The advice I shared included
 using Tor, preferring certain cryptography over others, and using
 public-domain encryption wherever possible.

 I also recommended using an air gap, which physically isolates a computer or
 local network of computers from the internet. (The name comes from the
 literal gap of air between the computer and the internet; the word predates
 wireless networks.)

 But this is more complicated than it sounds, and requires explanation.

 Since we know that computers connected to the internet are vulnerable to
 outside hacking, an air gap should protect against those attacks. There are a
 lot of systems that use — or should use — air gaps: classified military
 networks, nuclear power plant controls, medical equipment, avionics, and so
 on.

 Osama Bin Laden used one. I hope human rights organizations in repressive
 countries are doing the same.

 Air gaps might be conceptually simple, but they’re hard to maintain in
 practice. The truth is that nobody wants a computer that never receives files
 from the internet and never sends files out into the internet. What they want
 is a computer that’s not directly connected to the internet, albeit with some
 secure way of moving files on and off.

 But every time a file moves back or forth, there’s the potential for attack.

 And air gaps have been breached. Stuxnet was a U.S. and Israeli
 military-grade piece of malware that attacked the Natanz nuclear plant in
 Iran. It successfully jumped the air gap and penetrated the Natanz network.
 Another piece of malware named agent.btz, probably Chinese in origin,
 successfully jumped the air gap protecting U.S. military networks.

 These attacks work by exploiting security vulnerabilities in the removable
 media used to transfer files on and off the air gapped computers.

 Bruce Schneier is a security technologist and author. His latest book is
 Liars and Outliers: Enabling the Trust Society Needs to Survive.

 Since working with Snowden’s NSA files, I have tried to maintain a single
 air-gapped computer. It turned out to be harder than I expected, and I have
 ten rules for anyone trying to do the same:

 1. When you set up your computer, connect it to the internet as little as
 possible. It’s impossible to completely avoid connecting the computer to the
 internet, but try to configure it all at once and as anonymously as possible.
 I purchased my computer off-the-shelf in a big box store, then went to a
 friend’s network and downloaded everything I needed in a single session. (The
 ultra-paranoid way to do this is to buy two identical computers, configure
 one using the above method, upload the results to a cloud-based anti-virus
 checker, and transfer the results of that to the air gap machine using a
 one-way process.)

 2. Install the minimum software set you need to do your job, and disable all
 operating system services that you won’t need. The less software you install,
 the less an attacker has available to exploit. I downloaded and installed
 OpenOffice, a PDF reader, a text editor, TrueCrypt, and BleachBit. That’s
 all. (No, I don’t have any inside knowledge about TrueCrypt, and there’s a
 lot about it that makes me suspicious. But for Windows full-disk encryption
 it’s that, Microsoft’s BitLocker, or Symantec’s PGPDisk — and I am more
 worried about large U.S. corporations being pressured by the NSA than I am
 about TrueCrypt.)

 3. Once you have your computer configured, never directly connect it to the
 internet again. Consider physically disabling the wireless capability, so it
 doesn’t get turned on by accident.

 4. If you need to install new software, download it anonymously from a random
 network, put it on some removable media, and then manually transfer it to the
 air gapped computer. This is by no means perfect, but it’s an attempt to make
 it harder for the attacker to target your computer.

 5. Turn off all auto-run features. This should be standard practice for all
 the computers you own, but it’s especially important for an air-gapped
 computer. Agent.btz used autorun to infect U.S. military computers.

 6. Minimize the amount of executable code you move onto the air-gapped
 computer. Text files are best. Microsoft Office files and PDFs are more
 dangerous, since they might have embedded macros. Turn off all macro
 capabilities you can on the air-gapped computer. Don’t worry too much about
 patching your system; in general, the risk of the executable code is worse
 than the risk of not having your patches up to date. You’re not on the
 internet, after all.

 7. 
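
Rules 5 and 6 of the quoted article, as an added example that is not part of the article or of either poster's message: a triage pass over a staging folder before its contents are copied to removable media. The function names, the file-type list and the sample tree are assumptions constructed for illustration; a magic-byte check like this narrows what to look at and does not prove a file is safe.

```python
import os, tempfile, zipfile

MAGIC = {
    b"MZ": "Windows executable (PE)",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF (may carry active content)",
    b"\xd0\xcf\x11\xe0": "legacy Office/OLE2 file (may carry macros)",
}

def classify(path):
    """Return a reason string if the file should be held back, else None."""
    if os.path.basename(path).lower() == "autorun.inf":
        return "autorun.inf (auto-run trigger)"
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, reason in MAGIC.items():
        if head.startswith(magic):
            return reason
    if head.startswith(b"PK") and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as z:
            if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                return "OOXML document with VBA macro project"
        return "ZIP container (inspect contents)"
    return None

def audit(root):
    """Walk the staging folder; return {relative_path: reason} for flagged files."""
    flagged = {}
    for d, _, files in os.walk(root):
        for name in files:
            path = os.path.join(d, name)
            if (reason := classify(path)):
                flagged[os.path.relpath(path, root)] = reason
    return flagged

def demo():
    """Build a constructed sample tree (not real files) and audit it."""
    root = tempfile.mkdtemp()
    samples = {"notes.txt": b"plain text\n", "AUTORUN.INF": b"[autorun]\n",
               "tool.exe": b"MZ\x90\x00", "paper.pdf": b"%PDF-1.4\n"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    with zipfile.ZipFile(os.path.join(root, "report.docm"), "w") as z:
        z.writestr("word/vbaProject.bin", b"constructed placeholder")
    return audit(root)

if __name__ == "__main__":
    print("\n".join(f"HOLD {p}: {r}" for p, r in sorted(demo().items())))
```

Only notes.txt passes in the sample tree; everything else is held for a decision about whether it needs to cross the gap at all.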

Re: [liberationtech] [cryptography] Free cryptography I course (courtesy Coursera)

2013-06-14 Thread yersinia
On Fri, Jun 14, 2013 at 9:43 AM, Eugen Leitl eu...@leitl.org wrote:

 https://www.coursera.org/course/crypto?utm_classid=971022utm_notid=5333944utm_linknum=1

 Cryptography I

 Dan Boneh

 Learn about the inner workings of cryptographic primitives and how to apply
 this knowledge in real-world applications!

It's a very nice course indeed. I followed it and passed the exam too :=).

In July, it take the Part II. Courses like this can be a stimulus for
studying very well the theoretical aspect of cryptography
often not considered by the IT professional, who prefer, in general,
the applied cryptography (many don't like the math aspect).

Best