diff --git a/README.md b/README.md index 4ccf566..6a53f9a 100644 --- a/README.md +++ b/README.md @@ -24,6 +24,9 @@ - [Keys](#keys) - [Cryptographic Software](#cryptographic-software) - [Obscurity](#obscurity) + - [Justification](#justification) + - [Code Implementation](#code-implementation) + - [Blending](#blending) - [Minimize Architecture](#minimize-architecture) - [Automated Shutdown Procedures](#automated-shutdown-procedures) - [Play on Resources](#play-on-resources) 
@@ -284,9 +287,9 @@ Hypothetically, if the algorithm/hash combination is known by the attacker, here VeraCrypt does not keep encryption/hashing algorithms secret. Keeping such information secret would break the functionality of VeraCrypt (unless the user were to enter such information on every boot, comparably to how PIMs work). An attacker will never need to attempt multiple combinations. They will simply need to attempt cracking a single, different, algorithm. Leveraging Veracrypt -i. Generate keyfiles: `veracrypt --create-keyfile` -ii. Create a Normal volume: `veracrypt -t -c /home/user/crypt/vault --volume-type=Normal --encryption=Serpent-Twofish-AES --hash=Whirlpool --filesystem=FAT --pim= -k --random-source=` -iii. Create a Hidden volume: `veracrypt -t -c /home/user/crypt/vault --volume-type=Hidden --encryption=Serpent-Twofish-AES --hash=Whirlpool --filesystem=FAT --pim= -k --random-source=` +1. Generate keyfiles: `veracrypt --create-keyfile` +2. Create a Normal volume: `veracrypt -t -c /home/user/crypt/vault --volume-type=Normal --encryption=Serpent-Twofish-AES --hash=Whirlpool --filesystem=FAT --pim= -k --random-source=` +3. Create a Hidden volume: `veracrypt -t -c /home/user/crypt/vault --volume-type=Hidden --encryption=Serpent-Twofish-AES --hash=Whirlpool --filesystem=FAT --pim= -k --random-source=` Distractions are also effective methods of increasing the resources allocated to an investigation. All of the previously listed methods for increasing time of the investigation so far have dealt with decrypting a single Veracrypt or LUKS volume. What happens if multiple decoy volumes are set up? The investigation increases in cost and time consumption. 
@@ -298,8 +301,7 @@ When feasible, radio transmitters should be physically removed from devices. Fro For an adversary who gains a foothold on your system(s) without the physically removed hardware, they could activate certain frequencies to create a persistent foothold and compromise your system even further. For critical operations, reduce reliance on wireless radio transmissions. Consider the process of removing all radio transmitter chipsets, otherwise known as airgapping, to mitigate a medley of threats. - Note: - Methods of "jumping" airgaps have been found in the past.[^29] One must be sure to remove all hardware which could be used for communication. This includes Wi-Fi cards (often Bluetooth and Wi-Fi are within the same physical card), Bluetooth card (if you have a Bluetooth card separate from your Wi-Fi card), microphones (communications protocols have been devised to transmit data through ultrasonic audio). Many modern OSs still have the drivers to support these protocols, and the attacks surface therefore still exists), speakers (usable for data exfiltration using the same means), physical ports (USB, SD, headphone jack). Even power cords have been used as a means of compromise (on both laptop and desktop systems). +Methods of "jumping" airgaps have been found in the past.[^29] One must be sure to remove all hardware which could be used for communication. This includes Wi-Fi cards (often Bluetooth and Wi-Fi are within the same physical card), Bluetooth card (if you have a Bluetooth card separate from your Wi-Fi card), microphones (communications protocols have been devised to transmit data through ultrasonic audio). Many modern OSs still have the drivers to support these protocols, and the attacks surface therefore still exists), speakers (usable for data exfiltration using the same means), physical ports (USB, SD, headphone jack). Even power cords have been used as a means of compromise (on both laptop and desktop systems). 
The traditional methods of interfacing with the internet stand to be the most secure. Systems using direct ethernet connection is optimal. While this is not a technical "airgap," this does prevent packet communications from being analyzed over the air. @@ -478,6 +480,48 @@ For the hollow men (federal agents or contractors) who stumbled upon my work by *"If ye love wealth better than liberty, the tranquility of servitude better than the animating contest of freedom, go home from us in peace. We ask not your counsels or arms. Crouch down and lick the hands which feed you. May your chains set lightly upon you, and may posterity forget that ye were our countrymen."* - Samuel Adams +## Appendix A: Cryptography Script +``` + #!/bin/bash + function mount_partition() { + veracrypt -k --pim=<#> + } + + function close_partitions() { + veracrypt -d + } + + function gone_nuclear() { + shred -n 32 -z -u -v + shred -n 32 -z -u -v + shred -n 32 -z -u -v + sdmem -v + sfill -v -z + } + + Following these functions, a case command can be created: + + options=("mount_partition" "close_partitions" "gone_nuclear" "Quit") + select opt in "${options[@]}" + do + case $opt in + "mount_partition") + mount_partition + ;; + "close_partitions") + close_partitions + ;; + "gone_nuclear") + gone_nuclear + ;; + "Quit") + break + ;; + *) echo "Select a valid option";; + esac + done +``` + ## References [^1]: https://www.forbes.com/sites/andygreenberg/2011/02/11/palantir-apologizes-for-wikileaks-attack-proposal-cuts-ties-with-hbgary/ [^2]: https://puri.sm/posts/deep-dive-into-intel-me-disablement/
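Review bot: in the table-of-contents hunk (`@@ -24,6 +24,9 @@`), the three new entries link to `#justification`, `#code-implementation` and `#blending`, but no hunk in this patch adds headings with those names under the Obscurity section, so the links will dangle unless the headings already exist; confirm the headings are present (or add them in the same commit) and that their text matches the anchors exactly, since GitHub derives the anchor from the heading.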
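Review bot: in the `@@ -284,9 +287,9 @@` hunk the renumbered steps still ship commands with empty option values, `--pim=` and `--random-source=`, and a bare `-k` with no keyfile path, so a reader who copies step 2 or 3 gets a VeraCrypt error rather than a volume; since the lines are being touched anyway, mark the user-supplied parts explicitly, e.g. `--pim=<PIM> -k <keyfile> --random-source=<entropy-file>`, and state in the lead-in that they are placeholders. Also, "Leveraging Veracrypt" spells the product differently from "VeraCrypt" in the paragraph directly above; pick one form for the README.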
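Review bot: in the `@@ -298,8 +301,7 @@` hunk the retained `+` line carries two defects from the removed text that this rewrite is the right place to fix: "the attacks surface" should read "the attack surface", and the parentheses are mismatched, with the clause closing after "ultrasonic audio)" while a second ")" is left dangling after "still exists". Moving the first close so the sentence reads "...through ultrasonic audio; many modern OSs still have the drivers to support these protocols, and the attack surface therefore still exists)" keeps the meaning and balances the brackets. Dropping the "Note:" label is fine, but the paragraph now runs directly after the airgapping sentence, so check the rendered spacing.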
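Review bot: in the `@@ -478,6 +480,48 @@` hunk the new Appendix A script is not runnable as committed, for three separate reasons. First, the sentence "Following these functions, a case command can be created:" sits inside the fenced block, so bash will try to execute it as a command; move it out of the fence (closing the block before it and reopening after) or make it a `#` comment. Second, every command is missing its operands: `veracrypt -k --pim=<#>` names no keyfile, volume or mount point (and `<#>` is a redirection to bash, not a placeholder), the three `shred -n 32 -z -u -v` lines and `sfill -v -z` have no target paths, so either define variables such as `VOLUME=`, `KEYFILE=` and `MOUNTPOINT=` at the top and reference them, or mark the gaps with quoted placeholders like `"<path>"`. Third, the fence has no language tag; ` ```bash ` gets it highlighted like the other README snippets and lets the indentation inside the block be dropped. Since `gone_nuclear` calls `shred -u`, which deletes irrecoverably, the menu entry should prompt for confirmation before running, and the appendix should mention that `sdmem` and `sfill` come from the secure-delete package, which is not installed by default on most distributions.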