Didier Stevens

Monday 2 April 2007

Digital Self Defence

Filed under: Vulnerabilities — Didier Stevens @ 8:49

I’m back from Black Hat Europe 2007. Black Hat’s theme is “Digital Self Defence”, and that is just what I did. Because I took a reverse engineering training by Halvar Flake, I had to take my Windows laptop with me. I explain how I protected my Windows laptop when accessing an insecure wireless network at the conference.

The threats I faced when enabling my wireless connection at the conference were:

  • someone compromising the integrity of my system
  • confidential data theft
  • credentials theft

In a normal situation I protect my OS and data with these procedures and tools:

  • keeping my OS and software patched
  • running McAfee Anti-Virus and keeping it updated
  • running Kerio’s free Personal Firewall
  • connecting to the Internet with a NAT router
  • using a WPA secured WiFi connection
  • using Firefox with NoScript and CookieSafe for web browsing
  • storing all my data in a TrueCrypt volume
  • making regular system backups with Acronis True Image on a dedicated USB hard disk
  • using a non-admin account

At home, before I left for the conference, I took a full backup of my laptop.

In the hotel, there was unencrypted, free WiFi available in the rooms and on the conference floor. My laptop has a (hardware) switch to disable WiFi. I would only switch it on when I really needed to access the Internet, and preferably in my hotel room on the 16th floor, not on the conference floor.

Each time I enabled WiFi access, I unmounted the TrueCrypt volume with all my data.

Whenever I accessed a website that needed credentials (like Gmail), I made sure that it used HTTPS, or else I would use Tor as a proxy (I didn’t use Tor all the time because of the slow connection).

For the training, I installed a new virtual machine (with VMware), and installed all the software Halvar gave us and did all the exercises on this machine.

My hotel room had a laptop safe, and I would always store my laptop in it whenever I didn’t need it.

I didn’t notice an incident on my laptop when I was at Black Hat. But back home, I decided to restore my laptop, not because I feared my laptop was compromised, but mainly as an exercise to test my backup procedure.

Here is how I did it:

  1. make a new backup of my laptop, just in case the restore goes wrong
  2. copy my TrueCrypt volume with data and the training virtual machine to a USB hard disk, because I need to keep these
  3. restore the backup from before the conference
  4. copy my TrueCrypt volume with data from the USB hard disk back to the laptop
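Steps 2 and 4 move the only data that survives the restore out to the USB disk and back again, so the one check worth adding is that those copies arrive intact and that step 3 really replaced what was on the laptop. The script below is an added example and not part of the original post or any of the tools it mentions: it builds a SHA-256 manifest of the data directory before the copy-out, then re-checks the USB copy, the freshly restored (stale) laptop, and the copy-back. Hashing the TrueCrypt container as a file means the data is never decrypted for the check. The file names (`data.tc`, `training_vm/vm.vmdk`) and the `demo()` walk-through with random stand-in contents are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

CHUNK = 1 << 20  # hash in 1 MiB pieces; a TrueCrypt container can be many GB


def sha256_file(path: Path) -> str:
    """SHA-256 of a file's bytes, read in chunks so it never has to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for piece in iter(lambda: f.read(CHUNK), b""):
            h.update(piece)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (path relative to root, POSIX form) to its digest."""
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_manifest(root: Path, manifest: Dict[str, str]) -> List[str]:
    """Compare the tree under root with an earlier manifest.

    Returns an empty list when every file is present with the recorded digest,
    otherwise one 'missing:', 'changed:' or 'extra:' entry per discrepancy.
    """
    problems: List[str] = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"changed: {rel}")
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest:
            problems.append(f"extra: {rel}")
    return problems


def demo() -> Dict[str, List[str]]:
    """Constructed walk-through of copy-out, restore, copy-back (stand-in files, not real data)."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "laptop" / "data"
        usb = Path(tmp) / "usb"
        (data / "training_vm").mkdir(parents=True)
        (data / "data.tc").write_bytes(os.urandom(4096))                  # stand-in TrueCrypt container
        (data / "training_vm" / "vm.vmdk").write_bytes(os.urandom(8192))  # stand-in VM disk

        before = build_manifest(data)            # taken right before step 2
        shutil.copytree(data, usb)               # step 2: copy out to the USB disk
        on_usb = verify_manifest(usb, before)    # did the copy arrive intact?

        shutil.rmtree(data)                      # step 3: the old image comes back, with a stale container
        data.mkdir(parents=True)
        (data / "data.tc").write_bytes(os.urandom(4096))
        after_restore = verify_manifest(data, before)   # expected to flag the stale state

        shutil.copytree(usb, data, dirs_exist_ok=True)  # step 4: copy back from the USB disk
        after_copy_back = verify_manifest(data, before)

        with (data / "data.tc").open("ab") as f:        # a truncated or corrupted copy shows up the same way
            f.write(b"\x00")
        after_tamper = verify_manifest(data, before)

    return {
        "on_usb": on_usb,
        "after_restore_stale": after_restore,
        "after_copy_back": after_copy_back,
        "after_tamper": after_tamper,
    }


if __name__ == "__main__":
    for stage, problems in demo().items():
        print(f"{stage}: {problems or 'OK'}")
```

In practice the manifest would be written to a small text file that travels with the USB disk (and is itself worth copying twice), so the check after step 4 does not depend on anything that the restore in step 3 may have overwritten.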

It took a long time, but the procedure is simple and everything went fine. I learned that Acronis True Image’s progress bar during the restore is confusing. The time remaining would increase, not decrease. At the end, it was 5 hours, and then Acronis True Image rebooted my laptop. Windows was running normally, and connected immediately to my WiFi network at home. All traces of the WiFi network at Black Hat were gone.

My laptop has forgotten it was at Black Hat Europe 2007.

The key ingredients of the restore procedure are:

  • a full system backup
  • a clear separation of system files and data files
