Let’s get physical (about hardware security)

Let’s get physical (about hardware security)

This post was originally scheduled to go up later this month, but after yesterday’s fascist insurrection attempt at the U.S. Capitol and some of the images coming from inside, I thought it was important to bump it up in the schedule.

A low-quality picture of a computer monitor and keyboard on a desk. There is a mouse and a phone next to the monitor. Microsoft Outlook is open and displaying an email on the screen.

This picture is floating around Twitter. The computer reportedly belongs to an aide of Nancy Pelosi and was taken by one of the insurrectionists.

The political implications of yesterday’s events have and will be written about over and over. Today we’ll take an opportunity to look at some digital security lessons we can learn.

Lock your computer

If you have to step away from your computer, you want to make sure that no one can see what’s on your screen. In the situation above with fascists literally breaking windows and beating down doors, that might have been the last thing on this staffer’s mind. They should have locked their screen or put it to sleep at the least, or better yet in this specific instance, shut it down. Pulling the plug would have been a viable option.

Locking the screen or putting it to sleep will require your password next time your computer is opened. And because you’re using strong passwords, it will be hard to guess for an attacker.

On macOS and Windows, you can set your screen to lock after a certain period of inactivity, and require your password to unlock:

On a Mac:

  1. Open the System Preferences application.
  2. Click Security & Privacy and then the General tab.
  3. Check “Require password <x> minutes after sleep or screen saver begins” and set the dropdown to as low a number – or immediately – as you are comfortable with.

Then, in back in System Preferences:

  1. Click Desktop & Screen Saver
  2. Click the Screen Saver tab.
  3. In the bottom left corner, change Start After to as low a number as possible for you.

On Windows:

  1. Open your Settings.
  2. Go to Sign-in options
  3. Change ‘Require sign-in’ to ‘When PC wakes up from sleep’

Then, set your computer to lock your screen quickly:

  1. Click the Start menu.
  2. Type Screen Saver.
  3. Click “Change Screen Saver”
  4. Next to the “Wait” text, change the number to as low a value as possible for you.

Encrypt your hard drive

Encrypting your hard drive means that even if someone steals your computer and takes out the physical storage, they’ll need a special password to unlock it. On many modern systems, this is automatically turned on.

To check on a Mac:

  1. Open System Preferences.
  2. Click Security & Privacy.
  3. Click the FileVault tab
  4. Make sure it’s turned on. If not, set a strong recovery key (like a password) and enable it.

The situation is a little more complicated for Windows, depending on which version of Windows you have. Microsoft has an applicable support article.

Careful with USB!

In 2009, the Stuxnet virus caused physical damage to centrifuges at the Natanz enrichment plant in Iran. The computers controlling the centrifuges weren’t connected to the Internet. How did the virus get on them? Through a long series of steps that started with someone plugging in a USB drive into a computer.

Stuxnet was written by US and Israeli intelligence, and a Dutch intelligence operative is reported to have either plugged in a flash drive or gotten someone else to do so. This led to the virus infecting the controllers for Iran’s centrifuges.

It might be a difficult task, but avoid plugging in other people’s USB drives into your computer unless you trust them and their security setup!

Hang on to your laptop

This might be the hardest, and depends on your threat model: what you’re trying to protect and who you’re trying to protect it from.

Having physical access to your computer would let an advanced attacker with money and time – like law enforcement – do pretty much anything they want. The steps above are important, but if you’re in a situation where you know you can grab your computer and go – a laptop, for example – that’s your best bet.