I bought a laptop from somebody. The laptop had Ubuntu 14 on it; I erased the entire disk and installed Ubuntu 16 on it. I definitely don't want the previous owner to have access to my data or keystrokes. Does the re-installation guarantee my security? If not, what should I be looking for?
-
14 No, the BIOS can be compromised, the Intel AMT can be set up to control the computer, the keyboard can have a keylogger attached, and on and on. – Chai T. Rex Feb 05 '18 at 01:17
-
6 @ChaiT.Rex You could recommend flashing the BIOS from mfg website... – WinEunuuchs2Unix Feb 05 '18 at 01:19
-
3 If you're 100% sure previous owner doesn't know how to hijack ROM on motherboard, or hasn't installed any rogue chips/hardware - then erasing hard drive is safe enough. Most people, unless they're really really good hackers, don't know how to break ROM. – Sergiy Kolodyazhnyy Feb 05 '18 at 01:20
-
36 @rivu Unless the previous owner is your ex-spouse or the NSA I wouldn't worry. Erasing hard drive and installing Ubuntu 16 is enough precaution without paranoia. – WinEunuuchs2Unix Feb 05 '18 at 01:20
-
1 @SergiyKolodyazhnyy Hi long time no see. We should add most people aren't "hack-bait" in the first place. Besides most people unknowingly give away everything anyway by having a "smart" phone with location tracking, microphone and camera for fakebook, twithead, gooble and all the other goblins and trolls to track them. Even Samsung "smart TVs" can listen to your conversations when they are turned off in the Living Room. – WinEunuuchs2Unix Feb 05 '18 at 01:24
-
1 Then again... why put valuable data on an untrusted machine anyway? Just food for thought. – Sergiy Kolodyazhnyy Feb 05 '18 at 01:25
-
3 @WinEunuuchs2Unix Yep, exactly right. There's enough tracking and data mining going on without any actual malware or spyware being installed on computers or smartphones. Best way not to get hacked is not have a computer. Or data. Data can't be stolen if you don't have any :) – Sergiy Kolodyazhnyy Feb 05 '18 at 01:27
-
This question would likely be better suited to https://security.stackexchange.com – rooby Feb 05 '18 at 04:35
-
23 @rooby: But not in its current form. The very first thing(s) that commenters at [security.se] would ask, are the same things that should have been asked here: What is your threat model? Who or what is your adversary? How much money, resources (and morals) do they have or do they want to spend on the attack? How much money and resources do you have and want to spend on the defense? How valuable is your data? How time-sensitive is your data? What does the environment look like in which the laptop is going to operate? For example, if someone can just kidnap your kids and threaten to hurt … – Jörg W Mittag Feb 05 '18 at 07:18
-
7 … them, and you will give them the data anyway, then it makes no sense to secure the laptop without also securing your home, your wife, and your kids: https://xkcd.com/538/ – Jörg W Mittag Feb 05 '18 at 07:18
-
For normal users: Yes. Most people do not even know how to install a virus in the BIOS. If you suspect something (maybe the laptop is from your ex-spouse or similar) ask https://security.stackexchange.com/ for answers with much more security insight than here. This will be an interesting question for that site. – allo Feb 06 '18 at 11:07
-
As long as he isn't an expert 1337 h4xx0r you're probably safe. Even for experienced users modifying a proprietary BIOS is hard (maybe if the computer has coreboot it could be modified to include a backdoor) and you cannot flash a non signed BIOS on many laptops. Maybe the disk firmware could be another place though – Suici Doga Feb 06 '18 at 11:47
-
My guess is MAYBE. But just in case if you are unsure: Encrypt your home folder or the whole disk at install. – xX0v0Xx Feb 07 '18 at 09:15
-
@rivu What is the make/model of your laptop and capacity of its hard drive? There could be other options to explore such as a 2.5" SSD, a PCIe 1/2 length mini mSata III SSD or an NVMe M.2 Gen 3 x 4 SSD – WinEunuuchs2Unix Feb 09 '18 at 00:54
5 Answers
Short Answer
YES
Long Answer
YES, but...
A laptop with Ubuntu 14.04 installed by the previous owner is on average safer than one with Windows installed on it. Windows was well known for having "worms", "viruses" and "Trojans". These days Windows is better but the historical events are still at the back of most people's minds. This history naturally affects the thinking of many (but not all) new users to Linux / Ubuntu as well. I think it's important to point out how much less likely viruses are.
There are some Linux binary programs that can capture your keystrokes. A previous owner could have such a program installed and another program to transmit your recorded keystrokes to an Internet address. The fact you erased the hard drive and installed Ubuntu 16.04 should have eradicated it.
Things to remember:
- As I mentioned in comments below your question, unless an ex-spouse or the NSA sold you the used laptop you shouldn't worry all that much.
- If an owner set up the machine to spy on you and you purchased the machine then that means the machine is your property. Any data collected by the previous owner makes them guilty of willful trespass. Also the police could consider charging them with the intent to commit fraud, blackmail or theft (via on-line banking). Most people would not take this risk.
General points about keyloggers:
- Employers can legally use them to spy on employees because the employers own the computers
- High school principals have been known to spy on students in bedrooms by remotely activating webcams on the school's laptop the student is using.
- Libraries who charge say $12 for a yearly library card probably could not use keyloggers but recently my city library made library cards free so I guess they probably could legally do it.
- If you live in a shared home or other people have access to your computer at work you may want to install your own keylogger on your own computer to see if others are accessing it when you are away.
In the comment section of your question, myself and others were guilty of hi-jacking your question with talk about BIOS and ROM chip reprogramming. That is extremely unlikely unless you are the owner of a bitcoin exchange that the US Federal Reserve or US Treasury was keen to eradicate. However that would also mean you wouldn't be buying a used computer in the first place.

-
11 "you wouldn't be buying a used computer in the first place" and buying a new one won't help. – talex Feb 05 '18 at 09:06
-
2 I'm not sure if the U.S. Federal Reserve or Treasury would actually use underhanded methods like this to achieve their goal. That doesn't really appear to be part of their mission. I find it more likely that they would go through the DoJ and the courts to enforce their policies. But I'm going off topic… – David Foerster Feb 05 '18 at 11:04
-
@DavidFoerster True the DoJ would be the department doing the work but it would be on behalf of US Fed or Treasury that would want to clamp down on bitcoin, if and when they want to. The point I was trying to make is those worth spying on would not be buying second hand computers (for the most part). – WinEunuuchs2Unix Feb 05 '18 at 11:08
-
4 We're talking about malware that survives a disk wipe here. Just because Ubuntu 14.04 was the last OS on the computer doesn't mean it was the only one. – Dennis Feb 05 '18 at 14:41
-
12 OP didn't mention anything about Windows, so your 1st paragraph is just an off-topic ramble. – gronostaj Feb 06 '18 at 08:43
-
6 Windows popularity gives preconceptions of security problems for most people. It is important to debunk them in the Linux/Ubuntu Land. – WinEunuuchs2Unix Feb 06 '18 at 11:21
-
RE: your second paragraph: google for "linux rootkit" or "linux keylogger" etc etc. – skrewler Feb 07 '18 at 15:27
-
Elaborating a bit. Off the top of my head, last owner could whip up a simple shell script w/ netcat (netcat installed by default) as a backdoor.
Linux isn't any more secure than Windows before or after a wipe. It's true there is more malware in the wild on Windows, it's pretty simple to avoid unless you're gullible. For that user "Windows Defender" is built in/free tools work quite well.
It's easy to misconfigure your Linux box leaving it vulnerable. On Windows, not so much. Finally, Windows just has a bad rep from older releases. Post Windows Vista has UAC.
ran out of room
– skrewler Feb 07 '18 at 16:01
-
When I tried to re-flash my BIOS it said I already have the latest BIOS :/ – flyingdrifter Feb 07 '18 at 23:45
-
@flyingdrifter For new laptops BIOS is frequently updated over the first two years; after that they tend to taper off. – WinEunuuchs2Unix Feb 07 '18 at 23:46
-
@skrewler I added keylogger to my answer. Thanks for pointing that out. I left rootkit out because that was more about hiding running pids, granting kernel access to user space and other technical details making the answer too long after explaining everything. – WinEunuuchs2Unix Feb 08 '18 at 00:15
-
I mainly had a problem with your statement that taking ownership of a Laptop w/ Linux is inherently more secure than one with Windows. That's just wrong.
When someone says "rootkit" they're usually referring to the kernel or other core parts of the OS replaced w/ malicious code that is undetectable. No PIDs to hide or anything.
– skrewler Feb 09 '18 at 22:53
-
Something else I've seen is there's often some kind of mechanism to re-root even after installing a fresh kernel or whatever, living in the boot loader (Grub/LILO/Syslinux/etc) and reinfecting from there is a common tactic as well. So even if you were to do a fresh install, if you don't do a full format of the drive (including bootloader) you'd be vulnerable.
That goes for Windows bootloaders as well (NTLDR? BootMGR? something like that)
– skrewler Feb 09 '18 at 23:02
-
@skrewler #1. It's been my limited experience of no viruses on Linux/Ubuntu and a few in Windows. Also in Windows lots of adware requiring me to reinstall browsers. Also in Windows clogged up registries requiring me to reinstall Windows after a couple years to make the machine run faster. #2 The OP says the disk was erased before 16.04 was installed. The next better thing is to set every byte on the hard drive to 0 I guess. – WinEunuuchs2Unix Feb 10 '18 at 00:10
-
"malware" in Linux doesn't manifest itself as annoying ads popping up or scams. (at least that I've encountered) Typically your machine becomes part of a botnet -- one of the more well known uses of botnets is to launch DDOS attacks. The Botnet will even self-propagate by continuously scanning IP Ranges for vulnerable / misconfigured systems.
There are plenty more uses for Botnets -- Bitcoin mining, spam, and of course stealing your credentials, CC #'s, etc.
Ransomware is a different story -- I'm running out of characters though
– skrewler Feb 10 '18 at 07:29
-
@skrewler You are probably referring to the Ransomware known as "Wanna Cry". If so I believe that mostly affected Windows users: https://askubuntu.com/questions/914623/what-is-the-wanna-cry-ransomwares-possible-impact-on-linux-users – WinEunuuchs2Unix Feb 10 '18 at 15:14
-
Shared office space w/ another startup. One day, their DB had all of its tables missing w/ a note asking for BTC to get their data back.
This is what I'm talking about, it's incredibly easy to misconfigure Linux opening yourself up to attack. Main two things they screwed up: somehow their database was publicly accessible on the internet (no, not port 22 (ssh) but 3306 MySQL's port). 2nd, although they made nightly backups they never tested them and, surprise, the backup was useless (unsure of the details on that). Smart guys and built great product, but this took their company under.
– skrewler Feb 11 '18 at 02:37
-
They were most definitely running Linux. No one in the startup space runs Windows. What in my post gave you the impression that it was one ransomware or the other? I yet again point you towards Google: "Linux ransomware mysql"
This will be my last post, hope you realize there are -plenty- of Linux systems being hacked/infected out there -- on top of that, the tools to do it are free, plentiful, and easy to use.
note: deleted and edited my last post as I was on a train last night and it cut off the last part of my post.
– skrewler Feb 11 '18 at 02:43
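Added example, not part of the original thread: the comments above about boot loader persistence and zero-filling the drive suggest checking, from live media before reinstalling, that a wipe really reached sector 0 and the gap before the first partition (where GRUB embeds its second stage on BIOS/MBR disks). The function names, the 2048-sector gap size and the sample image are assumptions of this example, and it assumes 512-byte logical sectors.

```python
import os
import struct
import tempfile

SECTOR = 512                  # assumption: 512-byte logical sectors
ZERO = bytes(SECTOR)

def audit_boot_area(path, gap_sectors=2048):
    """Report what survives in sector 0 and the pre-partition gap of a disk
    (or image) that is supposed to have been zero-filled."""
    with open(path, "rb") as dev:
        head = dev.read(SECTOR * gap_sectors)
    if len(head) < SECTOR:
        raise ValueError("need at least one full sector")
    mbr = head[:SECTOR]
    partitions = []
    for slot in range(4):     # four 16-byte partition entries start at offset 446
        entry = mbr[446 + 16 * slot:462 + 16 * slot]
        start_lba, sectors = struct.unpack_from("<II", entry, 8)
        if entry != bytes(16):
            partitions.append({"slot": slot, "type": entry[4],
                               "start_lba": start_lba, "sectors": sectors})
    # Any non-zero sector after sector 0 is leftover data (e.g. boot loader code).
    dirty = [lba for lba in range(1, len(head) // SECTOR)
             if head[lba * SECTOR:(lba + 1) * SECTOR] != ZERO]
    return {
        "boot_code_present": mbr[:446] != bytes(446),
        "boot_signature": mbr[510:512] == b"\x55\xaa",
        "gpt_header": head[SECTOR:SECTOR + 8] == b"EFI PART",
        "partitions": partitions,
        "dirty_gap_sectors": dirty,
    }

def is_clean(report):
    """True only if nothing at all is left in the inspected boot area."""
    return not (report["boot_code_present"] or report["boot_signature"]
                or report["partitions"] or report["dirty_gap_sectors"])

def build_sample_image(path, wiped):
    """Constructed sample: a 1 MiB image, optionally with leftover boot data."""
    image = bytearray(SECTOR * 2048)
    if not wiped:
        image[0:446] = b"\xAB" * 446                   # filler standing in for boot code
        image[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0",
                                     0x83, b"\0\0\0", 2048, 409600)
        image[510:512] = b"\x55\xaa"                   # MBR boot signature
        image[SECTOR:2 * SECTOR] = b"\xCD" * SECTOR    # filler for a second stage
    with open(path, "wb") as out:
        out.write(image)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "disk.img")
        for wiped in (False, True):
            build_sample_image(img, wiped)
            report = audit_boot_area(img)
            print("wiped" if wiped else "leftover", is_clean(report), report)
```

On real hardware the path would be the whole-disk device, read as root from live media. The check covers only the first 1 MiB of the disk and says nothing about BIOS, AMT or drive firmware.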
In a comment @JörgWMittag writes that you should always ask "What is your threat model?" In other words: Who is the opponent and what info do you want to keep from them? What is it worth to them?
If you are afraid of a Government-level opponent, and they think you are worth the effort, nothing is safe. You can do whatever you want, it will not be safe.
However, if you are just an average person worrying about other average people, reinstalling the OS should be more than enough.
One worry is that even if you make the software safe, the hardware or firmware might be compromised. However, this would be expensive for the attacker and therefore highly improbable.
Do you know the seller? If they are just some random person on eBay, they are not going to care enough about you to do anything.
You might worry a bit if you know the seller AND they have a grudge against you AND they are good with computer hardware.
If you have more specific questions they should probably go on Security SE.

-
1 "You can do whatever you want, it will not be safe." I don't know... You probably need to be a Snowden-level specialist, but it's not literally impossible. – cubuspl42 Feb 06 '18 at 17:24
-
2 A malicious seller on eBay might intentionally send out infected laptops for a couple of commercial hacking endeavors: to gather information to support an identity theft scheme; the laptop might come preinstalled with cryptomalware to activate at a later date; the laptop might come with a botnet infection to take down opposing game servers (the motivation for Mirai). Hackers have reinstated themselves as boogeymen, it's not just corporate and government spying you need to watch out for. – YetAnotherRandomUser Feb 06 '18 at 23:46
-
2 @YetAnotherRandomUser I've read bitcoin miners have hi-jacked some games people play on-line to run calculations which help them mine coins with the game player's computer. Although likely not harmful to data the user is paying more for electricity and getting slower game play. – WinEunuuchs2Unix Feb 06 '18 at 23:49
Pretty much yes, but…
Unfortunately, unsupervised direct physical access to a computer pretty much voids all security since, theoretically, an attacker with physical access can do anything they want with the machine including tampering with it to compromise all software running on it in the future. This is very hard to detect. However, it's similarly hard to pull off in the first place and thus takes a very dedicated attacker. Even for those it would be far simpler to try other attack vectors first.
Conclusion: You're safe unless you somehow attracted the attention of a very dedicated and resourceful attacker.

-
While the first part of this is quite accurate, I'm not sure the conclusion is correct. Think of how long generic rootkits from the vendor survived without being found, and they were not exactly subtle. There could be serious criminal money to be made if one resells, say, thousands of laptops, and puts a quiet crypto miner in each one (to steal victims' electricity); by the time they are found out months or years later the perpetrator is long gone... – madscientist159 Feb 08 '18 at 03:56
Disclaimer: I'm going to offer a different viewpoint to this question
Q: Is it safe to use a second hand laptop after reinstalling ubuntu on it?
A: NO
Simply re-installing will not make it "safe" in a general sense, and not make it "safe" if you suspect you are the victim of an attack by your seller.
A couple points on this:
- Trust
Any "foreign" hardware you use and/or bring into your home network from an "untrusted" source is a risk and should not be trusted by default. However, who do you trust? Well that depends, largely on how much of a target you are and how paranoid you are...
It's difficult to make generalizations here and say big hardware vendors are safe to buy from, because the past has shown they actually aren't. See some random highlights here:
- Spyware on Lenovo with additional software
- HP uses Synaptics Touchpad drivers with keylogger
- IBM ships Software to customers on malware infected USB sticks
Although these news items I found with quick googlefu are Windows focused, it is a common misconception that Linux is safe(er) from viruses/trojans. Also, they can all be attributed, to some degree at least, to negligence rather than deliberate attacks.
Even more to the point, we mostly don't know what is lurking in proprietary firmware and drivers that have not been peer reviewed (and even peer-reviewed software can sometimes be the source of myth and mistrust).
With the system firmware, a much more privileged software layer exists in modern computer systems though that has recently become the target in sophisticated computer attacks more often. Compromise strategies used by high profile rootkits are almost completely invisible to standard forensic procedures and can only be detected with special soft- or hardware mechanisms.
So, with a specific and targeted attack in mind, it is even plausible - though very unlikely since there are easier methods - that the firmware on your notebook, or the BIOS or even the very hardware itself has been manipulated (say with a microcontroller/keylogger soldered onto the mainboard, etc).
In conclusion to this point:
You cannot trust ANY hardware - unless you have carefully vetted it, from top to bottom, from hardware over firmware to drivers.
But who does that, right? Well, that brings us to the next point.
- Risk and Exposure
How likely is it that you are a target?
Well, this is something that you can only determine for yourself and there isn't a point-for-point guide out there (that I could find), but here are some pointers for exposure:
How much is there to steal from you: Besides the obvious social security number (for Americans) and credit cards/banking (for everyone else) - maybe you are rich or came into some money recently (inheritance, bonus payments, alt-coins, etc) or you own a business?
Are you exposed at your job: Maybe you handle confidential files, or are active in a political function, or you work at the DMV or maybe you work for Evil Corp or it's otherwise gainful to attack you/spy on you because of your job (government, military, science, etc)
Are you exposed by proxy: Maybe it's not you that is rich, but some extended family or maybe you don't have a business but your spouse has, etc
Enemies: Maybe there are people out to get you, that have a grudge from business deals, former employers or employees, etc. Maybe you are currently in divorce proceedings or fighting about custody of your children, etc
and risk, which mainly boils down to
- Shady sources: Are you buying a laptop out of a trunk of a car from some guy you just met minutes ago for pennies on the dollar? From darknet exchanges? From new sellers on eBay or sellers that seem to have used bots for feedback?
- Patching: You live by the motto "Never touch a running system" and are unlikely to patch your software and operating system.
So should you start paying people to look into closed source firmware, stracing everything, etc and removing built-in microphones from your laptop?
No, because there is also
- Cost, likeness and discovery of an attack
Unless you are a very high profile target of a very rich, maybe even government, group, your attackers will go the way of least resistance and where you are vulnerable the most.
Because highly specialized zero-day exploit-toolkits cost money, and specialized attacks on firmware even more. Physically manipulating/bugging your hardware risks exposure - and these people generally don't want to get caught.
The past shows us that it is far more likely that someone will simply try to steal your laptop to gain valuable data, rather than plant an infected one.
Or exploit a known security vulnerability that you left unpatched because you did not update your OS and apps to the latest version or because there currently isn't a (good) patch out there at the moment. Hacking into your WiFi or maybe even LAN might also be more feasible.
It is also far easier to try and get your login credentials for banking etc either via Phishing or social engineering than manipulating your notebook.
There have been recent reports that people try and clone a SIM card, by simply going to your mobile provider and claiming to be you - not being challenged by the personnel - and subsequently using this to intercept TAN messages from your bank to empty your accounts. (Though for the life of me I can't find anything regarding this on Google at the moment)
- Conclusion
Taking off my tinfoil hat, let me point you to this good Ubuntu Wiki entry on basic principles of security for users.

-
1 @SuiciDoga, that's why I said not to trust closed source software per default. Peer review can be the first step. – Robert Riedl Feb 06 '18 at 11:49
-
Disclaimer unnecessary. Most people here appreciate hearing the other side of the story even if they don't agree. +1. I would hope my bank would follow your advice but I wouldn't worry for the casual used laptop buyer. – WinEunuuchs2Unix Feb 06 '18 at 23:52
On a practical note, if you're concerned about security to the point you don't trust the hardware, you should consider taking your laptop to a service centre. People there will be able to tell you if your laptop was ever opened before, and will spot any modified/unusual hardware that may have been installed. Many advanced attacks (like hardware keyloggers, which will survive an OS reinstall) will require the previous owner to open the case.
You can try to do the inspection yourself (checking bezels, rims, screws and anti-tamper labels / warranty seals for damage), but you will most probably overlook many more clues than a professional will. E.g. you will see if an anti-tamper label is damaged, but you may overlook a fake one or a missing one.
