Overview

I am running Ubuntu 12.04 - 64bit - Gnome3 as my preferred operating system at work. However, after recently taking time off, I returned to my desk to find that my machine had been broken into (I am also told it took most of an afternoon to do).

Initial Enhancements

The very first thing I did was remove root access, simply passwd -u root. The second thing I did was create a new user with 'sudo' access: adduser fkchu. I finally modified the sudoers file with visudo, only granting fkchu access to sudo (root didn't even have this access).

Thus, to access root privileges one would: a) log in as my normal user, providing a fairly strong password, then b) su fkchu using a second, very different strong password. Only then can this user use sudo or sudo su.

Big problem (I hope to be advised)

Apart from arriving at work to find my background changed and all of my fonts uninstalled (except for part Chinese and part French), I found my password had also been changed. The only way I gained access was via:

  1. Booting from my installation USB drive.
  2. Executing sudo su.
  3. I conducted the following steps:

    $ cd /mnt
    $ fdisk -l
    $ mkdir i && mount /dev/sdb1 i

I then accessed my HDD via cd /mnt/i/ and put everything back, such as removing the background pictures. Ultimately I had to reinstall because too much ended up corrupted.

Conclusion

I will create an image of my HDD before I take another vacation, although I'm not 100% sure how to do this, and then restore an ISO later.

I would also appreciate anyone's further help on this issue if possible, on how I can prevent further pranks like this by making it even harder for someone to Google something and then break all of the things.

Ash
  • It's good that you reinstalled, irrespective of how much effort it would have taken to make the system fully usable again. You never know if the intruder installed a Trojan horse. – Eliah Kagan Aug 18 '12 at 12:00

1 Answer

If other people are able to get physical access to your computer, I can think of two options to prevent access to your data.

Full disk encryption

Full disk encryption is only available with the alternate installer. At the prompt asking “Guided” or “Manual” partitioning, choose “Manual”.

At the partitioner:

  1. Delete the partition table for the devices that will be used. This will delete everything on the selected device, so make sure that you have everything backed up.
  2. Create partitions for /boot (no more than 256MB is needed), /, /home and swap. Boot and home partitions should be ext4. Root and swap partitions should be “Physical for Encryption”.
  3. Select “Configure encrypted volumes”, then “Create encrypted volumes”. Select the volumes that are listed as “crypto” by pressing spacebar, then continue. Enter a passphrase for each encrypted volume.
  4. Each encrypted volume will now have space available inside of it. To configure these volumes, select the space listed under each encrypted volume. Set up one encrypted volume as swap space; the other should be set to ext4 with the mount point set to “/”. Select “Finish partitioning and write changes to disk”.
  5. Later, when asked to “Encrypt your home directory”, select “Yes”.

For further information refer to: http://dailyanarchist.com/2012/02/20/full-disk-encryption-for-ubuntu-and-fedora/

Set HDD password

Usually, laptops and corporate desktops are able to set HDD passwords in the BIOS. If you don't enter the password at POST, the disk isn't exposed to the OS. From Wikipedia:

The disk lock is a built-in security feature in the disk. It is part of the ATA specification, and thus not specific to any brand or device. The disk lock can be enabled and disabled by sending special ATA commands to the drive. If a disk is locked, it will refuse all access until it is unlocked.

A disk always has two passwords: A User password and a Master password.

A disk can be locked in two modes: High security mode or Maximum security mode. In High security mode, the disk can be unlocked with either the User or Master password. There is an attempt limit, normally set to 5, after which the disk must be power cycled or hard-reset before unlocking can be attempted again.

In Maximum security mode, the disk can be unlocked only with the User password. If the User password is not available, the only remaining way to get at least the bare hardware back to a usable state is to issue the SECURITY ERASE PREPARE command, immediately followed by SECURITY ERASE UNIT. In Maximum security mode the SECURITY ERASE UNIT command requires the Master password and will completely erase all data on the disk. The operation is slow, it may take longer than half an hour or more, depending on the size of the disk.

Hard Disk imaging

Clonezilla is a great tool to image HDDs and partitions, though I don't know if it can generate images from encrypted disks; you can certainly clone the whole disk using dd, however. A password-locked HD won't be a problem since you'll unlock it prior to image generation.

Eric Carvalho
  • Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference. – nanofarad Aug 14 '12 at 15:25
  • Thanks for the information. I find this very helpful, though I have another question on this: if I were to create an image of my whole HDD including configuration, volumes etc., how do I create an image? Also, how do I restore this image (considering it would contain encrypted volumes)? Thanks – Ash Aug 14 '12 at 20:50
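One way to do the dd-based whole-disk imaging the answer mentions, and the restore that Ash asks about, as an added example that is not part of the original answer. The device path /dev/sdb is a placeholder, and a constructed test file stands in for the disk when the functions are exercised.

```shell
#!/bin/sh
# Added example: raw whole-disk imaging and restore with dd, plus a
# checksum so a damaged backup is noticed before you rely on it.
# DISK is a placeholder; on a real machine it would be e.g. /dev/sdb,
# and both functions must run with the device unmounted (boot from
# the installation USB, as in the question). An encrypted (LUKS) root
# is copied as opaque ciphertext, so the image stays encrypted and
# restoring it needs no passphrase; an ATA-locked disk must be
# unlocked at POST first, as the answer notes.

# image_disk DISK IMAGE: copy every sector of DISK into IMAGE and
# record IMAGE's SHA-256 beside it. bs=4M only affects speed.
image_disk() {
    disk="$1"; image="$2"
    dd if="$disk" of="$image" bs=4M 2>/dev/null || return 1
    # Store a bare hash so verification does not depend on file paths.
    sha256sum "$image" | cut -d' ' -f1 > "$image.sha256"
}

# verify_image IMAGE: succeeds only if IMAGE still matches its recorded hash.
verify_image() {
    image="$1"
    recorded=$(cat "$image.sha256")
    actual=$(sha256sum "$image" | cut -d' ' -f1)
    [ "$recorded" = "$actual" ]
}

# restore_disk IMAGE DISK: verify first, then write IMAGE back over DISK.
# Everything currently on DISK is overwritten.
restore_disk() {
    image="$1"; disk="$2"
    verify_image "$image" || { echo "refusing to restore: checksum mismatch" >&2; return 1; }
    dd if="$image" of="$disk" bs=4M conv=fsync 2>/dev/null
}
```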