Opsec updates 2023 – Windows

last updated on July 23, 2023

I have recently switched back to Windows after being an Ubuntu user for 16 years.

The reasons are briefly stated in a previous post, if you care to check them out.

Barbie (land) is in the local movie theaters right now, and I am likewise in the Microsoft mindset for personal computing.

Everything is tightly integrated. Everything just works out of the box. Yesterday I configured my HP 1020 LaserJet printer in less than 3 minutes.

So let me just add a new vendor name to my Moses meme.

Back to the Opsec point…

I found this week that the password screen can be easily bypassed by an app installed on a bootable pen-drive.

So I have to assume that the robber who has just stolen my laptop can break into it somehow.

So let me start listing my opsec directives right away.

#Windows password: irrelevant at this point, as it can be bypassed by booting from other media. The login password only gates the running OS; whoever boots from a pen-drive reads the disk directly, unless the system drive itself is encrypted (BitLocker on Windows). The rest of this post assumes it is not, and protects the data instead.

Now let’s assume the perpetrator is looking straight at your nicely chosen wallpaper, thinking about how to get the most out of your local files and the online services you have your credit cards associated with.

#Visual clues: this is important.

  • Remove the Quick Launch bar and pinned apps from your taskbar. Don’t give clues about the apps you use.
  • Change the Start menu settings so it won’t show the most frequently used apps or recently opened items.
  • Get used to pressing the Windows key and then typing the name of the app you want to launch.
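The three habits above can be enforced from PowerShell instead of clicking through Settings. This is an added example, not a script from the original post; it assumes that the two registry values named below are the ones backing the Start menu toggles “Show most used apps” and “Show recently opened items” on Windows 10/11, and that pinned taskbar shortcuts live in the usual User Pinned folder.

```powershell
# Added example (not from the original post): stop Windows from recording which
# apps and documents you open, and audit what is pinned to the taskbar.
# Assumption: the two registry values below back the Start menu toggles
# "Show most used apps" and "Show recently opened items" on Windows 10/11.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Weak (default) state: both toggles on.
#   Start_TrackProgs = 1   -> Start shows your most used apps
#   Start_TrackDocs  = 1   -> Start, Jump Lists and File Explorer show recent files
# Hardened state: both off, so the thief sees empty lists.
Set-ItemProperty -Path $adv -Name 'Start_TrackProgs' -Value 0 -Type DWord
Set-ItemProperty -Path $adv -Name 'Start_TrackDocs'  -Value 0 -Type DWord

# Turning tracking off does not delete what was already recorded: purge the
# per-user Recent folder (the shortcuts behind "recently opened items").
$recent = [Environment]::GetFolderPath('Recent')
Get-ChildItem -Path $recent -Force -ErrorAction SilentlyContinue |
    Remove-Item -Force -Recurse -ErrorAction SilentlyContinue

# Audit the taskbar: every .lnk here is a pinned app the thief can read off the
# screen. Unpin from the taskbar itself rather than deleting the shortcut files.
$pinned = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'
Get-ChildItem -Path $pinned -Filter '*.lnk' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty BaseName

# Verify the registry values; sign out and back in for Start to pick them up.
Get-ItemProperty -Path $adv -Name 'Start_TrackProgs', 'Start_TrackDocs'
```

Run it once per user account on the laptop. The last command should print both values as 0, and the pinned-app listing is the list of clues you still have to remove by hand.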

#Local files: keep them all in an encrypted volume, for instance a VeraCrypt (hidden) volume.

In my case, I have a VeraCrypt encrypted hard drive with all my files in it.

For a digitally illiterate laptop thief, VeraCrypt or similar apps are something incomprehensible. They don’t know what it is or what it does. So your files are safe, as long as the volume is dismounted when the laptop leaves your hands (VeraCrypt asks for the passphrase on every mount) and the passphrase isn’t written down anywhere near the machine. Make sure you have a backup, since a thief who can’t read the volume can still wipe the drive. (disclaimer: I have a hot cloud backup company)
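A mounted volume is an open volume, so the useful habit is to dismount before locking the screen. The script below is an added example, not the post’s own; it assumes VeraCrypt is installed in its default folder and that the file volume is normally mounted as drive V: (change `$letter` to match your setup).

```powershell
# Added example (not the post's own script): dismount every VeraCrypt volume and
# then lock the screen, so a laptop grabbed while you are away never carries a
# mounted volume. Assumptions: default VeraCrypt install path, volume on V:.
$vc     = 'C:\Program Files\VeraCrypt\VeraCrypt.exe'
$letter = 'V'

if (-not (Test-Path -LiteralPath $vc)) { throw "VeraCrypt not found at $vc" }

# VeraCrypt command-line switches (from its documentation):
#   /d  dismount; with no drive letter given, dismounts all mounted volumes
#   /f  force, even if files on the volume are still open
#   /q  perform the action and exit without showing the main window
#   /s  silent: no confirmation or error dialogs
Start-Process -FilePath $vc -ArgumentList '/d', '/f', '/q', '/s' -Wait

# Check before locking: the drive letter must be gone. If it is still there the
# dismount failed and we must not pretend the data is protected.
if (Test-Path -LiteralPath "${letter}:\") {
    throw "Drive ${letter}: is still mounted; dismount it before leaving the machine"
}

# Lock the workstation (same as Win+L).
rundll32.exe user32.dll,LockWorkStation
```

Bind it to a shortcut and use it instead of Win+L. VeraCrypt’s own Preferences also offer “dismount all when the screen saver starts / on log off / on entering power saving mode” and an idle auto-dismount timer, which cover the cases where you forget. Prefer shutdown over hibernation: VeraCrypt’s documentation warns that the hibernation file can hold the master key of a mounted volume when the system partition is not encrypted.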

#Keybase: the coolest app ever.

I ❤️ Keybase and I use it every day in my businesses. But it is insecure by default within this new context. Anyone able to bypass my Windows password screen will have access to my Keybase encrypted volume without restrictions, as it is mounted and decrypted on startup.

For thieves who cannot bypass your password, you’re safe. They may remove the drive from your laptop and plug it in as a secondary drive in another machine to access its contents. In that case, the Keybase filesystem would still be encrypted.

If thieves bypass your password, your Keybase filesystem will be compromised.

Thankfully, if you have a never-leaves-home Keybase device, you can use it to revoke (nuke) the stolen device, making the filesystem unusable from it forever.
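The revocation is done with the Keybase CLI from the trusted device. This is an added example, not from the original post; it assumes the stolen laptop was registered in Keybase under the device name `win-laptop`.

```powershell
# Added example (not part of the original post): from the Keybase device that
# never leaves home, revoke the stolen laptop so its device key can no longer
# fetch or decrypt KBFS. Assumption: the laptop is named 'win-laptop' in Keybase.
$stolen  = 'win-laptop'
$pattern = [regex]::Escape($stolen)

# Make sure this is the trusted device and that the stolen one is still listed.
keybase status
$before = keybase device list
if (-not ($before -match $pattern)) {
    throw "No device named $stolen; check 'keybase device list'"
}

# Revoke it. Keybase asks for confirmation; the revocation is signed by this
# device's key and becomes part of your public sigchain.
keybase device remove $stolen

# Verify: the stolen device must be gone from the list.
$after = keybase device list
if ($after -match $pattern) { throw "Revocation of $stolen did not go through" }
"Revoked $stolen"
```

Revocation stops future access; anything the thief copied out of the mounted drive before you got to the trusted device is already theirs, which is the argument for not letting Keybase mount at startup on a machine that leaves the house.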

#Web browser: it is your representation in the digital world, so it has to be your biggest concern.

Web cookies are the problem. As soon as the thief opens your Amazon account, he will be able to make purchases on your behalf. Not that you can’t cancel them later and remedy everything; the problem is having to deal with the trouble reactively. Every time you learn the thief caused trouble, you’ll have to fix it. That’s annoying and time consuming.

So my advice goes to folks who use Firefox as their main browser.

There are settings that will delete all cookies every time you close the browser. So even if the thief is smart enough to find which browser is your default one, he would go boo hoo when he realizes all your online accounts are asking for passwords. Note the wipe runs when Firefox exits; until then the cookies sit in the profile folder on disk (cookies.sqlite), so this stops a thief who launches your browser, not one who copies the profile folder off an unencrypted disk.

He typed gmail.com, but had no password.

Don’t even think about using your web browser to store your passwords. Web browsers were not designed with this threat model in mind: once you log in to Firefox, Chrome or Edge, Windows and the browser will assume, for convenience, that the user at the next launch is certainly you.

I’m assuming the next time somebody launches Firefox, it won’t be me.
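Both the wipe-on-exit setting and the no-saved-passwords rule are Firefox preferences, and a user.js in the profile folder pins them so they survive a stray click in Settings. The script below is an added example, not from the original post; it assumes profiles live under the default %APPDATA%\Mozilla\Firefox\Profiles and that the preference names are those of Firefox 115-era releases (check about:config if your version differs).

```powershell
# Added example (not from the post): drop a user.js into every Firefox profile so
# cookies, logins and open tabs are wiped on exit and the browser never offers to
# store passwords. Assumption: default profile location on Windows.
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'

# user.js is read on every start and overrides prefs.js, so the values stick
# even if someone toggles the checkbox back in Settings.
$userJs = @'
// Wipe cookies, active logins and open tabs every time Firefox exits
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.cookies", true);
user_pref("privacy.clearOnShutdown.sessions", true);
user_pref("privacy.clearOnShutdown.offlineApps", true);
// Do not restore the previous session: a restored tab is a restored login
user_pref("browser.sessionstore.resume_from_crash", false);
// Never offer to save passwords in the browser (Bitwarden does that)
user_pref("signon.rememberSignons", false);
'@

$dirs = Get-ChildItem -Path $profiles -Directory -ErrorAction Stop
if (-not $dirs) { throw "No Firefox profiles found under $profiles" }

foreach ($dir in $dirs) {
    $target = Join-Path $dir.FullName 'user.js'
    # Overwrites an existing user.js; merge by hand if you already maintain one.
    Set-Content -Path $target -Value $userJs -Encoding ASCII
    Write-Host "wrote $target"
}

# Check after the next Firefox restart: prefs.js mirrors the effective values.
Select-String -Path (Join-Path $profiles '*\prefs.js') -Pattern 'signon.rememberSignons', 'sanitizeOnShutdown'
```

Turning off signon.rememberSignons stops new passwords from being saved; logins already stored stay in the profile’s logins.json until you delete them from about:logins, so export them to the password manager first and then clear that list.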

You are going to need extra help to handle passwords then 👇

#Password managers: are your best tool.

I ❤️ Bitwarden. I have it as a Firefox extension.

If the thief gets it right, he’ll know I don’t use Chrome but Firefox. As soon as he launches it, Bitwarden will wait for the master password, which he doesn’t have, as it resides only in my head.

Master passwords of password managers must reside in one place only, our good sized brains. And check the extension’s vault timeout setting: it must not be “Never”, or an unlocked vault would greet the thief instead of a prompt.

So now the thief is going to realize my Firefox is a digital paperweight without Bitwarden’s password. He won’t get anywhere.

#Other apps: are part of your threat model because they just work in Windows.

Yes, that’s a fact. In the Linux world you mostly rely on the browser to access services, whereas in the Windows world there are desktop versions of virtually any app imaginable.

Let’s say you have Evernote and Windows Mail installed.

The laptop thief will open your mail app and start to explore your inbox for “opportunities”… if you know what I mean.

From this point you have two options:

  1. don’t save passwords in your email apps, which is a partial solution: the thief can still read the messages already downloaded to your disk, but he won’t get new ones, e.g. password reset messages, which is good.
  2. prevent access to the email app via a 3rd-party app, the best option.

Tools like FolderGuard® allow you to set passwords for your apps. So if the thief tries to launch Slack, WhatsApp, your notes app or even MS Office, he will be stopped by a password challenge. You’d be good. Keep in mind they gate the launcher, not the data: the apps’ files on disk stay readable to anyone reading the disk, so keep that data on the encrypted volume where you can.

#HUGE CAVEAT
Tools of this kind won’t work to set passwords on Windows Mail. I have tested some and none of them worked. It seems that Mail is somehow embedded into the Windows OS, so there is no way to scope its EXE file for a password prompt. So the best thing to do, opsec-wise, is not to use Mail. Yet another piece of evidence that email is not a secure means of communication these days.
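If Mail is off the table, remove it rather than leave an unguarded inbox behind. The script below is an added example, not from the original post; it uses the Store package name Mail and Calendar ship under (microsoft.windowscommunicationsapps), and my reading of why per-EXE lockers miss it, which the post does not state, is that the app lives in the protected WindowsApps folder and is launched through AppX activation rather than a plain EXE path.

```powershell
# Added example (not from the post): show where Windows Mail really lives, then
# remove it for the current user. Mail and Calendar ship as one Store package.
$pkgName = 'microsoft.windowscommunicationsapps'

$pkg = Get-AppxPackage -Name $pkgName
if (-not $pkg) { Write-Host 'Mail and Calendar is not installed'; return }

# The binaries sit under C:\Program Files\WindowsApps and are started through
# AppX activation, not by double-clicking an EXE. Assumption (mine, not the
# post's): that is why a launcher password tool has no EXE to hook.
Write-Host "Package:      $($pkg.PackageFullName)"
Write-Host "Installed at: $($pkg.InstallLocation)"

# Export anything you still need from the app before removing it. Use
# -AllUsers from an elevated prompt to remove it for every account.
Remove-AppxPackage -Package $pkg.PackageFullName

# Verify.
if (Get-AppxPackage -Name $pkgName) { throw 'Removal failed' }
'Mail and Calendar removed'
```

The same Get-AppxPackage check tells you, for any other app, whether you are dealing with a classic EXE that a launcher lock can scope or a packaged app that it cannot.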

So at this point, a bad actor won’t be able to:

  1. Access your personal files;
  2. Use your web browser to impersonate you in your online accounts; and
  3. Launch apps connected to online services that might expose your personal data.

Digital life with Windows is different. It is not like having LUKS in Linux, but you can change some habits and put tech in place that works for your security.