
Looking to build an Intel NUC that is an air gapped machine

Nuc Intel Antenna air gapped virus hacker wireless remove antenna


#1
Jessie34229


Hey guys, I'm new here and I am trying to build an air gapped computer for my friend. He has a lot of special requests and I'm looking for a little guidance. He is interested in the Intel Nuc or Gigabyte Brick or laptop, but is open to any options as long as it's portable. Here are his questions:

 

1) Machine will not have an antenna or where the antenna can be removed. Not sure you can remove the antenna in a Nuc or Brick

 

2) No Wi-Fi or Bluetooth, Laser, Infrared at all. Should only connect with DSL.

 

3) No CMOS battery or the ability to remove it when needed - He doesn't care about time and date

 

4) Able to restore the computer to the factory settings without anything stored in the BIOS. He wants to avoid anything that can be infected with rootkits or any sort of malware.

 

5) He wants to be able to erase anything containing memory of any of the firmware or hard disks.

 

6) Computer needs to be able to erase and rewrite the BIOS or have a read only BIOS

 

7) Computer needs to have No VPRO or any other absolute persistence technology

 

8) No speaker or microphone

 

9) If the network card in the computer has data contained on it, he wants to be able to erase or remove it.

 

 

He is basically looking for the most secure computer possible.

 

Sorry guys if I had asked any of these questions wrong. I am new to this stuff and I'm trying to figure it out for him. Any help would be appreciated.

 

Thanks


  • 0



#2
iammykyl


:welcome: Jessie34229.

 

By definition, a portable computer can't be Air Gapped as it is taken outside of a secure installation with all the security protocols it entails. Even said systems have now become very vulnerable as it has been discovered that a basic simple mobile phone can hack into any system by utilizing the RF field generated by all computers. > http://www.wired.com...le-cell-phone/b

1&2. Remove the wifi card.

3. All systems have a CMOS battery, just remove it.

4. Factory Reset is normally present on a Retail system, like HP/Dell. Use software like Macrium Reflect to take a drive image stored on a CD or USB stick and use it to restore to the original setup.

5. Not understood.

6. All BIOS/UEFI are erase/writeable, you can't have a read only one as you can't write it in the first place. If it is possible, later, to make a bios read only, then it would be possible to reverse that.

7. VPRO. Select a processor not on this list, > https://www.realvnc....sProcessors.pdf Persistence technology by Absolute is embedded at manufacturing either on a chip or firmware of a BIOS/UEFI and present in many devices today, and there may be other vendors I am not . I don't know if it is present in MBs or CPUs. removal.

I.e. you have to allow CompuTrace to be installed, persuade Absolute that you are the authorised user now, get control transferred to you, and de-activate it using their managed service.

What if the Absolute software agent needs to be removed from a device?

IT administrators that have been authorized to do so, may carry out this function themselves within the Absolute Customer Center for Computrace, or from within the Absolute Manage console for Absolute Manage software agent removal.

Source, > http://security.stac...ance-technology

8. Don't install them.

9. It does not contain Data as such, it does generate logs which you can delete.

 

He might be better off with a Mac, lock it down and encrypt the drives. It does not matter how good the security is on a computer, if someone really, really wants to hack it, they probably can. Let us know if he still wants to attempt a NUC and we will see what we can configure.


  • 0
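Added example, not part of the original thread or of either poster's reply: for points 1, 2 and 8 of the question (no Wi-Fi, no Bluetooth, no speaker or microphone), a check to run after the cards have been removed. It assumes the machine runs Linux, which the thread does not specify; `audit_devices` and `audit_clean` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: list radio and audio devices the Linux kernel has registered.
# Assumption: Linux with sysfs mounted at /sys (the thread names no OS).
# audit_devices / audit_clean are hypothetical helper names. The sysfs root
# is a parameter so the check can also be run against a constructed tree.

audit_devices() {
    root="${1:-/sys}"
    findings=""

    # Wi-Fi: cfg80211 interfaces expose a phy80211 link,
    # older WEXT drivers expose a wireless/ directory.
    for ifc in "$root"/class/net/*; do
        [ -e "$ifc" ] || continue
        if [ -e "$ifc/phy80211" ] || [ -d "$ifc/wireless" ]; then
            findings="$findings wifi:$(basename "$ifc")"
        fi
    done

    # Bluetooth controllers are registered as hciN.
    for dev in "$root"/class/bluetooth/hci*; do
        [ -e "$dev" ] || continue
        findings="$findings bluetooth:$(basename "$dev")"
    done

    # Sound cards (speaker and microphone paths) are registered as cardN.
    for dev in "$root"/class/sound/card*; do
        [ -e "$dev" ] || continue
        findings="$findings audio:$(basename "$dev")"
    done

    # One finding per line; no output means nothing is registered.
    for f in $findings; do
        echo "$f"
    done
}

# Exit status 0 when nothing is registered, 1 otherwise.
audit_clean() {
    [ -z "$(audit_devices "$1")" ]
}

# Usage on a live system:  audit_devices /sys
```

An empty result only shows that no driver has registered such a device; a radio whose driver is not loaded will not be listed, so the board still has to be inspected physically.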

#3
Jessie34229


Thank you for your reply iammykyl. This is very helpful. My friend had his computer hacked before and lost a lot of stuff. He does not want to go through that ever again. He wants to make sure that if he believes there was a breach in any one of his systems that he can disable it immediately and wipe it down to factory settings.

 

I am a Mac guy and I've been using Macs for the past 20 years. I'm trying to convince him to get a Mac because I would be able to be a little bit more comfortable working on it. I don't know that much about PCs.

 

He travels a lot and his idea of an ideal set up was to have 4 Nucs and one monitor in a custom hard case suitcase. He would use:

 

1 Nuc for his internet surfing

1 Nuc for his internet banking

1 Nuc for his emails and skype

1 Nuc would never go on the internet

 

I told him this was excessive but he's so paranoid he does not want to take any chances.

 

I will pass on your reply to him and see what he says about continuing with his idea of the Nuc.

 

Thanks again!


  • 0

#4
iammykyl


Thanks for the update Jessie34229.

If you are still not getting notifications, go to the top right of the Topic and click on "Follow this Topic".

Does he do any workstation type work on one of the systems? An i5 would do; if not, then i3.

There are not many of the NUCs without WiFi/Bluetooth. An i5 > http://www.newegg.ca/Product/Product.aspx?Item=N82E16856102055&_ga=1.222663387.1378432689.1445937396 $479.99 + RAM, OS drive, External storage.

No VPRO > http://[email protected]   

NUC with i3 > http://www.newegg.ca...2-053-_-Product Has internal wireless antenna, but you need a card.

 

He will also need a portable monitor, keyboard/mouse and OS.

 

If he is still serious about PCs, I will look at alternative type build. 


  • 0

#5
Jessie34229


Thanks iammykyl. He is not dead set on a Nuc or Brick. It was an option because he was running into a problem with his laptops that he could not open them up and disable them as he'd like to. He did some research and found the Nuc was something he could open up and pull everything out when he wanted to. I've seen this guy go through so many laptops because he gets spooked that he has malware. If he thinks his system is infected he just goes and buys another laptop. And the smallest thing could set him off. If the computer makes any sort of weird noise he gets rid of it. It's such a waste. He has about 20 laptops for the last 2 years just sitting around that he won't use.

 

His idea was to be able to open up the system and pull out the hard drive or anything that would hold data and swap it out if he thought that it was infected.


  • 0

#6
iammykyl


Gday.

An alternative would be one SFF build using one of these cases, > http://www.newegg.co...163-237:$$$$$$$

 

You would have four SSDs each with its own OS, at start up, select the OS to run, i.e. Banking. It would be the only OS on line, completely isolated from the other system drive, completely secured. One or two external secure backup drives would be used to save Data. The drive would be partitioned so each is secure from the others. > http://wp.rocstor.co...l-March2013.pdf

A parts list for consideration. Does not include a monitor, case, mouse/keyboard and only one external drive.

http://pcpartpicker.com/p/mWHmXL


  • 0

#7
Jessie34229


Wow, Thanks iammykyl. That is very helpful. I will be speaking with him today and will see what he thinks about this option. I like that a lot better than what he wanted to do.


  • 0

#8
iammykyl


You're welcome :thumbsup:


  • 0

#9
Jessie34229


Here are some questions that he had for me. Hopefully it's not too much and redundant.

 

QUESTION 1:

Is a BIOS that is hard coded on read only memory (NOT ON FLASH MEMORY) easy for malware to rewrite?

 

You have said that: "If it is possible, later, to make a bios read only, then it would be possible to reverse that." Now I did some online searches, and some sites said that old computers used to have their BIOS hard coded to read only memory at manufacturing, and that this could not be changed. Some sites said that read only BIOS were a preventative measure against BIOS rootkit infections. What I am trying to figure out is, if these old computers had their BIOS hard coded in read only memory at manufacturing, wouldn't this make it much more difficult for a hacker to modify it and install a BIOS rootkit? Perhaps there is some crazy, intricate way to change it, but from what I've read, it doesn't seem like these old BIOS that were hard coded were just marked read only, they were designed to be written only once, and never to be rewritten. I think most, if not all, new BIOS are on flash memory that can be rewritten, and that these are therefore vulnerable to BIOS rootkits. But what is not clear is how easy it is, if it is possible, for some kind of virus or malware to alter those BIOS that were hard coded at manufacturing. Is it easy for the malware to simply mark them to be rewriteable, or is there something about the memory of the hard coded BIOS that makes it impossible to rewrite. If it is nearly impossible to rewrite, then this would obviously be a major security advantage as it could avoid the dreaded BIOS rootkit that lets in so much other malware.

 

If it turns out that this memory type is very difficult or nearly impossible for malware to alter, then I would want to find a machine with a BIOS that is on this type of hard coded memory.

 

So the question is, is the old, hard coded, memory that is supposed to be read only, that BIOS of machines often had in the early days of PCs, now easy for malware to rewrite? I mean, have virus and malware writers found an easy way to hack and modify these old BIOS that are supposed to be read only? Or are they safe from being infected with BIOS rootkits from browsing the internet?

 

QUESTION 2:

Are there any machines sold today that have a BIOS on Hard Coded Read Only Memory? Is the backup BIOS on dual BIOS Gigabyte machines, or Chromebooks, read only?

From what I've read, some machines, especially some Gigabyte machines, have dual BIOS. One BIOS is the working BIOS, and the other is a backup BIOS in case the working BIOS gets corrupted. It isn't clear to me if the backup BIOS is on flash memory or if it is on the old, hard coded, read only memory. I am trying to figure this out. Do any of the dual BIOS machines made now have their backup BIOS on the hard coded, read only memory? If so, would it be possible for me to remove the rewriteable BIOS and simply always use the backup BIOS, if it is on the hard coded read only memory? So the question is, are there any machines sold today that have a BIOS that is on hard coded read only memory? I am especially interested if one of the BIOS in the dual BIOS Gigabyte machines is on hard coded read only memory as from what I've read this might be true. But I can't confirm.


QUESTION 3:

Can malware rewrite Write once only CDs and DVDs after their first writing?

Now it is my understanding that there are CDs and DVDs that can be written once only and not rewritten, and that if no malware is put on them during the first writing they would be safe. But if this isn't true, if it is possible for malware to edit a write once only CD or DVD after its first writing. For example, let's say I download Skype and burn it to a write once only CD. For purposes of argument, assume that this download was safe, that the only thing that got on it this time was the Skype download and no infections got on it. That is only the Skype download was burned to it. If I later use that CD on another machine, can malware on the new machine install itself on the CD? Or is it the case that the CD that is designed to be written only once not rewriteable after that first time? What I mean by this is, can malware from the internet easily rewrite a write once only CD or DVD after it has already been burned and removed from the first machine? Maybe there is some very bizarre, intricate way for this to be done, but I mean generally, is it easy for virus writers to write malware that can do this?

 

So the question is, after a write once only CD or DVD is written to, then removed from the computer, can a malware program edit it? Or is it basically extremely difficult or impossible to change after the first writing?

 

QUESTION 4:

Same as Question 3, except for store bought programs on CD or DVD, like Microsoft Office 2007 Professional.

 

If I use a store bought program, like one I bought long ago, Microsoft Office 2007 Professional, can malware infect and change the CD or DVD that it is on so that it can infect other computers? I mean, if I use it on one computer, then uninstall it from an old machine and install it on a new machine, could it possibly transmit malware to the new machine? I suppose the answer to this is the same as the answer to Question 3, but I am not certain.

 

QUESTION 5:

Firmware on Printers, Scanners, mouse, keyboard, monitors, usb cd drives and other peripherals, can it be infected and spread the infection?

 

I used to think that all malware would infect the hard drive of a computer. It is only recently that I've learned that rootkits can infect the BIOS and the Network Interface Card of a computer. This is pretty scary. I don't know much about what memory, if any, peripherals like scanners and printers have, and if this memory can be infected. Do printers, scanners, routers, and other peripherals have some sort of memory, like the BIOS does? Can it be infected and spread an infection? In other words, if I have one printer and one scanner, and I use them for all of my 4 computers, can they spread an infection? Or do they not have memory or don't have memory that can be hacked and modified?

 

So the question is, do computer peripherals have memory that can be infected?

 

QUESTION 6:

Removing soldered down WIFI. I was considering getting a NUC. However, all of the NUC's available seem to either have VPRO or have WIFI that has been soldered down into the unit. Removing VPRO would obviously be quite difficult. So I would prefer to buy one without VPRO and then, if possible, somehow cut out the WIFI.

So the question is, can a person remove a soldered down WIFI card without ruining the computer? Are there tools which can safely cut the WIFI card out without destroying the rest of the computer?

 

QUESTION 7:

Macrium Reflect, does it create an image of the BIOS? It isn't clear to me if Macrium Reflect creates an image of the BIOS? How does it do this? Also, how would one wipe down the BIOS in the way that a hard drive is wiped down?


  • 0

#10
iammykyl


Gday.

I am not a software expert, so can only give answers based on general knowledge and how I see things.

1. UEFI and older BIOS contain ROM/PROM (not able to alter, performs the POST) and EEPROM, the Firmware, which allows you to set functions like RAM speed. It can be updated, flashed, so can be infected.

ROM can't be written to so can't be hacked. Older systems, perhaps never altered so only had ROM, don't think such computers exist today. The EEPROM can be altered, so that's where infections arise. > http://www.pcguide.c...typesROM-c.html

2. Only physical lock I have read about, to prevent flashing the BIOS, there may be others, > http://www.matws.org/c300/

The backup BIOS is firmware, so can be infected. I don't think there are any computers with just a RAM BIOS.

3. No to the first part. No to the rest, once written, it is safe, can't be infected in any way.

4. All safe from reputable sources. Some spyware/key loggers were found on early give away discs that came with some magazines. Software discs are finalized, so safe.

5. Not the actual hardware but the software/drivers could contain code to infect a PC, or > https://srlabs.de/badusb/

"do computer peripherals have memory that can be infected?" Yes in theory, say a handycam, it has memory, but someone has to infect that device, not very likely.

6. An expert PC repair tech, might, but most likely brick the NUC.

7. Reflect takes a bit for bit copy of the hard drive, including all partitions. It does not copy the BIOS. You can't wipe the bios, only overwrite it.

 

 

 

 


  • 0

#11
Jessie34229


Great iammykyl! Thank you. You are very helpful. I will forward your answers to my friend.


  • 0

#12
iammykyl


:thumbsup:   :rockon:


  • 0

#13
iammykyl


Gday Jessie34229.

What was your friend's reaction? Likely to proceed further? An update would be appreciated.

 

Thanks.


  • 0

#14
Jessie34229


Hey iammykyl,

 

He is still working on a couple questions to get back to me. He is in the middle of moving and has been busy with that. I will post his response asap.

 

Thanks again!


  • 0





