[00:00:00] There are other possible unique hardware IDs other than the MAC address that you need to be aware of and mitigate the risks associated with them if you need anonymity and non-attribution.

[00:00:11] So let’s start with the CPUs. Almost all modern CPUs do not have a software-readable serial number. Intel started to try to add them in the 1990s with the Pentium 3, but because of the massive public upset, they discontinued the serial numbers, which is good. So with most CPUs, you can only identify a particular model and that’s all, because there are no serial numbers.

[00:00:37] Now, if you want to examine your CPU and see what sort of information you can get from it, then on Windows you can use CPU-Zed, or CPU-Z, which you can download from here. This will show you what information is available in your CPU, but as I said, there shouldn’t be anything unique if you have a modern processor.

[00:00:59] And on Linux, there’s a very similar tool to view CPU information called I-Nex, which you can download from here. And that looks like this, pretty similar to CPU-Zed. And on Mac, if you want to see the CPU information, download this tool here.

[00:01:18] So that’s CPU.
[00:01:20] There should be nothing much to worry about with CPUs in terms of hardware serial numbers.

[00:01:24] Now, the next thing is the motherboard. Motherboards often, but not always, contain unique identifiers in the System Management BIOS, SMBIOS, memory. And major OEMs typically have these serial numbers in the SMBIOS, which means an adversary could get access to this and tie it back to the purchaser, or you.

[00:01:46] In Windows, you can view the hardware information using the Windows Management Instrumentation tool, WMI. So malware could pretty much do exactly the same. From the command prompt, check out if your device has a unique identifier. You can run a command similar to this.

[00:02:10] This will tell you the name of your BIOS, its current version, and its serial number if there is any.

[00:02:25] And this command tells you the system motherboard name, number, and its UUID. I’m currently using VMware, so you can see the UUID for this virtual machine.

[00:02:36] So that tool’s unique to Windows. There is another tool for determining hardware information that you can use on Linux, Mac OS X, and Windows, and that’s this: dmidecode. This is the Windows version that you can just download and install.
[00:02:53] This is the version you can download and install for both Linux and Mac. But on Linux, you’ll be able to get it from your repository quite easily if you’re on Debian or Debian-based systems, with just simply the apt-get tool.

[00:03:16] To install dmidecode on Mac OS X, I recommend you use Brew because it’s the easiest way to install it and it can keep you updated. Just use this command here: brew install.

[00:03:28] There we are; dmidecode installed.

[00:03:32] So let me show you how to use dmidecode. It’s the same switches and options for Windows, Linux, and Mac.

[00:03:41] So, if you see there, it says we can’t find it; well, that’s just because you don’t have admin rights. So you need admin rights to run it.

[00:03:51] Typing “-t” will give us a list of all the options that we can run. So let’s start with system. So there you can see the UUID of the system. It has zero for serial number here. You may or may not get zero. I’m in a virtual machine, so you may get less information on a virtual machine.

[00:04:11] System, then you’ve got baseboard, which is the motherboard. And you may find a serial number there. You can also find information on the BIOS. There you go.
[00:04:27] So use dmidecode, check out the hardware serial numbers on your machine.

[00:04:33] Now we’re going to look at hard drive serial numbers and unique IDs, as these can exist as well. So first we’re in Windows. We can just simply do a dir. And you can see here we’ve got a serial number for the drive. You can also try this command as well. And you see there, you’ve got lots of information about the disk drive. If we want to separate out the serial number, then we need to type

[00:05:03] and that would give us the serial number. Again, I’m in a VM, so this is reducing the number of serial numbers that it’s producing, but check that out on your own system. That’s for Windows; that’s how you do it in Windows.

[00:05:14] On Linux, there’s a couple of ways of doing it, but lshw is the tool that I tend to use, so you need to install that if it doesn’t already exist. So that’s installed.

[00:05:33] And if we go up, there you go. See the hard drive serial number, at least the hard drive serial number for this virtual hard drive. It’s not showing my actual hard drive because I’ve got isolation within the virtual machine. So that’s how you do it in Linux. Find out your hard drive serial number.
[00:05:54] And then on Mac, you can go through the About Mac GUI, but you can also put in this command as well.

[00:06:08] And there we go. We can see a bunch of volume unique IDs here, here, and serial number here. I blurred these out as these are the actual serial numbers on this machine for the hard drive.

[00:06:22] Let’s consider these unique hardware identifiers in the context of the operating systems that you use. Any operating system that is licensed to a machine has to identify the machine uniquely. This is to control and track product key use and abuse. This means if you’re using, say, Windows or Mac OS X, Microsoft and Apple are aware of your unique hardware IDs, and specifically, usually the motherboard ID is tied to the license in some way. So if you’re using Windows or Mac OS X or other operating systems you have purchased and are attempting to be anonymous, and your hardware ID is compromised, whoever you purchased it from could link the device back to you. Your adversary may have the power to get this information from the seller.

[00:07:12] And it’s not just operating systems.
[00:07:14] Applications can also be aware of your hardware serial numbers, which again, through a money trail, can be tied back to you.

[00:07:23] Another consideration: if you’re using a live CD operating system like Tails, or maybe you’re dual booting on the same hardware that you are running Windows, or OS X, or a paid operating system, you are sharing the hardware IDs with every operating system. So you’re not completely unique even though you’re dual booting or you’re using a live operating system. If Tails is compromised, if the dual-boot system is compromised, and your hardware ID is recorded, the seller, again, could link this back to you. Your adversary could link it back to you. This is the problem of hardware serial numbers for privacy and anonymity.

[00:08:03] So, if we care about non-attribution and being anonymous, how do we mitigate the hardware serial number issue and the leaking of these hardware serial numbers? Well, it’s potentially possible to alter the unique identifiers with special proprietary tools. Much like we did with the MAC address, you can find tools to change some of these hardware serial numbers.
[00:08:27] If you look here, you can see an old post for some tools that can enable you to change the hardware serial IDs. Check out this post. A couple of the main ones are VolumeID, which it shows on this post, which you can get from Sysinternals, and which works for Windows. And there’s also Chameleon. Chameleon can change the hard-coded serial numbers of hard drives and network adapters on Windows. So these might be useful for you.

[00:08:54] The next mitigation is to have anonymously purchased the devices that you use. This will mitigate the risk of an adversary deanonymizing you, as there is no money trail.

[00:09:06] Another strong mitigation is using virtual machines for isolation and compartmentalization. Virtual machines have different physical machine IDs, and there is no traceable connection to the real physical machine’s unique hardware IDs unless there is a breakout to the host, which is unlikely. Check out what the unique IDs are within the virtual machines you have and compare them to your host operating system. They should be different. So when in a virtual machine, you don’t need to worry about these hardware serial numbers.
[00:09:40] Moving on from hardware serial numbers, let’s explore some other isolation and compartmentalization methods that are implemented physically. You can use a separate phone or burner phone, which we talk about later. You can store your files, emails, and data physically separate, maybe on an external USB drive, a DVD, or in the cloud, out of the sphere of influence of your adversary. Law enforcement agencies are having particular problems getting access physically to remote content out of their jurisdiction.

[00:10:15] You can use security tokens, hardware security modules, and store encryption keys separately. Nitrokey is an example of something you can use to do that. YubiKey is also an example. We’ll discuss more on these later.

[00:10:31] You can store backups offsite for physical isolation. You can do network isolation, separating trusted devices and untrusted devices using LANs, VLANs, utilizing routers, switches, and firewalls. We cover this in its own section later. And you can even use a separate physical location to operate, such as using an internet café for separate aliases. And we discuss more on these topics later as we go through the course.
[00:10:58] Isolation and compartmentalization can extend to anything physical to create layers of defenses. Consider using physical isolation for your security, and make sure that your physical devices are properly isolated by unique IDs in order that you can stay anonymous and have non-attribution.