Seeking Expert Advice for Securing My New Lenovo Laptop

Status
Not open for further replies.
I'm not as tech savvy as some of you here, but I have a friend who is, and I remember that he said a few things on that topic…

1. If someone has physical access to your computer and plans and wants to steal your data, they will. So best not to leave your computer unattended.
2. General rule of thumb is that Linux is best.
3. More secure almost always equals less comfort, so you have to understand the level of risk you're in, decide what you want and who you want to protect yourself from: ISP, government etc., or thieves and hackers…

He also said that generally iPhone + Mac is much better than Android and Windows, and that it is enough for most people with basic privacy settings.
 
You have to switch to Linux, and that Lenovo laptop has a hardware backdoor in it, but at least it isn't American; the most you will get is having your crypto and ID stolen, but you won't go to jail.
 
Simon4466 said:
This hasn't been true for years; again, something like Linux Mint will have 0 practical issues with all peripherals I can think of (except if they need special Windows-only drivers, of course), but you can always dual boot for Windows and use the Windows install only for low-risk activities.

I installed Mint 22 two weeks ago on an older Dell XPS 13 (btw one of the few laptops that officially supported Linux - Ubuntu if I remember correctly) - Bluetooth devices like headphones or a watch are one big pain in the a*s, same with the Wi-Fi printer, sleep/hibernation support sucks, power management no way

with Proxmox or VMware Workstation (free for personal use now) one can achieve a lot and take the best from both the Windows and Linux worlds - but it requires time (lots of time)

I've been personally trying Linux on the desktop repeatedly for the last 20 years, it's still not ready and I'm no rookie (I'm managing tens of mostly Debian servers) - mission impossible for a mediocre user

everything of value should be in the server-side infrastructure and one can freely use various disposable and valueless devices (putting aside the value of the given hardware of course)
 
topic already discussed many times
Mac is definitely a better option than Windows, for non-state actors
Windows + AppLocker + standard account is also OK (pretty much prevents anything not approved from running; of course there could be an exploit for it, who knows)

you were also told about bloatware, disabling macros... before I even added:
- changing DNS to DNS over HTTPS (browser option) and setting Google/Cloudflare as the default DNS
- disable JS in the browser unless approved (to prevent popups from loading a malicious web site)
- multiple VeraCrypt containers, so if one gets compromised the others are still encrypted (so do not auto-mount them, or mount them all at the same time)

but for what you are after (by your later post), I think your best bet is learning the shortcut Win + L
security on a machine with a battery is uhhhh, well... if they take it, they will have it fully powered with all RAM content unencrypted... they will have plenty of time to disassemble the laptop while it's powered (if possible), spray the RAM modules...
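The "Windows + AppLocker + standard account" line above in working form, as an added example (this is not code from anyone in the thread). It assumes an elevated PowerShell, writes the policy to a file under $env:TEMP (an assumed location), and covers the Exe rule collection only; Script, Msi and Dll collections work the same way and are the next step. Two things a practitioner wants here: the policy starts in AuditOnly so you can read the 8003 events for a day before enforcing, and the %WINDIR% allow rule carries exceptions for the directories under C:\Windows that a standard user can write to, because without them a plain path rule lets anyone drop and run an exe from C:\Windows\Tasks or C:\Windows\Temp. Check Microsoft's edition requirements before relying on enforcement: the cmdlets exist on Pro, but supported enforcement there has changed between releases.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell;
# $PolicyPath is an assumed location.
$PolicyPath = Join-Path $env:TEMP 'applocker-exe.xml'

function New-BaselineAppLockerXml {
    param([ValidateSet('AuditOnly', 'Enabled')] [string] $Mode = 'AuditOnly')
    $everyone = 'S-1-1-0'       # well-known SID: Everyone
    $admins   = 'S-1-5-32-544'  # well-known SID: BUILTIN\Administrators
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Program Files" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Windows folder, minus user-writable dirs" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        <FilePathCondition Path="%WINDIR%\Tracing\*" />
        <FilePathCondition Path="%WINDIR%\System32\spool\drivers\color\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators: everything" Description="" UserOrGroupSid="$admins" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

function Install-AppLockerPolicy {
    param([ValidateSet('AuditOnly', 'Enabled')] [string] $Mode = 'AuditOnly')
    New-BaselineAppLockerXml -Mode $Mode | Set-Content -Path $PolicyPath -Encoding UTF8
    # AppLocker evaluates nothing unless the Application Identity service runs.
    # Its start type is protected on Windows 10+, hence sc.exe instead of Set-Service.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $PolicyPath   # replaces the local AppLocker policy
}

# Would a standard user (Everyone) be allowed to run this file under the saved policy?
function Test-StandardUserCanRun {
    param([Parameter(Mandatory)] [string] $Path)
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Path -User 'S-1-1-0' |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# While in AuditOnly, event 8003 = "allowed, but would have been blocked if enforced"
function Get-AppLockerAuditHits {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Install-AppLockerPolicy                                # audit first
# Test-StandardUserCanRun "$env:WINDIR\Tasks\x.exe"      # expect Denied (hit the exception)
# Get-AppLockerAuditHits                                 # after a day of use; then Install-AppLockerPolicy -Mode Enabled
```

Use the standard account for daily work; the third rule exists so that the admin account can still install things, which is exactly why you should not be logged in as one while browsing.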
 
sergeylim88 said:
security on a machine with a battery is uhhhh, well... if they take it, they will have it fully powered with all RAM content unencrypted... they will have plenty of time to disassemble the laptop while it's powered (if possible), spray the RAM modules...

I agree, but having a complete backup stored somewhere in an external hosting center may indeed help, together with VeraCrypt.

What do you mean by "spray RAM modules", why?

0xDEADBEEF said:
First things first, debloat Windows 11. Microsoft has lost their mind with the amount of bullsh*t preinstalled. [1] For this you can use GitHub - Raphire/Win11Debloat: A simple, easy to use PowerShell script to remove pre-installed apps from Windows, disable telemetry, remove Bing from Windows search as well as perform various other changes to declutter and improve your Windows experience. This script works for both Windows 10 and Windows 11. There are a lot of other scripts, but this one did not break any useful system functionality for me.

Can I also use Bulk Crap Uninstaller (BCUninstaller)? I just installed it from SourceForge on a test PC - it finds a lot and cleans it automatically. It is free and easy to use?

Last edited: Sep 15, 2024
 
EliasIT said:
What do you mean by "spray RAM modules", why?

I think he is referring to RAM tracing and other methods to access data externally while your computer is still powered on in enemy hands:
https://scanlime.org/2009/09/dsi-ram-tracing/

sergeylim88 said:
security on a machine with a battery is uhhhh, well... if they take it, they will have it fully powered with all RAM content unencrypted... they will have plenty of time to disassemble the laptop while it's powered (if possible), spray the RAM modules...

You may want to use a Redkey or something attached to a wrist band. If set up properly with the patent of @JohnnyDoe (https://www.offshorecorptalk.com/threads/patent-for-secure-erasing-of-data.42666/), all data will be gone if somebody takes your computer.

Last edited: Sep 15, 2024
 
If someone skilled is targeting you, you're pretty much doomed no matter what you do.

to protect against random attacks you can just use the least popular version of any OS, something that nobody builds viruses for.
 
I must admit that I'm learning a lot just by following this thread. I've been testing many of the mentioned methods and software/apps on a separate computer, and within just a few hours, it has already transformed the PC into a much faster and better machine. Thanks to everyone!
 
How about the following .reg file?

Windows Registry Editor Version 5.00

; Comment lines in a .reg file start with ";" ("#" is not valid syntax).
; Import with: reg.exe import hardening.reg (the HKLM keys need an elevated prompt)

; Settings > System > Notifications
; Disable all
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\PushNotifications]
"ToastEnabled"=dword:00000000

; Settings > System > Remote Desktop
; Off
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000001

; Control Panel > File Explorer Options > View
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
; + Always show icons, never thumbnails (no thumbnail handler parses downloaded files)
"IconsOnly"=dword:00000001
; Compact view (layout only, not a security setting)
"UseCompactMode"=dword:00000001
; - Hide extensions for known file types ("invoice.pdf.exe" must be visible)
"HideFileExt"=dword:00000000
; - Show pop-up description for folder and desktop items
"ShowInfoTip"=dword:00000000
; - Show preview handlers in preview pane (preview handlers are a common parser attack surface)
"ShowPreviewHandlers"=dword:00000000

; Settings > System > About > Advanced system settings > Performance
; 3 = Custom: "Adjust for best performance" with "Smooth edges of screen fonts" kept on
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects]
"VisualFXSetting"=dword:00000003
; Off: animate controls and elements inside windows, fade or slide menus and ToolTips,
; fade out menu items after clicking, shadows under mouse pointer and windows,
; slide open combo boxes, smooth-scroll list boxes. REG_BINARY, hence "hex:" not "hex(2):"
[HKEY_CURRENT_USER\Control Panel\Desktop]
"UserPreferencesMask"=hex:90,12,03,80,10,00,00,00
; Off: show window contents while dragging (REG_SZ)
"DragFullWindows"="0"
; Off: animate windows when minimizing and maximizing (REG_SZ)
[HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics]
"MinAnimate"="0"
; Off: animations in the taskbar, translucent selection rectangle, drop shadows for icon labels
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"TaskbarAnimations"=dword:00000000
"ListviewAlphaSelect"=dword:00000000
"ListviewShadow"=dword:00000000
; Off: Peek, saved taskbar thumbnail previews
[HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM]
"EnableAeroPeek"=dword:00000000
"AlwaysHibernateThumbnails"=dword:00000000
; Smooth edges of screen fonts stays on; to turn it off it is a REG_SZ under Control Panel\Desktop:
;"FontSmoothing"="0"

; Disable Thumbnail Cache (thumbcache_*.db keeps thumbnails of files long after they are deleted)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"DisableThumbnailCache"=dword:00000001

; Disable Folder Type Recognition (drop saved view state, then pin every folder to "General")
[-HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU]
[-HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags]
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell]
"FolderType"="NotSpecified"

; Disable problem reporting on crash (otherwise crash dumps are uploaded to Microsoft)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting]
"Disabled"=dword:00000001

; Disable Cortana (policy)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search]
"AllowCortana"=dword:00000000

; Disable Cortana / Bing web results in Start search
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search]
"BingSearchEnabled"=dword:00000000
"CortanaConsent"=dword:00000000

; Disable Widgets (policy)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh]
"AllowNewsAndInterests"=dword:00000000

; Disable Copilot (per-user policy)
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsCopilot]
"TurnOffWindowsCopilot"=dword:00000001

and the following PowerShell to uninstall the apps which cannot be uninstalled with the mouse:

# Run in an elevated PowerShell. -Name accepts wildcards; each line removes the
# package for the current user only (Remove-AppxPackage -AllUsers covers every profile).
Get-AppxPackage -Name *Microsoft.Messaging* | Remove-AppxPackage
Get-AppxPackage -Name *Microsoft.People* | Remove-AppxPackage
Get-AppxPackage -Name *Microsoft.WindowsCamera* | Remove-AppxPackage
Get-AppxPackage -Name *Microsoft.GetHelp* | Remove-AppxPackage
Get-AppxPackage -Name *Microsoft.WindowsMaps* | Remove-AppxPackage
Get-AppxPackage -Name *Microsoft.YourPhone* | Remove-AppxPackage
Get-AppxPackage -Name *Microsoft.XboxGameOverlay* | Remove-AppxPackage
Get-AppxPackage -Name *Microsoft.XboxGamingOverlay* | Remove-AppxPackage
Get-AppxPackage -Name *Microsoft.Windows.Photos* | Remove-AppxPackage
# Microsoft.549981C3F5F10 is the Cortana app package
Get-AppxPackage -Name *Microsoft.549981C3F5F10* | Remove-AppxPackage
# Removing the Store also removes the way to update or reinstall the remaining inbox apps
Get-AppxPackage -Name *windowsstore* | Remove-AppxPackage
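Added example, not from the post above or from Win11Debloat/BCUninstaller: the same removals, done the way that sticks, plus a check that the security-relevant values from the .reg file actually landed. Remove-AppxPackage on its own only removes the app for the current user; the provisioned copy is re-installed into every new profile unless Remove-AppxProvisionedPackage is run as well. The package name patterns are the ones from the post, minus the Store, which is left in place on purpose. Assumes an elevated PowerShell, which also means the HKCU checks look at the admin account's hive, so re-run the HKCU part from the standard account you actually use.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell.
$Patterns = @(
    'Microsoft.Messaging', 'Microsoft.People', 'Microsoft.WindowsCamera',
    'Microsoft.GetHelp', 'Microsoft.WindowsMaps', 'Microsoft.YourPhone',
    'Microsoft.XboxGameOverlay', 'Microsoft.XboxGamingOverlay',
    'Microsoft.Windows.Photos', 'Microsoft.549981C3F5F10'   # the last one is Cortana
)

function Remove-InboxApps {
    param([string[]] $Names = $Patterns, [switch] $WhatIf)
    foreach ($n in $Names) {
        # 1) installed copies, for every profile on the machine
        Get-AppxPackage -AllUsers -Name "*$n*" | ForEach-Object {
            "user package: $($_.PackageFullName)"
            if (-not $WhatIf) { Remove-AppxPackage -Package $_.PackageFullName -AllUsers -ErrorAction Continue }
        }
        # 2) the provisioned copy, otherwise the app comes back for every new user
        Get-AppxProvisionedPackage -Online | Where-Object DisplayName -like "*$n*" | ForEach-Object {
            "provisioned: $($_.PackageName)"
            if (-not $WhatIf) { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null }
        }
    }
}

# Values from the .reg file that matter for security; Want = expected after import
$Checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';                     Name = 'fDenyTSConnections';     Want = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';           Name = 'HideFileExt';            Want = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';           Name = 'ShowPreviewHandlers';    Want = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';           Name = 'IconsOnly';              Want = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search';                    Name = 'AllowCortana';           Want = 0 },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\WindowsCopilot';                    Name = 'TurnOffWindowsCopilot';  Want = 1 }
)

function Test-HardeningValues {
    foreach ($c in $Checks) {
        $have = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{ Key = "$($c.Path)\$($c.Name)"; Want = $c.Want; Have = $have; OK = ($have -eq $c.Want) }
    }
}

# The registry flag alone is not the whole Remote Desktop story: the firewall rule
# group is what actually exposes 3389 to the network, so check both.
function Test-RdpClosed {
    $denied = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections -eq 1
    $fwOpen = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Where-Object Enabled -eq 'True').Count
    $listen = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    [pscustomobject]@{ ConnectionsDenied = $denied; FirewallRulesOpen = $fwOpen; ListeningOn3389 = $listen }
}

# Remove-InboxApps -WhatIf     # list first
# Remove-InboxApps
# Test-HardeningValues | Where-Object { -not $_.OK }
# Test-RdpClosed
```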
 
void said:
- for performance reasons use HDD-level encryption (your NVMe drive will most likely support the OPAL standard); if you're paranoid or have a solid reason, use VeraCrypt instead or (better) on top (for a special partition with hyper-sensitive stuff, or a file-based container)

Is it a built-in function in Windows, or how are you doing it?

0xDEADBEEF said:
First things first, debloat Windows 11. Microsoft has lost their mind with the amount of bullsh*t preinstalled. [1] For this you can use GitHub - Raphire/Win11Debloat: A simple, easy to use PowerShell script to remove pre-installed apps from Windows, disable telemetry, remove Bing from Windows search as well as perform various other changes to declutter and improve your Windows experience. This script works for both Windows 10 and Windows 11. There are a lot of other scripts, but this one did not break any useful system functionality for me.

very cool tool.

0xDEADBEEF said:
Also Defender EDR (MDE) keeps track of your vulnerabilities as well.

this replaces the NOD32 used by Elias, right?

0xDEADBEEF said:
BitLocker is indeed included from the Pro edition, which will be more than sufficient.

it is included in Windows 11 Pro, if I read the details correctly?

Last edited: Sep 15, 2024
 
Houdini said:
Is it a built-in function in Windows, or how are you doing it?

the most straightforward approach is using the technology via BitLocker (which I would not personally recommend, but it's an option)

way better is using the sedutil tool, which allows you to install a PBA (Pre-Boot Authentication) utility into the shadow MBR partition of the drive - when the NVMe drive with OPAL support is powered on, this tool boots and allows you to submit your passphrase to the drive controller, which unlocks the given range (see the setup documentation) and "makes the drive readable" until the next power-off

then a conventional OS is loaded from the "encrypted" drive without even knowing about it

the most basic setup (totally fine for the vast majority of users) is pretty simple and basically about following the cookbook

it's worth noting that these drives are encrypted "by default" and you're just changing the current password they're encrypted with (simplified, but true from the user's perspective), which makes this technology so flexible

a nice perk is zero impact on CPU load, as all is done by the drive itself

as somebody (probably @0xDEADBEEF) already warned in another thread, you're trusting the hardware manufacturer here when it comes to potential back doors implemented - this is something to consider and decide by yourself
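The "basic setup" from the post above as an added example (not void's code, not sedutil's own scripts), driven from Windows with the sedutil-cli.exe build, which is assumed to be on PATH; device names are \\.\PhysicalDriveN there and /dev/nvmeN on Linux. The flags are sedutil's documented ones; the PBA image path is an assumption, take it from the sedutil release you use. Nothing destructive runs without -Commit. Caveats a practitioner wants before doing this: the drive re-locks on every power loss, and S3 sleep cuts drive power, so hibernate or shut down instead of sleeping; the PBA is not Secure Boot signed, so Secure Boot has to be off unless you sign it yourself; and the password you set here is the only thing standing between you and a bricked drive, so keep it offline.

```powershell
# Added example, not from the thread. Assumes sedutil-cli.exe on PATH and an
# elevated PowerShell. $PbaImage is an assumed path.
function Get-OpalState {
    param([Parameter(Mandatory)] [string] $Device)
    $q = (& sedutil-cli.exe --query $Device 2>&1) | Out-String
    if ($LASTEXITCODE -ne 0) { throw "sedutil-cli --query failed: $q" }
    # Parsed from the "Locking function" line of --query output
    [pscustomobject]@{
        Opal20           = [bool]($q -match 'OPAL 2\.0')
        LockingSupported = [bool]($q -match 'LockingSupported = Y')
        LockingEnabled   = [bool]($q -match 'LockingEnabled = Y')
        Locked           = [bool]($q -match 'Locked = Y')
        MBREnabled       = [bool]($q -match 'MBREnabled = Y')
        Raw              = $q
    }
}

function Invoke-Sed {
    param([Parameter(Mandatory)] [string[]] $SedArgs)
    & sedutil-cli.exe @SedArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sedutil-cli $($SedArgs -join ' ') failed with exit code $LASTEXITCODE" }
}

function Enable-OpalPba {
    param(
        [Parameter(Mandatory)] [string] $Device,     # e.g. '\\.\PhysicalDrive1'
        [Parameter(Mandatory)] [string] $Password,   # becomes the SID and Admin1 password
        [Parameter(Mandatory)] [string] $PbaImage,   # e.g. 'C:\sedutil\UEFI64-1.15.img' (assumed)
        [switch] $Commit
    )
    $s = Get-OpalState -Device $Device
    if (-not ($s.Opal20 -and $s.LockingSupported)) { throw "No OPAL 2.0 locking on $Device`n$($s.Raw)" }
    if ($s.LockingEnabled) { throw "Locking is already enabled on $Device; review before touching it again" }
    if (-not (Test-Path -LiteralPath $PbaImage)) { throw "PBA image not found: $PbaImage" }
    if (-not $Commit) { return "Preflight OK for $Device (OPAL 2.0, locking supported, not yet enabled). Re-run with -Commit." }

    # Same order as the sedutil "encrypting your drive" cookbook
    Invoke-Sed '--initialsetup', $Password, $Device                   # take ownership, set SID/Admin1
    Invoke-Sed '--enablelockingrange', '0', $Password, $Device        # range 0 = the whole drive
    Invoke-Sed '--setlockingrange', '0', 'lk', $Password, $Device     # read+write locked after power loss
    Invoke-Sed '--setmbrdone', 'off', $Password, $Device              # present the shadow MBR at boot
    Invoke-Sed '--loadpbaimage', $Password, $PbaImage, $Device        # the PBA lives in the shadow MBR
    Get-OpalState -Device $Device                                     # expect LockingEnabled and MBREnabled = True
}

# Enable-OpalPba -Device '\\.\PhysicalDrive1' -Password 'debug' -PbaImage 'C:\sedutil\UEFI64-1.15.img'          # preflight
# Enable-OpalPba -Device '\\.\PhysicalDrive1' -Password 'debug' -PbaImage 'C:\sedutil\UEFI64-1.15.img' -Commit  # then reboot
# Undo without losing data: sedutil-cli.exe --revertnoerase <Password> <Device>; read the docs before --reverttper, which can erase the drive.
```

Do the first run with a throwaway password like the cookbook's "debug" on a drive you can afford to lose, confirm the PBA prompt appears and the OS boots behind it, and only then set a real password and put data on it.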
 
void said:
as somebody (probably @0xDEADBEEF) already warned in another thread, you're trusting the hardware manufacturer here when it comes to potential back doors implemented - this is something to consider and decide by yourself

In the old days you could just format the drive and start over; isn't that possible any longer on a laptop, do the backdoors stay open?
 
Houdini said:
In the old days you could just format the drive and start over; isn't that possible any longer on a laptop, do the backdoors stay open?

actually, formatting of old IDE/SATA drives is about erasing the partition table or other data structures of the drive - that's why so many utilities implementing different strategies of overwriting the data exist(ed)

if you don't trust your hw manufacturers then DIY 🙂, or make sure you don't have to (possible with disk data by using VeraCrypt, paying with your CPU load and moving the trust to the VeraCrypt developers 🙂), or get back to pen & paper
 
Houdini said:
In the old days you could just format the drive and start over; isn't that possible any longer on a laptop, do the backdoors stay open?

The backdoors are not *on* but *in* the hard drive. In other words, they are on the chip that comes with it. They use weak encryption. They have some sort of maintenance port etc.

And overwriting data is another issue. HDDs are relatively easy in that sense, as you can just write all blocks and cylinders. But SSDs have a chip which decides where it wants to store the data (or not). It can completely fool you, like the 512 GB flash drives from China for $2 which show that amount of space in Windows but actually only have 2 MB capacity. You can write a whole movie there, but the data is simply being written nowhere, and when you try to read it the chip just spits out 0x00000000, or @0xDEADBEEF if you are lucky 🙂

Last edited: Sep 15, 2024
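The "written nowhere" drive from the post above is easy to catch before you trust it, and the same check tells you whether a controller is silently dropping writes. Added example, not from the thread and not a port of h2testw or f3, but the same idea: fill each chunk from a seeded RNG, keep its SHA-256, read everything back and compare. Assumes the path is on the medium under test and nothing else writes there. The one detail that makes or breaks this test is the file cache: a read-back served from RAM proves nothing, so write more than your RAM size, or eject and re-insert the medium between the write and the verify, which is why the two steps are separate functions.

```powershell
# Added example, not from the thread. Assumes $Path is on the medium under test.
$script:Sha256 = [System.Security.Cryptography.SHA256]::Create()

function Write-MediaTestFile {
    param(
        [Parameter(Mandatory)] [string] $Path,   # e.g. 'E:\capacity-test.bin'
        [int] $ChunkMB = 64,
        [int] $Chunks  = 32,                     # 32 x 64 MiB = 2 GiB; use more than your RAM
        [int] $Seed    = 0x5EED
    )
    $buf    = [byte[]]::new($ChunkMB * 1MB)
    $hashes = New-Object System.Collections.Generic.List[string]
    # WriteThrough: do not let the OS report success from its own write cache
    $fs = [System.IO.FileStream]::new($Path, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write,
                                      [System.IO.FileShare]::None, 1MB, [System.IO.FileOptions]::WriteThrough)
    try {
        for ($i = 0; $i -lt $Chunks; $i++) {
            [System.Random]::new($Seed + $i).NextBytes($buf)   # unique, reproducible content per chunk
            $fs.Write($buf, 0, $buf.Length)
            $hashes.Add([Convert]::ToBase64String($script:Sha256.ComputeHash($buf)))
        }
        $fs.Flush($true)
    } finally { $fs.Dispose() }
    return ,$hashes.ToArray()
}

function Test-MediaTestFile {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $ExpectedHashes,
        [int] $ChunkMB = 64
    )
    $size = $ChunkMB * 1MB
    $buf  = [byte[]]::new($size)
    $bad  = @()
    $fs = [System.IO.FileStream]::new($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read,
                                      [System.IO.FileShare]::None, 1MB, [System.IO.FileOptions]::SequentialScan)
    try {
        for ($i = 0; $i -lt $ExpectedHashes.Count; $i++) {
            $got = 0
            while ($got -lt $size) {                       # Read() may return short counts
                $n = $fs.Read($buf, $got, $size - $got)
                if ($n -le 0) { break }
                $got += $n
            }
            $have = if ($got -eq $size) { [Convert]::ToBase64String($script:Sha256.ComputeHash($buf)) } else { 'short-read' }
            if ($have -ne $ExpectedHashes[$i]) { $bad += $i }   # dropped, faked or corrupted chunk
        }
    } finally { $fs.Dispose() }
    [pscustomobject]@{
        TestedMB  = $ChunkMB * $ExpectedHashes.Count
        BadChunks = $bad
        Passed    = ($bad.Count -eq 0)
    }
}

# Usage: write, eject and re-insert the medium (or reboot), verify, then delete the file.
#   $h = Write-MediaTestFile -Path 'E:\capacity-test.bin'
#   Test-MediaTestFile  -Path 'E:\capacity-test.bin' -ExpectedHashes $h
```

A fake-capacity stick typically passes the first few hundred MB (real flash) and fails everything after; a drive that returns zeros for a chunk it acknowledged fails the same way, which is the behaviour the post describes.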
 
daniels27 said:
The backdoors are not *on* but *in* the hard drive. In other words, they are on the chip that comes with it. They use weak encryption. They have some sort of maintenance port etc.

ahhh, so it is a weak point of the hardware and you would need to replace the hard drive to get rid of the back door?
 
void said:
as somebody (probably @0xDEADBEEF) already warned in another thread, you're trusting the hardware manufacturer here when it comes to potential back doors implemented - this is something to consider and decide by yourself

Houdini said:
ahhh, so it is a weak point of the hardware and you would need to replace the hard drive to get rid of the back door?

You would probably have to switch manufacturer. If one hard drive has a backdoor built in from delivery, most of them will have it. We currently do not know which devices have backdoors, but there have been many issues in the past, from the EUSSR to China, and as a result the US no longer allows purchases of any Huawei devices.

You can check this one here:
https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/

Various peripheral devices available in the SoC may provide special hardware registers that can be used by the CPU to operate these devices. For this to work, these hardware registers are mapped to the memory accessible by the CPU and are known as “memory-mapped I/O (MMIO)”.

Address ranges for MMIOs of peripheral devices in Apple products (iPhones, Macs, and others) are stored in a special file format: DeviceTree. Device tree files can be extracted from the firmware, and their contents can be viewed with the help of the dt utility.

While analyzing the exploit used in the Operation Triangulation attack, I discovered that most of the MMIOs used by the attackers to bypass the hardware-based kernel memory protection do not belong to any MMIO ranges defined in the device tree. The exploit targets Apple A12–A16 Bionic SoCs, targeting unknown MMIO blocks of registers that are located at the following addresses: 0x206040000, 0x206140000, and 0x206150000.

This prompted me to try something. I checked different device tree files for different devices and different firmware files: no luck. I checked publicly available source code: no luck. I checked the kernel images, kernel extensions, iBoot, and coprocessor firmware in search of a direct reference to these addresses: nothing.

How could it be that the exploit used MMIOs that were not used by the firmware? How did the attackers find out about them? What peripheral device(s) do these MMIO addresses belong to?

It occurred to me that I should check what other known MMIOs were located in the area close to these unknown MMIO blocks. That approach was successful.

We do not know if the backdoor was intended by Apple or not. But in any case it shows you very well that you simply cannot trust any hardware vendor that their devices are free from backdoors when delivered.

Last edited: Sep 15, 2024
 
also you should consider disabling your USB/FireWire/Thunderbolt/LAN... ports in the BIOS while outside the safe environment
no matter that your autorun feature is disabled for USB drives, it can still quack like a duck

Last edited: Sep 15, 2024
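What "quack like a duck" means in practice, and what you can do about it short of disabling the ports in firmware, as an added example (not from the post above): a BadUSB stick enumerates as a keyboard, so USB autorun settings never come into play. The block disables the USB mass-storage driver with the documented USBSTOR method, lists keyboards currently attached over USB/HID (a laptop using only its built-in keyboard should get an empty list), pulls the keyboard-class device arrivals since boot from the Kernel-PnP log, where a rubber-ducky style stick leaves a trace even after it is pulled, and, as the stronger option, turns on the device installation restriction that refuses any device not already installed. Assumes an elevated PowerShell. Take stock of what you own before enabling that last one, or the next keyboard you buy is refused too.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell.
function Disable-UsbStorage {
    param([switch] $Restore)
    # Documented USBSTOR method: Start 4 = driver disabled, 3 = load on demand (default)
    $k = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    Set-ItemProperty -Path $k -Name Start -Value $(if ($Restore) { 3 } else { 4 })
    (Get-ItemProperty -Path $k).Start
}

# Keyboards attached over USB/HID right now. A laptop's built-in keyboard is
# enumerated under ACPI\..., so on a laptop this should return nothing.
function Get-UsbKeyboards {
    Get-PnpDevice -Class Keyboard -PresentOnly |
        Where-Object { $_.InstanceId -like 'HID\VID_*' -or $_.InstanceId -like 'USB\VID_*' } |
        Select-Object FriendlyName, InstanceId, Status
}

# Keyboard-class devices configured (400) or started (410) since boot. The message
# text carries the instance path and the setup class GUID, so match on both.
function Get-KeyboardArrivalsSinceBoot {
    $boot     = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $kbdClass = '4d36e96b-e325-11ce-bfc1-08002be10318'     # setup class GUID: Keyboard
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Kernel-PnP/Configuration'; Id = 400, 410; StartTime = $boot } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $kbdClass -and $_.Message -match '(HID|USB)\\VID_' } |
        Select-Object TimeCreated, Id, Message
}

# Stronger: "Prevent installation of devices not described by other policy settings".
# Devices installed before this keep working; anything new is refused until you
# either turn it off again or add the device to an allow list.
function Deny-NewDeviceInstalls {
    param([switch] $Restore)
    $k = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    New-Item -Path $k -Force | Out-Null
    Set-ItemProperty -Path $k -Name DenyUnspecified -Value $(if ($Restore) { 0 } else { 1 })
    (Get-ItemProperty -Path $k).DenyUnspecified
}

# Disable-UsbStorage
# Get-UsbKeyboards                 # expect nothing on a laptop with no external keyboard
# Get-KeyboardArrivalsSinceBoot    # anything here that you did not plug in yourself is the duck
# Deny-NewDeviceInstalls           # after you have plugged in everything you actually own
```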
 

JohnnyDoe.is is an uncensored discussion forum focused on free speech, independent thinking, and controversial ideas. Everyone is responsible for their own words.
