Seeking Expert Advice for Securing My New Lenovo Laptop

[ivan1911]

I’m not as tech savvy as some of you here but I have a friend who is and I remember that he said a few things on that topic …

1. If someone has physical access to your computer and plans and wants to steal your data , they will . So best not to leave your computer unattended .
2. General rule of thumb is that Linux is best.
3. More secure almost always equals less comfort so you have to understand the level of risk you’re in decide what you want and who you want to protect yourself from.. isp , government etc or thieves and hackers…

He also said that generally iPhone + Mac is much better then android and windows , and that it is enough for most people with basic privacy settings..

 

[diatessaron]

You have to switch to Linux, and that Lenovo laptop has a hardware backdoor into it but at least it isn't American, the most you will get is have your crypto and ID stolen, but you won't go to jail.

 

[void]

This hasnt been true for years, again something like linux mint will have 0 practical issues with all peripherals I can think of (except if they need special windows only drivers of course), but you can always dual boot for windows and use the windows install only for low risk activities.

I installed Mint 22 two weeks ago on a older Dell XPS 13 (btw one of the few laptops that officially supported linux - Ubuntu if I remember correctly) - Bluetooth devices like headphones or watch one big pain in the a*s, same with wifi printer, sleep/hibernation support sucks, power management no way

with Proxmox or Vmware workstation (free for personal use now) one can achieve a lot and take the best from both Windows and Linux worlds - but it requires time (lots of time)

I'm repeatedly personally trying Linux on desktop for last 20 years, it's still not ready and I'm no rookie (I'm managing tens of mostly debian servers) - mission impossible for a mediocre user

everything of value should be in the server-side infrastructure and one can freely use various disposable and valueless devices (putting aside the value of the given hardware of course)

 

[sergeylim88]

topic already discussed many times
mac is def better option than win, for non state actors
win + applocker + standard acc is also OK (pretty much to prevent anything not approved from running, ofcourse there could be exploit for it, who knows)

you were also told about bloatware, disabling macros...before i even added:
- changing DNS to DNS over HTTPS (browser option) and setting Google/CloudFlare as default DNS
- disable JS in browser, unless approved (to prevent popups from loading malicious web site)
- multiple VeraCrypt containers, just if one gets compromised, others are still encrypted (so do not auto mount them, or mount them all at the same time)

but for what you are after (by later post), i think your best bet is learning shortcut WIN + L
security on a machine with battery is uhhhh, well...if they take it, they will have it with completely powered with all ram content unencrypted...they will have plenty of time to disassemble laptop while being powered (if possible), spray ram modules...

 

[EliasIT]

security on a machine with battery is uhhhh, well...if they take it, they will have it with completely powered with all ram content unencrypted...they will have plenty of time to disassemble laptop while being powered (if possible), spray ram modules...

I agree, but to have a complete backup stored somewhere in an external hosting center may indeed help together with VerCrypt.

What do you mean with "spray ram modules" why ?

First things first, debloat windows 11. Microsoft has lost their mind with the amount of bullsh*t preinstalled. [1] For this you can use GitHub - Raphire/Win11Debloat: A simple, easy to use PowerShell script to remove pre-installed apps from Windows, disable telemetry, remove Bing from Windows search as well as perform various other changes to declutter and improve your Windows experience. This script works for both Windows 10 and Windows 11.. There are a lot of other scripts, but this one did not break any useful system functionality for me.

Can I also use Bulk Crap Uninstaller (BCUninstaller) ? I just installed it from SourceForce on a test PC - it finds a lot at clean it automatically, It is free and easy to use?

 

[0xDEADBEEF]

Can I also use Bulk Crap Uninstaller (BCUninstaller) ? I just installed it from SourceForce on a test PC - it finds a lot at clean it automatically, It is free and easy to use?

I have never used it myself, but it looks fine.

 

[spoonerkenmionz]

Check out Windows AME, it offers various versions for specific needs that will deactivate unnecessary Microsoft Services Ameliorated

 

[daniels27]

What do you mean with "spray ram modules" why ?

I think he is referring to RAM tracing and other methods to access data externally while your computer is still powered on in enemy hands:

DSi RAM tracing – scanlime

scanlime.org

security on a machine with battery is uhhhh, well...if they take it, they will have it with completely powered with all ram content unencrypted...they will have plenty of time to disassemble laptop while being powered (if possible), spray ram modules...

You may want to use a Redkey or something attached to a wrist band. If set up properly with the patent of @JohnnyDoe

Patent for secure erasing of data

I’m selling the rights of an invention (patent pending with the USPTO) that securely erases data from any device. Contact me if interested in buying or brokering it to buyers. This is how it works: Try to do a forensic recovery on that chip smi(&%

www.offshorecorptalk.com

All data will be gone if somebody takes your computer.

 

[avalanche]

If someone skilled is targeting you you're pretty much doomed no matter what you do.

to protect against random attacks you can just use the least popular version of any OS, something that nobody builds viruses for.

 

[diro]

I must admit that I’m learning a lot just by following this thread. I’ve been testing many of the mentioned methods and software/apps on a separate computer, and within just a few hours, it has already transformed the PC into a much faster and better machine. Thanks to everyone!

 

[daniels27]

How about the following .reg file?

Windows Registry Editor Version 5.00

# Settings > System > Notifications
# Disable all
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\PushNotifications]
"ToastEnabled"=dword:0

# Settings > System > Remote Desktop
# Off
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000001

# Control Panel > File Explorer Options > View
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
# + Always show icons, never thumbnails
"UseCompactMode"=dword:00000001
# - Display icon on thumbnails
"IconsOnly"=dword:00000001
# - Hide extensions for known file types
"HideFileExt"=dword:00000000
# - Hide folder merge conflicts
"ShowInfoTip"=dword:00000000
# - Show preview handlers in preview pane
"ShowPreviewHandlers"=dword:00000000

# Settings > System > About > Advanced system settings > Performance
# + Adjust for best performance
# + Smooth edges of screen fonts
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects]
"VisualFXSetting"=dword:3
# Animate controls and elements inside windows
# Fade or slide menus into view
# Fade or slide ToolTips into view
# Fade out menu items after clicking
# Show shadows under mouse pointer
# Show shadows under windows
# Slide open combo boxes
# Smooth-scroll list boxes
[HKEY_CURRENT_USER\Control Panel\Desktop]
"UserPreferencesMask"=hex(2):90,12,03,80,10,00,00,00
# Animate windows when minimizing and maximizing
[HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics]
"MinAnimate"="0"
# Animations in the taskbar
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"TaskbarAnimations"=dword:0
# Show thumbnails instead of icons
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"IconsOnly"=dword:1
# Show translucent selection rectangle
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ListviewAlphaSelect"=dword:0
# Use drop shadows for icon labels on the desktop
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ListviewShadow"=dword:0
# Enable Peek
[HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM]
"EnableAeroPeek"=dword:0
# Save taskbar thumbnail previews
[HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM]
"AlwaysHibernateThumbnails"=dword:0
# Show window contents while dragging
[HKEY_CURRENT_USER\Control Panel\Desktop]
"DragFullWindows"="0"
# Smooth edges of screen fonts
#[HKEY_CURRENT_USER\Control Panel\Desktop]
#"FontSmoothing"=dword:0

# Disable Thumbnail Cache
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"DisableThumbnailCache"=dword:00000001

# Disable Folder Type Recognition
[-HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU]
[-HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags]
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell]
"FolderType"="NotSpecified"

# Disable problem reporting on crash
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting]
"Disabled"=dword:00000001

# Disable Cortana
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search]
"AllowCortana"=dword:00000000

# Disable Cortana Websearch
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search]
"BingSearchEnabled"=dword:00000000
"CortanaConsent"=dword:00000000

# Disable Widgets
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh]
"AllowNewsAndInterests"=dword:00000000

# Disable Copilot
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsCopilot]
"TurnOffWindowsCopilot"=dword:1

and the following to uninstall all apps which do not allow to be uninstalled with the mouse

Get-AppxPackage -Name *Microsoft.Messaging* | Remove-AppxPackage
Get-AppxPackage -Name *Microsoft.People* | Remove-AppxPackage
Get-AppxPackage -Name *Microsoft.WindowsCamera* | Remove-AppxPackage
Get-AppxPackage -Name *Microsoft.GetHelp* | Remove-AppxPackage
Get-AppxPackage -Name *Microsoft.WindowsMaps* | Remove-AppxPackage
Get-AppxPackage -Name *Microsoft.YourPhone* | Remove-AppxPackage
Get-AppxPackage -Name *Microsoft.XboxGameOverlay* | Remove-AppxPackage
Get-AppxPackage -Name *Microsoft.XboxGamingOverlay* | Remove-AppxPackage
Get-AppxPackage -Name *Microsoft.Windows.Photos* | Remove-AppxPackage
Get-AppxPackage -Name *Microsoft.549981C3F5F10* | Remove-AppxPackage
Get-AppxPackage -Name *windowsstore* | Remove-AppxPackage

 

[Houdini]

- for performance reasons use HDD level encryption (your NVMe drive will support OPAL standard most likely), if you're paranoid or have a solid reason use Veracrypt instead or (better) on top (for special partition with hyper sensitive stuff or file-based container)

Is it a build in function in Windows or how are you doing it?

First things first, debloat windows 11. Microsoft has lost their mind with the amount of bullsh*t preinstalled. [1] For this you can use GitHub - Raphire/Win11Debloat: A simple, easy to use PowerShell script to remove pre-installed apps from Windows, disable telemetry, remove Bing from Windows search as well as perform various other changes to declutter and improve your Windows experience. This script works for both Windows 10 and Windows 11.. There are a lot of other scripts, but this one did not break any useful system functionality for me.

very cool tool.

Also Defender EDR (MDE) keeps track of your vulnerabilities as well.

this replace the used NOD32 by elias right?

Bitlocker is indeed included from the Pro edition, which will be more than sufficient.

is included in Windows 11 Pro if I read the details correct?

 

[void]

Is it a build in function in Windows or how are you doing it?

most straightforward approach is using the technology via Bitlocker (which I would not personally recommend but it's an option)

way better is using sedutil tool which will allow you to install PBA (PreBootAuthentication) utility to shadow MBR partition of the drive - when the NVMe drive with OPAL support is powered on this tools boots and allows you to submit your passphrase to the drive controller which unlocks given range (see the setup documentation) and "makes the drive readable" until next power off

then a conventional OS is loaded from the "encrypted" drive without even knowing about it

the most basic setup (totally fine for vast majority of users) is pretty simple and basically about following the cookbook

it's worth noting that these drives are encrypted "by default" and you're just changing the current password it's encrypted with (simplified but true from user perspective) which makes this technology so flexible

nice perk is zero impact on CPU load as all is done by the drive itself

as somebody (probably @0xDEADBEEF) already warned in another thread you're trusting the hardware manufacturer here when it comes to potential back doors implemented - this is something to consider and decided by yourself

 

[Houdini]

as somebody (probably @0xDEADBEEF) already warned in another thread you're trusting the hardware manufacturer here when it comes to potential back doors implemented - this is something to consider and decided by yourself

In the old days you could just do a formatting of the drive and start over, isn't that possible any longer on a laptop, the backdoors stay open ?

 

[void]

In the old days you could just do a formatting of the drive and start over, isn't that possible any longer on a laptop, the backdoors stay open ?

actually formatting of old IDE/SATA drives is about erasing the partition table or other data structures of the drives - that's why so many utilities implementing different strategies of overwriting the data exist(ed)

if you don't trust you hw manufactures then DIY or make sure you don't have to (possible with disk data by using Veracrypt paying with your CPU load and moving the trust to Veracrypt developers ) or get back to pen&paper

 

[daniels27]

In the old days you could just do a formatting of the drive and start over, isn't that possible any longer on a laptop, the backdoors stay open ?

The backdoors are not *on* but *in* the hard drive. In other words, they are on the chip that comes with it. They use weak encryption. They have some sort of mainenance port etc.

And overwriting data is another issues. HDD are relatively easy in that sense as you can just write all blocks and cylinders. But SSD have a chip which decides where it wants to store the data (or not). It can completely fool you like with the 512 GB flash drives from China for $2 which show that amount of space on Windows, but actually only have 2 MB capacity. You can write a whole movie there, but the data is simply being wirtten nowhere and when you try to read it, the chip just spit out 0x00000000 or @0xDEADBEEF if you are lucky

 

[Houdini]

The backdoors are not *on* but *in* the hard drive. In other words, they are on the chip that comes with it. They use weak encryption. They have some sort of mainenance port etc.

ahhh so it is a weak point of the hardware and you would need to replace the hard drive to get rid of the back door?

 

[daniels27]

as somebody (probably @0xDEADBEEF) already warned in another thread you're trusting the hardware manufacturer here when it comes to potential back doors implemented - this is something to consider and decided by yourself

ahhh so it is a weak point of the hardware and you would need to replace the hard drive to get rid of the back door?

You probably would have to switch the manufacturer. If one hard drive has a backdoor built-in from delivery, most of them will have it. We currently do not know what all devices have backdoors, but there have been many issues in the past from EUSSR to China and as a result, US does no longer allow purchases of any Huawei devices.

You can check this one here:

Operation Triangulation: The last (hardware) mystery

Recent iPhone models have additional hardware-based security protection for sensitive regions of the kernel memory. We discovered that to bypass this hardware-based security protection, the attackers used another hardware feature of Apple-designed SoCs.

securelist.com

Various peripheral devices available in the SoC may provide special hardware registers that can be used by the CPU to operate these devices. For this to work, these hardware registers are mapped to the memory accessible by the CPU and are known as “memory-mapped I/O (MMIO)“.

Address ranges for MMIOs of peripheral devices in Apple products (iPhones, Macs, and others) are stored in a special file format: DeviceTree. Device tree files can be extracted from the firmware, and their contents can be viewed with the help of the dt utility.

While analyzing the exploit used in the Operation Triangulation attack, I discovered that most of the MMIOs used by the attackers to bypass the hardware-based kernel memory protection do not belong to any MMIO ranges defined in the device tree. The exploit targets Apple A12–A16 Bionic SoCs, targeting unknown MMIO blocks of registers that are located at the following addresses: 0x206040000, 0x206140000, and 0x206150000.

The prompted me to try something. I checked different device tree files for different devices and different firmware files: no luck. I checked publicly available source code: no luck. I checked the kernel images, kernel extensions, iboot, and coprocessor firmware in search of a direct reference to these addresses: nothing.

How could it be that that the exploit used MMIOs that were not used by the firmware? How did the attackers find out about them? What peripheral device(s) do these MMIO addresses belong to?

It occurred to me that I should check what other known MMIOs were located in the area close to these unknown MMIO blocks. That approach was successful.

We do not know if the backdoor was intended by Apple or not. But in any case, it shows you very well, that you simply cannot trust any hardware vendor that their devices are free from backdoors when delivered.

 

[sergeylim88]

bitlocker only with pre boot pin How to Enable a Pre-Boot BitLocker PIN on Windows
or with pre boot BIOS password (if option available)

 

[sergeylim88]

also you should consider disabling your usb/firewire/thunderbolt/lan... ports in bios, while being outside the safe environment
no matter the fact your autorun feature is disable for usb drives, it can still quack like a duck