Re: [Full-disclosure] round and round they go
> hrm. sigh. Normal moles not being able to grasp trivial knowledge.

*cough*

> Airports are duh known conduits of business travellers with lots of data,

first question: do those travellers use encryption? from my experience, most people are just ignorant when it comes to security. how many notebooks are stolen to do industrial espionage? any statistics? anyway, you're right - if they do use encryption and if they felt safe, they have to feel a little less safe from now on. that means: if in doubt, you should not carry too much important data on your notebook. (a VPN access might help...) and you might just turn your notebook OFF, instead of putting it to sleep.

> thus increasing the possibility of targeting a more valuable target. So your statement that only ordinary criminals steal at airports is shortsighted. If anything a common criminal isn't going to try and steal at a place with a fucking million security cameras around.

hmm, ok, who would do so? would you say it is easy to grab a notebook in an airport lounge and leave the airport before anyone notices or security folks get after you?

> You hardly need a barrel of liquid nitrogen - If you could summon not a barrel but more of a can of clue you would be better off.

ok, so what you have to do is: grab the notebook while it's powered on or in an ACPI sleep state (maybe hit the victim in the toilet or something). get out of the airport into a car and disappear quickly. in your car you might have a *can* of liquid nitrogen or just a bunch of screwdrivers and an ice spray (the DRAMs might not be easily accessible). you need a computer with the same slots and be sure that the DRAMs have compatible timing... and gloves, by the way... possible, but complicated.

still, there are comparatively *simple* countermeasures: use glue. use TWO encrypted drives (one for your personal data and one for your secret business data). use an RFID or bluetooth device to secure your notebook. and then there are anti-tampering methods.
i have heard there are secure memory modules which erase themselves quickly... or just don't let them snatch your computer!

n.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] round and round they go
http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html

(cooling down DRAMs keeps their contents for a longer time, even during reboot.)

well, this shows how important mechanical security still is, even with all the crypto stuff out there. if you e.g. just *glued* your RAM modules into your motherboard, the option left would be booting a malicious OS. a BIOS password might put delays on that. so, if it is really secret, put your PC in a locked steel box!

as a direct countermeasure you might as well consider a simple temperature sensor next to your DRAMs, releasing [evil self-destruction hack] when temperatures drop below 0°C. thermite does a good job of destroying HDDs but it's very dangerous. it's probably easier to use this device, then: http://www.wiebetech.com/products/HotPlug.php

looking at these two methods, i notice how they (whoever) seem to aim not only at physical access but also more and more at surprising the crypto user. they might use the methods mentioned above or just hit you with a flashbang, so you can't press the lock key anymore. this worries me more than any IT-related security flaw. i don't want the police to behave like that.

n.
Re: [Full-disclosure] round and round they go
I found the article interesting, but I wonder about its practicality. If you have physical access to the box you never really need to power down the box in the first place, and generally if the box is already on, I think most people would prefer to attack a service to get on the system directly. But there are some special cases where these techniques will likely be very useful.

For me, I've always disliked the practice of doing live forensic discovery. I'd much rather get a clean disk dump than poke around on the system first, but losing RAM sucks. Maybe now IR/Forensic guys can get the best of both worlds? They can yank the power to save the disk state and dump memory by using the techniques described in the article. :)

On Fri, Feb 22, 2008 at 8:32 AM, niclas [EMAIL PROTECTED] wrote:
> http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html
> [...]

-- 
Matthew Wollenweber
[EMAIL PROTECTED] | [EMAIL PROTECTED]
www.cyberwart.com
Re: [Full-disclosure] round and round they go, keys in ram are ripe for picking...
> Countermeasures and their Limitations

FIPS 140-1 [http://www.itl.nist.gov/fipspubs/fip140-1.htm] addresses this.

[snip]

*SECURITY LEVEL 4*

In addition to the requirements for Security Levels 1, 2 and 3, the following requirements shall also apply to a multiple-chip embedded cryptographic module for Security Level 4.

* The contents of the module shall be completely contained within a tamper detection envelope (e.g., a flexible mylar printed circuit with a serpentine geometric pattern of conductors or a wire-wound package or a non-flexible, brittle circuit) which will detect tampering by means such as drilling, milling, grinding or dissolving of the potting material or cover.

* The module shall contain tamper response and zeroization circuitry. The circuitry shall continuously monitor the tamper detection envelope for tampering, and upon the detection of tampering, shall immediately zeroize all plaintext cryptographic keys and other unprotected critical security parameters (see Section 4.8.5). The circuitry shall be operational whenever plaintext cryptographic keys or other unprotected critical security parameters are contained within the cryptographic module.

* The module shall either include environmental failure protection (EFP) features or undergo environmental failure testing (EFT) as specified in Section 4.5.4.

[snip]

Consider the IBM 4758 [http://www-03.ibm.com/security/cryptocards/pcicc/overproduct.shtml] as a good example of how it's implemented.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
Re: [Full-disclosure] round and round they go
I would think a more realistic scenario might be a person working at an airport shutting their system down then getting it stolen vs a forensic examiner yanking the cord on purpose. Just an observation.

- Original Message -
From: matthew wollenweber [mailto:[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Sent: Fri, 22 Feb 2008 09:57:55 -0500
Subject: Re: [Full-disclosure] round and round they go

> I found the article interesting, but I wonder about its practicality.
> [...]
Re: [Full-disclosure] round and round they go, keys in ram are ripe for picking...
On Fri, Feb 22, 2008 at 10:05 AM, Michael Holstein [EMAIL PROTECTED] wrote:
> ...
> FIPS 140-1 [http://www.itl.nist.gov/fipspubs/fip140-1.htm] addresses this.
> ...
> * The contents of the module shall be completely contained within a tamper detection envelope...
> * The module shall contain tamper response and zeroization circuitry.
> ...
> * The module shall either include environmental failure protection (EFP) features or undergo environmental failure testing (EFT) ..

i'm fond of tamper resistant / evident packaging, but this is usually applied to persistent key storage rather than working system memory. works well for authentication tokens and such, even if these methods can also be bypassed with some effort. (see http://flylogic.net/ and their disassemblies at http://flylogic.net/blog )

tamper resistant cases are a bit more fun, like the blackbox [0] pelican padlocked with zeroization / panic button. however, after reading this paper, it appears that secure overwrite of all key scrubbed memory and other sensitive locations would be preferable to simple power off, even if the case is a pain to open...

a fun attack, to be sure.

0. DefCon 13 black box challenge http://blog.makezine.com/archive/2005/07/_defcon_the_jan.html
Re: [Full-disclosure] round and round they go
> I would think a more realistic scenario might be a person working at an airport shutting their system down then getting it stolen vs a forensic examiner yanking the cord on purpose. Just an observation.

if somebody steals your notebook at the airport, the chance of this person just being an ordinary criminal not interested in your data is very high. and if you just shut down your notebook, the DRAMs are still warm, decreasing the time window for an ice-spray attack. so, unless the notebook is thrown into a barrel of liquid nitrogen...

n.
Re: [Full-disclosure] round and round they go
hrm. sigh. Normal moles not being able to grasp trivial knowledge. Airports are duh known conduits of business travellers with lots of data, thus increasing the possibility of targeting a more valuable target. So your statement that only ordinary criminals steal at airports is shortsighted. If anything a common criminal isn't going to try and steal at a place with a fucking million security cameras around. You obviously don't have enough of a grasp of the techniques to understand this thread so drop back off. You hardly need a barrel of liquid nitrogen - If you could summon not a barrel but more of a can of clue you would be better off.

Jay

- Original Message -
From: niclas [mailto:[EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Cc: [EMAIL PROTECTED],[EMAIL PROTECTED]
Sent: Sat, 23 Feb 2008 01:16:48 +0100
Subject: Re: [Full-disclosure] round and round they go

> if somebody steals your notebook at the airport, the chance of this person just being an ordinary criminal not interested in your data is very high.
> [...]
[Full-disclosure] round and round they go
http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html
Re: [Full-disclosure] round and round they go, keys in ram are ripe for picking...
On Thu, Feb 21, 2008 at 12:43 PM, Elazar Broad [EMAIL PROTECTED] wrote:
> http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html

Lest We Remember: Cold Boot Attacks on Encryption Keys

the best part is:

'''
Countermeasures and their Limitations

Memory imaging attacks are difficult to defend against because cryptographic keys that are in active use need to be stored somewhere. Our suggested countermeasures focus on discarding or obscuring encryption keys before an adversary might gain physical access, preventing memory-dumping software from being executed on the machine, physically protecting DRAM chips, and possibly making the contents of memory decay more readily.
'''

executive summary:

- don't let malware read keys from memory. (ah, security, so many holes, so many weak links...)
- the ability to scrub keys out of memory is ideal, but likely fallible. can you hit that panic button fast enough?
- boot from secure media. you're booting from a read-only iso into that FDE protected OS, right?
- avoid pre-computation of key schedules. high throughput hardware crypto implementations are great for this. i love padlock engines...
- key expansion: i'm not familiar with any FDE that does this. anyone?

note that if you're not using key scrubbing in your disk encryption (loop-aes?) you've got bigger remanence problems to worry about:

Data Remanence in Semiconductor Devices
http://www.cypherpunks.to/~peter/usenix01.pdf
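The "scrub keys out of memory" item above, and the point in the reply to Michael Holstein that secure overwrite of key material is preferable to simple power off, as an added example in C. This is not code from the thread, the Wired article or the cold boot paper. It assumes a Linux/POSIX host with mlock()/munlock(); the key_slot layout, the function names and the 32-byte sample key are constructed for illustration. It shows the two halves of "key scrubbing" that are easy to get wrong: a memset that the optimiser is allowed to delete as a dead store, beside a scrub it must emit, and pinning the slot so the key is never paged to swap (the disk-remanence problem the Gutmann paper covers).

```c
/* Added example, not code from the thread or the cited paper: a key slot
 * for a disk-encryption key that (1) is pinned so it cannot be paged to
 * swap, and (2) can be scrubbed on lock/suspend in a way the optimiser
 * cannot delete. Assumes Linux/POSIX (mlock/munlock). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define KEY_LEN 32            /* e.g. one AES-256 data-encryption key */

struct key_slot {
    uint8_t key[KEY_LEN];
    int     pinned;           /* 1 if mlock() succeeded */
    int     live;             /* 1 while key material is present */
};

/* WRONG: memset on memory that is never read again is a dead store, and
 * an optimising compiler is allowed to drop it. Shown for contrast only. */
void naive_scrub(struct key_slot *s)
{
    memset(s->key, 0, sizeof s->key);
}

/* Scrub through a volatile pointer: every store is an observable side
 * effect the compiler must emit. explicit_bzero() (glibc >= 2.25, OpenBSD)
 * or C11 memset_s() do the same job where available. */
static void secure_scrub(struct key_slot *s)
{
    volatile uint8_t *p = s->key;
    for (size_t i = 0; i < sizeof s->key; i++)
        p[i] = 0;
    s->live = 0;
}

/* Load key material into the slot. mlock() keeps the page out of swap;
 * a failure (EPERM/ENOMEM under a low RLIMIT_MEMLOCK) is recorded rather
 * than fatal so the demo runs anywhere; production code should refuse. */
int key_slot_load(struct key_slot *s, const uint8_t *km, size_t n)
{
    if (n != KEY_LEN)
        return -1;
    s->pinned = (mlock(s, sizeof *s) == 0);
    memcpy(s->key, km, n);
    s->live = 1;
    return 0;
}

/* The "panic button" hook: screen lock, suspend (ACPI S3) or shutdown.
 * Scrubs first, so a later cold-boot image of this page finds zeros. */
void key_slot_on_suspend(struct key_slot *s)
{
    if (s->live)
        secure_scrub(s);
}

void key_slot_destroy(struct key_slot *s)
{
    secure_scrub(s);
    if (s->pinned)
        munlock(s, sizeof *s);
    s->pinned = 0;
}

/* 1 if no key byte remains in the slot. */
int key_slot_is_zeroed(const struct key_slot *s)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        acc |= s->key[i];
    return acc == 0;
}

/* Full lifecycle on a constructed (not real) key; returns 1 on success. */
int demo_lifecycle(void)
{
    static const uint8_t sample_key[KEY_LEN] = {
        0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
        0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,
        0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,
        0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10 };
    struct key_slot s;
    if (key_slot_load(&s, sample_key, sizeof sample_key) != 0)
        return 0;
    if (!s.live || key_slot_is_zeroed(&s))      /* key must be present */
        return 0;
    key_slot_on_suspend(&s);
    if (s.live || !key_slot_is_zeroed(&s))      /* key must be gone */
        return 0;
    key_slot_destroy(&s);
    return 1;
}

int main(void)
{
    printf("key lifecycle %s\n", demo_lifecycle() ? "ok" : "FAILED");
    return 0;
}
```

The caveat the thread keeps circling back to still applies: key_slot_on_suspend() only helps if it actually runs before the attacker has the machine, so it has to be wired to the lock key, the lid switch and the suspend path, and a notebook snatched while it is live or in S3 sleep never reaches it. Pinning with mlock() addresses a different leak (the key ending up in swap or a hibernation file); it does nothing against a DRAM image.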