Bootable flash key makes disk encryption attacks super-simple
Ruh roh, Shaggy -- you remember that disk encryption attack that involved cooling off your target's RAM and yanking it to get a bit dump before the contents faded? Well, it looks like things just got a lot simpler for would-be attackers -- check out this USB flash key designed by security researcher Robert Wesley McGrew, which can boot your machine and dump the RAM to itself while overwriting as little of it as possible. That means you no longer need to actually pull the DIMMs or carry around an air duster; all an attacker needs is enough time to reboot your machine and copy the contents of your RAM. The catch for victims is that the keys for any mounted encrypted volume sit in RAM the whole time the machine is on or asleep, and a warm reboot straight into the key leaves most of that memory intact. Of course, the copy takes time -- McGrew says things are running quite slowly right now, but he suspects his test machine is dropping down to USB 1.0 speeds. That's still not too reassuring -- looks like we'll be spending even more time with our machines from now on.
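Dumping the RAM is only half the attack; the other half is finding the disk encryption key somewhere in a few gigabytes of memory. The trick the original cold-boot researchers used is that software AES implementations keep the full expanded key schedule in memory next to the key, and a key schedule is easy to recognise: take any 16 bytes, run the AES-128 key expansion on them, and see whether the next 160 bytes match. Because the expansion is deterministic, a match against random memory is essentially impossible, and a small tolerance for flipped bits handles cells that decayed during the reboot. The script below is an added example written for this page, not McGrew's tool or the Princeton team's code; it builds the S-box from its definition, implements FIPS-197 key expansion, and scans a constructed stand-in for a memory image (pseudo-random filler with the FIPS-197 Appendix A test key schedule planted in it, once intact and once with three bits flipped). On a real dump you would read the image file into `dump` instead of calling `build_sample_dump()`.

```python
"""Locate AES-128 key schedules in a RAM image (cold-boot key recovery)."""
import random


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _build_sbox():
    """AES S-box computed as GF(2^8) inverse followed by the affine map,
    so no 256-entry table has to be typed in by hand."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= (q << 1) & 0xFF                                     # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _next_round_key(rk, rcon):
    """Derive round key i+1 from round key i (FIPS-197 key expansion, Nk=4)."""
    w = [rk[i:i + 4] for i in range(0, 16, 4)]
    t = w[3]
    # RotWord, SubWord, then XOR the round constant into the first byte
    t = bytes([SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]])
    out = []
    for i in range(4):
        t = bytes(a ^ b for a, b in zip(w[i], t))
        out.append(t)
    return b"".join(out)


def expand_key_128(key):
    """Full 176-byte AES-128 key schedule: the key followed by 10 round keys,
    which is what a software AES implementation leaves sitting in RAM."""
    sched = [bytes(key)]
    for rcon in RCON:
        sched.append(_next_round_key(sched[-1], rcon))
    return b"".join(sched)


def _bit_errors(a, b):
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")


def find_aes128_keys(dump, max_bit_errors=0):
    """Return (offset, key) for every 16-byte window whose following 160 bytes
    equal its own key schedule, allowing up to max_bit_errors flipped bits
    to account for DRAM cells that decayed before the dump was taken."""
    hits = []
    for off in range(len(dump) - 175):
        rk = dump[off:off + 16]
        errors = 0
        for r, rcon in enumerate(RCON):
            rk = _next_round_key(rk, rcon)
            pos = off + 16 * (r + 1)
            errors += _bit_errors(rk, dump[pos:pos + 16])
            if errors > max_bit_errors:
                break          # almost every window fails on the first round
        else:
            hits.append((off, dump[off:off + 16]))
    return hits


# FIPS-197 Appendix A.1 test key; its expanded schedule is published, so it
# doubles as a correctness check for expand_key_128().
TEST_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def build_sample_dump(size=0x8000):
    """Constructed stand-in for a RAM image (not a real capture): pseudo-random
    filler with one intact key schedule at 0x1000 and a copy at 0x3000 in
    which three bits of the round keys have 'decayed'."""
    rng = random.Random(2008)
    dump = bytearray(rng.getrandbits(8) for _ in range(size))
    sched = expand_key_128(TEST_KEY)
    dump[0x1000:0x1000 + 176] = sched
    decayed = bytearray(sched)
    decayed[20] ^= 0x01      # flips land in round keys, not in the key itself
    decayed[77] ^= 0x80
    decayed[150] ^= 0x10
    dump[0x3000:0x3000 + 176] = decayed
    return bytes(dump)


if __name__ == "__main__":
    image = build_sample_dump()
    for off, key in find_aes128_keys(image, max_bit_errors=4):
        print(f"AES-128 key schedule at 0x{off:05x}: key {key.hex()}")
```

With `max_bit_errors=0` only the intact copy is reported; raising it to 4 also recovers the decayed copy, while neighbouring offsets inside the schedule still fail quickly because a wrong round constant alone costs eight or more bit errors in the first round. The same scan generalises to AES-256 (a 240-byte schedule, 14 round keys, 32-byte key) with only the expansion routine changed.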
[Via Hack a Day]
could they use this technic to decrypt bluray discs?
Yes and no. This technique is only necessary to retrieve keys after the original user shuts down their PC and you want to access their keys that are still resident in memory.
When playing an encrypted movie you could probably get the keys while the PC is still running. There's no need to get fancy and freeze chips etc.
technique*
Everyone's making such a big deal out of these attacks, and it's true that at the moment they are a problem; however, the problem is so trivial for OS makers to fix (overwrite the password in memory with a random string before shutdown/sleep).
RaynorWolfcastle: Then how do you deal with the situation when the attacker simply pulls the power and battery?
::overwrite the password in memory with a random string before shutdown/sleep
That's not a complete fix/that's already implemented by most vendors (TrueCrypt comes to mind), and hopefully implemented by OS designers as well.
Also note that if you ditch the key when you enter sleep mode you have to unmount all partitions/containers that were mounted when you initially entered sleep mode. This creates real issues when you sleep while applications have files open on those partitions (potential filesystem corruption).
That doesn't help at all against the user doing a cold reboot, however. That is surely what they would do in this case, to capture as much as possible of your currently operating memory.
@cibyr: The password should be overwritten when you enter sleep mode or shutdown. Once your computer is in sleep mode, the password's already gone. Also, sleep mode is a low power mode anyway, so your computer won't be doing anything, unmount all drives and remount them when the user logs back in.
The only case is when a user simply locks his computer while running a task that needs access to a secure partition. In reality, this probably isn't such a good idea in the first place if you have such precious data on that partition.
There are probably cases where the attack would work that isn't covered by these two scenarios, but these are probably the most common ones.
You could have at least cropped the Virtual Machine titlebar and status bar off.
All it's doing in that screenshot is dumping the RAM which will not contain any decryption key.
OOOOH RIGHT!!!
I remember this!
Every single decryption key is stored in the special decryption key slot, which is COMPLETELY INACCESSIBLE to the computer!
Think first before saying something dumb.
None of the virtual machines currently support the TPM BIOS which is what loads the decryption key into the RAM.
All that the above screenshot is doing is dumping the VIRTUAL RAM which contains no decryption key, and the virtual disk probably isn't even encrypted.
I'm guessing they did that because you can't take a screenshot in syslinux!
I was waiting for the "Good thing you bought a Macbook Air, which doesn't accept many USB flash keys." at the end.
Don't worry, I'm sure most USB flash drives won't fit in that tight spot. So it's still more secure. =)
1.make Bootable flash key that makes disk encryption attacks super-simple
2.?????
3.profit!
4. Invest the profits into a new joke.
Didn't the original "cool the ram" video show that technique as well? I vaguely remember them dumping the RAM with a USB device as well...
Yes it did, this is not really news. Been done. It's only news if the guy is releasing the source code.
This is fun but not realistic stuff.
It would be very poor security procedure to allow a PC to boot off a USB or CD/DVD. Yes, you can alter the BIOS of many PCs to allow this, but changing BIOS settings of a powered down PC requires opening the case.
By the way, good security should require that the case be locked.
Really scary would be portable application that could be run on a locked down PC.
Charlie Balch
Professor of CIS
Arizona Western College
Yeah um,
In the real world very few companies (and even fewer individuals) actually even alter BIOS settings, most of which these days allow booting from USB by default, even fewer companies go further to put on a BIOS password, and even fewer still bother locking their cases.
I admit to having been in the ivory tower for the last five years. I do not recall reading stats on what most companies are doing for security. Perhaps articles like this one will be a wake-up call for some basic security measures that do not take much effort.
Major computer vendors might even advertise that they are shipping with basic features by default. I find it kind of cool that I can boot off a floppy or a flash but how many regular users would care?
Charlie
All this is good and well, but the argument still holds: if you have physical access to the machine, you can do a lot of things. Better not let it get that far. If you're really paranoid about security, there are some simple methods, including removable disks (stored in safes), and handcuffs so you don't leave your laptop unattended.
On a related note, common sense would dictate that the best solution to this is to always mount an encrypted partition no more often than it is needed. This doesn't help with the OS partition, but if you keep your home directory, temporary files, etc. separate, it would help for those.
If you can boot the machine that means you must have physical access to the machine. Why not just install a hardware key logger and get the passphrase? Why beat down the heavy front door when you can sneak in the side? Other tactics would need to be employed for notebooks.
I think I'll set my computer to do BIOS RAM checking as well as locking the BIOS so it will NOT boot from USB. It will take precious milliseconds for the culprit to switch that DIP switch to clear BIOS, right?
Just put a bomb in your pc. If you think you've lost it.. blow it up :p. Problem solved.
Yes but can this decrypt my butt.
Is disabling boot from USB out of the question? Many BIOSes allow that. Even changing the boot order and then password protecting the BIOS would probably be enough for most systems, though there's probably a few that don't allow such.
But all it will take is a bios update to fix that.
Interesting, but not too earth shattering...
I guess it's a better time than ever to have my BIOS locked down with a 12 character password even I don't remember off the top of my head because I just use my finger.
There's a sure-fire, hack-proof solution: full disk encryption on the hard drive.
- the cryptographic key never leaves the hard drive
- it's stored on an ASIC in the hard drive with no probe points
- any attempt to remove the ASIC from the drive package locks the drive and cuts power to the chip, erasing its memory
For those serious about security, stop messing with band-aids and lock it down tight. Here's a more detailed description of this: http://www.seagate.com/docs/pdf/security/Princeton_RC514_1_0702.pdf
storageeffect.com
I've posted several times on hard drive encryption vs. other methods:
http://storageeffect.com/category/data-security/
This thing has been in the news for quite a while, it is strange that this shows up on Engadget only now.
The attack itself is interesting and high-tech, I enjoy the process of explaining to my friends how it works and I am glad that today they work on this kind of stuff in universities.
However, I believe the story is a bit overhyped, because you can protect yourself very well if you follow some reasonable security guidelines. By "reasonable" I mean "guidelines that won't force you to change your entire life and habits". One has to rationally study the problem and figure out that the chance of becoming a victim can be minimized to acceptable rates.
This story provides some tips: http://www.lazybit.com/index.php/2008/02/27/protect-cold-reboot-attack-encryption?blog=2