There is a lot of hype about stealing the encryption key for FDE from memory even after shutdown. I've held off on posting about this for a couple days for the verdict from both sides to come in, and I've been doing some thinking about all this. Security Focus highlighted Microsoft's (typical) response, essentially saying 'You don't need to worry about it so much.' They cite multiple ways to increase your security posture, namely using a USB key or entering a PIN (or both) to resume from hibernate or suspend. Meh. To me, that's not really relevant. They go on to say that for this attack to be valid, a few things have to happen: the attacker has physical access, the laptop would be in sleep mode (or recently hibernated or shut down), no multifactor PBA, and the attacker wants that data.
I think no multifactor PBA is a fine excuse for Microsoft, but there is no PBA for some encryption methods (dm-crypt, I mean you). The laptop must be sleeping -- not entirely accurate, since the key can still be recovered 10 minutes after shutdown. I would be interested to know what the mode time is for recovering the encryption key. 30 minutes?
Microsoft is saying that there must be a balance between security, usability, and risk. I don't accept this. A system can be secure, usable, and low risk, it's just not cost effective to make it. How about booby trapping the RAM the way RSA booby traps their key fobs? Maybe there should be a BIOS-integrated process to purge the encryption key from RAM when the system goes down? Or maybe just password protect your BIOS and prevent USB or external boot!?!
There are some really good comments on the hack-a-day article and Wired's article is worth reading.
29 February, 2008
The FDE key recovery method
Selling FTP access
rwnin's recent post got me thinking about an article I read yesterday. Essentially, online thieves are selling access to FTP servers of well known companies (read: some are Alexa.com top 500 companies). Really ties in well with rwnin's post -- the definition of value really depends on your perspective. Hosting malware on legitimate sites is big business (or so it seems).
This also highlights (again) the importance of a good security staff. Yes reading logs can suck, but you need to do it! If the security admins, or even the server admins, were reading those FTP logs, they'd be like 'wtf!' Am I beating a dead horse with this 'good security people' mantra? I used to think it was just some of us who were overworked and couldn't do the real security work. Is it everyone, everywhere? Someone please tell me, because that's pretty discouraging.
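As an added illustration of the "read your FTP logs" point (this is example code written for this page, not anything from the article or from any vendor), here is a small scanner over constructed vsftpd-style log lines. It flags what a server admin skimming the log would have spotted: a successful login from an address outside an assumed admin allowlist, a login immediately after repeated failures, and uploads of executable or script files into a web-served directory. The log lines, the allowlist and the thresholds are all made up for the example.

```python
import re
from collections import Counter

# Constructed sample lines in a vsftpd-like format; no real host, user or address is shown.
SAMPLE_LOG = """\
Mon Feb 18 09:01:12 2008 [pid 2101] [webadmin] OK LOGIN: Client "192.0.2.10"
Mon Feb 18 09:02:40 2008 [pid 2101] [webadmin] OK UPLOAD: Client "192.0.2.10", "/htdocs/index.html", 4120 bytes, 80.00Kbyte/sec
Mon Feb 18 23:14:03 2008 [pid 2377] [webadmin] FAIL LOGIN: Client "198.51.100.77"
Mon Feb 18 23:14:09 2008 [pid 2378] [webadmin] FAIL LOGIN: Client "198.51.100.77"
Mon Feb 18 23:14:15 2008 [pid 2379] [webadmin] OK LOGIN: Client "198.51.100.77"
Mon Feb 18 23:15:02 2008 [pid 2379] [webadmin] OK UPLOAD: Client "198.51.100.77", "/htdocs/img/loader.php", 2048 bytes, 40.00Kbyte/sec
Mon Feb 18 23:15:30 2008 [pid 2379] [webadmin] OK UPLOAD: Client "198.51.100.77", "/htdocs/img/setup.exe", 51200 bytes, 120.00Kbyte/sec
"""

# One regex covers LOGIN and UPLOAD records; the quoted path only exists for uploads.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'(?P<status>OK|FAIL) (?P<action>LOGIN|UPLOAD): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?'
)

# Assumed policy values for the example: file types that should never land in a
# web root via FTP, the addresses the admins normally come from, and how many
# failed logins before a subsequent success is worth a second look.
RISKY_EXT = (".php", ".exe", ".js", ".jar", ".scr", ".htaccess")
KNOWN_CLIENTS = {"192.0.2.10"}
FAIL_THRESHOLD = 2


def parse(text):
    """Turn log text into a list of dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious(text):
    """Return (reason, client_ip, detail) tuples for events a reviewer should see."""
    alerts = []
    fails = Counter()          # failed logins per client address, in log order
    for e in parse(text):
        if e["action"] == "LOGIN" and e["status"] == "FAIL":
            fails[e["ip"]] += 1
            continue
        if e["action"] == "LOGIN" and e["status"] == "OK":
            if e["ip"] not in KNOWN_CLIENTS:
                alerts.append(("login-from-unknown-ip", e["ip"], e["user"]))
            if fails[e["ip"]] >= FAIL_THRESHOLD:
                alerts.append(("login-after-failures", e["ip"], e["user"]))
        elif e["action"] == "UPLOAD" and e["status"] == "OK":
            path = (e["path"] or "").lower()
            if path.endswith(RISKY_EXT):
                alerts.append(("executable-upload", e["ip"], e["path"]))
    return alerts


if __name__ == "__main__":
    for reason, ip, detail in find_suspicious(SAMPLE_LOG):
        print(f"{reason:24} {ip:16} {detail}")
```

Run against the constructed sample it reports four findings: the unknown address, its login after two failures, and the two uploads of a `.php` and an `.exe` into `/htdocs`. Real deployments would pull the allowlist and extensions from configuration and run this on a schedule or as a log-shipper filter; the point of the post stands either way, somebody has to look at the output.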
20 February, 2008
The evolving security process
I've been swamped at work and been getting distracted by some other things... but I read something for the second time today that made me stop and think. The whole point of the post above is that the ideology, or rather the methodology currently used for defending corporate networks and (more generally) fixing vulns is utterly flawed. Space Rogue agrees, and frankly so do I. I've been saying this almost as long as I've been active in security: the problem, 9 times out of 10, is the user. Improve the user's security perspective, you improve your network security, right?
After reading the article again, I still agree -- user awareness and training should be the number 1 priority, and a lot of the patching, vuln analysis, etc. is BS because the benefit doesn't outweigh the costs. But I am reminded of a thread that came through the security focus mailing list recently that highlights the problem of user training. There were a lot of replies to the thread, and the overarching answer was that some people just don't care. That's exactly the problem with user training -- not only can you not quantify the benefit for the C-level execs, but there is some percentage of the workforce that is either unhappy, uncaring, or otherwise ignorant. Malicious users are so much more of a problem than hackers in my mind. The amount of stuff one user can find on a medium sized corporate network on his/her lunch hour is astonishing. Especially if the security staff is small or the architecture is old and needs updating.
The other problem is that training, especially something like security training, is such a bore. Some might be happy just to get out of the cube, but I bet the majority think it's just another annoyance sent down to the peons from the board. I know when I attend my annual security awareness training it's a total drag.
At the same time, the point is still valid -- the method is flawed. Why waste so much time implementing things like ridiculous password requirements or bleeding edge 100% patching or even AV really? These days if a domain admin gets a virus, it's probably going to spread unless the AV architecture is perfect (or at least pretty great). I am reminded of another recent post, this time by Jeremiah Grossman, on the importance of your security staff. If you're understaffed, just about everything you do for security is an exercise in futility since you'll just fall farther and farther behind in whatever you're trying to get done. Then you have to waste more time figuring out what you're going to do about all the work you have and prioritize what you're doing day-to-day. What a waste! Why concentrate on the BS work when so many more important things need to get done?
The answer to this is not an easy one. Management doesn't like spending money on security because it's not a cost center, and they don't like spending money on training because it's hard to quantify, just like security. On the other side, a lot of security people would lose their jobs if the ideology changed to something more proactive and logical, so... will the methodology ever change? Doubtful, since even one security breach can cost millions, and a company always wants to spin the incident as an isolated event, the work of some evil, skilled hacker who ultimately will elude authorities forever. At least, it won't change any time soon. The moral of the story is we need a security enlightenment. As things migrate more and more to the web, we really need to rethink how we've practiced security in the past. As the types of networks and applications we have change, so do the goals of hackers and malicious users. The same 90's era thinking won't hold up for much longer.
14 February, 2008
This music makes me want to puke
Ever hear a really bad song that makes you want to hurl? For me, it's anything by that crappy boy band O-Town. If you've never experienced this joy, now you can. The tube induces a sound so horrible, it makes anyone unfortunate enough to be within range sick to his/her stomach. What a cool idea for defense! Too bad all you need are those noise canceling headphones :)
Pakistan hands out some advice
Some officials in Pakistan had some strong words to say regarding the US policies on nuclear weapons. Not only were these officials critical of the recent nuke mix up, but were also openly critical of the US attitude towards Pakistan's nuclear policies as well as the US political/ideological state. I wanted to post this up because I think these officials have really hit on something here.
When I heard about this 'mistake' (read: unknowingly flying a bunch of nukes to another military base), I was utterly appalled. For something like that to happen, tens of people must have not done their jobs. Yes, work can be monotonous, but when you work with nukes (and other dangerous materials/weapons/etc.) you better bring your A game every single day.
Some of the criticism is worth thinking about, and some of their logic is flawed (i.e., how they justify selling nuclear secrets to other countries), but the article really highlights a significant shortcoming with regard to this incident. This should be taken seriously.
13 February, 2008
Caller ID spoofing
I read an article on digg today about caller ID spoofing. This guy makes it sound so easy, so I googled a bit and found that it really is pretty easy. Spoofcard is the service he used and seems to be the primo in providing this capability. Telespoof is one of their competitors. There's a program called Asterisk for Linux that lets you spoof caller ID if you've got VoIP.
I wonder if you can do this with a vonage account? Probably violates the terms and conditions.
08 February, 2008
A voice for electronic voting
Mike Elgan wrote an article in favor of electronic voting machines. In the article, he is critical of the attitudes of Americans toward electronic voting machines, and criticizes the current electronic voting process. He proposes a new system where no information is stored on the machine per se. Instead, the voter's choices are printed out after voting, the voter is asked to verify that the information on the paper matches what is on the screen, and, upon selecting 'yes', the data is instantly sent to be tallied, then purged. The paper is deposited into a ballot box outside for a redundant paper trail.
It seems that Mike believes that storing data is the problem; however, it's not storing the data, it's transmitting the data or having voter visibility that is the problem. Back when some guys at Princeton demonstrated a few ways to hack a Diebold voting machine, they showed how their 'virus' could print out data that corresponds to the voter's actual votes, but modifies the data internally. The problem is the same here, although the attack vector has changed. Instead of opening the machine and uploading a virus via SD card, an attacker would need to find a new way of getting into the voting machine. I'm not sure I feel comfortable giving voting machines network access. All those schools that are polling places might not have the best networks.
I don't have a solution, but it is clear we need to rethink this.
Another loss of privacy
Security Focus published a story about DHS and customs searching the laptops, PDAs, and other electronics of travelers. I am a bit shocked actually that there's no regulation or law governing these searches. If someone came up to me in an airport and said, "I'm with DHS. I need your laptop." I'd probably (eventually) hand it over, but would refuse to divulge any passwords or other information that could assist them in any way.
I understand the mandate of keeping our borders secure and cracking down on child pornography or other illegal material that gets transported via electronic mediums, but for some unknown person to copy my hard drive information, which does contain personally identifiable and sensitive information, that's a liability for my security. As the article says, where do the copies go? How are they destroyed? Are they destroyed? What about this woman who hasn't seen her laptop for a year??
Laptop aside, what about my phone and ipod or other electronics I might carry? I can password protect my phone before traveling, I guess that works, but how do you secure a music player? Is a password on my phone enough?
This all begs the question, "What happens if you refuse to cooperate, refuse to disclose a password?" Search without a warrant or probable cause should be absolutely illegal. This is a blatant violation of a person's right to privacy and we as citizens should not stand for it.
Windows Live CAPTCHA dead too...
Less than a few weeks after the Yahoo! CAPTCHA was cracked, down falls the Windows Live CAPTCHA with an automated tool that hits about 35% accuracy. Is Google next? What's the solution? Here are some ideas (some not so good). The main problems seem to be providing a limited number of choices for answers (opening to brute force), and making an easy test for the blind or differently-abled users.
07 February, 2008
You're a phoney! PHONEY!
Schneier picked up a story on cloned trucks, that is, getting an 18 wheeler, the decals for a normal Wal-Mart semi, cloning the truck, getting a driver, putting him in a Wal-Mart uniform, getting fake (Wal-Mart) plates, then loading it up with coke and ganja. Now that's a great idea. I wonder how much money the kingpins make from using these kinds of schemes.
What I thought was most surprising was the US Border Patrol truck. I mean, really... I know that most people wouldn't question the authenticity, but that's just playing with fire. And what's up with the crappy ripoffs? If you're going to do something illegal, you'd better do it right.
I'll keep my eyes open from now on -- and if I see (800) 2-ADVICE, I'm calling the cops.
06 February, 2008
Truecrypt 5 is out!
Sweet! At long last, there's a full disk encryption solution with pre-boot authentication for Linux! Wait a second... that feature's only available for Windows???
I've been looking for a free, open source solution to FDE with PBA for Linux without any luck. Yes, I know dm-crypt w/ LUKS can do (almost) FDE without PBA, and you either need an external boot partition or an unencrypted one. Not great choices. I don't understand why there's no solution out there! I'm no expert in encryption or cryptography at all, so I'm totally unqualified to make any kind of statements on the feasibility of PBA, but if the MBR gets overwritten with the crypto backend's MBR, which essentially demands a passphrase to boot, you copy the real MBR to a secondary one (chainloading?) and once the passphrase is verified, call that MBR.
The tricky part (for me at least) is how you verify the passphrase while not storing it in plaintext or otherwise unencrypted. If you're making calls into an encrypted filesystem before providing a valid passphrase, or using some other kind of hashing mechanism to determine a match, that seems like a security risk, no? Passphrase verification for PBA systems may be trivial, I have not done my research (or googling) on this, but I can't believe it's significantly harder in Linux vs. Windows. Using PBA would allow the boot partition to be encrypted as well -- pure FDE.
I know Linux lags behind with some of the new(er) technologies out there, but this has been around for a while, so I must be missing some key piece of the puzzle. I need to do some research.
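On the passphrase-verification question raised above: the usual answer (and the one LUKS uses) is that nothing derived directly from the passphrase is stored at all. A random master key encrypts the volume; each key slot holds a salt and a copy of the master key wrapped under a key stretched from the passphrase; and the header holds a salted, iterated digest of the master key. To check a passphrase you unwrap the slot and compare the digest of what comes out, so the only hashes on disk are of the master key, not of anything the user typed. The example below is written for this page to show that structure in working code; it is not LUKS or TrueCrypt source. It keeps the real layout (PBKDF2 with per-slot salts, a master-key digest, multiple slots) but stands in for the real AES unwrap and anti-forensic splitting with a one-time XOR pad, and the iteration count is a made-up constant rather than the per-machine benchmark a real tool performs.

```python
import hashlib
import hmac
import os

# Assumed parameters for the example (real tools benchmark iterations per machine).
ITERATIONS = 100_000
KEY_LEN = 32          # 256-bit master key and 256-bit wrapping key


def _kdf(secret, salt, iterations=ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256; used both to stretch passphrases and
    to build the master-key digest, as LUKS1 does."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, KEY_LEN)


def _xor(a, b):
    """Stand-in for the real key-wrapping cipher: one-time pad of equal length."""
    return bytes(x ^ y for x, y in zip(a, b))


def add_key_slot(header, master_key, passphrase):
    """Add a slot unlocking the same master key with another passphrase.
    The passphrase itself is never stored; only the salt and the wrapped key are."""
    salt = os.urandom(16)
    kek = _kdf(passphrase.encode(), salt)
    header["slots"].append({"salt": salt, "wrapped": _xor(master_key, kek)})


def format_header(passphrase, master_key=None):
    """Create a LUKS-like header for a fresh volume and return (header, master_key).
    The caller would use master_key to encrypt the volume and then discard it."""
    mk = master_key or os.urandom(KEY_LEN)
    digest_salt = os.urandom(16)
    header = {
        "mk_digest_salt": digest_salt,
        "mk_digest": _kdf(mk, digest_salt),   # digest of the master key, not the passphrase
        "slots": [],
    }
    add_key_slot(header, mk, passphrase)
    return header, mk


def open_volume(header, passphrase):
    """Try every slot; return the master key if the passphrase unwraps one, else None.
    A wrong passphrase just yields random bytes whose digest does not match."""
    for slot in header["slots"]:
        kek = _kdf(passphrase.encode(), slot["salt"])
        candidate = _xor(slot["wrapped"], kek)
        check = _kdf(candidate, header["mk_digest_salt"])
        if hmac.compare_digest(check, header["mk_digest"]):
            return candidate
    return None


if __name__ == "__main__":
    header, mk = format_header("correct horse battery staple")
    assert open_volume(header, "correct horse battery staple") == mk
    assert open_volume(header, "wrong passphrase") is None
    add_key_slot(header, mk, "backup passphrase")     # second slot, same volume key
    assert open_volume(header, "backup passphrase") == mk
    print("header holds", len(header["slots"]), "slots and no passphrase material")
```

Two things the layout buys you follow directly from the code: changing or adding a passphrase only rewrites a slot, the volume is never re-encrypted; and the verification step reads only the header, so a boot loader can do it before it touches the encrypted filesystem, which is what makes pre-boot authentication of a fully encrypted disk possible. The weak points are the ones the cold-boot post above is about: once `open_volume` returns, the master key lives in RAM for as long as the volume is mounted.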
