From heise:
Scientists at Princeton University have demonstrated how encryption keys can be retrieved from memory if the attacker has physical access to a computer which is switched on or in standby, by making use of a well known phenomenon – the relatively slow decay of DRAM data when power is removed.
So, has harddisk encryption become obsolete? For general data loss or the common thief, it's an effective defense. But for the determined hacker, it's not a total defense. Use a data classification and for the people with access to the most confidential information, limit the use of standby and hibernate.
See also:
- Lest We Remember: Cold Boot Attacks on Encryption Keys (PDF), research report by J.Alex Halderman et al.
Suddenly, I remembered the possibility of doing memory forensics through the firewire interface:
The ability to read and write to another computer's physical memory through the FireWire interface was first exploited by Quinn "The Eskimo" in 2002. His program FireStarter allowed to remotely manipulate the contents of a target Mac's display. For his hack Quinn was awarded the first price at the MacHack Best Hack Contest 2002.
Michael Becher, Maximillian Dornseif and Christian N. Klein explained in their talk 0wn3d by an iPod at PacSec 2004 how FireWire could be used in a forensically sound memory acquisition procedure.
Adam Boileau (aka "Metlstorm") solved the problem of accessing a computer running Microsoft Windows in his presentation at RUXCON 2006. He also released some Python modules and memory acquisition tools.
Remember that you don't need onboard firewire ports but you can just use a PCI or PCMCIA card. Plug and play. :-)
Also have a look at this CCCamp presentation:- Cryptographic key recovery from Linux memory dumps: Does dm-crypt and cryptoloop provide expected security when facing modern computer forensics techniques? by Torbjörn Pettersson
Update (25/02/2007): Microsoft responded (MSDN Blog) to the whole story. They take the same stance that encryption has not become useless. You can disable standby (or sleep as they call it) and use additional authentication coming back from hibernate. The risk of a targeted physical attack with these skills is rather low. Read more.
For example BitLocker provides several options that allow for a user (or more likely Administrator) to increase their security protections but at the cost of somewhat lowering ease-of-use. BitLocker supports options that will not allow a machine to boot – or resume from hibernate – until the user can:
- Enter a PIN
- Insert a USB stick that contains a secret Key
- … and as of Windows Vista SP1 both enter a PIN and insert the USB stick!
We provide best practice guidance in the Data Encryption Toolkit that describes the various manners in which the above choices can be made and also provides advice to help improve security, such as disabling ‘sleep mode’ – forcing a user to hibernate and thus allowing memory to lose the ghost images discussed. These power management settings can all be configured centrally using Group Policy Objects.
Security4all Blog
Twitter
Slideshare
Facebook
Digg
Flickr
0 comments:
Post a Comment