Feb
27
A joint group of people from
Princeton have recently managed to prove the fact that RAM chips, when cooled to a very low temperature, can continue to retain the contents of RAM for up to several minutes after they have been physically removed from a computer.
The group, then built their own tools and programs to read off the contents of the memory after the computers were rebooted - proving that disk encryption technologies (such as Truecrypt for instance) can be defied. This is demonstrated in a video posted on youtube (see extended body of article)
The concept can also be also easily demonstrated following a simple experiment outlined on the groups page
here.
Q. What can users do to protect themselves?
A. The most effective way for users to protect themselves is to fully shut down their computers several minutes before any situation in which the computers’ physical security could be compromised. On most systems, locking the screen or switching to “suspend” or “hibernate” mode does not provide adequate protection. (Exceptions exist; some systems may not be protected even when powered off. Check with the developer of your disk encryption software for further guidance.)
Following up this, according to Ivan Krstic, director of security architecture at OLPC (One Laptop per Child) - the recently announced MacBook Air is resistant to what is now known as the "Cold-Boot Encyption Attack" simply because the machines DDR2 RAM (2gb) is soldered on and cannot be physically removed. In addition, if Apple release an EFI firmware upgrade to zero the contents of the RAM at every boot, then the MacBook
"...would become one of the only—if not the only—mainstream laptop featuring full-disk encryption that's highly-resistant to the troublesome Princeton attack."
(
source)
Microsoft also reacts to this vis-a-vis their BitLocker technology in Vista.
Ryan Naraine reports on this here.
Microsoft suggests that the most secure method to use BitLocker is in hibernate mode and with multi-factor authentication.
According to Robert Hensing, a software engineer in Microsoft's SWI (Secure Windows Initiative) team, this class of attack is not new and was actually raised at the 2006 Hack in the Box conference in Kuala Lumpur, Malaysia.
The Register also has their views on this...BitLocker, meet BitUnlocker.
A question directed to Digital Forensic experts - Is this a blessing in disguise? What's your take on it?
Update: More information on the discussion can be found
here
Continue reading "Recovering passwords from RAM"
Posted by Donald Tabone
Feb
27
We acclaim another step in the right direction, in line with the scope of http://maltainfosec.org
In a bid to combat cyber exploitation of children, IT Minister Austin Gatt yesterday announced an intensive awareness campaign as students marked Safer Internet Day.
Dr Gatt also launched an information package, which will be distributed to all students from Year Four in primary schools right up to Year Five in secondary schools, as well as their teachers and parents.
Over 43,000 information packages and interactive CDs will start being distributed to parents and students this week, while posters, DVDs and CDs will be circulated in schools.
Attending an event organised by Aġenzija Appoġġ at the Playmobil Funpark in Ħal Far, Dr Gatt said that while children's education was sacred for the government, so was their security.
Echoing a post on the Times of Malta 27th Feb 2008
Posted by Donald Tabone
Feb
21
Our
post on
PassPack last week attracted quite a bit of attention. We were able to have an interesting discussion over security concerns that have to do with most (and probably all) online password managers. Similar to PassPack there are other services like
Clipperz and
Just1Key, all of which would be subject to the same concerns that we raised - the basic question of trusting a 3rd party server with your passwords. If you missed out, check out the
post to learn about the actual concerns.
One solution that PassPack
seem to be seriously considering is the option to license their server technology to 3rd parties. In the case of a company that buys a license and installs PassPack on an internal server, this would shift trust concerns from the service provider (happens to be PassPack) to the company's own systems administrators. This assumes that proper code review is done by whoever is concerned.
We also picked on the
One time passwords feature in PassPack, and why it is not a panacea solution to the keyloggers problem. The conclusion was that PassPack needs to clearly inform the users that passwords need to be generated ahead of time. Without doubt, making use of public computers such as the ones found in internet cafe's or kiosks, is a bad idea by itself. There are too many layers which an attacker can target - the computer's memory, the web browser by replacing the logout button with one that does nothing, and so on.
All that said - PassPack has a lot of potential, they put a lot of focus on both the user experience and security. Upcoming features such as being
able to share passwords with other users can definitely be useful (although that is a bad practice and should be avoided most of the times).
From our part, we look forward to seeing how PassPack and similar services will change the way we threat our passwords.
Posted by Sandro Gauci
Feb
14
Valentine’s Day isn’t stopping controllers of the Storm Trojan from using the holiday theme to trick users into downloading the malware.
Continue reading "Happy Valentine’s Day from: The Storm Trojan"
Posted by Giannella De Leonardo
Feb
13
Note: We posted a followup on this.
PassPack is a new service that addresses the ever
growing problem of passwords.
PassPack is an online password manager for people who travel or change computers often. Unlike other password managers, PassPack is available 24/7 via internet, nothing to download or install.
Great! Problem solved.
But how do they achieve this?
With AES encryption (the same as used by the US Government) and an SSL Secure Connection, your data travels safely over the internet. But let's suppose a hypothetical "bad-guy" gets into our servers, all he'd find would be a bunch of illegible data (not even PassPack can read your data).
What caught my eye was the part where they state that not even PassPack can read your data, which reminded me of the
Hushmail incident. The free
secure email service makes claims that:
By using Hushmail, you can be assured that your data will be protected from that kind of broad government surveillance.
Which is simply not the case. In fact later on in their FAQ, Hushmail have a section which explains that they have to comply with the law just like everyone else. Same with PassPack - the encrypted data on their servers cannot be accessed off their servers without the password. The problem is that, if need be, PassPack is able to read your password and then use it to decrypt your information.
So what about the other claims?
Disposable Logins (OTP)
A Disposable Login is a one time Pass and Packing Key combination: you use it once, then it's thrown it away.
Disposable Logins come in handy when traveling and you need to use a public computer.
With Disposable Logins, you can outsmart keyloggers. Even if your disposable Pass and Packing Key were to get "captured", it doesn't matter: they won't work again.
Well - not today's loggers! Nowadays, both
commercial and
underground/malware keyloggers support screen capturing. This means that if you are in an internet cafe, there always is the chance that not only are your keystokes monitored, but also your all your activity on the computer, including screen captures and mouse clicks.
But it is not all bad - I do like PassPack's idea of tackling the problem of multiple passwords. Some of the features that they offer are also pretty interesting such as the "Anti-Phishing Welcome Message". While this is not nothing new and Yahoo and others have been using such features, it is good to see them more widespread. However, as you might have guessed, I won't be handing out my google, hotmail or amazon passwords to PassPack.
Posted by Sandro Gauci
Feb
13
On February 1st, 2008 Microsoft offered $44.6 billion for Yahoo. A truly desperate attempt to catch Google.
Posted by Donald Tabone
Feb
7
As reported on MaltaMedia Dec 27,2007
In June 2005 Malta, as a Beneficiary Country, signed a Twinning Agreement entitled Capacity Building Programme in Information Security with the United Kingdom, as a European Union Member State for a period of 28 months.
The project implementation was entrusted to Malta Information Technology and Training Services Ltd (MITTS Ltd) as the Government’s designated INFOSEC Authority under the direction and guidance from the Ministry for Investment, Industry and Information Technology (MIIIT). The UK Twinning Partner was entrusted to Northern Ireland Public Sector Enterprises
(NI-CO) in conjunction with
QinetiQ Ltd which is an international defence and security company.
The purpose of this Twinning Agreement was to increase the understanding and facilitate the implementation of the EU Council Security Regulations 2001/264/EC issued on the 19th of March 2001 and to support Information Security measures in the Government of Malta Public Service to enable adherence to these regulations, which is a compulsory condition for all the Member States and thus of the Acquis Communautaire. In this light the project saw to the basic, advanced and specialised training of officials in the Public Service, government agencies and entities in particular areas related to Network Security, Wireless Security and Digital Forensics.
Study visits were organised for Maltese personnel to travel to various European countries to view operational security processes in practice with the aim of sharing good practices and acquire knowledge from other EU Member States.
The Twinning Agreement came to an end in October 2007 and has been mainly financed by the European Union.
The full article can be read here.
Posted by Donald Tabone
Feb
7
The new truecrypt supports
full disk encryption with preboot authentication - yay for the truecrypt team! Another feature that I have personally been waiting for was Mac OS X support. Since OS X support had been on the to do list for such a long time, thanks to the
OS X Crypt guys for showing that it is possible to have Truecrypt for mac
Check out whats new
here.
For an instructional video go
here.
Posted by Sandro Gauci
Feb
5
Have you been ever scammed on eBay? If so, read on...
Ask eBay users about auction fraud and payment scams, and you'll hear different stories with the same theme: While eBay can be a great marketplace, both buyers and sellers need to beware.
Continue reading "How to buy and sell on eBay scam-free"
Posted by Donald Tabone
Feb
5
For those of you wondering what the title is on about, I invite you
download this PDF presentation (E. H. Spafford 2001, 2002) and you'll know exactly what it refers to.
Albeit rather outdated, this 26 page presentation by the Center for Education and Research in Information Assurance and Security (CERIAS) talks about valid myths and misconceptions that these days still surround us.
After presenting a (humorous) pictorial time-line of the evolution of computers, he talks some of the causes of security problems, followed by their effect and a bunch of myths that we somehow are lead to believe. In that so, he then continues to explain the reality of things the way they actually are.
How about security expertise? Spafford again shows us the reality of things amidst general misconceptions that continue to float around us.
Still valid today --- Spafford concludes with the following points which we acclaim
- Security is an unattainable absolute.
- We should be seeking high levels of trust, based on sound methods of assurance.
- Assurance is an on-going process, not a set of add-on features.
Like I very often like to evangalise during security awareness sessions I hold from time-to-time, hopefully we are now a bit more aware that...
- Security is not simple.
- Security is not an add-on.
- Quality and security are closely linked.
- Training and knowledge are critical to counter superstition and folklore … but trends and lack of resources mean we are likely to face many challenges.
Posted by Donald Tabone
Twitter
