As expected, memory vulnerabilities are exploited to crack encryption

Maounique Host Rep, Veteran
edited January 2013 in General

As I was saying a few times, whoever gets access to the memory of a computer where TrueCrypt or other encryption tools are running will get access to the keys and will be able to read the encrypted files.
Now we have a commercial app that does just that for Windows.
http://thenextweb.com/insider/2012/12/20/this-299-tool-is-reportedly-capable-of-cracking-bitlocker-pgp-and-truecrypt-disks-in-real-time/
Even if there isn't one for Linux yet, you can be sure the capabilities exist.
A few recommendations to avoid this exploitation:
1. Don't leave your containers mounted after you have finished working with them.
2. Turn off hibernation and don't use swap on a computer that is used to mount those.
3. Don't mount them on a VM out there, even on one in your computer, since many virtualizations for desktop and even specialized servers have the bad habit of saving the memory on disk (hint: VMware).
4. If you have to use that often, save them on mounted storage (NFS/iSCSI/SMB/etc.) and only mount it with a special machine; a VM that doesn't save memory would be ideal, without swap and without hibernation enabled, then expose it further to your workstation. Also remember to unmount it and turn off the machine when done.
If the attacker can read your memory or you have files saved on the drive containing the memory, it is game over.

Comments

  • oh, great...

  • There have been pretty easy to use tools to do this for quite some time now. The bottom line is that physical access trumps pretty much everything.

  • KuJoe Member, Host Rep

    Another good idea is to not host sensitive data where somebody else has physical access to it. :)

  • Maounique Host Rep, Veteran
    edited January 2013

    @NickM said: There have been pretty easy to use tools to do this for quite some time now. The bottom line is that physical access trumps pretty much everything.

    Even if the attacker has physical access, even if there is a raid on you when you don't expect it, even if you have the data stored remotely, you can still defend against it most of the time by following at least some of the advice I posted.
    As for the tools, right, it was possible for some time, but now there are easy tools for Windows, something that even cops can use if really bright.

  • jar Patron Provider, Top Host, Veteran

    Thanks for sharing. The answer to it all lies in AI, I'm convinced. Bring on skynet!

  • Here we go!

  • See! This is why everyone needs to use TOR!

  • Intcs Member
    edited January 2013

    @NickM said: The bottom line is that physical access trumps pretty much everything.

    That's wise =)

    I used to trust how secure is "strong encryption" more.. Perhaps for a regular system as well, using a strong encryption key in a media hidden from physical access, use a good password and only memorize it, and don't get hacked through network and controlled by someone else, at least for the system that's connected to encrypted data.. That might make encrypted data on that system more secure.

    @Maounique: On my Windows system I always use hibernation while it's connected to an encrypted external drive! And have a screen lock so that if someone had physical access they might have to reboot at least once and then everything returns secure, lol!

    Furthermore to what you've actually enlightened me: What if he even tried to restore the hibernation dump file from disk at any time? Which I can bet Windows (especially XP) doesn't encrypt data on it but instead contains readable data! Isn't it? That needs some consideration of hibernation on XP, 7, 8..etc and whether or not they encrypt the dump file with RAM data, and in Linux hibernation as well.. Otherwise we might search for a third party software that does hibernation more safely both on a VPS or PC, is there any? :(

  • Maounique Host Rep, Veteran

    @Intcs said: @Maounique: On my Windows system I always use hibernation while it's connected to an encrypted external drive! And have a screen lock so that if someone had physical access they might have to reboot at least once and then everything returns secure, lol!

    Furthermore to what you've actually enlightened me: What if he even tried to restore the hibernation dump file from disk at any time? Which I can bet Windows (especially XP) doesn't encrypt data on it but instead contains readable data! Isn't it? That needs some consideration of hibernation on XP, 7, 8..etc and whether or not they encrypt the dump file with RAM data, and in Linux hibernation as well.. Otherwise we might search for a third party software that does hibernation more safely both on a VPS or PC, is there any? :(

    There are 2 problems and ways of attack, one that uses the hibernation file you understood and another using the computer's memory. An attacker will not need to reboot even if you disable hibernation, will just read the memory. There are ways to attach FireWire and USB devices to read memory directly or, if that is impossible for some reason, can always take it out and put it fast into another computer or device, because memory is not wiped when powered off, it slowly goes deleted in as long as 10 minutes if kept in a cold place.
    If you leave the computer open with the encrypted device mounted, a resourceful attacker will read your files one way or the other and leaving the hibernation on it makes it easy for even someone who does not have special devices to read memory on the spot.
    You will need to unmount the encrypted container/device as soon as you finished with it if you fear an attacker might have access to your computer.
    In this case, you will probably have keyloggers to read your password too, use a password only when you encrypted the system disk to boot it, after that use various files NOT on the computer (from other mounted containers, from internet or from some USB device, preferably some combination), use cascading algorithms even if it slows down the access.

  • If someone (a government agency?) is determined enough to get your files and is willing to turn off your computer, remove the memory, put it in a portable refrigerator, etc... you have much bigger things to worry about :)
    In the end they could just send you to Guantanamo where they can "convince" you to give up all the encryption keys and other information they need.

  • It's cute to see everyone be so pretentious and pretend that anyone gives enough of a fuck about them to try and access their data, lol.

  • jar Patron Provider, Top Host, Veteran
    edited January 2013

    @gubbyte said: It's cute to see everyone be so pretentious and pretend that anyone gives enough of a fuck about them to try and access their data, lol.

    Couldn't care less about most of mine, but clients... gotta stay interested in this stuff for their benefit.

  • MrX Member

    There is no cracking taking place here. The encryption algorithms are still secure. The weakness lies in the implementation and storing keys in memory. This is hardly news. The only newsworthy thing here is that it's been simplified now.

  • Well nothing new here, those are some standard attacks "against" disk encryption. Commercial tools have been available for this since a few years IIRC

  • Intcs Member
    edited January 2013

    @Maounique said: There are 2 problems and ways of attack, one that uses the hibernation file you understood and another using the computer's memory. An attacker will not need to reboot even if you disable hibernation, will just read the memory. There are ways to attach FireWire and USB devices to read memory directly or, if that is impossible for some reason, can always take it out and put it fast into another computer or device, because memory is not wiped when powered off, it slowly goes deleted in as long as 10 minutes if kept in a cold place.

    If you leave the computer open with the encrypted device mounted, a resourceful attacker will read your files one way or the other and leaving the hibernation on it makes it easy for even someone who does not have special devices to read memory on the spot.
    You will need to unmount the encrypted container/device as soon as you finished with it if you fear an attacker might have access to your computer.
    In this case, you will probably have keyloggers to read your password too, use a password only when you encrypted the system disk to boot it, after that use various files NOT on the computer (from other mounted containers, from internet or from some USB device, preferably some combination), use cascading algorithms even if it slows down the access.

    Thanks for all the tips..

    I'm curious about hibernation since as you know, there are restore methods for deleted files, and if nothing was written over its disk space it's simply a 100% possibility of restoring hibernation data, so I think unencrypted hibernation dump on my disk means I need to run a prolonged disk wipe frequently, or otherwise Memory data might be available and so decryption of data as it appears..

    Actually all of my encrypted data isn't that important, but just has personal and family stuff over long years which I don't like someone else to have, let's say once my pc gets stolen, while no problem for money in that case I care much of personal data. I've worked once in a maintenance center for one big and known PC manufacturer, and I was surprised of how techie was curious of viewing photos and files in customers PCs! Since that time I started of making all my personal data not accessible to others, to the level of some projects, designs and even less important data with personal flavor. I just thought it's my data and I like to be the one who decide who can view it. I still don't use encryption on VPS files though..

    So back on topic, as for unmounting frequently I used to never leave PC with encrypted drive mounted, connected to network while I'm away for long, but I keep it running (if not hibernated) offline from network/internet. And if a download/upload is needed overnight I leave it mostly on my netbook where no personal data is stored. That's to lessen the chance of an online access/control.

    USB access might have difficulty as my process control is active so initiate of a process through USB/other interface should need an approval, while the screen is password locked, I thought that's at least a basic level of security against it in my case where I fear most of it gets stolen. I'm running a firewall for network and process control, together with the antivirus, so I thought keylogger as well should have a hard time as two to three levels of access deny will face it, so I'm glad the door isn't that much opened :P. But it's a good idea to replace passwords with files however I need to decide of the storing place for it.

    Again, thank you ;)

  • Maounique Host Rep, Veteran
    edited January 2013

    I suggest you encrypt your system partition too, since the hibernation file is stored there. Of course, with another password.
    That will solve most problems, except the memory reading and that can only be solved if you shut down your computer when you are not there.
    You should encrypt your system partition anyway, because the swap often stores part of the open files also temp stores similar, archives temp space for unarchiving, etc.

    @rds100 said: In the end they could just send you to Guantanamo where they can "convince" you to give up all the encryption keys and other information they need.

    Well, at least you made their life hard and something about that will get known when the Guantanamo files will get leaked and you will be able to ask for compensations.
    If the police simply gets your files out of your negligence, they will continue at the next number in the street in impunity. Didn't find anything when they raided you? Well, while they are on your street, why not try your neighbours, you have an open wi-fi, no, therefore anyone on a certain radius will be raidable, let the fun begin!
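
The checks behind recommendations 1 and 2 of the opening post, and behind the hibernation-file and swap advice in the comment above, as an added example that is not part of the thread: a POSIX shell audit for a Linux host. The function names and the device-name heuristic for swap are assumptions of this example; a swap file is reported as plaintext even when the filesystem holding it is encrypted.

```shell
#!/bin/sh
# Added example: audit a Linux host for the key-exposure paths named in the thread.
# Each function takes an optional path so captured copies can be audited offline.

# swap_findings [swaps_file] -> "<kind> <device> <type>" per active swap area.
# Assumption: kind is guessed from the device name only. "mapped" (device-mapper)
# may or may not be dm-crypt; "ram" (zram) never reaches disk.
swap_findings() {
    awk 'NR > 1 && NF >= 5 {
        kind = "plaintext"
        if ($1 ~ /^\/dev\/zram/) kind = "ram"
        else if ($1 ~ /^\/dev\/(dm-|mapper\/)/) kind = "mapped"
        print kind, $1, $2
    }' "${1:-/proc/swaps}"
}

# hibernation_available [state_file] -> exit 0 if suspend-to-disk is offered.
hibernation_available() {
    f=${1:-/sys/power/state}
    [ -r "$f" ] && tr ' ' '\n' < "$f" | grep -qx disk
}

# open_crypt_mappings [sys_block_dir] -> names of open dm-crypt mappings.
# cryptsetup gives its mappings a device-mapper UUID starting with "CRYPT-".
open_crypt_mappings() {
    for u in "${1:-/sys/block}"/dm-*/dm/uuid; do
        [ -r "$u" ] || continue
        case $(cat "$u") in CRYPT-*) cat "${u%/uuid}/name" ;; esac
    done
}

# audit_key_exposure [swaps] [state] [sys_block] -> prints findings, returns count.
audit_key_exposure() {
    n=0
    plain=$(swap_findings "$1" | awk '$1 == "plaintext" { print $2 }')
    if [ -n "$plain" ]; then
        echo "WARN swap on unencrypted device:" $plain; n=$((n + 1))
    fi
    if hibernation_available "$2"; then
        echo "WARN suspend-to-disk available: RAM image would be written out"; n=$((n + 1))
    fi
    open=$(open_crypt_mappings "$3")
    if [ -n "$open" ]; then
        echo "WARN encrypted volumes still open (keys in RAM):" $open; n=$((n + 1))
    fi
    [ "$n" -eq 0 ] && echo "OK no findings"
    return "$n"
}

audit_key_exposure "$@" || echo "findings: $?"
```

A "mapped" swap device still needs `cryptsetup status` to confirm it is dm-crypt and not plain LVM.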

  • Intcs Member
    edited January 2013

    @Maounique said: I suggest you encrypt your system partition too, since the hibernation file is stored there. Of course, with another password.

    That will solve most problems, except the memory reading and that can only be solved if you shut down your computer when you are not there.
    You should encrypt your system partition anyway, because the swap often stores part of the open files also temp stores similar, archives temp space for unarchiving, etc.

    That's to be considered. But apology if that's not directly related to main point, I was considering if there should be serious measure taken to protect data from the encryption itself? Means for saving the encryption keys, password, files, and never ever get them lost and just cause a disaster by losing all data, especially that that's a common disaster starts with Windows XP NTFS encryption to all other types. As I have a backup of all HDDs stored in a hidden external HDD, which isn't encrypted except with a password on the backup archive, I was thinking of changing that which isn't safe, but won't happen without confidence of never losing the "keys".. Do you take care of that? ;)

  • Maounique Host Rep, Veteran
    edited January 2013

    Well, I personally remember the password for system partition (using DiskCryptor for that) which I mount with USB keys, don't have the boot loader on the laptop itself, then everything else is encrypted using keyfiles on another device which has an encrypted container which I have backed up in various places. I use cascading algorithms for maximum safety in various combinations and my passwords are over 32 chars long. Most important, don't use them anywhere else.

  • Intcs Member
    edited January 2013

    Looks great, you have an encrypted environment, so well done I guess.. I have only one data vault on an external disk. Used to have other media like a flash drive encrypted but then cancelled it, so everything encrypted is currently on a large, single partitioned external disk. So I'll need to (1) Encrypt system partition (2) Have a secure place for keys and even 'rescue backups' used for decryption, probably online or with an online secured copy.

  • lzp Member
    edited January 2013

    @NickM said: There have been pretty easy to use tools to do this for quite some time now.

    I'm not sure why this thread was even made by OP - this is nothing new. I thought I'd finally be able to crack two TC containers that I made some ridiculous password for and then forgot immediately afterwards. No, it's just the same (useless) information from three years ago.

  • Maounique Host Rep, Veteran

    As you can see many ppl don't know how to defend against this kind of easy exploits of negligence.
