Domain: jchost.net
Stories and comments across the archive that link to jchost.net.
Comments · 10
-
Re:Security Concerns
You know I've posted this on
/. like three or four times now and you'd think it'd be more common knowledge by now... but getting encryption keys from RAM is pretty trivial. It's called a cold boot attack.
http://citp.princeton.edu/memory/
http://en.wikipedia.org/wiki/Cold_boot_attack
This attack was sort of one that was under the hat of pentesters and hobbyists until a few months ago when it was rather a do-it-yourself thing, but then McGrew Security made a followup PoC - http://mcgrewsecurity.com/projects/msramdmp/ to the Princeton paper. I played with it right after it came out, and then awhile later threw up a tutorial on remote-exploit. Now, Mati Aharoni's a really smart guy and most assuredly knew about the PoC before I did, but shortly after the tutorial and some discussion on IRC, it's now in BackTrack 3 (http://www.remote-exploit.org/backtrack.html) as a syslinux boot option putting the attack within the reach of everyone.
http://tourian.jchost.net/shadow/liveusb/boot.png
Getting the encryption keys out of the ram dump isn't a point and click operation, but the code's out there and it compiles. People are walking around right now with this on their USB key, and it's the sort of attack that is a real problem that physical access and untrusted users present now. Even without the encryption keys, you've still got the contents of previous webpages, cookies, IM conversations, unencrypted files, and everything else in RAM. Disabling boot from USB doesn't matter much because you can just use a grub CD, and carry around a laptop drive and do dumps on multiple machines. Hell, if you felt like dealing with it you could make it a PXE image... even disabling both boot from USB and CD, most cases in public places(think Dell) can be quickly popped open with the power still on and the BIOS jumper tripped.
Things like this should make you really nervous if you were freaking out about Microsoft's little COFEE ( http://tech.slashdot.org/article.pl?sid=08/04/29/1441215&from=rss ) toy, since it's no more impressive than a customized "Gonzor's Payload" U3 USB Drive ( http://wiki.gonzor228.com/index.php/SBConfig ) with a Microsoft Sticker and this is quite a bit more, well, dirty. -
Re:DMA
You don't need special hardware, just do a cold boot attack with a USB key.
http://en.wikipedia.org/wiki/Cold_boot_attack
http://tourian.jchost.net/shadow/liveusb/memoryremanence.png -
Re:It'd be pretty hard to do
Without systems level access to that machine and some pretty expensive hardware tools, there's no reasonable way to hack it.
Wrong. Memory remanence.
http://en.wikipedia.org/wiki/Cold_boot_attack
http://tourian.jchost.net/shadow/liveusb/memoryremanence.png
Even if you're using TPM, your shit still hits RAM. -
Re:TPM != NGTCB
I've got news for you, you're putting way too much faith in BitLocker - it's trivially broken via memory remanence, an attach which there's a public PoC for.
http://tourian.jchost.net/shadow/liveusb/memoryremenance.png -
Re:... on the flip side
You already can, I can dump your RAM from my USB key already(After a reboot, even after removing the RAM from one computer and putting it in another) and go through for whatever I'd like, whether it's encryption keys, disk cache, or buffers from IM conversations. http://tourian.jchost.net/shadow/liveusb/boot.png http://tourian.jchost.net/shadow/liveusb/memoryremenance.png http://tourian.jchost.net/shadow/liveusb/memoryremenance-filecarving.png http://citp.princeton.edu/memory/ http://mcgrewsecurity.com/projects/msramdmp/
-
Re:... on the flip side
You already can, I can dump your RAM from my USB key already(After a reboot, even after removing the RAM from one computer and putting it in another) and go through for whatever I'd like, whether it's encryption keys, disk cache, or buffers from IM conversations. http://tourian.jchost.net/shadow/liveusb/boot.png http://tourian.jchost.net/shadow/liveusb/memoryremenance.png http://tourian.jchost.net/shadow/liveusb/memoryremenance-filecarving.png http://citp.princeton.edu/memory/ http://mcgrewsecurity.com/projects/msramdmp/
-
Re:... on the flip side
You already can, I can dump your RAM from my USB key already(After a reboot, even after removing the RAM from one computer and putting it in another) and go through for whatever I'd like, whether it's encryption keys, disk cache, or buffers from IM conversations. http://tourian.jchost.net/shadow/liveusb/boot.png http://tourian.jchost.net/shadow/liveusb/memoryremenance.png http://tourian.jchost.net/shadow/liveusb/memoryremenance-filecarving.png http://citp.princeton.edu/memory/ http://mcgrewsecurity.com/projects/msramdmp/
-
This has already been done
This is not something new people, I can dump your RAM from my USB key already(After a reboot!) and go through for whatever I'd like.
http://tourian.jchost.net/shadow/liveusb/boot.png
http://tourian.jchost.net/shadow/liveusb/memoryremenance.png
http://tourian.jchost.net/shadow/liveusb/memoryremenance-filecarving.png
http://citp.princeton.edu/memory/
http://mcgrewsecurity.com/projects/msramdmp/ (The MS isn't for microsoft) -
This has already been done
This is not something new people, I can dump your RAM from my USB key already(After a reboot!) and go through for whatever I'd like.
http://tourian.jchost.net/shadow/liveusb/boot.png
http://tourian.jchost.net/shadow/liveusb/memoryremenance.png
http://tourian.jchost.net/shadow/liveusb/memoryremenance-filecarving.png
http://citp.princeton.edu/memory/
http://mcgrewsecurity.com/projects/msramdmp/ (The MS isn't for microsoft) -
This has already been done
This is not something new people, I can dump your RAM from my USB key already(After a reboot!) and go through for whatever I'd like.
http://tourian.jchost.net/shadow/liveusb/boot.png
http://tourian.jchost.net/shadow/liveusb/memoryremenance.png
http://tourian.jchost.net/shadow/liveusb/memoryremenance-filecarving.png
http://citp.princeton.edu/memory/
http://mcgrewsecurity.com/projects/msramdmp/ (The MS isn't for microsoft)