Domain: mcgrewsecurity.com
Stories and comments across the archive that link to mcgrewsecurity.com.
Comments · 8
-
Re:Bullshit!
?
Care to elaborate? It's really not very hard at all to put the RAM in another machine, and boot that machine with a little bootloader/program that just dumps to contents of RAM to a file.
The dude even linked to the tool and the technical explanation: http://www.mcgrewsecurity.com/tools/msramdmp/ -
Re:Security researchers or confidential informants
"The stigma of being a "confidential informant" is quite hazardous. Why do you think there's a Witness Protection Program?"
But... he is a security researcher, here's his security websites and his LinkedIn says he has a PhD in Computer Science and works at the Mississippi State University Center for Computer Security Research (CCSR).
I'd say he's qualified. I don't understand why parent automatically assumed he was just an informant. If you're a private detective and with PhD in Criminal Forensics and you see a felony take place wouldn't you call the police? Would /. then assume you're simply an informant instead of being the private detective that the article correctly identified you as being? -
Re:Trivial.
Heh, you're over estimating the level of skill involved.
There are some interesting discussions of how these services work here:
-
Re:Trivial.
Heh, you're over estimating the level of skill involved.
There are some interesting discussions of how these services work here:
-
How do they work?
If you're curious how these things work, here's a write-up of a typical example of one of these services.
-
Re:Security Concerns
You know I've posted this on
/. like three or four times now and you'd think it'd be more common knowledge by now... but getting encryption keys from RAM is pretty trivial. It's called a cold boot attack.
http://citp.princeton.edu/memory/
http://en.wikipedia.org/wiki/Cold_boot_attack
This attack was sort of one that was under the hat of pentesters and hobbyists until a few months ago when it was rather a do-it-yourself thing, but then McGrew Security made a followup PoC - http://mcgrewsecurity.com/projects/msramdmp/ to the Princeton paper. I played with it right after it came out, and then awhile later threw up a tutorial on remote-exploit. Now, Mati Aharoni's a really smart guy and most assuredly knew about the PoC before I did, but shortly after the tutorial and some discussion on IRC, it's now in BackTrack 3 (http://www.remote-exploit.org/backtrack.html) as a syslinux boot option putting the attack within the reach of everyone.
http://tourian.jchost.net/shadow/liveusb/boot.png
Getting the encryption keys out of the ram dump isn't a point and click operation, but the code's out there and it compiles. People are walking around right now with this on their USB key, and it's the sort of attack that is a real problem that physical access and untrusted users present now. Even without the encryption keys, you've still got the contents of previous webpages, cookies, IM conversations, unencrypted files, and everything else in RAM. Disabling boot from USB doesn't matter much because you can just use a grub CD, and carry around a laptop drive and do dumps on multiple machines. Hell, if you felt like dealing with it you could make it a PXE image... even disabling both boot from USB and CD, most cases in public places(think Dell) can be quickly popped open with the power still on and the BIOS jumper tripped.
Things like this should make you really nervous if you were freaking out about Microsoft's little COFEE ( http://tech.slashdot.org/article.pl?sid=08/04/29/1441215&from=rss ) toy, since it's no more impressive than a customized "Gonzor's Payload" U3 USB Drive ( http://wiki.gonzor228.com/index.php/SBConfig ) with a Microsoft Sticker and this is quite a bit more, well, dirty. -
Re:... on the flip side
You already can, I can dump your RAM from my USB key already(After a reboot, even after removing the RAM from one computer and putting it in another) and go through for whatever I'd like, whether it's encryption keys, disk cache, or buffers from IM conversations. http://tourian.jchost.net/shadow/liveusb/boot.png http://tourian.jchost.net/shadow/liveusb/memoryremenance.png http://tourian.jchost.net/shadow/liveusb/memoryremenance-filecarving.png http://citp.princeton.edu/memory/ http://mcgrewsecurity.com/projects/msramdmp/
-
This has already been done
This is not something new people, I can dump your RAM from my USB key already(After a reboot!) and go through for whatever I'd like.
http://tourian.jchost.net/shadow/liveusb/boot.png
http://tourian.jchost.net/shadow/liveusb/memoryremenance.png
http://tourian.jchost.net/shadow/liveusb/memoryremenance-filecarving.png
http://citp.princeton.edu/memory/
http://mcgrewsecurity.com/projects/msramdmp/ (The MS isn't for microsoft)