Passwords Can Sit on Hard Disks for Years
CygnusXII writes "As people spend more time on the web and hackers become more sophisticated, the dangers of storing personal information on computers are growing by the day, security experts say. There are some obvious safeguards, such as never allowing your computer to store your passwords. But even that is no guarantee of security."
The project was written in C++. We started out using a custom string class that performed its own memory management (with zeroing the buffer on deallocation), but then promptly ran into problems with the STL. We wound up writing a memory allocator that also cleans up after itself. Those two solutions took care of the vast majority of the data leakage "problem" -- the only thing left was reinitializing stack variables within functions.
The same customer actually requested this first. The problems associated with it were terrible, especially in a multithreaded application. Plus, performance basically sucked. Wiping the data afterwards seemed to have the same end result, the performance was still good, and the customer was happy. BTW, the memory allocator and string class both made their way into the company's downloadable core library (MIT license).
Ah, funny this story was posted--I just had to address this issue the other day. I run Mac OS X and I happened to be doing a fresh install, moving all my data over from an old HD. Before this, I had always stored my slew of account info in a text file in an obscure and unlabeled file (I know, I know--very careless of me--that's why I was ready to change my ways!).
Mac OS X's built-in "Keychain" services/util isn't streamlined for repeated user use, not to mention it doesn't have several auxiliary/free-form fields (that are also fully encrypted with the password field). After some research and trying a few of the freeware and shareware apps out there, I came across Pastor, a freeware, super-lightweight and user-friendly app that basically lets you maintain a catalog of username, pass, and about 6 auxiliary fields, stored in an encrypted file (when you go to open a file, it prompts you for the password and decodes it on the fly). If for some reason you don't dig this particular app, there's a couple others like it as well with increasing levels of features (I happen to prefer lightweight).
So I went w/ this model and it's had great payoffs--when I need a particular login, I click on an alias to my main password (Pastor) file, enter the file's password to decrypt it, look for what I need (it alphabetizes), and I'm all set--meanwhile, there's absolutely no risk of security--I love it.
G-Force music visualization
One thing that worries me is sending machines away to get repaired.
I have a Sony Vaio laptop which I had to send to be repaired. I phoned the support number to tell them I was going to take the hard disc out before sending it. They said that if I did I would be charged for a new hard disc (at a hugely inflated price) and they wouldn't repair it without one.
I once sent a PC for repair and the teenage dork who repaired it actually said I had some great games on my machine and that he had played them. In another case in the UK, some paedophile was caught (was it Gary Glitter?) when he sent his PC in for repair. Now, I'm all for catching kiddie fiddlers, but that is not the way to do it.
I don't want the repair staff looking through the stuff on my hard disc. There should be a standard industry guarantee that this won't happen, or a privacy law about it or something.
When I read the headline, I was alarmed. But
and keep your goatsex links and pictures confidential.
then I read the article, and all my worries went away.
I encrypt my swap partition, and that fixes the problem.
It's not hard, and since it's swap (i.e., data
you don't need for very long), you don't even need
to remember a password (your computer uses a random
one every time it sets up the swap). Really, it's
pretty easy -- see the HOWTO at http://www.tldp.org/HOWTO/Disk-Encryption-HOWTO/
----- Why sig when you can sign? PGP key id 7675D05E
The article does go into a bit more detail than that... They use a program called TaintBochs (probably hacked from the open source emulator Bochs) to track sensitive data and find out where exactly it goes and how long it's there. This sounds to me like a nifty hack, and they're actually doing research to come up with quantitative results on how long data sticks around, instead of just saying, "Um, yeah, stuff gets swapped out."
Operating systems such as Windows and Linux have no facility for stopping data being written to the hard drive.
That's a flat out lie.
$ man mlock
MLOCK(2) Linux Programmer's Manual MLOCK(2)
NAME
mlock - disable paging for some parts of memory
SYNOPSIS
#include <sys/mman.h>
int mlock(const void *addr, size_t len);
DESCRIPTION
mlock disables paging for the memory in the range starting at addr with length len bytes.
OpenSSH uses paging protection. It also zeroes out the password in memory. Immediately upon hashing it. I've seen the code.
Authors are at Stanford? Paper at USENIX? Can't believe this shit.
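The two techniques mentioned in the comments above, an allocator that zeroes memory on deallocation and mlock() to keep pages out of swap, combined in one sketch. This is an added example, not the code of any commenter or of the library they mention; WipingAllocator, SecretString, secure_wipe and the other names are hypothetical.

```cpp
#include <cstdio>
#include <cstdlib>
#include <new>
#include <string>
#include <sys/mman.h>  // mlock, munlock
#include <unistd.h>    // sysconf

// Zero through a volatile pointer so the compiler cannot drop the stores as dead.
inline void secure_wipe(void* p, std::size_t n) {
    volatile unsigned char* b = static_cast<volatile unsigned char*>(p);
    while (n--) *b++ = 0;
}
// mlock works on whole pages, so each allocation gets its own page-aligned region.
inline std::size_t page_round(std::size_t n) {
    std::size_t pg = static_cast<std::size_t>(sysconf(_SC_PAGESIZE));
    return (n + pg - 1) / pg * pg;
}
static std::size_t g_bytes_wiped = 0;  // demo bookkeeping only
template <class T>
struct WipingAllocator {  // hypothetical name, not from the thread
    using value_type = T;
    WipingAllocator() = default;
    template <class U> WipingAllocator(const WipingAllocator<U>&) noexcept {}
    T* allocate(std::size_t n) {
        std::size_t bytes = page_round(n * sizeof(T));
        void* p = nullptr;
        if (posix_memalign(&p, page_round(1), bytes) != 0) throw std::bad_alloc();
        (void)mlock(p, bytes);  // best effort: fails if RLIMIT_MEMLOCK is too low
        return static_cast<T*>(p);
    }
    void deallocate(T* p, std::size_t n) noexcept {
        std::size_t bytes = page_round(n * sizeof(T));
        secure_wipe(p, bytes);  // wipe before the heap can hand the memory out again
        g_bytes_wiped += bytes;
        (void)munlock(p, bytes);
        std::free(p);
    }
};
template <class T, class U> bool operator==(const WipingAllocator<T>&, const WipingAllocator<U>&) { return true; }
template <class T, class U> bool operator!=(const WipingAllocator<T>&, const WipingAllocator<U>&) { return false; }
using SecretString = std::basic_string<char, std::char_traits<char>, WipingAllocator<char>>;
// Bytes wiped while a secret of `len` chars lived and died. Short strings may sit inside
// the string object itself (small-string optimisation) and never reach the allocator.
std::size_t wiped_for_secret(std::size_t len) {
    std::size_t before = g_bytes_wiped;
    { SecretString s(len, 'x'); }
    return g_bytes_wiped - before;
}
int main() { std::printf("wiped %zu bytes\n", wiped_for_secret(100)); }
```

Copies made outside the allocator (stack buffers, temporaries converted to std::string, I/O library buffers) are not covered, which matches the first commenter's remark that stack variables still had to be reinitialized by hand.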
Umm, no.
vm.swapencrypt.enable is set to 0 (zero) by default, take a look at your /etc/sysctl.conf
Even if you aren't running Windows, other OSes like OS/2 will recreate a fresh pagefile on every boot.
Gamingmuseum.com: Give your 3D accelerator a rest.
Knoppix doesn't touch the hard drive at all, that is the whole point of a live CD, so no it doesn't use any swap
Snowden and Manning are heroes.
Actually, you only need to overwrite once to make it invisible to the computer over the IDE cable.
There ARE methods to get data off of a hard drive platter that has been overwritten only once, but this requires the hard drive to be removed from the computer and physically disassembled, and is quite expensive.
"-1 Troll" is apparently the same as "-1 I disagree with you."
Despite the FUD TV ads the credit-card companies want you to believe, THERE ARE NO OTHER KINDS OF CREDIT CARDS IN THE USA. It is federal law that you cannot be held liable for unauthorized charges on your credit card. Actually, I believe you may be required to pay up to $50, but that is really a trivial amount.
So, don't believe the hype.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
And unless you have massive amounts of RAM, your system will refuse to do anything...
I turned off the swapping on a Windows 2000 system that had 256MB of RAM, and rebooted, only to find that I couldn't do anything at all. The system started-up, but no programs could be opened. I could even get to the command-prompt, or the control panel to turn the page-file back on. Result, one completely destroyed and unsavable Windows system.
Don't recommend doing things that you've never done yourself and/or don't know enough of the details about how it works...
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
IOW, tho the security issue exists, it's not exactly something to lose sleep over -- because if someone wants to compromise your security, why not get current data right from today's data input, instead of possibly-obsolete data of unknown relevance!
Because that Asian rape spam that popped up into your preview pane 2 years ago may not be a daily occurrence. The FBI loves pulling up ancient JPG fragments from swap in their ongoing efforts to protect children.
Despite what you may have heard, the legality of pornography is of no relevance to prosecutors and judges; the first time the question of age comes up with regard to the subject of any particular photograph is when the jury is looking at poster size blowups of whatever they scraped off your hard drive.
To prevent fascism (or at least thwart it), do the following. Set the not-commonly-known "clear swapfile at shutdown" Windows registry key:
HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown to 1
Wipe your empty space and slack space regularly with something like eraser. (Interestingly, I don't know of a way to accomplish these things when using Linux as a desktop OS. If anyone knows of a way to clear the swap partition on shutdown or to clear not only free space on the hard drive, but also cluster tips (file slack), please let me know.) When finished using a hard drive, or any time you have cause to format it, boot up to rescue mode from any Linux distro's boot CD and dd if=/dev/zero of=/dev/hda (or whatever device your hard drive happens to be).
I have had access to the tools the bad guys (FBI, et al.) use to extract evidence from your hard drive, and have seen that these procedures work brilliantly. Of course, I've also seen prosecutors derive character witness testimony from the very fact of using a program like eraser (only bad guys know this much about how to hide computer evidence!), so YMMV.
If you don't happen to live in the United States, treasure your freedom and fight to protect it.
who are those slashdot people? they swept over like Mongol-Tartars.