Cold Boot Attack Utilities Released At HOPE Conference

An anonymous reader writes "Jacob Appelbaum, one of the security researchers who worked on the cold boot attacks to recover encryption keys from memory even after reboot, has announced the release of the complete source code for the utilities at The Last HOPE in New York City. The hope (obligatory pun) is that the release of these tools will help to improve awareness of this attack vector and enable the development of countermeasures and mitigation techniques in both software and hardware. The full research paper (PDF) is also available."

RE: Editor/Submitter

[Ihmhi]

I think the editor and submitter both need to read this.

There are some ways to minimize the problem

[Psionicist]

The way I see this, you should simply not store keys in memory (that is have your encrypted file system mounted) when you not need access to the files. A correct program will overwrite the keys when the file system is dismounted.

The purpose of full disk encryption (or system encryption in TrueCrypt is), in my opinion, not meant as a "one password to protect everything". It's just an extra measure to secure temporary files, the swap file and other tracks the OS and applications may spread around. You should still encrypt your really secret files separately, and use basic precautions such as secure file erasure when you've used them.

That said, I still don't think this attack is so important. If you have the file system mounted, and an attacker gains access to your computer, the files are already there!

Re:There are some ways to minimize the problem

The whole point of this is unclean shutdown. How is your computer going to overwrite the keys in memory when someone pulls the plug?

Sometimes the mere presence of a file, encrypted or not, is "incriminating" enough. Ask Kevin Mitnick about NSA.TXT on a floppy he had - it was a listing of a host with the registered users at the National Computer Security Archive, and that got quickly spun to "having compromised the security of the NSA".

Sometimes you want to hid the existence of information, not just the information.

because the fix would have to be in-hardware

[Animaether]

and not just the machine hardware, but rather the RAM stick itself.

Essentially the exploit relies on data that is in RAM to still exist, even if it's just for a few seconds, if you take it out of the machine.

You could add a 'write random crap to RAM' thing to your shutdown procedure, but that won't help if they simply power the machine off.
The machine hardware could write random crap to RAM when it is powered down, but that won't help if they simply yank the RAM stick out while the machine is still running.

So the RAM stick itself would have to detect that it is no longer connected to any motherboard and, using a charge kept in a capacitor, for example, flash itself with random crap.. or whatever.

Keep in mind that this 'exploit' is quite difficult to execute, requiring not just physical access to the machine - but to the RAM. While the machine is running (or was running within the last N seconds, at least). In the vast majority of environments, that's going to be extremely difficult.. unless you own (or operate) that machine and you have no particular way of being caught.

Re:because the fix would have to be in-hardware

[Minwee]

Most server class machines have intrusion detection sensors which will trigger an alarm when the case is opened. They're hardly foolproof, but if you were concerned about this sort of attack then responding appropriately to a "Your Door Is Ajar" event would be a reasonable place to start.

Re:Memory wiper?

[jonbryce]

You cool the chips down in the running computer with a spray duster, pull them out, and put them in a computer that you control.

No software solution can be used to stop you doing this, it has to be a hardware based solution.

Capturing machines with full disk encryption

[Animats]

Here's the existing approach to this problem.

1. Send in SWAT team. Stop user from turning off computer.
2. Bring in HotPlug kit and UPS.
3. Plug "Mouse Jiggler" into USB port to keep no-activity timeout from causing logout.
4. Turn on UPS.
5. Plug HotPlug unit into UPS.
6. Plug HotPlug unit output plug (a male plug which is a power output) into power strip, or, if necessary, remove wall outlet plate and connect clamp-on connectors to hot wires.
7. Unplug power strip from line power. HotPlug unit will switch in power from UPS.
8. Plug power strip into UPS. HotPlug unit will recognize this and deenergize its output plug.
9. Unplug HotPlug output plug and input plug. Computer is now running entirely on UPS.
10. Carry computer and UPS to forensics lab before UPS battery runs down.
11. Plug in UPS to keep battery charged.
12. Access disk as desired.

Re:Capturing machines with full disk encryption

[Chris+Burkhardt]

13. Try not to get hit by truck as you maneuver Frogger machine across street.

Re:Capturing machines with full disk encryption

[Eternauta3k]

looks like a forced login every 10 minutes is a good idea for people working with really sensitive data.

108 minutes is more like it

Re:Tamper proof case, anyone?

[kesuki]

thermite packed around the ram seems the best way to go. then if they tamper with the case, it triggers a 'tramper switch' the thermite goes off, and boom just a molten blob of goo. also, if you're going to have a self destruct on the ram, you may as well do the HDD as well, and you might as well throw in a manual switch along with the 'tamper switch' in case the FBI comes knocking, and have a good plan for how to circumvent your 'tamper switch'.

thermite is a bit extreme, but if you want your data irretrievably destroyed, there is nothing like thermite.