Archive for the 'Security' Category

Hard disk encryption vulnerable to key retrieval with physical access

Posted in Tech, Software, Security on February 24th, 2008

Princeton have a great YouTube video and material on retrieving secret keys used in hard disk encryption, called “Lest we remember: Cold boot attacks on Encryption keys”.

My quick summary of their material:

  • Memory takes some time to erase after a power shutdown
  • Putting a laptop to sleep still provides some power to memory
  • Keys can be recovered from memory
  • Disk encryption is probably vulnerable if a user puts their laptop to sleep (as keys are stored in memory)

While disk encryption will still increase security against casual or opportunistic theft of a laptop, it may not provide much protection from a targeted attack.

It seems a little ironic that software used to protect a laptop’s contents when it’s stolen or lost may not actually do so, depending on whether users shut down or sleep. I can vouch that with Windows Vista on a laptop, bootup and shutdown take way longer than putting the laptop to sleep. So, are your users taking convenient shortcuts to save time?
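One way to put a number on that question, as an added example (not from the original post or the Princeton material): total how long each laptop sits unattended in sleep, where memory stays powered, versus hibernated or shut down. The host names, the normalised log layout and the 50% threshold are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample data: host, ISO timestamp, power transition.
# Assumption: the fleet's power events were already normalised into
# sleep / hibernate / shutdown / wake before reaching this script.
SAMPLE = """host,time,transition
lt-017,2008-02-18T18:02:00,sleep
lt-017,2008-02-19T08:41:00,wake
lt-017,2008-02-19T17:55:00,sleep
lt-017,2008-02-20T08:30:00,wake
lt-017,2008-02-20T18:10:00,shutdown
lt-017,2008-02-21T08:35:00,wake
lt-022,2008-02-18T17:30:00,shutdown
lt-022,2008-02-19T09:00:00,wake
lt-022,2008-02-19T17:45:00,hibernate
lt-022,2008-02-20T09:05:00,wake
"""

# States in which DRAM stays powered, so disk keys remain in memory.
RAM_POWERED = {"sleep"}

def exposure_by_host(text):
    """Return {host: (hours_down_with_ram_powered, hours_down_total)}."""
    rows = sorted(csv.DictReader(io.StringIO(text)),
                  key=lambda r: (r["host"], r["time"]))
    down = {}                                   # host -> (state, since)
    totals = defaultdict(lambda: [0.0, 0.0])
    for r in rows:
        host, when = r["host"], datetime.fromisoformat(r["time"])
        if r["transition"] != "wake":
            down[host] = (r["transition"], when)
        elif host in down:                      # ignore a wake with no prior state
            state, since = down.pop(host)
            hours = (when - since).total_seconds() / 3600
            totals[host][1] += hours
            if state in RAM_POWERED:
                totals[host][0] += hours
    return {h: (round(a, 2), round(b, 2)) for h, (a, b) in totals.items()}

def flag_hosts(text, threshold=0.5):
    """Hosts whose unattended time is mostly spent asleep rather than off."""
    return sorted(h for h, (ram, total) in exposure_by_host(text).items()
                  if total and ram / total >= threshold)

if __name__ == "__main__":
    print(exposure_by_host(SAMPLE), flag_hosts(SAMPLE))
```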

Anyway, back to Princeton, from their Abstract:

Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard.

We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials.

Youtube link to ‘Lest we remember: Cold boot attacks on Encryption keys’

Physical access is always key to security. This style attack would suggest that sensitive information is still vulnerable if stored on a laptop. This then becomes a game of risk and probability for an organisation:

  • What is the chance of a targeted attack?
  • Is laptop theft occurring for corporate espionage or by drug addicts trying to get cash?
  • Is more “perception” damage caused by unprotected laptop theft? (I.e. saying it’s encrypted reduces negative perception)
  • What is the value of the data on the laptop?
  • Is the information time sensitive? (e.g. Corporate Buyout within the month)
  • Is the information privacy-related information which, once released, cannot be changed? (e.g. Date of Birth, Tax File Numbers, social security numbers)
  • What is the chance of a laptop thief knowing about recovering keys used in disk encryption?
  • What is the window of exploit once a laptop has been lost/stolen?

This is a great example of how physical access can really undermine security, even if encryption is used.

The Princeton site and material relating to this attack can be found at http://citp.princeton.edu/memory/

The Corporate Nomad (aka Security consulting 2)

Posted in Software, Pseudo Psychology, Security on October 14th, 2007

Following on from Security Consulting is corporate ‘speed dating’, I’ll now pose the idea that:

A Security Consultant is a Corporate Nomad.

Possibly that’s any consultant .. but due to the short time frames of Application Security Testing, I think it’s more prevalent.

Having been in the new job 2.5 months, people keep asking me: do I enjoy it? What’s it like? So my answer …

Yes, I really really like it. I’m like an observer. I turn up, plug in, start looking around. Pretend to be a bad guy, look for ways of getting around the system, without fear of being caught .. because I’ve been invited to look at it. You’re not there to make friends, just to do a job. There is something quite mercenary about it that I like.

The nomad part is more about not spending that much time in the office. Maybe a day a week. It’s mostly moving from one job to the next. It always amazes me when I’m at clients, there seem to be a lot of people thinking and tapping away at keyboards or chatting on the phone - who knows what they’re actually doing. Every so often I’m back in the office, actually seeing the people in my company. I do speak to, skype, IM and email them .. but some days it does just feel like you’re doing your own thing.

On a tangential note, I think I will learn more about programming in the next 6 months than I did in the last few years. Each application is different, with different functionality (finance, investment, buying goods, selling goods, etc) and different user interfaces.

So .. for the moment, I am quite content as a high tech nomad.

UK cops with Headmounted Cameras

Posted in Cyberpunk, Tech, Information related, Pseudo Psychology, Security, User Interface on July 16th, 2007

Last time we noticed it, it was traffic wardens with head-mounted cameras.

Now this time it’s actually the police.

Helmet Cam

The article Britain to arm bobbies with helmet cams goes into detail:

LONDON — Britain is taking its surveillance to a new level, strapping video cameras to the helmets of its famed bobbies — a move the government says will cut down on paperwork and help prosecute criminals. By providing dramatic footage of victims, suspects and witnesses, judges and jurors will be able to “see and hear the incident through the eyes and ears of the officer at the scene,” Minister of State for Security Tony McNulty said.

I guess this raises similar questions to the traffic wardens:

  1. Will this change the behaviour of the officers for the better? They know they are being watched.
  2. In the case of more people’s “word” against the police .. would this video be the ultimate truth?
  3. Would there be an over-reliance on video evidence?
  4. Who watches the watchers? - Does the public have the right to film the police in the same manner?
  5. Would a criminal who’d been caught on film resort to extreme violence to destroy the video filming gear and hurt the officer in the process?

I am not sure the “always on” cop, knowing they’re recording in the public eye, is a good thing. What problem is it solving, reducing paperwork or collecting evidence? I wonder how many things could be taken out of context? Does a defendant have the right for the material to be played in full? Would it be allowed to be edited?

( Via Oreillynet - UK Rolls Out Police Headcams )

Why are ATM PINs only 4 digits?

Posted in Tech, Pseudo Psychology, Security on July 13th, 2007

Most of the time we never really think about technology we’ve been using for a long time. The BBC article The man who invented the cash machine, takes a step back to look at the first ATMs.

This is a classic, about the first ATM “cards”:

Plastic cards had not been invented, so Mr Shepherd-Barron’s machine used cheques that were impregnated with carbon 14, a mildly radioactive substance.

The machine detected it, then matched the cheque against a Pin number.

But why only four digits?

One by-product of inventing the first cash machine was the concept of the Pin number.

Mr Shepherd-Barron came up with the idea when he realised that he could remember his six-figure army number. But he decided to check that with his wife, Caroline.

“Over the kitchen table, she said she could only remember four figures, so because of her, four figures became the world standard,” he laughs.

Mind you, some banks use 6 digits .. but as mentioned in the comments on Schneier’s post (link below) maybe other banks don’t know how to use the extra digits?

So .. how many digits can people remember? I guess with four digits .. there’s only a 3 in 10,000 chance of guessing it before the card gets swallowed by the ATM .. that’s not too bad. So could most people memorise a 5 or 6 digit PIN to make it more secure?

( Via Why an ATM PIN Has Four Digits - Schneier )