Archive for the 'Software' Category

Hard disk encryption vulnerable to key retrieval with physical access

Posted in Tech, Software, Security on February 24th, 2008

Princeton have a great YouTube video and material on retrieving secret keys used in hard disk encryption, called “Lest we remember: Cold boot attacks on Encryption keys”.

My quick summary of their material:

  • Memory takes some time to erase after a power shutdown
  • Putting a laptop to sleep still provides some power to memory
  • Keys can be recovered from memory
  • Disk encryption is probably vulnerable if a user puts their laptop to sleep (as keys are stored in memory)

While disk encryption will still increase security against casual or opportunistic theft of a laptop, it may not provide much protection from a targeted attack.

It seems a little ironic that software used to protect a laptop’s contents when it’s stolen or lost may not actually do so, depending on whether users shut down or sleep. I can vouch that with Windows Vista on a laptop, bootup and shutdown take way longer than putting the laptop to sleep. So, are your users taking convenient shortcuts to save time?

Anyway, back to Princeton, from their Abstract:

Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard.

We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials.

YouTube link to ‘Lest we remember: Cold boot attacks on Encryption keys’

Physical access is always key to security. This style of attack would suggest that sensitive information is still vulnerable if stored on a laptop. This then becomes a game of risk and probability for an organisation:

  • What is the chance of a targeted attack?
  • Is laptop theft occurring for corporate espionage or by drug addicts trying to get cash?
  • Is more “perception” damage caused by unprotected laptop theft? (I.e. Saying it’s encrypted reduces negative perception)
  • What is the value of the data on the laptop?
  • Is the information time sensitive? (e.g. Corporate Buyout within the month)
  • Is the information privacy-related information which, once released, cannot be changed? (e.g. Date of Birth, Tax File Numbers, social security numbers)
  • What is the chance of a laptop thief knowing about recovering keys used in disk encryption?
  • What is the window of exploit once a laptop has been lost/stolen?

This is a great example of how physical access can really undermine security, even if encryption is used.

The Princeton site and material relating to this attack can be found at http://citp.princeton.edu/memory/

Head Tracking for Desktop VR Displays using the WiiRemote

Posted in Cyberpunk, Tech, Software, User Interface on January 25th, 2008

Following on from Low-Cost Multi-point Interactive Whiteboards Using the Wiimote, Johnny has demo’ed his head tracking coolness with the WiiRemote.


YouTube: http://au.youtube.com/watch?v=Jd3-eiid-Uw

This level of interactivity with technology creates a more natural user interface, a closer interaction between people and their machine.

Johnny’s site: http://johnnylee.net/

Low-Cost Multi-point Interactive Whiteboards Using the Wiimote

Posted in Cyberpunk, Tech, Software, User Interface on December 12th, 2007

This is cool.

Previously, we’ve seen some Cool Multitouch screen technology from Jeff Han:

But now, Johnny Lee has jury-rigged a Wii remote and a projector to provide a low cost (or at least lower) alternative.

Johnny Lee has several Wii projects including this multitouch one.

So it’s not quite “Minority Report”, but the interface is getting a whole lot closer to being touchable like it’s an actual desktop.

( Via Multitouch your computer @ Studenttabletpc.com)

The Corporate Nomad (aka Security consulting 2)

Posted in Software, Pseudo Psychology, Security on October 14th, 2007

Following on from Security Consulting is corporate ‘speed dating’, I’ll now pose the idea that:

A Security Consultant is a Corporate Nomad.

Possibly that’s any consultant .. but due to the short time frames of Application Security Testing, I think it’s more prevalent.

Having been in the new job 2.5 months, people are asking me: do I enjoy it? What’s it like? So my answer …

Yes, I really really like it. I’m like an observer. I turn up, plug in, start looking around. Pretend to be a bad guy, look for ways of getting around the system, without fear of being caught .. because I’ve been invited to look at it. You’re not there to make friends, just to do a job. There is something quite mercenary about it that I like.

The nomad part is more about not spending that much time in the office. Maybe a day a week. It’s mostly moving from one job to the next. It always amazes me when I’m at clients, there seem to be a lot of people thinking and tapping away at keyboards or chatting on the phone - who knows what they’re actually doing. Every so often I’m back in the office, actually seeing the people in my company. I do speak to, skype, IM and email them .. but some days it does just feel like you’re doing your own thing.

On a tangential note, I think I will learn more about programming in the next 6 months, than I did in the last few years. Each application is different, the functionality (finance, investment, buying goods, selling goods, etc) and different user interfaces.

So .. for the moment, I am quite content as a high tech nomad.