USB & Firewall System Attacks Surface: Disable Your External Media Ports
It appears as though, more than ever before, if you lose physical sight, and especially control, of your notebook, your data could be hosed. This is even more so now that tools that attack disk-based crypto are surfacing at an alarming rate.
March 5, 2008
It appears as though, more than ever before, if you lose physical sight, and especially control, of your notebook, your data could be hosed. This is even more so now that tools that attack disk-based crypto are surfacing at an alarming rate.It hasn't been too long since we covered the so-called "cold boot" attacks outlined by several security researchers. The paper, available here, details how encryption keys can be snatched from RAM.
A couple of days ago a researcher released a tool, msramdmp, which is available here, and details how to grab data from RAM.
Today, Kelly Jackson Higgins details, on our sister site, DarkReading, in this story, about additional tools coming to the fore that make it possible for attackers to use Firewire drives to commandeer locked Windows systems.
From the story:
"That Firewire port is, as designed, literally there to let you plug things into your laptop memory banks," says Thomas Ptacek, principal with Matasano Security. "When you think of Firewire, you really should just think of a cable coming directly out of your system's DRAM banks. That's basically all Firewire is."
Ptacek says this tool raises the bar in physical hacking. "People think about physical hacking as something you have to do with a screwdriver and 20 minutes, under cover of darkness. Attacks like Adam's can be done in the time it takes you to pick up a sheet of paper off the office printer," he says.
In the story, Ptacek advises users that the best defense is to disable their Firewire ports. That may be good advice for enterprises with lots of sensitive data on notebooks. It's probably not practical for anyone doing video editing, or managing large graphic files. And while it's not a perfect solution, it's better than nothing. So it's probably a good time for larger enterprises to evaluate whether or not external ports should be disabled, especially for execs and others carrying sensitive information.
The best defense, obviously, is not to lose sight of notebooks. It's also probably time to start calling full disk encryption vendors and ask how they're mitigating the risk to these attacks.
But I wouldn't expect much, as Thomas Claburn reminds us, in this story, of one of Microsoft's 10 Immutable Laws of Security:
"If a bad guy has unrestricted physical access to your computer, it's not your computer anymore."
About the Author
You May Also Like