Full-Disk Encryption Works

According to researchers, full-disk encryption is hampering police forensics.

The authors of the report suggest there are some things law enforcement can do, but they all must happen prior to a drive being buttoned up by encryption. Specifically, they say that law enforcement should stop turning computers off to bring them to another location for study, doing so only causes the need for a password to be entered to read the encrypted data. Also, in some cases, doing so causes the data to be automatically destroyed. Fortunately, there are some tools forensics experts can use to gather data if it sits untouched, such as copying everything in memory to a separate disk. The team also suggests that law enforcement look first to see if the drive has been encrypted before scanning it with their own software, as doing so will likely result in a lot of wasted time.

Paper, behind a paywall.

Posted on December 1, 2011 at 1:44 PM • 51 Comments

Comments

Carl 'SAI' MitchellDecember 1, 2011 2:47 PM

The only secure encryption systems are the open-source encryption systems. Cryptography is complex, and peer-review of the source is necessary. The implementation must be correct for the algorithm to work properly and be secure. You can't trust it if you can't perform an audit (or pay a qualified, trusted person to perform an audit for you.)

elehtonenDecember 1, 2011 3:02 PM

Carl: I'm with you, but even the best systems can fail with a lousy implementation. Give a classically-trained chef a recipe (provided they'll accept it) and what you give and what you get might not be too similar. Perhaps close. Peer-review has to go through both the algorithms and the implementation, and even then, no guarantees. (Remember the old axiom: There is no perfect crypto, just one that holds up long enough that the information it hides no longer has value.)

AndrewDecember 1, 2011 3:21 PM

There is a company (sorry, I've lost the link) that sells a nifty device that allows you to unplug a computer from the wall without it ever losing power. That way you can cart it down to HQ without it powering off.

Dave WalkerDecember 1, 2011 4:59 PM

Interesting, but not too surprising; properly-implemented strong crypto is - well - strong :-).

It's good to see the crypto is holding up even though it's encrypting a lot of known plaintext - to wit, the entire set of OS binaries. I suspect that after the Farmer / Venema "pipe" book, vendors started to pay closer attention to block placement.

I'd always look first at the keystore; if it's not a motherboard TPM or a Flagstone drive, there's possibly more scope for recovery...

Clive RobinsonDecember 1, 2011 5:21 PM

The big problem with most FDE is where the encryption key is stored and how.

We have discussed this one or two times in the past, but people realy need to realise that the key cannot be stored in memory...

And yes as I've said before there are ways to do this efficiently but you have to know how to do it.

Oh and sadly I don't expect MS or Apple or Oracle OS's supporting it any time ever let alone soon.

The way the NSA tends to do FDE is with an In-Line Media Encryptor, which is basicaly a box that sits between the disk and the computer and has appropriate key handeling and managment built in from the start not as an "after sales market add on".

Which brings me onto another issue, although FDE appears to be hampering some forensic investigators, they don't have the resources that some commercial let alone govenment organisations have. What is noticable about some FDE systems is that they might have "encryption" but the do not have the right "modes" of usage.

The result is in some cases the potential to have two pieces of known plaintext (ie headers to just about any MS Office file) stored under what is effectivly the same or only slightly different keymat... Which can leave a gaping hole...

Then again you also. have to think not in terms of "plaintext recovery" but "traffic analysis", in a lot of cases you don't need the plaintext, only to know when and what size of activity has occured, some FDE systems still give fairly easy access to file meta data which makes this sort of analysis quite easy.

Disk Encryption is not a simple problem to solve and has lots of "gotchas" for the unwary, at the moment forensic examiners are realy at the bottom of the food chain on extraction of information from encrypted media...

Dr. I. Needtob AtheDecember 1, 2011 6:09 PM

Suppose all the drives (including the system drive) in a Windows 7 computer were fully encrypted with TrueCrypt and a very long, strong, password.

Suppose also that Windows was set up to require a moderately strong password in order to resume operation after time runs out and the screen saver kicks in.

Would you guys consider this to be a secure system? Aside from guessing the Windows password, would there be a way to bypass Windows security and get access to the computer's files without shutting off or resetting the computer?

Of course, shutting off or resetting the computer would bring TrueCrypt and its strong password into play and ensure strong protection from that point on, but suppose an attacker was aware of the TrueCrypt encryption and knew that as long as he left the computer on, he only needed to get past the Windows password to get access. Would there be a way for him to do that?

Thanks.

RHDecember 1, 2011 7:01 PM

@Needtobe: Yes, there is ALWAYS a way, its just a question of how hard it is.

I would consider what you have described to be "secure", but its weak to mouse wigglers. And all physical boxes that are not designed to be tamper resistent are attackable. In particular, I'm thinking your setup wouldn't do well against an adversary who is willing to put leads on every pin of your memory DIMMS and read your key right off the chips.

There is also the chilled memory attacks where the attacker chills the memory to decrease the loss rate, then reboots the machine to a CD that dumps the memory to a drive.

Its all a question of resources. Even with "secure" systems like smart cards with aluminum dust over their salted ICs can be defeated with sufficient application of funding.

Note that the voting safety mechanisms often don't try to prevent attack (its too hard to do so), and instead merely try to make such an attack detectable.

aikimarkDecember 1, 2011 7:42 PM

@Andrew,
It was probably this Hot Plug product:
http://www.wiebetech.com/products/HotPlug.php

======
There is also mouse-jiggling software that you can run from a thumb drive, preventing the screen saver from activating. (several sources)

I thought someone would have already invented a proximity device to thwart a raid by a forensics team. You would wear a device that would ping the USB device(s). When the USB devices don't receive a ping at the appointed time or the ping originates beyond a preset distance, then the USB device causes the PC to lock.

Fnord PrefectDecember 1, 2011 7:59 PM

@aikimark: ISTR this being done with Bluetooth devices and a screensaver, used to lock the screen when someone took their phone away from their desk.

RobertTDecember 1, 2011 9:30 PM

@Needtob Athe
"Would you guys consider this to be a secure system? "

As others have said it depends on a lot of things
1) Who is your adversary?
2) Is it possible your PC is infected, keylogger, worm, virus
3) Is it possible that you have been observed (filmed) entering the disk key phrase?
4) many laptops emit a unique RF signature as the decrypt key is entered. Because the PC is in a waiting state, the Rf emissions change depending on which key is pressed, thus the key sequence can be recovered. If the adversary has recorded this RF emissions signature, than he has a good chance of entering the key within a few hundred tries.

5) where is the decrypt key stored?

6) If the key is static, than it is possible that you can have RAM data "burn-in", so if you power up the PC without resetting the RAM then the key will just be in the correct location...magic!


SethDecember 2, 2011 2:58 AM

I believe the Rohos logon key product also supports bluetooth proximity style logins via Apple & Android smartphones.

Also, doesn't simply turning your computer off thwart most of the more exotic attacks, such as cold boot, et al?

LisaDecember 2, 2011 3:19 AM

It is a shame that TrueCrypt does not support FDE (Full Disk Encryption) on the Mac! :(

MacOSX 10.7 (Lion) does have built-in FDE, but who knows if there are any back-doors that were built into it.

PGPdisk is produced by another American company, and cannot be considered any more trustworthy.

With the secrecy spying provisions in the patriot act, it is really hard to trust any American based company these days.

Especially with IP and trade secrets, since the #1 mandate for many government secret service agencies worldwide (including the CIA & NSA) is corporate espionage, due the fact that economics is integral to national security.

I also would not trust Chinese, Korean, Japanese, British, French, German, Iranian, and Israeli based corporate software, since there has been reported incidents of corporate espionage by their govenment secret service agencies.

Dirk PraetDecember 2, 2011 3:24 AM

@ martinr

"I would expect the European court of human rights to have their very own opinion about the validity of that UK law to reveal keys to UK authorities."

Are you in any way implying that the UK is playing nice with the EU ?

On topic: whereas a determined and resourceful adversary will almost always find a way (or a law) to get the job done, properly implemented crypto will give him a serious run for his money. I am however more concerned by the growing tendency of governments and vendors alike to have backdoors and trojans built in that for all practical purposes void the entire exercise. Carrier IQ anyone ?

AdamDecember 2, 2011 6:02 AM

That WiebeTech thing looks interesting. What I think would be interesting is what countermeasures someone could come up with. E.g. mouse jiggles too much, challenge for passphrase and then shutdown if not supplied in 30 seconds, or perhaps build some kind of dead man's switch where laptop / PC is listening for some signal emanating from a nearby device and if it fails to receive it then challenge for passphrase and shutdown.

cronosDecember 2, 2011 7:27 AM

I saw a simple device that can be used to prevent a PC from shutting down in transit: a power cord with a male plug on each end. You use it by plugging one end of the cord into a luggable UPS and the other end into a power strip that the PC runs off. Then unplug the power strip from the wall/mains and the PC doesn't miss a beat.

If the PC is plugged straight into the wall the situation is harder but still doable. I would make alligator clips for the end of my special cable, pull the PC plug slightly out from the wall, connect the clips, then pull the PC plug completely from the wall. Not easy. But either way the PC will keep running.

I've used said cable to keep critical systems running when switching electrical circuits, such as electrical rewiring jobs in an industrial setting. It should work equally well for law enforcement or government security forces.

ParanoidDecember 2, 2011 8:05 AM

Isn't it common for hard drives to have accelerometers these days? I imagine it would be possible to have a computer scramble its RAM and power down when it detects it is being moved, to defend against the Hot Plug thing.

pogostickonrollerskateDecember 2, 2011 9:01 AM

@Paranoid

thats a good idea. it looks like s.m.a.r.t. reports what you speak of at 0xDC, 0xDD, 0xBF. if i could throw something together in bash then surely someone legitimate could make an even better background app.

paulDecember 2, 2011 9:44 AM

Too many -- or too sensitive -- a set of anti-forensics countermeasures, and you end up subjecting yourself to denial-of-service attacks.

I find the language of the article a little troubling, as it assumes that the people with encrypted disks who are being investigated are criminals, and that the encryption is preventing evidence of guilt from being found. IFF the person under investigation were to be guilty of the crimes that formed the basis of a a statement in response to which a warrant were issued, then proper use of encryption would thwart prosecution. But using that as the lead buries the really important bit -- as people have noted: don't turn off the #@$@$ computer when you seize it.

Do computers still have case interlocks, or would it be useful to do the hot-plugging inside, say in an unused card slot or on a spare molex connector?

Danny MoulesDecember 2, 2011 10:02 AM

"Are you in any way implying that the UK is playing nice with the EU ?"

@Dirk Praet - They don't need to. EU court judgments take precedence over UK court judgments in this area. The UK is obliged to obey and, I believe without exception, always does in practice.

NobodySpecialDecember 2, 2011 10:15 AM

The bigger worry these days is probably smartphones.
Not only can you not run 3rd party system level software , like Truecrypt, but even if you did trust the system's own encryption - there are carrier installed rootkits that will grab the password as you enter it.

And these devices hold a lot more information about you than your desktop PC

Bob TDecember 2, 2011 12:56 PM

Well, the main reason that everyone should use encryption is to preserve the idea of being secure in our persons, paper and effects from government intrusion. If people did that, it would be protected by the courts hands down as a protection of privacy and against self incrimination. As it is, without it's common use, judges feel free to let the government run over what they see as only offenders being likely users.

Secondly, the bigger reason for encryption in this country is from loss or theft. I mean, it's fun to sit and think about defying big brother, but if we get to the point of having a government that will beat me to get my password, I'll already have reached a level as an enemy of the state that what's on a particular hard drive will be a moot point. The important thing being that I protect information which might incriminate others that would still be free. "They'll get my hard drive when they pry it from my cold dead fingers." :)

Clive RobinsonDecember 2, 2011 1:22 PM

@ Bob T,

"They'll get my hard drive when they pry it from my cold dead fingers."

Hmm more likely "cold wet fingers" these days after you've had a few lessons in "Faceup Facecloth Surfing"...

Which by the way is why "deniable encryption" was invented to keep you safe, warm and dry ;)

LeeDecember 2, 2011 1:37 PM

If the device is up and running then what the forensics person needs to get at the contents is in memory. Conveniently, certain devices and technology will get Direct Memory Access no matter what you have done to harden the device.

Physical access means only time remains as a challenge.

If the machine is powered down when the investigator gets it, time will be long. Often it's quicker to ask the owner!!

Clive RobinsonDecember 2, 2011 2:09 PM

@ Dr. I. Needtob Athe,

"... past the Windows password to get access. Would there be a way for him to do that?"

Simple answer is once they have the hardware with ease.

Like most comercial OS's it is not setup with regard to physical security. As RobertT has outlined there are various ways. And as Nick P has pointed out in the past certain standard I/O ports prevalent on some systems that have DMA are almost custom made to "image memory" easily.

Thus you cannot store the encryption or decryption key in memory in "plaintext form" without it being vulnerable.

Supprisingly this is not a difficult problem to overcome when you actually look at how most block ciphers work.

Since DES put in an appearance the "Fiestel Round" has been the most favourd method of thoroughly mixing the key material and plaintext to produce robust ciphertext.

If you look at most block ciphers they have two main parts "the rounds" and "the round subkey scheduling" which expands the N bit key upto M bit round keys. So once the key has been expanded there is no requirment to keep the original key in memory and it can be deleted.

However storring the round sub key's does not get you much more security, the trick is to store them in a differential format where a sub key is split into a number of parts that have to be reconstructed to get the round sub-key.

Now if you have a CPU which has sufficient registers then the round sub-key can be constructed as required inside the CPU as it is performing the round function.

The trick is how to store the differential keys in a random way that varies each and every time a sub key is constructed, such that getting access to the memory where the sub-keys are stored does not realy help an attacker.

The details of how to do this are not difficult to work out but they are tedious to explain in full, so a simple (but not very secure) example will suffice.

You have the valid round sub-key in a CPU register and a truly randomly generated number (TRGN) in another register, by using the TRGN in some way you can split the round sub-key into two or more parts (for simplicities of explination you use ADD mod N to reconstruct). You save the two parts in memory and throw away the TRGN without it ever appearing outside the CPU.

However the places the round sub key parts are stored are moved round something akin to a circular buffer where the pointers remain in the CPU along with another TRGN which is used to derive the actuall locations in the buffer (this is the bit that is very very tedious to explain so I won't bother).

The result is provided you know the pointers and their TRNG then you can reconstruct the round sub-keys, without you have the tedious task of trying to reconstruct the keys in the right way in the right order which would be hard work at best. With a further minor twiddle you can make it a long long way from hardwork.

So provided you have a method by which the critical CPU registers cannot be accessed by manipulating the memory you have a system that is a starting point towards being more secure.

Sadly this last constraint is not present in most commodity CPU's.

DavidDecember 2, 2011 7:56 PM

I see there are some who are way ahead of me on defeating attempts to move a powered computer, but I think a simpler defense would be to simply have the computer respond to being disconnected from its network by unmounting interesting volumes. This is hardly an inconvenience to me, for if I've lost network connectivity for non-sinister reasons, I have another problem to fix anyway that unmounting the drive will not exacerbate.

Clive RobinsonDecember 3, 2011 1:47 PM

@ NobodySpecial,

"The bigger worry these days is probably smartphones"

It would appear that the worry goes on...

In the case of Android,

http://phandroid.com/2011/11/30/more-android-security-issues-exposed-this-time-from-apps-already-installed-on-your-device/

http://securitywatch.pcmag.com/google/291249-serious-new-android-privacy-leak-demonstrated

It appears that although the android sandbox on paper atleast is superior to Apples iOS, as always the devil is in the details.

Not that this is any real surprise if you have a hunt around for a copy of the book by Bruce and Niels Ferguson ("Practical Cryptography" 1st edition "Cryptography Engineering" 2nd edition http://www.schneier.com/book-practical.html ) you will find the main theme is avoiding implementation errors.

emdxDecember 3, 2011 7:51 PM

RE: the hot-unplug-without-losing-power gizmo.

Have you guys seen a french power plug?

http://www.samaudio.fr/img/prise-electrique.jpg

It's over-engineered so it is nearly impossible to access a hot metal surface (and the latest standard has synchronized hole covers so you can't even shove a nail in the holes, you have to enter both holes at the same time); I don't see very well how a computer could be unplugged without losing power. In addition, the ground pin is male on the socket and engages in a hole on the power cable so the ground is connected well before the power is.

Of course, in that case, you can strip the hot wire and patch into it...

virtualkeyboardDecember 5, 2011 4:58 AM

@NobodySpecial: smartphones. Not only can you not run 3rd party system level software , like Truecrypt

You can: http://www.whispersys.com/whispercore.html

@NobodySpecial: but even if you did trust the system's own encryption - there are carrier installed rootkits that will grab the password as you enter it.

Time to add a virtual keyboard to Truecrypt loader; the mouse position may be the position of the brightest point of real-time camera image, a click may mean to stay one second on the same key. That would be cumbersome to grab, especially if the keymap would change every X seconds.

MynameDecember 5, 2011 4:21 PM

so, couldn't you just wire glue a copper wire over the top of the memory chips, run it outside the box, and ground it by touch or clip to drop dram voltage to 0?

wouldn't help the dma angle, but should drain mem registers.

would work like a memory cooler also.

Jonathan WilsonDecember 6, 2011 3:48 AM

One idea I had for data storage requirements where the device doesn't move would be to build (or have built) a special safe. It would contain special air vents/fan built into the safe (designed so they don't allow access to the inside of the safe but do allow airflow for cooling the device inside). It would also contain a power socket and Ethernet port on the inside of the safe wired through the safe (again in a way that doesn't compromise the safe) to cords/ports on the back of the safe that allow it to be plugged in. The safe would be bolted to the walls/floor so it cant be physically moved.
Depending on the situation the locking mechanism for the safe could be a double combination (with multiple people having parts of the combination required to open the safe), a combination combined with a high-security key (the kind that are very hard to pick) stored offsite or some other mechanism.

The device inside the safe would be designed so that any loss of power or network would un-mount the encrypted disk and stop any access to the data without the input of a password (which would presumably be high-strength and difficult to guess). It would also be designed so that no physical access to the device is required for normal use. Even more secure would be to have the password input be done through a mechanism that cant be logged by normal keystroke loggers (hardware or software)

Clive RobinsonDecember 6, 2011 7:52 AM

@ Jonathan Wilson,

"One idea I had for data storage requirements where the device doesn't move would be to build (or have built) a special safe."

Been there done that and know the recipe, and have mentioned on this blog before.

With regards to what you are thinking,

"It would contain special air vents/fan built into the safe (designed so they don't allow access to the inside of the safe but do allow airflow for cooling the device inside)."

Not a good idea, you'd be surprised just how small and flexible tools are these days, if you know what to buy and have the funds much of the stuff you need can be got out of a surgical devices catalog for the likes of key hole and other minimal incision medical/surgical procedure.

The way to do it is with two blocks of high thermal conductivity metal (copper aluminium etc ) that you mount on the safe back wall one inside and one outside with thermal paste to ensure good thermal conductivity through the safe wall from one to the other. The one on the outside you mount suitable cooling equipment (fans etc etc) the one inside you use thermal pipes to the heat generating parts (just as you see in a number of PC products).

Oh and don't forget to add thermal activated shutdown etc.

The next bit is the hard bit,

"I would also contain a power socket and Ethernet port on the inside of the safe wired through the safe (again in a way that doesn't compromise the safe)"

The way I've done it is not perhaps the way most people would do it and not easy as it involves molten glass and welding steel plates to the inside and outside of the safe. You can get acceptable results using short lengths of "pyro cable" and solder/weld the glands in place.

Having done that you then need to deal with the issues of isolating the power supplies. The simplest way is to go out and buy an "online" UPS strip the bits out and add appropriate isolating and filtering components on the inside, specificaly to stop HiPot, HiJoule Impulse and RF based EM attacks (hopefully the metal of the safe will stop most magnetic field attacks). Pay very very carefull attention to how you do the earthing etc, which is why full galvanic issolation is helpful.

Having done this you need to add other features to prevent unwanted ingress via cutting torch, grinding cutters and drills. I won't go into the specifics but a nice 1cm lining between the safe walls and the inner EMC sleave of thermite based around copper (not iron) oxide and with added flare material (fine particulate PTFE etc) and appropriate detection/ignition takes care of that job. The quantity of thermite is important, too little wont destroy the chips and platters in the drives and control circuitry, too much will melt the safe wall and alow it to run out before it has destroyed the drives and chips etc. Back in the good old days to much was easily solved with an asbestos lining between the thermite and the safe wall, these days you have to make up a custom "fire clay" liner, but carefully cut plain ceramic tiles and thermal grout (as used in the construction of small furnaces) will do the job.

Now we get to the weak bit of all safes the door and it's furniture,

"Depending on the situation the locking mechanism for the safe could be a double combination (with multiple people safe could be a double combination (with multiple people having parts of the combination required to open the safe), a combination combined with a high-security key (the kind that are very hard to pick) stored offsite or some other mechanism."

Forget the use of mechanical locks it's what most safe crackers go after for good reason, that is they are very much the weakest link in the chain. You need to go for an electronic lock that drives appropriate dead bolts in the door edges which also has an anti shock deadlock system. In one such system the deadbolts are mounted against springs and a loop of wire rope is used to retract them, however the loop is supported by fragile glass plates, if they break then the loop cannot be drawn in sufficiently to pull back the dead bolts.

There are a number of physical traps and detectors such as vibration, movment that you need to add that will trigger wiping of key material etc.

As for AES KeyMat etc one way to put this in is via an asymetric key system using multiple (M of N) shared keys from out of jurisdiction locations.

However the system software etc becomes a weak point without care. First off all major software has bugs as a given. A second given is you won't know most of them, and your advisory is going to know atleast one of them you don't (ie a zero day). Thus the design has to mitigate this. A third more important given these days is that of side channels such as timing side channels leaking KeyMat, plaintext and other security related information.

Mitigation of many of these issues can be a challenge, however one way is to actually use two systems with a strongly mediated link between the two.

ChrisDecember 6, 2011 11:32 AM

emdx: I haven't seen the plug, but the solution is relatively easy: crowbar the socket from the wall (or, if that's not an option, remove the wallboard from the wall and find the cable) and jumper into the wire on the back before cutting it. (You could strip the actual computer power plug, but you would have to be really careful not to ground the hot wire while you did it. Easier to just yank the socket from the wall, so long as you don't care about damage to the property.)

BnadDecember 7, 2011 11:50 PM

Re keeping power flowing to a computer as it's unplugged...
Couldn't that be done by induction? Just wrap some wires & iron around the power cable--the syncing of the induced current with the plugged-in current can be done by an external computer control, then you unplug and the synced induced current takes over without a hiccup.

haxxsmaxxDecember 9, 2011 4:59 PM

let's use some real life examples of FDE and how it works, and doesn't.


Max Vision is the obvious first example. He used DriveCrypt an Israeli made commercial product that uses 1344 bit 'military grade' encryption. This was because in 2005 truecrypt was still in development infancy and not largely trusted.

He encrypted both his associate's laptop, and his huge raid array servers he kept in his safe house. The servers were powered on when he was busted, so getting the key was only a matter of time. His associate's laptop was never broken according to court documents because it was off, and Max had altered it to turn off hibernate mode, system restore, and other dangerous windows features that can compromise encryption.

Max was smart enough to have a clean disk which to hold the his FreeBSD/OpenBSD o/s (FDE) and then the dangerous evidence was all separate partitions FDE to prevent a rootkit bootloader attack or other side channel/whatever methods. But yeah.. pointless since his system was on and the key in memory when the USSS walked in.

Next up is Maksik legendary Ukranian criminal hacker. He used FDE, but the USSS was able to get at his laptop when he wasn't around, cloned the disc, and then installed a malicious rootkit/bootloader so the next time he booted the machine, it would send in clear text his master password to the feds who were across the hall in the hotel he was staying in. The rest of the passwords he gave up voluntarily in a Turkish prison... this is known as 'Rubber Hose Cryptography' meaning if you don't hand over your keys, sadistic cops simply torture you until you do.

The only method to avoid rubber hose crypto, or jail for not revealing your keys is to use the Truecrypt plausible deniability Making multiple hidden containers, so if under threat you simply open up the decoy containers.. there's no way to prove there's another container hidden inside. Picture yourself picked up by the Syrian police, and they find truecrypt in your bootloader. Out come the rubber hoses and alligator clips. Now, you're going to die anyways so may as well give them the decoy container password instead of the real password that gives up your entire network of resistance associates. It helps to seed your container with something mildly illegal.. otherwise they won't believe you went to all that trouble to protect an empty text file.

what you need, is something better than disk encryption. you need to store highly sensitive data on an external USB drive specifically designed with hardware encryption.. something like CryptoStick 2 (not out yet) or IronKey. on this crypto key you store your truecrypt containers, and hidden containers. since these keys are designed to be resistant to all physical and brute force attacks it is completely impossible to find your hidden container and read it without employing the rubber hose or legal threats, like they have in the UK.

other ways crypto has been compromised:

-global hackers under surveillance by USSS who threw out drives. these drives were cleaned using Darik's boot & nuke, which is useless in today's forensics. the center for magnetic research can read the edge of the drives, and bad blocks, and manufacturer protected areas and still get information... like keys which they did, and then used as a dictionary to brute force the hacker's current laptop when it was seized. most people don't use truly secure passwords, and usually their phrase can be figured out with just a partial available.

personally, i use cryptostick + ironkey + truecrypt FDE + containers on the ironkey, and i GPG encrypt all the info inside the containers. i only ever access the USB drives using a live CD bypassing the regular drive to avoid keylogging.. and enter in the passwords using a screen keyboard to defeat potential hardware keylogging (like what happened to the Ukranian hacker).

when i'm not using the USB sticks i don't leave them lying around, i hide them like a cunning prisoner would. if somebody runs in to steal my laptop/server then they don't get the time to search the place to find the drives.

lately i've been thinking of employing some other encryption on top of truecrypt, like LUKS, mainly because i don't 100% trust them and their completely invisible developers. true, code is open to review but who's to say it isn't a giant honeypot (tinfoil hat).

so truecrypt (FDE) AES 256 + hardware encrypted USB (AES) + truecrypt containers (Blowfish) + LUKS encrypted + GPG.


Clive RobinsonDecember 10, 2011 1:13 AM

@ haxxsmaxx,

"Let's use some real life examples of FDE and how it works and doesn't"

One of the things you forgot to mention is "dead mens switches" which these days can come in all sorts of flavours.

However

"... array servers he kept in his safe house. The servers were powered on when he was busted, so getting the key was only a matter of time"

That's where not having the key on the server realy helps (AKA Client side encryption).

Most times when crypto fails the reason it has failed is simple and would have been easily avoided with a little thought.

For instance a laptop has a hard drive that is encrypted, and has the key or part of the key in memory. Now obviously if the laptop remains powered up in some way then given a relativly short time the key will be obtained...

Now the obvious soloutions are,

1, don't keep the key in memory on the laptop
2, ensure the key can be erased quickly and easily at a moments notice.

The problem with 1 is most OS's need the key there because of the bad habit of swaping, so as a first step find an OS that does not page or swap to hard disk (not to difficult these days with CD run versions of Linux etc)

However as noted above by myself and others RAM has a habit of being persistent so you need to make sure it only remembers garbage persistently (I explain ways to do that above).

Now the next question is how do you deal with the gun at your head, or other methods of persuasion when you are in the process of operating the equipment?

This is where a dead mans switch either hits the reset button, kicks out the power or runs a memory cleaner etc.

There are a number of ways to do this from a foot peddle switch, a near field card on a bit of string tied to your wrist or even a bluetooth device or java button style ring. If you get it right just simply raising your hands will trigger the key auto destruct, or if you are truely paranoid and have real secrets to keep that effect others lives a foot switch or knee button where if you relax or twitch the circuit is broken, Thus if the do put one through the back of your head it's gained them nothing...

haxxsmaxxDecember 12, 2011 4:55 PM

@Clive Robinson

Max Vision did have a dead man's switch (a few of them in fact) and thought out multiple escape and shutdown/delete methods long before he started his hacking empire but like all superhackers he started getting complacent with his success, felt invincible and decided to crash out on his safe house bunk instead of powering down the equipment. He slept through their door banging and only woke up once guns were drawn and the room was full of agents... no time to get at his dead man's switch. A team from Carnegie Mellon University was waiting outside to empty his server(s) memory and get all his keys.

Lesson learned is get the cord attached to your wrist like you said or turn everything off.

As for swap, OpenBSD does have encrypted swap but it didn't help Max who was using FreeBSD w/encrypted swap memory.

Clive RobinsonDecember 13, 2011 1:00 AM

@ Haxxsmaxx,

"... but like all superhackers he started getting complacent with his success, felt invincible and decided to ..."

Opps major fail, he forgot the maxim of "Eternal Vigilance".

It also sounds like for some reason he was to tight fisted to secure his own "safe house" perimiter with alarms (though they may have been bypassed).

There are a couple of reasons I did not turn to crime, "Eternal Vigilance" being one, the other being as my father pointed out to me "If you are bright enough to carry out the perfect crime you are bright enough to earn more money honestly".

Now I know one or two people disagree with the point about being "bright enough" but I always think they have not thought it through far enough.

Many people can do the first few basic steps of the "perfect crime",

1, Idea,
2, Planning,
3, Preperation,
4, Execution.

Of which the first is not illegal (otherwise most reading this blog would be locked up ;)

Even the second step is arguably not a criminal act and a requirment for good security on the old maxim of "think like a poacher to catch a poacher".

It is the third stage where you "show intent" and often have to involve others which is where "conspiracy to..." comes into play. It is also where things start to go wrong with "perfect crime plans" due to human failings.

As history has shown us usually criminals do not actually trust each other sufficiently to work effectivly as a team, and certainly not under preasure and many will "rat out" at the first signs of trouble. Hence another old maxim "No honour amongst thieves". The notable exceptions to this "lack of trust" issue often being the criminals of fame. and also why the Mafia etc are reputed as having significant "looking after" policies for those caught, backed up by hard line "vengence" policies for defectors.

It is these human failings that also brings us into the failings of the fourth stage where the crime is commited. Unlike agents of the government such as the military and LEA's criminals do not generaly do sufficient training to deal with the unexpected. Hence the old army maxim about "Battle plans don't survive first contact with the enemy". Nothing can be "perfectly planned" to cover all eventualities, thus any team has to have the trust in other team members to act reliably and predictably when things start to go wrong as they eventually will.

But lets assume things do go according to plan and the criminal team end up with their objective, what happens then.

Often this is where it goes wrong because the criminals have not planed beyond the execution phase and to be frank behave very very stupidly in many many cases.

Dealing with the proceeds of crime is fraught with difficulties, often way more than actually executing the crime. And if the crime was significant the LEO's will be looking for the processing of the proceeds, and putting preasure on those likley to "recieve stolen goods".

Also the team members are likley to be "flushed with successc and all "pumped up" and need to unwind and often behave just as soldiers or LEO's do they go out and celebrate etc. Big mistake, because unlike soldiers and LEO's they are now "wanted men". Then there is that peculier thing about the difference between a hero and a zero "you're only a hero if people know what you've done". That is people "big it up" and "brag" because of "a sence of entitlement" which gives rise to "war stories" to impress people with. Unlike the rest of society for criminals it generaly does not "pay to advertise" because some people will want to "bring a bragger down a peg or two" and "grass them up".

But there is another problem with many criminals and it's "easy money" syndrome, they often suffer from poor impulse control and start to live above their recognisable income level which is a red flag issue for the authorities. Another aspect of this is even when they put in place a "legend" to account for the income the "burn rate" is such they have to go back and do more crime and build up an MO by which they will eventually hang themselves.

In the UK something like 90% of crimes that are prosecuted come about because the criminals have been stupid after the execution phase in one way or another.

The effort and money involved with safely dealing with the proceads of crime is quite high and this has another asspect it's like a "fixed cost", that has to be covered by the proceads of crime year on year. The only two working solutions to this are very far out tails on the distribution curve. That is you do one very large "Big Crime" to cover the cost for the rest of your life, or you go for "the economies of scale" solution by doing hundreds if not thousands of very small crimes every year, where the cost of each crime is below a nominal threshold of "investigation cost".

Now "investigation cost" is a funny thing because it has a very very large political element for LEA's. A flashy "big crime" is newsworthy so has to be not just investigated but "be seen to be investigated" and thus must also "be seen to be solved". Thus the actuall real monetary cost of investigation could actuall excead the proceads of the crime and suffer badly from the "bad money folows good" problem of "sunk costs" in that the more money spent on the investigation the more monet that "has to be spent" to keep up the political appearences. Traditional small crime has a similar political element, it becomes a nuisance or crime wave, which is then "newsworthy" and suffers the same problems.

Thus the type of crime you do must also have political considerations. As has been noted in the past "only the insurance companies care about victimless crime" whilst not entirely true it is an indicator that crimes of violence or crimes with identifiable victims are newsworthy, especialy if the victims arouse public sympathy (children, little old ladies, pets etc). But you have to be carefull because even victimless crime can attract fame / notoriety, and this is another red flag for the authorities causing a sharp rise in the political element of "investigation cost".

Finding a "big crime" with no identifiable victims and little or no newsworthyness is possable but usualy requires specialised skills. One area is "white collar" crime where an insider takes an organisation for a very large sum due to poor internal controls. Whilst it might be newsworthy it's rarely in the organisations interest to have such a crime become public because the reputational loss might well exceed the direct loss of the crime. As Nick Leason and others have shown it is possible with specialised insider knowledge to commit billion dollar crimes against financial institutions and they only came to light because the size of the loss could not be hidden by the organisation.

But does that get you off the hook, sadly no, often such organisations will turn to specialised recovery oparatives, who earn a fee on "monies recovered" they are like bounty hunters and some of these individuals and organisations are better than LEO's. Some of their techniques are far from legal and they have (as in the case of Kroll Associates) considerably over steped the mark causing significant collateral damage including death and significant injury, which becomes public and causes the reputational damage that the original hireing organisation wished to avoid. Sometimes the organisations decide to investigate themselves, but as seen by the example of HP that can aslo go very bad and cause significant reputational damage, if not criminal investigation and legal censure.

However sometimes their are "Game Changers" such as the Internet, and certain types of small value crime do pay (faux Anti-Virus) even when those involved get caught and fined, but they usualy get followed by changes in legislation pushed through such as "anti-spam" legislation.

But few last because their success makes them a target and the political element needs a head on a pole to hang above the parapet so that "Justice can be seen to be done" even though it probably has not been done in actuality.

Oh one area where crime does appear to pay over and over is politics it's self. We have of recent times seen various dictators toppled, in some cases they would have been alowed to walk off into the sunset with their ill gotten gains, but they had to much self delusion and ended up dead as a result of it. It will be interesting to see how it plays out in Russia over the next few months, but for obvious reasons I don't want to be there whilst it happens.

RobertTDecember 13, 2011 3:36 AM

@Clive R
Another popular "perfect crime" is insider trading, especially if hacking is the source of your insider information. the crime is only perfect if the jurisdiction that you live in does not recognize insider trading as a crime, such as "New Zealand" or Hong Kong so live in NZ trade from Nz but extract information from other regions.


Clive RobinsonDecember 13, 2011 10:35 AM

@ RobertT,

"so live in NZ trade from Nz but extract information from other regions"

Hey ho just one more reason to consider living there over and above, nice wine, weather, landscape, lower levels of stress and cost of living releative to income...

I did once consider moving to HK but, the hand back to Communist China concerned me. I do however have relatives living there and they definatly give me the impression I was over cautious...

Clive RobinsonNovember 5, 2012 2:00 PM

@ Peter t,

Why is open source software considered to be better?

What do you mean by better?

All software open or closed source can be considered good or bad depending on how you weight various asspects.

For instance some closed source software in vertical markets is very well supported better than many equivalent Open Source projects. However there are well known Open Source projects that are better supported than many well known commercial closed source products.

You have to weigh up what is important or not for each individual class of application.

When it comes to encryption programs I would certainly err on the side of caution and go for as much information as you can get. In this respect Open Source "could" be better as you have access to the source, however this is only an advantage if and only if you or those you trust can actually evaluate the code correctly. Even then you can only evaluate to the limit of your current knowledge, which may be out of date tomorrow...

What appears to be the case is that currently Open Source code is less of a low hanging fruit than closed source comercial software, even though the source is available. Which tends to sugest that having the source is not of necessity a requirment for looming fro/finding suitable attack vectors. So the argument between which is better between Open&Closed software may not be of relevance to attackers.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..