Evil Maid: Road warriors beware

Road warriors, do you know where your notebook is? You'd better, or Evil Maid may get the best of you and your computer.

Joanna Rutkowska, founder and CEO of Invisible Things Lab, is a well-known security researcher. You may remember Ms. Rutkowska as co-developer of Blue Pill, a rootkit that uses hardware virtualization to stay hidden from the operating system it subverts.

Well, Ms. Rutkowska has upset the order of things once again. Alex Tereshkin, Principal Researcher at Invisible Things Lab, and Ms. Rutkowska have built malcode that defeats whole-drive encryption without breaking the encryption at all: it steals the passphrase at the one moment it has to be typed into software that sits on the disk in the clear. They named the malware Evil Maid. The name may seem odd, but it's appropriate. Evil Maid requires the attacker to get physical access to the computer, briefly and more than once, and hotels full of road warriors are perfect targets.

How it works

As a part-time road warrior I firmly believe in TrueCrypt. Yet, Ms. Rutkowska has me questioning my resolve. To explain why, let's say I am on the road. After seeing my client, I return to the hotel and begin writing this article. In a few hours, it's time to meet the client for dinner. So, I turn the notebook off and go to the hotel restaurant.

I'm not sure why, but someone really wants to see what I am writing. So he pays a hotel employee to sneak into my room and do the following:

  • The attacker boots my computer from the Evil Maid USB stick. TrueCrypt's boot loader lives in the first sectors of the disk, unencrypted, because something has to run before the passphrase is known.
  • The stick patches that loader with a small program called "Evil Maid Sniffer" (screenshot of the infected loader courtesy of Ms. Rutkowska, not reproduced here). Nothing in the encrypted volume is touched, and no passphrase is needed for this step.
  • The attacker turns the notebook off and leaves.
  • I come back later that evening and decide to write some more.
  • When I power up and type my passphrase at the TrueCrypt pre-boot prompt, the patched loader records it in a pre-arranged unused area of the disk, then hands over to the real loader so the system boots normally.
  • None the wiser, I continue writing. After a while, I decide I'm thirsty, so I turn the notebook off and head to the bar for a drink.
  • Seeing an opportunity, the attacker sneaks back into my room and boots the notebook from the Evil Maid USB stick again.
  • The stick detects that the loader is already infected and displays the captured passphrase (screenshot courtesy of Ms. Rutkowska, not reproduced here).
  • The attacker restarts my notebook, enters the passphrase, unlocks the drive, and copies my article.

You can see why it is called the Evil Maid attack; it's perfect for hotel environments. Ms. Rutkowska also points out that once the passphrase is known the notebook can simply be stolen, since the encryption no longer protects it.

Possible defenses

Mr. Bruce Schneier, in a post on his security blog, has an interesting comment about Evil Maid:

"This attack exploits the same basic vulnerability as the "Cold Boot" attack from last year, and the "Stoned Boot" attack from earlier this year, and there's no real defense to this sort of thing. As soon as you give up physical control of your computer, all bets are off."

TrueCrypt's own documentation agrees with this assessment: physical security of the computer is listed as something the user must provide, not something the software can. Mr. Schneier goes on to point out that, of all the possible fixes, the following is probably the best:

"A few readers have pointed out that BitLocker can prevent these sorts of attacks if the computer has a TPM on the motherboard."
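How the TPM fix works, as an added example that is not code from the article, from TrueCrypt or from BitLocker: firmware hashes each boot stage into a Platform Configuration Register before running it, and the disk key is sealed to the register's expected value, so a loader patched by Evil Maid produces a different measurement and the chip refuses to release the key. The sealing below (an HMAC-derived keystream and tag) is a toy stand-in for the TPM's internal storage-key operations, and every key, loader and kernel value is constructed for the demonstration.

```python
"""
Toy model of TPM measured boot and key sealing. Added example, not code from
the article, TrueCrypt or BitLocker. The sealing scheme is a stand-in for the
TPM's internal operations; a real storage root key never leaves the chip.
"""
import hashlib
import hmac

PCR_INITIAL = b"\x00" * 20  # TPM 1.2 PCRs are 20-byte SHA-1 registers that start at zero


def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR <- SHA1(PCR || SHA1(component)). A PCR can only be extended, never
    set, so no later stage can erase the record of what ran before it."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Measure each boot stage in order, as firmware does before jumping to it."""
    pcr = PCR_INITIAL
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def seal(secret: bytes, expected_pcr: bytes, srk: bytes) -> dict:
    """Bind `secret` (e.g. the volume key) to a PCR value. Only a chip holding
    `srk` whose PCR currently equals `expected_pcr` can reverse this."""
    assert len(secret) <= 32, "toy keystream is a single HMAC block"
    keystream = hmac.new(srk, b"seal|" + expected_pcr, hashlib.sha256).digest()
    ciphertext = bytes(s ^ k for s, k in zip(secret, keystream))
    tag = hmac.new(srk, b"tag|" + expected_pcr + ciphertext, hashlib.sha256).digest()
    return {"ciphertext": ciphertext, "tag": tag}


def unseal(blob: dict, current_pcr: bytes, srk: bytes):
    """The chip uses its *current* PCR, not a value supplied by software. A
    modified loader yields a different PCR, the tag check fails and no key
    comes out: the caller sees a refusal, never a wrong key."""
    tag = hmac.new(srk, b"tag|" + current_pcr + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    keystream = hmac.new(srk, b"seal|" + current_pcr, hashlib.sha256).digest()
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], keystream))


def boot_and_unlock(loader: bytes, kernel: bytes, blob: dict, srk: bytes):
    """Simulated boot: measure the stages firmware sees, then ask for the key."""
    return unseal(blob, measure_boot([loader, kernel]), srk)


def demo() -> dict:
    # Constructed values; a real SRK is generated inside the TPM and never exported.
    srk = hashlib.sha256(b"constructed storage root key").digest()
    volume_key = hashlib.sha256(b"constructed 256-bit volume key").digest()
    good_loader = b"TrueCrypt boot loader (constructed stand-in)"
    kernel = b"OS loader (constructed stand-in)"
    # Provisioning: seal the key to the PCR value of the known-good boot chain.
    blob = seal(volume_key, measure_boot([good_loader, kernel]), srk)
    # Evil Maid visit: the on-disk loader is patched with a passphrase sniffer.
    evil_loader = good_loader.replace(b"boot loader", b"boot loader + sniffer hook")
    return {
        "clean_boot_gets_key": boot_and_unlock(good_loader, kernel, blob, srk) == volume_key,
        "tampered_boot_gets_key": boot_and_unlock(evil_loader, kernel, blob, srk),
    }


if __name__ == "__main__":
    print(demo())  # {'clean_boot_gets_key': True, 'tampered_boot_gets_key': None}
```

The clean chain gets the volume key back; the patched chain gets None. On a real machine the consequence is that the first boot after an Evil Maid visit stops at a recovery prompt instead of unlocking; treat that as the alarm, not a nuisance, and do not type a recovery key into a machine you have just found in that state. Sealing guards the key, not the keyboard: a patched loader can still draw a look-alike PIN prompt and record what is typed, so the benefit is that tampering becomes visible on the very next boot, not that the PIN is unstealable.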

The reason for creating Evil Maid

Ms. Rutkowska agrees with Mr. Schneier and has been trying to convince the TrueCrypt developers to add TPM support, so that the loader is measured before it runs and a modified loader cannot unlock the volume:

"Personally I would love to see TrueCrypt implementing TPM-based trusted boot for its loader, but, well, what can I do? Keep bothering TrueCrypt developers with Evil Maid attacks and hope they will eventually consider implementing TPM support."

Until that happens, the only complete defense is to keep physical control of the computer at all times. Everything else raises the attacker's cost rather than removing the weakness: a BIOS password with USB boot disabled forces the attacker to pull the drive, and a hash of the unencrypted boot sectors, taken from a clean boot stick, tells you after the fact that someone has been at the loader. I noticed many interesting potential solutions along these lines in the comments after Mr. Schneier's post about Evil Maid.

Final thoughts

It seems that whole-disk encryption is not the panacea most people think it is. It does one thing well: it protects data at rest on a powered-off computer that is stolen once. It does not protect the boot code, which has to sit on the disk unencrypted, and it cannot protect a passphrase typed into boot code an attacker has modified. All bets are off if an attacker can get at the computer on more than one occasion, or, as the Cold Boot attack showed, once while it is running or has just been switched off.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

113 comments
Neon Samurai

What are the chances that this will convince a few business or gov offices to stop putting things like databases on mobile machines when it should be kept housed in the database server behind an authenticating interface? I also have the solution to this: http://www.thinkgeek.com/homeoffice/gear/c1f4/

art

If all bets are off when an attacker physically possesses the computer, why even bother with encryption? It slows the computer down, even if slightly. If you forget the passphrase you are screwed. Then I remembered the old saying from my dad and the physical world: Locks are meant to keep honest people honest; thieves can always circumvent them.

Ocie3

Thanks for the article, Michael, and even more for the links. :-)

The first step in the attack is to boot the targeted computer from the USB stick. Accordingly, the following question and reply is posted on Ms. Rutkowska's blog (in the FAQ section):

[b]Q: I've disabled boot from USB in BIOS and my BIOS is password protected, am I protected against EM?[/b] No. Taking out your HDD, hooking it up to a USB enclosure case and later installing it back to your laptop increases the attack time by some 5-15 minutes at most. A maid has to carry her own laptop to do this though. [i](She also needs the tools to open up the respective machines and to disconnect and remove the HDD, then re-install it. Even more time and effort will be required if the laptop is locked, and secured in locked luggage and/or a strongbox. - ed.)[/i]

Ms. Rutkowska doesn't mention HDDs for which a "hardware password" is required before anything can access them. Since that is implemented in the HDD controller, the feature goes with the drive, so removing it and installing it in another computer will not overcome the need for that password.

In the final analysis, since Truecrypt has not implemented the Trusted Platform Module (the mainboard in your laptop has one, right?), Ms. Rutkowska suggests the Poor Man's Solution in her remarks:

".... We call it Disk Hasher. It's a bootable Linux-based USB stick that can be configured in quite a flexible way to calculate hashes of selected disk sectors and partitions. The correct hashes are stored also on the stick (of course everything is encrypted with a custom laptop-specific passphrase). We use this stick to verify the unencrypted portions of our laptops (typically the first 63 sectors of sda, and also the whole /boot partition in case of Linux-based laptops where we use LUKS/dm-crypt)."

For full details, such as how the Poor Man's Solution can be defeated, I recommend reading the complete entry on her blog. :-) http://theinvisiblethings.blogspot.com/
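The Disk Hasher idea quoted above, written out as an added example (it is not Invisible Things Lab's tool, and the disk image, sector layout and the sniffer patch are constructed for the demonstration): hash only the regions an Evil Maid has to modify, the MBR and the TrueCrypt loader in the 62 sectors after it, and compare them with a reference taken when the machine was known good. The same functions read /dev/sda when the script is run from a separate clean boot stick that also holds the reference.

```python
"""
Disk Hasher-style check of the unencrypted boot sectors. Added example, not
Invisible Things Lab's tool. Disk image, layout and the sniffer "patch" are
constructed for the demonstration; the hashing functions work unchanged on a
real block device opened read-only from a clean live USB stick.
"""
import hashlib
import io
import json
import sys

SECTOR = 512
# Classic MBR layout: sector 0 is the MBR, sectors 1-62 hold the TrueCrypt boot
# loader; all of it is necessarily in the clear. Add a /boot partition for LUKS.
REGIONS = {"mbr": (0, 1), "tc_loader": (1, 62)}


def region_digest(disk, start_sector: int, n_sectors: int) -> str:
    """SHA-256 over a run of sectors. `disk` is any seekable binary file:
    an in-memory image here, /dev/sda on the real laptop."""
    h = hashlib.sha256()
    disk.seek(start_sector * SECTOR)
    remaining = n_sectors * SECTOR
    while remaining:
        chunk = disk.read(min(remaining, 1 << 20))
        if not chunk:
            raise IOError("short read: disk is smaller than the configured layout")
        h.update(chunk)
        remaining -= len(chunk)
    return h.hexdigest()


def make_reference(disk, regions=REGIONS) -> dict:
    """Record known-good digests. Keep the result on the verification stick,
    never on the laptop being checked."""
    return {name: region_digest(disk, start, n) for name, (start, n) in regions.items()}


def verify(disk, reference: dict, regions=REGIONS) -> list:
    """Names of the regions whose bytes differ from the reference."""
    return sorted(name for name, (start, n) in regions.items()
                  if region_digest(disk, start, n) != reference[name])


def build_image(loader: bytes, total_sectors: int = 2048) -> bytearray:
    """Constructed disk: MBR + loader in the clear, then pseudo-random bytes
    standing in for the encrypted volume."""
    img = bytearray(total_sectors * SECTOR)
    img[510:512] = b"\x55\xaa"                       # MBR boot signature
    img[SECTOR:SECTOR + len(loader)] = loader        # loader starts at sector 1
    img[63 * SECTOR:] = hashlib.shake_256(b"constructed ciphertext").digest((total_sectors - 63) * SECTOR)
    return img


def install_sniffer(img: bytearray) -> None:
    """Model of the Evil Maid install: a few loader bytes are overwritten with a
    hook. No passphrase is needed and the encrypted volume is not touched."""
    patch = b"\xeb\xfe SNIFFER: log passphrase to spare sector"
    img[8 * SECTOR:8 * SECTOR + len(patch)] = patch


def demo() -> dict:
    loader = b"TrueCrypt boot loader (constructed stand-in) ".ljust(30 * SECTOR, b"\x00")
    img = build_image(loader)
    reference = make_reference(io.BytesIO(img))
    volume_before = hashlib.sha256(img[63 * SECTOR:]).hexdigest()
    before = verify(io.BytesIO(img), reference)
    install_sniffer(img)
    after = verify(io.BytesIO(img), reference)
    volume_after = hashlib.sha256(img[63 * SECTOR:]).hexdigest()
    return {"before": before, "after": after, "volume_untouched": volume_before == volume_after}


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "reference":   # reference /dev/sda > ref.json
        with open(sys.argv[2], "rb") as disk:
            json.dump(make_reference(disk), sys.stdout)
    elif len(sys.argv) == 4 and sys.argv[1] == "verify":    # verify /dev/sda ref.json
        with open(sys.argv[2], "rb") as disk, open(sys.argv[3]) as ref:
            changed = verify(disk, json.load(ref))
        print("TAMPERED: " + ", ".join(changed) if changed else "OK: boot sectors match reference")
        sys.exit(1 if changed else 0)
    else:
        print(demo())  # {'before': [], 'after': ['tc_loader'], 'volume_untouched': True}
```

The demo shows why hashing the whole disk is unnecessary: the sniffer install changes the loader region and nothing in the encrypted volume, so `verify` flags `tc_loader` while the volume's digest is unchanged. Re-take the reference after every legitimate update to the loader or /boot, otherwise the check cries wolf. As Ms. Rutkowska notes, this is a poor man's solution: the comparison runs after the fact, and an attacker who gets at the stick itself, or at firmware below the loader, can still win.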

news

If I understand this correctly, regardless of the hack (which is impressive) this relies on the ability to boot to some form of external device to work. That being the case, isn't the simple solution to lock your BIOS, and disable all boot devices other than the hard drive? Granted, I'm just writing this off the relatively brief description indicated in the article. Further, if you have physical access to the laptop, it's only a matter of time prior to cracking the BIOS access. That is not a 1 minute job, unless you all have way better hacking tools than I do (which a few of you probably do). :>

leedsfan88

Sorry if this is a stupid question, but are there companies out there creating malware legally? And, as it seems from the above article there are, why?

BrianMWatson

Am I the only one who thinks the obvious has been overlooked?!? If the attack depends on booting, then don't turn the machine off - just log off and log on as a user with guest privileges (so that the privileged logon and/or user independent encryption isn't compromised). If an attacker were to gain physical access and initiate the attack, it would be obvious the machine was rebooted and action could then be taken to ensure subsequent physical access is denied (another dependency of this particular attack).

The 'G-Man.'

you would not be leaving your laptop in an insecure location. Insecure being that you do not know who has access to the location.

Deadly Ernest

headed down, let me explain another option that I use. It's simple, it's easy, and reasonably cheap. I don't give a rat's rear end about who steals the netbook or notebook or what, I keep the data file on two USB sticks in my pocket, two so I have a back up. If I want to get real paranoid (and I have in the past) I carry another USB stick with an OS that boots from the USB and use that to boot and type what I need to type, again saving to the data USB sticks. Evil Maid, Evil Genius, it doesn't matter what they put on the computer if I boot from another OS and save to the USB stick. PS The same trick can also be done by booting from a Live CD / DVD. edit - typo in title

mukababi

you disable all the stuff (USB ports, CD/DVD booting, etc.) you can in your bios and then password protect your bios when on the road. Unless things have changed, the only way to beat this is to guess the password or disassemble the machine to perform a hard reset of the BIOS password. Of course, if someone is willing to sneak into your room to get at your data, they would be willing to just grab the laptop, period. Or here's one, pull the laptop drive out, use a $15 kit to make it a USB drive on the laptop you brought, then clonezilla the desired system drive to your USB drive....leave everything the way it was and take the copy to crack at home over a JD and coke.

turtle975

Well, I thought I was a little paranoid when I locked up my laptop in the room safe every time I left the room, but that is what I did (even before reading this). I was more worried about physical theft at the time. Good info. Thanks!

basil.cinnamon

Wait, if the bios has stick booting disabled, and the bios is passworded, the maid can't boot it, right?

Michael Kassner

I had a small safe in my room at college and in the service. It seemed to attract more attention.

charlb

I agree with most of you, if you left your laptop unsecured anywhere you have the risk of losing data or even a laptop. The way I would go about using Evil Maid is to just take the laptop and then just use the software on my own time to gain access. I guess the upside of Evil Maid is if you have employees who have encrypted their drives and have forgotten their passwords or have left the company, you have a tool to get the data back. So, any ideas where to get the tool from?

Ocie3

a pry-bar. But if you use the bar to pry a window open, so that you can enter a home and steal property from the owner, that is a crime and you can be arrested, tried and, if convicted, punished. The same rule applies to software. What is malware? There is no adequate legal definition for it. It is not against the law to test software on a computer that you own and thus discover its vulnerabilities. "Testing" the software that is installed on someone else's computer, without their prior knowledge and consent, can lead to your arrest and conviction for criminal trespass, at the least.

seanferd

The subject Evil Maid would not qualify as malware, but a tool like any other. Many tools that are out there can be used to do something good, or something bad. In this case, Evil Maid is Proof Of Concept code created to demonstrate that the drive encryption scheme is not truly secure. Someone else could easily write similar code to be used in such a manner, if it has not been done already. Now, if code like Evil Maid were put into a delivery package with a trojan and rootkit and an installer or what have you, then set into the wild so that it infects systems and USB drives, executes the Evil Maid function, sends the key back to the malware creator or otherwise then accesses the disk and sends data back (somehow) - then it would be malware. The whole point of the exercise is to show it can be done, so that companies claiming they have secure encryption products will remove this vulnerability. Or so that users will know and change their method of securing data. I mostly agree with Deadly Ernest, although I think more along the lines that evil uses of anything should be considered illegal, rather than the mere existence of some thing.

santeewelding

But in sore need of refinement. Create all the malware you want, "legally". Trespass and thieve by means of it, though, and you cross the line where the rest of us take offense. Why? I leave that to you as an exercise.

Michael Kassner

I obviously did not portray something right. Oh. There are no stupid questions on any of my articles as well. All questions are appreciated.

Michael Kassner

Remember this is an MS machine, I doubt that anyone would blink twice about Windows rebooting. Second, you are skilled in what you do, what about others that are confused about IT, yet have very personal or sensitive information on their computers. Actually, I was hesitant to take this post on. How many people do you know, even use full-disk encryption?

Ocie3

just keep a sharp eye out for pickpockets and for magnets. :-)

MrRich

One possibility would be if you use hibernate. (Granted you probably don't) But if you did, the data that's loaded when the laptop goes into hibernate mode can be skimmed. The evil of TPM is that it pretty much guarantees Microsoft that you are not running a bootleg OS. But it has legitimate merits for drive encryption.

Michael Kassner

I am not sure how practical this exploit is, but I felt it important enough to point it out.

Ocie3

that can be defeated if the maid carries a laptop with her, then removes the HDD from the targeted computer and installs it in her laptop, from which she can boot from the USB stick. After Evil Maid is installed on the HDD, the maid re-installs it into the targeted computer.

ssirvin

If you can't boot into it, it won't work, from what I've read here.

rcfoulk

My first thought exactly. If they cannot boot from a USB device (presuming that had been disabled in BIOS) and BIOS access is password protected they would be SOL.

Michael Kassner

I believe so, but final say would have to be actually trying it.

Ocie3

Evil Maid is, after it is installed on the target computer, to run in the background and capture the user's input during the boot process, with the goal of obtaining the "keyword" that is used by TrueCrypt to encrypt the entire disk drive. If a hard disk drive is encrypted, then no one who steals the laptop can read any of the data that is stored on it. Evil Maid does not decrypt the data, so it is useless on a stolen laptop. Evil Maid must be used to capture the "decryption keyword" for the hard disk drive [b]before[/b] the laptop is stolen. Then the contents of the hard disk drive can be accessed, because the thief knows the keyword that he must enter during the hardware boot process.

santeewelding

We be passing laws against a rock on the ground that I can put to use braining someone, or other.

leedsfan88

Thanks for all your replies, after reading them I understand. I was under the impression that the creators created the software for purposes other than testing their own software faults. Cheers again

Deadly Ernest

asking is it legal to create such software, and if it's legal why is it legal to create software to attack and steal information. Apart from things needed by the spy people and some law enforcement people, I can't see any legal or valid reason for such software.

Deadly Ernest

daily basis, and they have to be on the road a lot too. All their data is fully encrypted and on pocket sized external hard drives. The real kinky part is their laptops, all top of the range jobs. The hard drive has an OS and it's only job is to register and video, to a concealed directory, anyone who boots the system up from the hard drive; it does have some fake data on it to make people think they got in. The daily operation is the approved users boot from DVD, use a USB stick for virtual memory, and all data is on the external USB hard drive. The DVD, external hard drive, and USB stick are never to leave their person. Now, THAT'S security in action. Since they started those security measures they've had no data leakage, and found several cases of people accessing laptops when they shouldn't.

Deadly Ernest

would need magic arms that twist a bit to get to the sticks.

Deadly Ernest

their long term aim is to lock you permanently into using MS and approved partners software and hardware only, and also stop you from communicating with people NOT locked in. Now that's a monopoly intention of great concern.

saghaulor

Well, it's a step in the right direction for criminals. Also, I'm sure there's plenty of scenarios where a laptop is left unguarded on several occasions.

Michael Kassner

As another member pointed out. Any additional step is added burden to the attacker. But, depending on how determined the attacker, how important the information is, or how much money is involved will decide the outcome.

MrRich

Unless they discharge the BIOS battery. Definitely a pain to do on a laptop (changed one last night), but this is a motivated criminal. Wants those CC and SSN numbers you shouldn't have on your laptop... Etc.

Evilroyd

I agree with the idea that if you disable the ability to boot from a USB device in the BIOS and then use a good password to the BIOS, that should stop 99% of the attempts. Now we all know that there's ways to reset the password but we're dealing with hotel maids and such who are in the business to make a few extra bucks. Most of them are not computer literate and it probably taxes their abilities to boot to a USB device and run the necessary commands. If they run into something like a BIOS password and the inability to boot to the device, my guess as an ex-cop is that they'll move on to the next potential victim instead of wasting their time. It's much like having an alarm on your home. A burglar would just as soon go next door where there is no alarm as to mess with one that has one. Just my nickel's worth...... - steve

saghaulor

I wouldn't bet on it. Once a nefarious individual has physical access to your computer, it's all over. There is no such thing as security, just a system of progressively more difficult hurdles for individuals to leap over to reach their goal. If what you have means that much to a criminal, no hurdle is tall enough. When there is a will, there is a way. http://www.go4expert.com/forums/showthread.php?t=114 http://blog.taragana.com/index.php/archive/how-to-hack-bios-password-of-laptops/

Ocie3

legal to test the software and/or hardware that you have either created yourself, or legally obtained, to determine whether it has any flaws, including security vulnerabilities. It is legal to create any software and/or hardware that you want or need to conduct such tests. There is no reason to make such research illegal, else only the criminals will know what is wrong and how to exploit it, and we will never know the vulnerabilities that we need to correct in order to stop further criminal exploitation of them. However, testing the software and/or hardware that is installed on another person's computer, without their prior knowledge and consent, [b]is[/b] ordinarily illegal. Especially when, for example, that "testing" transfers money from their bank account to someone else's, such as yours.

Ocie3

is worse than the curse.

Deadly Ernest

The biggest part over the Palladium fight was the refusal by Intel and MS to design the systems so the owners can turn them off at will and can override them at will. Now why would a nice company refuse to allow a thing like that - shades of big brother. A few years back, I even wrote a story about the possible long term effects of such a system - called A New Computing World - and available through www.lulu.com and www.dpdotcom.com if you're interested. In the mid 1990s I predicted MS would introduce on-line validation and verification for updates, everyone said I was crazy, but XP on-line validation came in, and a few years later WGA; how good the rest of my predictions go depends a lot on how people react to MS and Intel.

Ocie3

The principal foundation for Secure Computing is, as far as I know, a Microsoft Windows operating system, an identifiable CPU that has a serial number which can be read by software, and a Trusted Platform Module installed on the mainboard. I don't know whether there are multiple manufacturers of the TPM, but Intel probably makes them. Intel introduced (unique) serial numbers when they began making the Pentium CPU. Reportedly, if memory serves, it was Microsoft's idea, as a tool against software piracy. When that became known, there was a general uproar amongst the microcomputer-using public, because of the implicit threat to privacy, as well as personal safety. If the owner and/or user of a computer became known, then the Pentium serial number would become PII. Every dictatorial regime on the planet would love that, wouldn't they? (TOR be damned!) Intel responded that accessing the serial number would be "turned off by default" so that it could not be read -- unless, of course, someone knew how to "turn it on" (probably by using an executable machine instruction, thus activate it without physical access to the computer). You may recall MSK Security, who included the CPU serial number as one datum in a hash that their software creates to uniquely identify, thus authenticate, the computer that someone is using "for online banking". When I asked about that, Mr. Karimian said that they had not encountered any difficulty in obtaining the CPU serial number from anyone's computer, except from those who use an Apple Macintosh. So I suppose that AMD is serializing their CPU chips, too, and making the serial number available to software. If an Apple computer has an Intel CPU, then I would suppose that the feature remains "off". Maybe I am paranoid, but am I paranoid enough?

Deadly Ernest

The concern is the TRUSTED Computing Group, here's some wiki reading about the group and most of their long term aims:
http://en.wikipedia.org/wiki/Trusted_Computing
http://en.wikipedia.org/wiki/Next-Generation_Secure_Computing_Base
http://en.wikipedia.org/wiki/Trusted_Platform_Module

Here's some lovely quotes for you:

quote

Users unable to modify software
A user who wanted to switch to a competing program might find that it would be impossible for that new program to read old data, as the information would be "locked in" to the old program. It could also make it impossible for the user to read or modify their data except as specifically permitted by the software.

Remote attestation could cause other problems. Currently web sites can be visited using a number of web browsers, though certain websites may be formatted such that some browsers cannot decipher their code. Some browsers have found a way to get around that problem by emulating other browsers. With remote attestation a website could check the internet browser being used and refuse to display on any browser other than the specified one (like Internet Explorer), so even emulating the browser would not work.

Users unable to override
Some opponents of Trusted Computing advocate allowing owner overrides to allow the computer to use the secure I/O path to make sure the owner is physically present, to then bypass restrictions. Such an override would allow remote attestation to a user's specification, e.g., to create certificates that say Internet Explorer is running, even if a different browser is used. Instead of preventing software change, remote attestation would indicate when the software has been changed without owner's permission. Trusted Computing Group members have refused to implement owner override.[20] Proponents of trusted computing believe that Owner override defeats the trust in other computers since remote attestation can be forged by the owner. Owner override offers the security and enforcement benefits to a machine owner, but does not allow him to trust other computers, because their owners could waive rules or restrictions on their own computers. Under this scenario, once data is sent to someone else's computer, whether it be a diary, a DRM music file, or a joint project, that other person controls what security, if any, their computer will enforce on their copy of those data. This has the potential to undermine the applications of trusted computing to enforce Digital Rights Management, control cheating in online games and attest to remote computations for grid computing.

Loss of anonymity
Because a Trusted Computing equipped computer is able to uniquely attest to its own identity, it will be possible for vendors and others who possess the ability to use the attestation feature to zero in on the identity of the user of TC-enabled software with a high degree of certainty. Such a capability is contingent on the reasonable chance that the user at some time provides user-identifying information, whether voluntarily or indirectly. One common way that information can be obtained and linked is when a user registers a computer just after purchase. Another common way is when a user provides identifying information to the website of an affiliate of the vendor. While proponents of TC point out that online purchases and credit transactions could potentially be more secure as a result of the remote attestation capability, this may cause the computer user to lose expectations of anonymity when using the Internet. Critics point out that this could have a chilling effect on political free speech, the ability of journalists to use anonymous sources, whistle blowing, political blogging and other areas where the public needs protection from retaliation through anonymity. The TPM specification offers features and suggested implementations that are meant to address the anonymity requirement. By using a third-party Privacy Certification Authority (PCA), the information that identifies the computer could be held by a trusted third party. Additionally, the use of direct anonymous attestation (DAA), introduced in TPM v1.2, allows a client to perform attestation while not revealing any personally identifiable or machine information.

Interoperability
Trusted Computing requests that all software and hardware vendors will follow the technical specifications released by the Trusted Computing Group in order to allow interoperability between different trusted software stacks. However, even now there are interoperability problems between the TrouSerS trusted software stack (released as open source software by IBM) and Hewlett-Packard's stack.[22] Another problem is the fact that the technical specifications are still changing, so it is unclear which is the standard implementation of the trusted stack.

Shutting out of competing products
People have voiced concerns that trusted computing could be used to keep or discourage users from running software created by companies outside of a small industry group. Microsoft has received a great deal of bad press surrounding their Palladium software architecture, evoking comments such as "Few pieces of vaporware have evoked a higher level of fear and uncertainty than Microsoft's Palladium", "Palladium is a plot to take over cyberspace", and "Palladium will keep us from running any software not personally approved by Bill Gates".[23] The concerns about trusted computing being used to shut out competition exist within a broader framework of consumers being concerned about using bundling of products to obscure prices of products and to engage in anti-competitive practices.[2] Trusted computing is seen as harmful or problematic to small and open source software developers.[24]

Trust
In order to trust anything that is authenticated by or encrypted by a TPM or a Trusted computer one has to trust the company that made that chip, the company that designed the chip, those companies allowed to make software for the chip, and the ability and interest of those companies to not compromise the process. It is also critical that one be able to trust that the hardware manufacturers and software developers properly implement trusted computing standards. Incorrect implementation could be hidden from users, and thus could undermine the integrity of the whole system without users being aware of the flaw.[25]

end quotes

Now do you get the picture of where they're headed. This type of set up has been raised by MS and Intel a few times, and the IT community has shot it down each time, to date. But they keep adding aspects of it to the mix - on-line verification, WGA, Bitlocker etc. As I said elsewhere, in the past the public knock back of this concept has usually been followed, shortly thereafter, by a large increase of virus attacks and trojans. And a little later the general public aren't as unaccepting of the idea as they had been.

Deadly Ernest

history you know. When they get to where they want to go, you have no choice about the software you buy if you wish to continue in the SC environment or communicate with people in the SC environment. The SCG movement has been around for nearly fifteen years now, led by MS and Intel, with a few more joining as time goes on. Over the years they've changed the name of the group a few times and changed the publicly available advertising material, but have NEVER repudiated the initial stated aims.

1. A Secured Computer user will use only SCG approved software and hardware.
2. The hardware will have TPM and the software the matching code.
3. Each system will create a unique ID code based on an algorithm of the TPM, CPU, and the OS serial numbers. All this data will be recorded at the SCG central database.
4. All communications from the SCG system will include the ID code.
5. All messages received will have the ID code checked against the SCG database, unless it's already on the local list of common contacts.
6. Messages without a valid SCG ID code will be ignored as spam.
7. All systems and software will be centrally registered and updated from the SCG central database, to ensure legality. If any doubt about legality, that application will be closed down until the central database is amended to show legality.
8. A SCG system will not allow the installation of new software that is not registered as approved software on the SCG central database. The system will not activate the software until the central database shows the copy as being a registered legal copy, which may happen as part of the installation process.
9. All software to be activated, within days of being installed, via the central database.

Once they get the full SCG environment in, you WILL be fully locked into MS, and approved partners, for all software and hardware purchase and only able to communicate with other persons so locked in. Now do you understand why I don't like the SCG and TPM path?

The interesting point is in the past they got howled down by the general community. Their main claim to go this way is to lock out the distribution of virus attacks, trojans, and spam, as all messages can be easily traced back to source. An interesting side point is each time, in the past, when the full proposal got the chop by the general IT community, the number of virus and trojan attacks increased sharply soon afterwards. Also, the SCG agenda is sliding in the back door, a bit at a time:
  • On-line activation;
  • Check of registration prior to updates - WGA;
  • System information feedback to MS without owner knowledge;
  • TPM chips in systems without clear advice on their inclusion to users, and non-TPM CPUs harder to get;
  • Use of the TPM for security improvements - Bitlocker anyone?

Still think I'm being paranoid, Michael?

Michael Kassner

I am confused. You did not have to buy a MS product, right?

Deadly Ernest

locked in - that's why. If MS want to control the computer I use, then they can pay for it, not take the money out of my pocket and then tell me how to use it, what applications I can use, and who I can communicate with - and that's where the Secured Computing Group is aimed, and TPM is one of their current front line tools in the movement there.

santeewelding

Unless you have become of mighty importance and filthy rich while I wasn't looking.

Deadly Ernest

USB drives locked down as a security measure to limit the copying of data. Some people are in a Lose - Lose situation on this one.

saghaulor

+1 What the scenario may be is wholly irrelevant. How the technology works, and what are the methods of prevention are what is important.

jyoung

We can instruct them on how to do it, but, we can't live their life for them. If they still lose it, it's time to fire them and find their replacement.

Neon Samurai

The USB also goes in the computer bag beside the business card and pens. Wouldn't want to lose that little USB, and beside the computer makes most sense to non-security folk.

Neon Samurai

Today, injecting a preboot sniffer may only be viable for a targeted high value attack. It will get easier and more effective eventually bringing it into the viable range of lower criminals. The only question is which encryption providers will respond with a solution.
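The comment above leaves open what an encryption provider's (or a careful user's) response to a pre-boot sniffer could look like. One defensive measure is to baseline the unencrypted pre-boot region of the disk (the MBR and the loader sectors that follow it) on a known-good machine, keep that baseline off the device, and re-check it before entering the passphrase. The script below is an added example and is not code from the article or from Invisible Things Lab; the 64-sector size of the pre-boot region and the sample disk image are constructed assumptions.

```python
"""Baseline-and-verify check for the pre-boot region of a disk.

Added example, not code from the article or from Invisible Things Lab.
The pre-boot region (MBR plus the sectors where a stage-1 loader lives)
is hashed once on a known-good system; a later re-hash that differs means
the unencrypted loader was changed.
"""
import hashlib
import json
import struct

SECTOR = 512
# Assumption: 64 sectors (32 KiB) covers the loader on the disks you care
# about; adjust to the real footprint of your boot loader.
PREBOOT_SECTORS = 64
MBR_SIGNATURE = 0xAA55  # little-endian read of the bytes 55 AA at offset 510


def parse_mbr(mbr: bytes) -> dict:
    """Extract the boot signature and partition table from a classic MBR."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    signature = struct.unpack_from("<H", mbr, 510)[0]
    partitions = []
    for i in range(4):
        # Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba_start, n_sectors = struct.unpack_from(
            "<B3xB3xII", mbr, 446 + 16 * i)
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": n_sectors})
    return {"signature_ok": signature == MBR_SIGNATURE, "partitions": partitions}


def preboot_hash(image: bytes) -> str:
    """SHA-256 over the MBR and the loader sectors that follow it."""
    return hashlib.sha256(image[:PREBOOT_SECTORS * SECTOR]).hexdigest()


def make_baseline(image: bytes) -> dict:
    """Record what a known-good pre-boot region looks like (store it off-device)."""
    return {"preboot_sectors": PREBOOT_SECTORS,
            "sha256": preboot_hash(image),
            "mbr": parse_mbr(image[:SECTOR])}


def verify(image: bytes, baseline: dict) -> list:
    """Return a list of findings; an empty list means nothing changed."""
    findings = []
    mbr = parse_mbr(image[:SECTOR])
    if not mbr["signature_ok"]:
        findings.append("MBR boot signature missing")
    if mbr["partitions"] != baseline["mbr"]["partitions"]:
        findings.append("partition table differs from baseline")
    if preboot_hash(image) != baseline["sha256"]:
        findings.append("pre-boot code hash differs from baseline")
    return findings


def read_preboot(path: str) -> bytes:
    """Read only the pre-boot region from a raw disk device or an image file."""
    with open(path, "rb") as f:
        return f.read(PREBOOT_SECTORS * SECTOR)


def constructed_image(tampered: bool = False) -> bytes:
    """Constructed sample image (not a real loader): deterministic filler
    boot code, one partition entry, and a valid 55 AA signature."""
    image = bytearray((i * 7 + 3) & 0xFF for i in range(PREBOOT_SECTORS * SECTOR))
    # One bootable partition of type 0x07 starting at LBA 2048, 1,000,000 sectors.
    struct.pack_into("<B3xB3xII", image, 446, 0x80, 0x07, 2048, 1_000_000)
    for i in range(1, 4):  # remaining three entries are empty
        image[446 + 16 * i: 446 + 16 * (i + 1)] = bytes(16)
    struct.pack_into("<H", image, 510, MBR_SIGNATURE)
    if tampered:
        # Simulate a modified stage-1 loader: a few bytes in sector 1 change.
        image[SECTOR + 16: SECTOR + 24] = b"\xeb\xfe" * 4
    return bytes(image)


if __name__ == "__main__":
    baseline = make_baseline(constructed_image())
    print(json.dumps(baseline, indent=2))
    print("clean:", verify(constructed_image(), baseline))
    print("tampered:", verify(constructed_image(tampered=True), baseline))
```

In practice the baseline JSON and this script would live on a medium you keep with you, and the check would be run by booting from that medium rather than from the disk under test, since a modified loader could otherwise tamper with the check itself.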

jyoung

That's why we educate them. Set them up with the necessary equipment and instruct them on procedure. Create policies and enforce them. There should be no excuse. We had the stolen laptop scenario come to life at my last job. A top level exec "didn't think" he still had the sensitive HR info on his laptop and it disappeared one day. Thousands of employee records were on that laptop. Now they equip and educate their people. The thumb drives and laptops are encrypted. The department I worked in was already doing this because of what happened to a US Gov employee. IMHO, employees should be held responsible for the data they may be carrying. Policies are created and should be strictly enforced. If the data is compromised because they are inept and/or negligent, they should face automatic termination. I realize a top exec may be exempt, although, there should be some form of punishment.

RipVan

...and what data is on your laptop. That determines how bad someone wants it, and to what extremes they will go. Forget trying to invent HOW it will be done when you don't need to steal the data. When someone has the need to steal it, THAT is when the scenario will arise. And whatever does happen, it may even seem more implausible than the "maid" scenario. But people will slap themselves on the head (and let out an annoyed grunt) and say "...of course!!! Why didn't anyone conceive that possibility...")

Ocie3

Joanna Rutkowska suggested. (As you wrote: "Furthermore, who's to say that I can't remove the drive and infect it from another machine, bypassing the BIOS password; if that is indeed possible.")

Ocie3

"BIOS password" when you wrote: Quote: "As for the boot password, google "Lost CMOS Password" and you will find a plethora of quick methods for entry. Boot passwords are a placebo." They are reasonably effective at discouraging casual exploration by idle minds.

Michael Kassner

How many top execs or .gov workers do you think are as skilled as you about this? Yet, they carry notebooks containing precious data all over the place.

Michael Kassner

I think about the dumb mistakes high-ranking officials make with regards to securing your and my personal information. Hence, my personal crusade to inform and remove excuses.

Michael Kassner

Yet, information is power. Did you know that full-disk encryption could be defeated? I didn't and I wanted to pass along that it was indeed possible.

jyoung

Keep the important files on an encrypted USB stick of your own and keep it with you always. They can futz around with or steal the laptop all they wish. If the files they're after aren't stored on the laptop, they have no prize. Be sure to clear any temp files before finishing.

saghaulor

Mr. Kassner, obviously you think in a more plausible manner than I do. Haha. Of course, why wouldn't the hacker pay the maid? Simple enough. But the rest of my thought experiment still applies. It's not far-fetched to think of profit-seeking black hat hackers casing hotels, or gyms, or what have you, to find patrons that frequent them who are likely to have information that is valuable.

rcfoulk

is to be quick and get away. First, this level of effort frankly is ridiculous unless there is some serious targeting of the intended laptop with likely specific hopes for the nature of the information to be obtained. This is a bit over the top for day-to-day identity theft. If such an infection could be accomplished quickly, plausibility goes up. If one needed to resolve other issues like cracking a BIOS password, then exposure risk increases, which means that someone is more likely to move to another target. Most machines have a hardware reset for the BIOS PW too, but I doubt if someone would want to whip out a screwdriver and have at that approach. There are ways around virtually any inhibiting effort. The goal is to make it sufficiently difficult that most won't bother. So to that extent the simple approach of using a BIOS password makes good sense.

Michael Kassner

I guess I look at this attack as one that would be in the arsenal of business or .gov espionage. Those have targeted victims, and Evil Maid is a possibility.

Michael Kassner

An attacker paid the maid to open the door and that was all?

saghaulor

While I am prone to agree with you, think outside the box a little further. Say for instance that I am a highly qualified hacker out to make some easy money. Now, I stumble upon something like Evil Maid. It would seem to me that now I should be trying to get a job as a maid in upscale hotels where big money clients are likely to patronize. Now, it seems that a BIOS password is rather innocuous, when considering I can decrypt your hard drive. Furthermore, who's to say that I can't remove the drive and infect it from another machine, bypassing the BIOS password; if that is indeed possible.

Evilroyd

Ya, I guess I can see a competent computer person trailing around behind a hotel worker waiting to access a laptop left in a room.... NOT. Secondly, although there are tons of programs out there designed to gather CMOS password information, every one that I looked at needed to have access to the OS in order to run. So that would be easily averted if there was a password on it to begin with. Now, there are a lot of very smart people who have responded to this article and there are just as many ways to subvert almost any suggestion that is given. Again, I will go back to my analogy of whether a home has an alarm system or not. The burglar will not waste time on an alarmed home, unless there are very unusual circumstances, when there is a non-alarmed home nearby. But, if someone is that worried about their laptop then they need to carry it with them at all times. But, there's even a scenario for that situation. What about someone coming up and mugging you for your wallet AND laptop? I guess in that case you'd better be carrying some form of a defense weapon or at least have a bodyguard present. The bottom line is this: how important is my stuff and how much pain am I willing to endure to protect it? Personally, I think we all ought to be carrying a suppressed full-automatic MP5 with a couple of spare 30-round magazines....:) - steve

mathew.gauvin

"...we're dealing with hotel maids and such who are in the business to make a few extra bucks..." I think the 'Evil Maid' is a misnomer of sorts. It describes only one scenario. It would take nothing for a competent person to bribe a maid. Another scenario is a co-worker, family member or 'friend' who may gain physical access multiple times without raising any alarms. As for the boot password, google "Lost CMOS Password" and you will find a plethora of quick methods for entry. Boot passwords are a placebo.

saghaulor

I might add that I enjoy reading your articles.

Michael Kassner

Your statement: "Just a system of progressively more difficult hurdles for individuals to leap over to reach their goal." Well said.
