Sunday, December 9, 2012

Whole Disk Encryption

In computer security, data breaches are unfortunate and, unfortunately, not all that uncommon. In October of this year the South Carolina Department of Revenue announced it was the victim of a data breach. The breach was large both in the number of people affected and in its breadth: it exposed the Social Security numbers, credit cards, and bank account information of 3.8 million South Carolina residents. Additionally, the cyber criminals gained access to 44 servers and installed 33 pieces of malicious software and utilities. As bad as that news is, it gets worse: internal monitoring and audits did not alert the South Carolina Department of Revenue to its own data breach. It was not until law enforcement agencies brought 3 cases of identity theft to the department that it became aware that something might not be right.

One interesting thing that came out of the data breach is that the South Carolina Department of Revenue was in compliance with IRS rules for storing Social Security numbers. But compliance is not the same thing as security. While encryption is one of the main defensive steps used to provide security, it may not be enough. This is especially true if we use encryption without compliance, or use it without additional monitoring or auditing.

Many companies are moving to whole disk encryption for laptops in the hope of preventing a data breach if the laptop is stolen or lost. The South Carolina Department of Revenue data breach was not caused by a stolen or lost laptop, but other data breaches, such as the one at the Department of Veterans, were caused by a stolen laptop. The key point here is that encryption alone is not security; it will always be about defense in depth, which includes encryption, auditing, active monitoring, risk assessments, compliance, procedures, etc., and just being open-minded to the “what if”.

Let's take a closer look at whole disk encryption and its risks. The first risk is one that is always present when using encryption: key management. When using whole disk encryption such as PGP Whole Disk Encryption, the key is on the machine it is protecting, and it needs to be available at all times for disk access. No problem: we can store the key in memory. To compromise the key you need access to the machine and knowledge of where the key is in memory. The second case is a computer stolen or lost from a parked car, airport, or hotel room. The computer is off, so memory is no longer an issue. Or is it?

Princeton University's Center for Information Technology Policy released a paper showing how whole disk encryption can be cracked quickly and easily.

The Princeton group's attack on whole disk encryption relies on the fact that computer memory (DRAM) is not wiped when the system is powered off. Instead, it becomes unreliable, decaying over a period of time. The attack is as follows: get access to a laptop that is currently operating (so that the whole disk encryption key is in memory), spray the RAM with an inverted compressed air can to cool it to -50 degrees Celsius, and power the system off. Cooling the memory slows its decay. Next, take a snapshot of the target computer's memory. This snapshot can then be inspected to locate prospective cryptographic keys and try them on the target drive. Some knowledge of the particular whole disk encryption product being used is needed to find the exact spot in memory where the key is, and some error-correction techniques must be used in case a bit or two has been flipped due to memory decay, but it reduces the problem from cryptographically impossible to something that can be cracked in a few minutes or, at worst, hours. So is this the end of whole disk encryption? The answer to that question is no. But we do need to look at our procedures.

  • Do not use sleep/suspend-to-RAM when the computer is not actually in your hands: either power off or use hibernate mode. Best is to power off several minutes before any situation in which the computer's physical security could be compromised. In a sleep or suspend-to-RAM scenario, the whole disk encryption key is still maintained in memory and can be recovered.

  • If you have a few truly critical files, use file encryption (such as the Windows Encrypting File System (EFS) or PGP's file encryption) on those files with a different password than the one used for the whole disk encryption. Better yet, keep critical information off mobile devices.

  • If a laptop is lost or stolen, do a risk assessment/audit of what was on that computer and increase monitoring on the vulnerable data/systems that may be at risk.

  • Educate laptop users about the above risk. Whole disk encryption is a good solution, but it can be enhanced by the above steps.
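
As an added example (not from the original post, and not a script supplied by PGP or Microsoft), the PowerShell session below applies the first bullet on a Windows laptop: it makes lid close, the power button and the idle timer hibernate the machine instead of putting it to sleep, so the disk key is not left resident in DRAM while the laptop is out of your hands. It assumes the built-in powercfg utility and its setting aliases (SUB_BUTTONS, LIDACTION, PBUTTONACTION, SUB_SLEEP, STANDBYIDLE, HIBERNATEIDLE) as they exist on Windows 7 and later; confirm them with `powercfg /aliases` on your build, and run it from an elevated prompt.

```powershell
# Added example, not from the original post: force hibernate instead of
# suspend-to-RAM so the whole disk encryption key is not kept in DRAM
# while the laptop is closed or idle. Assumes powercfg and the aliases
# below exist on this Windows build (verify with: powercfg /aliases).

# 1. Enable hibernation. The hibernation file lives on the system volume,
#    which whole disk encryption already covers.
powercfg /hibernate on

# 2. Lid close and power button: index 2 = hibernate
#    (0 = do nothing, 1 = sleep, 3 = shut down). Set both AC and battery.
foreach ($button in 'LIDACTION', 'PBUTTONACTION') {
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS $button 2
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS $button 2
}

# 3. Idle timers (values in seconds): never enter standby on a timer,
#    hibernate after 15 minutes of inactivity instead.
powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0
powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0
powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE 900
powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE 900

# 4. Activate the modified scheme.
powercfg /setactive SCHEME_CURRENT

# 5. Verify: the sleep states the hardware offers, and the values just set.
powercfg /a
powercfg /query SCHEME_CURRENT SUB_BUTTONS
powercfg /query SCHEME_CURRENT SUB_SLEEP
```

The final `powercfg /a` listing is the check worth keeping in a build checklist: if Hibernate is shown as unavailable (for example because the hibernation file was disabled to save disk space), the lid and button settings above silently fall back to whatever the firmware does, and the laptop may still suspend to RAM with the key resident. Hibernation only removes the key from DRAM; it still places the memory image on disk, which is acceptable here precisely because the system volume is whole disk encrypted.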


Sunday, November 11, 2012

“A man’s home is his castle”

“A man’s home is his castle”. This aphorism invokes many emotions tied to our notions of privacy. Our courts have reached a different decision when we travel from the physical world to our digital world. Daniel Reed, in “Information Privacy: Changing Norms and Expectations”, offers three ideas about the future of personal online information management.

The first two could be binary access specifications embedded into the content. The content would be encrypted so that only users who know the public encryption key of the content owner and use a viewer that has the binary access specifications built into it would be able to view the content. The two binary access specifications are:

1. Bounded lifetime. An end-of-life attribute that can be embedded into media content that I upload to the Internet. I might want any pictures of me from college or high school to reach their end of life once my college life is over.

2. Transitivity of access. An attribute that controls how far my content can travel. It allows me to say that this content can be shared within my group of friends, but my friends cannot share it outside the group I tied to this content.

The usability of user interfaces for privacy and security deserves far more attention than it is getting. This is not a vendor problem; it belongs to content owners, individuals who view others' content, and system providers. Privacy specifications must be made far simpler and more intuitive. Content owners who post content to the Internet must understand their roles in privacy for themselves and others. Individuals who use or transmit the content of others must understand the implications of their actions. Vendors or system providers must provide tools to control the ownership and privacy of our content.

 Is anyone listening at Facebook, Yahoo, or Google???

ACM Blog Information-privacy-changing-norms-and-expectations/fulltext 

Monday, October 15, 2012

Tulsa TechFest/SQL Injection

This year's Tulsa TechFest was a great success, with over 700 attendees.

The security track had over 30 attendees per session. This made the security track one of the most successful tracks for the entire conference.

Great content on web security and digital forensics!! Great job speakers!!! Thank you!!!

I will be posting the speakers' content in the next few days. The first is Ted Ward's SQL Injection presentation.

Monday, October 1, 2012

Tulsa TechFest

When: Friday, October 12th, 2012
Where: OSU-Tulsa, 700 North Greenwood Ave, Tulsa, OK 74106

9:00AM Topic: Digital Forensics: Advanced Threats and Changing Technologies
Recent years have brought about marked changes in the field of digital forensics, forcing the practitioner to respond and adapt accordingly. Frequently, investigations will involve multiple agencies and cross domains, coloring the way an investigation is conducted. New storage technologies require special handling to preserve evidence. Evolving malware threats are forcing practitioners to examine unusual devices for evidence.
Speaker: Doug Gorden
Bio: Doug Gorden is an Information Security Analyst and a lead forensic specialist for ONEOK. He is also the owner/operator of Secure Investigative Services, a provider of digital forensic services.

10:30AM Topic: SQL Injection: tools to help detect and prevent it.
Speaker: Ted Ward
Bio: “Aviation antisubmarine warfare electronics technician” in the US Navy from 1987-1990.
BS Computer Science, Oklahoma State University, Fall 1992.
Software developer at various companies from 1993-2002. PhD candidate at Oklahoma State University, expected graduation Fall 2013, and author of the open source applications AstroGrep and OSUQuiz.

1:00PM Topic: Web vulnerabilities and session hacks.
Speaker: David Crandell
Bio: Professor at Oklahoma State University Institute of Technology

2:30PM Topic: Demonstration of Digital Forensics
Speaker: Avansic
Bio: Avansic is a leading provider of e-discovery and digital forensics services to attorneys, litigation support teams, and business communities across the nation. We take a scientific approach to providing e-discovery, digital forensics, data preservation, online review, and expert consulting service. Avansic has its roots in academia; we were founded in 2004 by computer science professor Dr. Gavin W. Manes. Since then, we have created a reputation as a trustworthy, reliable and responsive specialist in e-discovery and forensics fields.

Sunday, September 16, 2012

2012 (ISC)2 Security Congress/ASIS

I just got back from Philadelphia, PA, where I gave my poster session about creating a foundation for secure coding.

Here is my abstract and introduction...

Teaching secure coding in the Enterprise requires more than giving lectures to programmers about SQL injection, XSS and string vulnerabilities. It requires a new foundation and culture to be put in place for the IT Enterprise. This paper describes what foundation and culture changes need to take place before teaching secure coding.

Despite technological advancements, software vulnerabilities have continued to grow at an alarming rate, with the cost of data breaches becoming more significant to all stakeholders, regardless of whether they are public or private, large or small. Because of the increased cost this situation has placed on the enterprise, security has moved from firewalls, IPS, IDS, et al., to include enterprise programmers creating more secure code. There are many sources, both online and in print, that have coding guidelines, best practices, suggestions and tips for secure coding; however, as good as this information is, it is worthless if secure coding practices are not integrated into the framework of the enterprise. Not integrating these practices into the framework of the enterprise could result in the loss of data, compromise of the system, loss of productivity, and financial loss.

The purpose of this paper is not to present another secure coding guideline for developers or another methodology such as the Microsoft Trustworthy Computing SDLC or ALM, but rather to show how a layered approach is necessary so that the complete infrastructure is firmly in place before the enterprise moves to secure coding. Part of this layered approach will be emphasizing the need for creating a culture that places emphasis on secure coding in the first place. I am well aware that what I am proposing is not new; it has been suggested many times before. However, what is being taught today in the field of secure coding does not include the attendant infrastructure that an engineer would encounter in the real world; in short, secure coding is being taught in a vacuum, devoid of the complexities of the environment in which it will operate. My objective for this paper is to bring the teaching of secure coding and the practice of creating secure code out of the classroom and show how to integrate it into the software development lifecycle (SDLC) of the enterprise. Software development is no longer an individual task; it is now a very large and complex process involving several teams and team members. Understanding these basic principles and applying them to the best practices of secure coding is the aim of my paper.

Download entire paper at