EvilMaid versus Full Disk Encryption (TrueCrypt and PGP)

The Evil Maid Attack is an attack against whole-system disk encryption, packaged as a small bootable USB stick image that lets the attack be carried out in an easy “plug-and-play” way. The whole infection process takes about 1 minute, and it’s well suited to be carried out by hotel maids.

The Invisible Things blog goes into great detail on how most whole disk encryption is vulnerable in a relatively simple way. The scenario we consider is when somebody leaves an encrypted laptop e.g. in a hotel room. Let’s assume the laptop uses full disk encryption such as that provided by TrueCrypt or PGP Whole Disk Encryption. Many people believe, including some well known security experts, that it is advisable to fully power down your laptop when you use full disk encryption in order to prevent attacks via FireWire/PCMCIA or “Coldboot” attacks. So, let’s assume we have a reasonably paranoid user who uses full disk encryption on his or her laptop and also powers it down every time they leave it alone in a hotel room, or somewhere else.

Now, this is where our Evil Maid stick comes into play. All the attacker needs to do is to sneak into the user’s hotel room and boot the laptop from the Evil Maid USB stick. After some 1-2 minutes, the target laptop gets infected with the Evil Maid Sniffer, which will record the disk encryption passphrase the next time the user enters it. As any smart user might have guessed already, this part is ideally suited to be performed by hotel maids, or people pretending to be them.

So, after our victim gets back to the hotel room and powers up his or her laptop, the passphrase will be recorded and e.g. stored somewhere on the disk, or maybe transmitted over the network (not implemented in the current version).

Now we can safely steal/confiscate the user’s laptop, as we know how to decrypt it. End of story.
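The scenario above rests on one fact a defender can act on: the pre-boot authentication code sits on the disk unencrypted, so anything that modifies it before the passphrase is entered is detectable if the machine’s boot region was baselined while it was known-good. The Python below is an added example, not code from the Invisible Things post or from TrueCrypt/PGP: it hashes the first track of a raw disk image and compares it with a recorded baseline. The 63-sector region size, the constructed sample image and every function name are assumptions of this example.

```python
from __future__ import annotations

import hashlib
import hmac
import random

SECTOR = 512
# Assumption for this example: treat the first track (63 sectors) as the boot
# region. It holds the MBR and the sectors a pre-boot authentication loader is
# typically installed in; adjust to the layout of the machine being baselined.
BOOT_REGION_SECTORS = 63
BOOT_REGION_BYTES = SECTOR * BOOT_REGION_SECTORS


def boot_region_digest(disk: bytes, length: int = BOOT_REGION_BYTES) -> str:
    """SHA-256 over the first `length` bytes of a raw disk image or device."""
    return hashlib.sha256(bytes(disk[:length])).hexdigest()


def check_boot_region(disk: bytes, baseline_hex: str) -> tuple[bool, str]:
    """Compare the current boot-region digest with a baseline recorded while the
    machine was known-good. Returns (matches, current_digest)."""
    current = boot_region_digest(disk)
    return hmac.compare_digest(current, baseline_hex), current


def read_boot_region(device_path: str) -> bytes:
    """Read the boot region from a raw block device such as /dev/sda.
    Needs root, and is meant to be run from a trusted boot medium rather than
    from the operating system whose boot chain is being checked."""
    with open(device_path, "rb") as dev:
        return dev.read(BOOT_REGION_BYTES)


def make_sample_disk(seed: int = 7) -> bytearray:
    """Constructed stand-in for a raw disk: a fake loader marker in the first
    track, followed by pseudo-random bytes standing in for the encrypted volume."""
    rng = random.Random(seed)
    disk = bytearray(rng.getrandbits(8) for _ in range(BOOT_REGION_BYTES + 4096))
    disk[0:16] = b"FAKE-BOOTLOADER!"   # constructed marker, not real loader code
    disk[510:512] = b"\x55\xaa"        # MBR boot signature
    return disk


def demo() -> dict[str, bool]:
    """Baseline a clean image, then check two modified copies against it."""
    clean = make_sample_disk()
    baseline = boot_region_digest(clean)

    tampered_boot = bytearray(clean)
    tampered_boot[1024] ^= 0xFF                    # one flipped byte in the loader area

    changed_data = bytearray(clean)
    changed_data[BOOT_REGION_BYTES + 100] ^= 0xFF  # ordinary churn inside the encrypted volume

    return {
        "clean": check_boot_region(clean, baseline)[0],               # True
        "bootloader_tampered": check_boot_region(tampered_boot, baseline)[0],  # False
        "data_area_changed": check_boot_region(changed_data, baseline)[0],     # True
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'boot region intact' if ok else 'BOOT REGION MODIFIED'}")
```

Writes inside the encrypted volume never touch the first track, so the baseline stays stable across normal use and only a change to the loader trips the check. The check is only as trustworthy as where it runs from: a verifier stored on the same disk can be modified along with the loader, so the baseline and the tool belong on a separate trusted medium that the user boots from before typing the passphrase.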


Google Chrome OS screenshots leaked

Supposedly, a Google representative demonstrated a private beta build of the OS to an anonymous Acer parts supplier yesterday. The pictures were grabbed while the Google rep wasn’t looking. Here are the highlights:

  • The “elegant” install on the Acer Extensa 4620Z laptop took about 10 minutes and 1 restart
  • Reboots desktop-to-desktop in about 25 seconds
  • It was “amazingly fast” in its stripped-down beta form
  • The blue orb on the auto-hiding “Chrome Bar” along the bottom of the UI is essentially the start menu
  • Navigating the file system can be done in “exploration” (like Windows explorer) or “browser” (search based) modes
  • The Chrome Bar can also host a search bar if configured
  • Future Chrome OS netbooks will feature an iconified Chrome key on the keyboard similar to the Windows flag key

Source: http://chromeosleak.wordpress.com/


Google Officially Releasing an OS – Google Chrome Operating System

Rumors spread yesterday about how Google was going to make a “Chrome Operating System”. Of course there have been rumors of a Google OS for years now. In early 2006, Ars reported on Google’s denial that it was prepping an OS distribution of its own based on Ubuntu. More recently, the (relative) ease of porting Android to netbooks led to plenty of speculation that Google’s full computer OS, when it appeared, would be based on Android. It turns out that’s not the case… it’s NOT going to be Android (though Google won’t preclude third-party adopters from using Android).

Last night at 9:00pm Google’s official blog raised the flag indicating Google was getting into the OS race. So what is the OS? It’s being called Google Chrome OS; the operating system will center on Google Chrome and be targeted (initially) at netbooks. It will run on both x86 and ARM chips, and Google says it is working with multiple OEMs to bring a number of netbooks to market next year. While speculation was wild a few days ago about a Chrome OS, what wasn’t understood was how Chrome, a browser, could BE an OS. A browser isn’t actually an operating system: what about hardware drivers, memory and processor management, and other red herrings? It turns out Google is cranking out a new windowing system on top of a Linux kernel – welp, that solves issues about drivers and such.

So what’s the intention here? Google intends that the web is the platform. All web-based applications will automatically work and new applications can be written using existing web technologies. And of course, these apps will run not only on Google Chrome OS, but on any standards-based browser on Windows, Mac and Linux thereby giving developers the largest user base of any platform. If you do a lot in the cloud now then as TechCrunch put it “Don’t worry about those desktop apps you think you need. Office? Meh. You’ve got Zoho and Google Apps. You won’t miss office. Chrome plus Gears plus Google Wave plus HTML 5 and web platforms like Flash and Silverlight all combine into a single wonderful computing device. The Internet Is Everything. All the OS has to do is boot the damn computer, get me to a browser as fast as possible and then stay the hell out of the way.”

The timing of this couldn’t be any more bittersweet for Microsoft. Windows 7 RTM lands next week with the full release in October. I have to wonder if Google was trying to take a bit of wind out of Microsoft’s sails, since one of the things touted was how well Windows 7 runs on netbooks. Google Chrome OS will only become available to consumers in the second half of 2010 – not that far behind the release of Windows 7.

Does this spell the end of Microsoft Windows? I’d say don’t count them out yet. Chrome OS will be new and will essentially require cloud computing. Sure, for most things I could get by on that, and as the web gets faster, HTML 5 hits, etc., we will be able to do more and more in the cloud. In addition, Microsoft has been developing “Gazelle” as an alternative to Internet Explorer. The browser acts like a self-contained operating system (sounds like Chrome OS) and is designed to address the fact that browsers like IE and Chrome were not built by design to handle multiple processes and web applications in a secure manner. The browser relies on a “browser kernel” (5,000 lines of C# code) that helps enforce security rules to prevent malicious access to the PC’s underlying operating system. Gazelle was built by the Microsoft Research team, and company officials have recently been dropping hints that they are ready to talk more about it – perhaps at the Worldwide Developers Conference.

Google’s official blog post on Google Chrome OS


L0phtCrack: Windows password cracker is back!

The legendary L0phtCrack password cracker is returning in the form of a new version 6. L0phtCrack disappeared from the market after @stake, a company formed by L0pht Heavy Industries and others, was taken over by Symantec. At the beginning of this year the original L0phtCrack team bought back the software rights from Symantec and have now upgraded the tool.

L0phtCrack 6 is packed with powerful features such as scheduling, hash extraction from 64-bit Windows versions, multiprocessor algorithms, and network monitoring and decoding. Yet it is still the easiest to use password auditing and recovery software available. Available in L0phtCrack 6 is:

Password Scoring
L0phtCrack 6 provides a scoring metric to quickly assess password quality. Passwords are measured against current industry best practices, and are rated as Strong, Medium, Weak, or Fail.

Pre-computed Dictionary Support
Pre-computed password files are a must-have feature in password auditing. L0phtCrack 6 supports pre-computed password hashes. Password audits now take minutes instead of hours or days.

Windows & Unix Password Support
L0phtCrack 6 imports and cracks Unix password files. Perform network audits from a single interface.

Remote password retrieval
L0phtCrack 6 has a built-in ability to import passwords from remote Windows machines (including 64-bit versions of Vista and Windows 7) and Unix machines, without requiring a third-party utility.

Scheduled Scans
System administrators can schedule routine audits with L0phtCrack 6. Audits can be performed daily, weekly, monthly, or just once, depending on the organization’s auditing requirements.

Remediation
L0phtCrack 6 offers remediation assistance to system administrators on how to take action against accounts that have poor passwords. Accounts can be disabled, or the passwords can be set to expire from within the L0phtCrack 6 interface. Remediation works for Windows user accounts only.

Updated Vista/Windows 7 Style UI
The user interface is improved and updated. More information is available about each user account, including password age, lock-out status, and whether the account is disabled, expired, or never expires. Information on L0phtCrack 6’s current session is provided in an “immediate window” with a reporting tab providing up-to-the-minute status of the current auditing session.

Executive Level Reporting
L0phtCrack 6 has real-time reporting that is displayed in a separate, tabbed interface. Auditing results are displayed based on auditing method, risk severity, and password character sets.

Password Risk Status
Displays risk status in four different categories: Empty, High Risk, Medium Risk, and Low Risk.

Password Audit Method
Displays the completion of all four methods L0phtCrack 6 uses: Dictionary, Hybrid, Precomputed, and Brute Force.

Password Character Sets
Reports the completion of the various character sets being audited, including Alpha, Alphanumeric, Alphanumeric/Symbol, and Alphanumeric/Symbol/International.

Password Length Distribution
Reports the overall length of the discovered password by account.

Summary Report
Password Statistics: accounts that are Locked, Disabled, Expired, or whose password is older than 180 days.
Audit Summary: the number of accounts cracked and the number of domains audited.
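The Password Scoring, Password Character Sets and Summary Report items above describe the output of an audit without saying how a password ends up in one bucket or another. The Python below is an added example, not L0phtCrack’s code or its scoring rules: it rates a password Strong, Medium, Weak or Fail using an assumed scheme (character classes plus a length tier, with a dictionary/hybrid check for the Fail bucket), classifies it into the four character-set categories the page lists, and rolls a constructed set of accounts into the 180-day staleness summary. The word list, the scoring thresholds, the sample accounts and all function names are this example’s assumptions. A real auditor works from hashes; this version scores cleartext as a policy check, the way a help desk or a password-change hook would.

```python
from __future__ import annotations

from collections import Counter

# Constructed stand-in for a cracking dictionary; real audits use wordlists
# with millions of entries.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "123456", "admin"}
STALE_AFTER_DAYS = 180  # threshold used by the summary report described above


def character_set(pw: str) -> str:
    """Smallest of the four character-set categories that covers every character."""
    if not pw:
        return "Empty"
    if any(ord(c) > 127 for c in pw):
        return "Alphanumeric/Symbol/International"
    if any(not c.isalnum() for c in pw):
        return "Alphanumeric/Symbol"
    if any(c.isdigit() for c in pw):
        return "Alphanumeric"
    return "Alpha"


def _dictionary_hit(pw: str) -> bool:
    """Dictionary check plus a simple hybrid rule: a word with trailing
    digits or common symbols appended still counts as a dictionary word."""
    lowered = pw.lower()
    base = lowered.rstrip("0123456789!@#$%^&*")
    return lowered in COMMON_WORDS or base in COMMON_WORDS


def rate_password(pw: str) -> str:
    """Assumed scoring scheme: Fail on empty, very short or dictionary-derived
    passwords; otherwise one point per character class plus a length tier."""
    if not pw or len(pw) < 6 or _dictionary_hit(pw):
        return "Fail"
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    n = len(pw)
    length_points = 0 if n < 8 else 1 if n < 12 else 2 if n < 16 else 3 if n < 20 else 4
    score = classes + length_points          # maximum 8
    if score >= 6:
        return "Strong"
    if score >= 4:
        return "Medium"
    return "Weak"


# Constructed sample accounts for the summary report.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "password": "Zx9#Qm2!Lp4&Wv7@", "password_age_days": 30},
    {"user": "bob", "password": "Password1", "password_age_days": 400},
    {"user": "carol", "password": "Tr0ub4dor&3", "password_age_days": 200},
    {"user": "dave", "password": "abcdefg", "password_age_days": 10},
]


def audit(accounts: list[dict]) -> dict:
    """Per-rating counts and the accounts whose password is older than the threshold."""
    ratings = Counter(rate_password(a["password"]) for a in accounts)
    stale = sorted(a["user"] for a in accounts
                   if a["password_age_days"] > STALE_AFTER_DAYS)
    return {"ratings": dict(ratings), "stale_accounts": stale}


if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        pw = acct["password"]
        print(f"{acct['user']:6} {rate_password(pw):7} {character_set(pw)}")
    print(audit(SAMPLE_ACCOUNTS))
```

The hybrid rule is the part worth noticing: “Password1” would score two character classes and a length point, yet it is a dictionary word with a digit appended, which is exactly the first thing a hybrid crack tries, so the scorer fails it outright instead of letting the class count rescue it.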

Foreign Password Cracking
L0phtCrack 6 supports foreign character sets for Brute Force, as well as foreign dictionary files. Pull down menus change for language and character set. L0phtCrack 6 ships with several foreign dictionaries.

Visit L0phtCrack to read more or download the latest version. You can also read my previous article “Ophcrack Live CD – Crack Windows passwords in minutes”.


VMWare goes Open Source with VMware View Open Client

VMware has finally decided to open-source its client for virtual desktops, releasing it under the LGPL. This was in response to intense pressure from the growing number of Linux distros that include virtualization by default. From the post:

The CEO replacement who entered VMware last year was Paul Maritz, a long-time Microsoft executive with intimate familiarity with how Windows swallowed up entire categories of utility software as it grew up by simply wrapping free utilities into the operating system. Paul knows about that, and he had to have seen last year the dual threats to VMware of open source virtualization offerings and virtualization on board in operating systems. The VMware View Open Client allows businesses to host virtualized desktops in the data center, and users can access their desktops from any device. Going with an open source solution like this was VMware’s only choice, especially as Microsoft includes Hyper-V virtualization in Windows Server. I’m sure Maritz was very focused on the Microsoft threat, because he used to be behind similar threats. VMware can grab market share with this move, stave off Microsoft’s dominance, and offer support and services around its open source offering.

You can get VMware View Open Client here, licensed under the Lesser GPL. It’s essentially a bet that customized user desktops are hosted in data centers, and that businesses will take to the idea that they can save money by centralizing custom solutions in data centers for desktop users to take advantage of through virtualization.