Archive for the ‘Security Breaches’ Category

How to physically take a computer without interrupting the power.

Friday, February 22nd, 2008

One of my folks at Anonymizer pointed me towards the WiebeTech HotPlug site as a follow-up to my blog post yesterday about recovering data from RAM after it has been removed from power. The HotPlug tool is sold to law enforcement to enable seizure of a computer without ever turning it off. The system has several methods that allow a running computer to be transitioned to a portable UPS without causing the computer to shut down or react in any way. It can then be transported to a lab with the OS still running.

As an additional clever trick, they have a USB dongle called the “Mouse Jiggler” which simulates a mouse making constant small motions, thus preventing a screen saver from ever activating. This allows the attacker to take all the time he needs without worrying about a password-protected screen saver, or any other inactivity-based security trigger, activating.

All this enables the attacker to get the computer back to controlled laboratory conditions before trying to access the machine or pulling the power to capture the RAM image. Yet another argument for not walking away from a running computer with sensitive information.

An example of the power of social engineering

Thursday, February 21st, 2008

Here is another article I picked up on the Qui Custodes blog of David Kaufman: Washington City Paper: Cover Story: Desk Job.

This article describes a woman, without any special training, who was able to gain access to “secure” government buildings and steal money right from the desks and purses of the employees. Obviously this could have been documents and information if she had been involved with foreign intelligence. Her methods were simple. She was spotted frequently, but very few people were willing to confront her about her actions, choosing to avoid conflict.

The moral here is: security is about everyone following up on everything that seems out of place or unusual. Better metal detectors, or bigger guns at the front door, won’t do it. Security comes from the alert minds of everyone on the inside of the building being willing to ask direct questions.

Whole disk encryption highly vulnerable to physical attack.

Thursday, February 21st, 2008

Center for Information Technology Policy » Lest We Remember: Cold Boot Attacks on Encryption Keys

This paper provides real experimental data on an interesting attack on computer security. Rather than focusing on cracking keys or breaking cryptosystems, it looks at recovering data and keys directly from computer RAM. The authors show that the contents of a computer’s RAM can be recovered with few errors several seconds after power has been removed, and that this window can be extended to several minutes if the memory is cooled well below zero.

Squirting the chips with a can of compressed “air” can cool them enough to give you minutes of working time: plenty of time to drop them in liquid nitrogen, which would give you over an hour with almost zero loss of information. The process for recovering the data from the memory chips is simple and requires no special equipment at all.

The big threat here would be in situations where your computer is stolen in a sleep state. The password protection will make it very hard for an attacker to get access to the machine without a reboot, but the attacker has all the time in the world to cool the chips before pulling the power. From a behavior point of view, it says that you should take care to actually turn your computer OFF if it is going to be out of your physical possession, or if there is a risk of it being seized without notice. Leaving your computer on and sleeping, but protected with a screen lock, is very risky against an aggressive and technical opponent.

Thanks to David Kaufman for passing this along to me.

Rogue Nodes Turn Tor Anonymizer Into Eavesdropper’s Paradise

Monday, September 10th, 2007

In a follow-up to this post I wrote a few weeks ago, we now understand how the 1000 government email accounts were compromised. It turns out that the researcher, Dan Egerstad, did it using TOR.

I have said for a long time that I am amazed that anyone operates TOR servers other than government people and criminal/terrorist people. As the operator of a TOR server, you have access to the clear text of the data flowing through your server when you are the exit node (about 1/3 of the traffic, typically). While the TOR documentation is clear about this vulnerability, it really understates it, and does not address what you should do about communicating with public services that do not provide an option for end-to-end encryption of the information.

As a user of TOR, you are trusting the operators of the servers not to monitor your information. Dan Egerstad’s attack was simply to violate that trust. He actively monitored all of the traffic through his 5 TOR servers. He ran multiple servers to increase the amount of data he could collect. He identified the government accounts by searching the captured data for simple strings that would indicate the message was an email being sent or received in the clear, then further searching for key words that would indicate it was government or military related.

Many other TOR servers could currently be searching for financial, medical, trade secret, or other information.

With any privacy service, you need to trust the operators of that service. The theory was that you would not need to trust the operators of the TOR network. The reality is that, in real world use, you do have to trust them, but you typically know very little about them. There is almost no hurdle to establishing a new TOR server. Just about anyone with access to a server can set it up as a TOR server. You must assume that many of those people will not have your best interests at heart.

My personal approach is to work with people with a long track-record of trustworthy behavior. Anonymizer has been providing services for almost 12 years. I personally have been operating privacy services since 1992. In that time I have protected millions of people and billions of web pages and emails. Our track record for integrity is long and unblemished. I think that is the kind of basis one should use for deciding who to trust.

Hacks hit embassy, government e-mail accounts worldwide

Friday, August 31st, 2007

Usernames and passwords for more than 100 e-mail accounts at embassies and governments worldwide have been posted online. Using the information, anyone can access the accounts that have been compromised.

I am not sure how much needs to be said about this. In general, email security is very lax. People often forget just how much information lives in their email accounts. Especially when using Exchange or IMAP-type email, all of your old email archives will be compromised if your account is breached. When you consider all of the file attachments most of us get every day, there is probably little sensitive information any of us handle that is not contained in those email archives.

E-voting predicament: Not-so-secret ballots | CNET News.com

Monday, August 20th, 2007

Once again it is proved that security and anonymity are not as simple as they look. In this case an E-Voting system enables anyone to recover the actual votes of every voter, by name. This system eliminates any privacy in the voting process.

The implications for vote buying, and retribution by family, employers, and others, are huge.

Sidejacking

Saturday, August 4th, 2007
Report: “Sidejacking” session information over WiFi easy as pie

While this is not really news, it is a very nice description of a very widespread risk.
The issue here is that many websites simply use a serial number in a cookie to keep track of user sessions. The implicit behavior is that if you have the cookie, you are authenticated and logged in. The big problem is that most of these sites are also insecure, sending that cookie over plain HTTP rather than SSL. With the popularity of insecure WiFi networks, capturing those cookies has become very easy. Once an attacker has the cookie, he can act as you for all purposes on those websites.

The simplest solutions are: enable SSL on the website (if possible), only use WPA-secured WiFi, use a VPN, or use Anonymizer with the encrypted surfing option enabled (which effectively makes all websites SSL protected).
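As an added example (not code from the original post or from the report it links), here is a small Python script showing the server side of the fix: a session cookie issued with a random token and the Secure and HttpOnly attributes (so the browser will not send it over plain HTTP and page scripts cannot read it), plus an audit routine that parses Set-Cookie headers and flags session cookies a WiFi eavesdropper could capture. It goes slightly beyond the post by also setting SameSite. The cookie names in SESSION_NAMES, the length threshold for a “weak” id and the sample headers are constructed assumptions, not values from any real site.

```python
import secrets

# Cookie names that commonly carry a login session (constructed list; extend for your app).
SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid", "sid", "auth", "session"}


def issue_session_cookie(name="sessionid", max_age=3600):
    """Build a Set-Cookie header for a new session.

    The id comes from the OS CSPRNG rather than a counter, Secure keeps the
    browser from ever sending it over plain http://, HttpOnly hides it from
    page scripts, and SameSite=Strict stops cross-site requests from carrying it.
    Returns (token, header) so the server can store the token server-side.
    """
    token = secrets.token_urlsafe(32)
    header = (f"{name}={token}; Max-Age={max_age}; Path=/; "
              "Secure; HttpOnly; SameSite=Strict")
    return token, header


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}).

    Flag-style attributes such as Secure map to an empty string; keys are
    lower-cased because attribute names are case-insensitive.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_session_cookie(name):
    return name.lower() in SESSION_NAMES


def audit_set_cookie(header):
    """Return a list of findings for one Set-Cookie header.

    An empty list means the cookie is either not a session cookie or is issued
    in a way that does not expose it to an eavesdropper on an open network.
    """
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if not is_session_cookie(name):
        return findings
    if "secure" not in attrs:
        findings.append("missing Secure: browser will send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by any script on the page")
    # A purely numeric or short value is the "serial number" pattern the post describes.
    if value.isdigit() or len(value) < 16:
        findings.append("weak id: looks like a serial number, not a random token")
    return findings


# Constructed sample headers, as different servers might emit them.
SAMPLE_HEADERS = [
    "sessionid=10234; Path=/",
    "PHPSESSID=8f3a1c9e2b7d4f60a1b2c3d4e5f60718; Path=/; HttpOnly",
    "lang=en; Path=/",
]


def audit_all(headers):
    """Map cookie name -> findings for every header that has at least one finding."""
    report = {}
    for header in headers:
        findings = audit_set_cookie(header)
        if findings:
            report[parse_set_cookie(header)[0]] = findings
    return report


if __name__ == "__main__":
    for cookie_name, findings in audit_all(SAMPLE_HEADERS).items():
        print(cookie_name)
        for finding in findings:
            print("  -", finding)
    _, hardened = issue_session_cookie()
    print("hardened header:", hardened)
    print("findings for hardened header:", audit_set_cookie(hardened))
```

Run it against the sample headers and the first two cookies are reported while the language preference cookie is ignored; the header built by issue_session_cookie produces no findings. In a real deployment the audit function would be pointed at the headers your own site returns, and the Secure flag only helps once the site actually serves the login and session pages over SSL.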

April 2, 2007 - Fortify Software Documents Pervasive and Critical Vulnerability in Web 2.0

Tuesday, April 17th, 2007

It looks like, in addition to the privacy risks of voluntarily revealing information through Web 2.0 sites, weaknesses in the most common frameworks will enable malicious attackers to gather even non-public data from these sites.

Web 2.0 generally refers to web sites that are either web applications or are based on community content. In either case they involve the users uploading substantial amounts of possibly sensitive personal information to the sites. I predict that a great deal of damage may result from this in the long run.

Report: IRS bungles may imperil data

Saturday, April 7th, 2007

As a follow-up to my discussion of the risks of online tax filing, here is an article on security weaknesses at the IRS: Report: IRS bungles may imperil data. It does not appear that this is particularly connected to online filing, but rather an overall laxness in their security.

More news on Wireless Insecurity

Thursday, April 5th, 2007

I was just sent a link to an improved attack on WEP for WiFi. WEP (Wired Equivalent Privacy) is no such thing. Erik Tews, Andrei Pychkine and Ralf-Philipp Weinmann at the Technical University of Darmstadt in Germany have a paper and a proof-of-concept implementation of an improved attack on WEP. This attack should be able to compromise WEP security in under a minute under normal conditions with an inexpensive laptop.

In reality, over half of deployed wireless nodes have no security enabled at all, so WEP is certainly an improvement on that. A much better solution exists, called WPA. It is available on almost all WiFi devices, and should be used wherever possible. While WPA is not perfect and there are no efficient attacks against it, experts are still not confident in its security. If you have a high security application, stick with a wire, and/or use a strong VPN within the WiFi connection. I am a belt and suspenders kind of guy, so I like to use multiple layers of security whenever possible.