Lazybit

Sometimes it happens that you type a password, the system tells you it's wrong, but you are absolutely sure it is not, and that you know what you're doing.

The problem is that what you think you type is not always what gets typed.

Here is a checklist you should go through, to make sure you've got everything covered; some items may sound trivial, but you should take them seriously:

• CapsLock is pressed
  • or the LED of the keyboard is broken and you can't see that the button is pressed
  • or maybe there is a program that artificially changes the state of the LED
• Keyboard layout - you think you're typing Latin characters, but are you?
  • check if another language is currently set as the default one
  • don't be fooled by languages that use the same character sets - the German "qwertz" and the English "qwerty" will appear identical, until you press 'y' or 'z'
  • what if you're using the same language but with a different layout? (ex: "English - Dvorak" and "English - Qwerty" will both look as "EN" in the language bar)
• Keyboard mechanics
  • the Shift button sometimes presses itself
  • someone changed the buttons on the keyboard so it appears that you press on 'A' but a 'D' is typed instead

The optimal solution

If everything fails, or you are not skilled enough to check the system settings and the keyboard's internals, open up Notepad, and type your password.

Once you see that what you typed is what you thought you typed, use copy/paste to transfer the password into the entry box.

This will allow you to deal with every single item in the checklist.

What if it is still not accepted?

If you've made sure that the password is typed correctly, but the system still won't accept it, it is possible that the administrator changed it (so it's an issue on their end, not on your's).

Contact the person who controls the system you are logging on to, and ask them whether the password was changed, reset, or de-activated.

If you watch the evolution of security systems, you are probably aware of the study that explains and demonstrates how private data can be extracted from the system's memory, by forcing a reboot or extracting the RAM modules.

This is an intriguing research, because it shows how far a sophisticated attacker can get. What makes this even more interesting is the fact that there is empirical evidence that shows that it works not only on paper.

Like other encryption programs, Private Disk is permanently decrypting and encrypting some data whenever files on the virtual disk are read or written. Naturally, the keys must be somewhere in the system's memory, therefore our software can become the target of such an attack.

Why should I not worry about this?

Although the attack can have practical results, there are things that can be done about it.

Imagine that you are an attacker that stumbled upon a computer with valuable data protected by Private Disk. If the keys are in memory, it means that the encrypted disk is mounted - and if so, why not just copy the data from it while no one's watching?

Why is it easier to disassemble a computer in order to make the RAM modules easily accessible, then take the memory out and connect it to another computer? When you're done - you'll put the RAM back but the system will be shut down, so the owner will figure out that something is fishy when they return.

Why is it easier to force a system reboot, configure the BIOS to boot from an external device, then dump the contents of the RAM to the external device for future analysis? As in the previous case, the system will be in a different state when the owner returns, so they will realize that an attack has just occurred.

Besides, there are many things that have to be taken into account, and the attacker can only hope that luck will be on their side; for instance:

• is there a guarantee that upon a system reset, there will be no password prompt when entering the BIOS settings?
• what makes the attacker sure that the BIOS is configured to allow booting from any external device?
• why would it be easy for someone to disassemble a computer and take the RAM out (or reset the BIOS settings)?

Of course, all of these problems have solutions: disassembling a system can be done very quick if you're good at it, and resetting the BIOS settings is a matter of time. But all of this is only useful in one condition - the computer that was left unattended contains a virtual disk in a mountedstate.

This is what brings us to the solution, which is just a set of best practices, which are well known for a long time; once you cycle through each item, ask yourself "which of these I hear for the first time?".

End users

• Password protect the BIOS;
• Don't allow the system to be booted up from anything other than the internal drive (no external devices, CDs, or network booting);
• Dismount your encrypted disks if they are not in use;
• Turn the computer off when it is not in use for a long time (cut your electricity bill, save your planet).

Company owners, administrators, and leaders of the IT department

• Do not allow full physical access to corporate workstations;
• Make sure that every employee understands that a stranger walking around with a canister of liquid nitrogen (to cool down the extracted RAM modules to keep their contents intact longer) is not a common phenomenon, and this should be reported immediately;
• Make it impossible for a stranger to enter the office when no one is around;
• Use surveillance equipment to monitor remote locations (this implies that the sly attacker managed to get past the guards who found nothing suspicious about a "smoking" canister of liquid nitrogen in the hands of a stranger who visits the office past working hours and ends up doing something in the server room after unlocking multiple doors with the power of thought).

Developers

• Do not keep the keys in the memory when you don't need them, overwrite the memory with some other data as soon as the keys are not required.

As you can see, none of the above is new. Of course, this does not mean that the new attack method is useless, but it makes it clear that simple measures can be taken in order to protect your assets. Moreover, all these measures are either free (features such as "disconnect encrypted disks when the system hibernates" in Private Disk, or "Automatic lockdown" in Password Carrier are there for ages), or are already in place (guards, locks, security cameras, etc).

Finally, I must point out that I can hardly imagine a thief who prefers to try this new high-tech wizardry, when it is known that the encrypted disk is already mounted, so all that has to be done is simply copy the data and walk away (which is obviously the path of least resistance).

Summary - the end of the world is postponed yet another time, and you can protect yourself by following a short list of best practices. How is this news?

Make IT secure!

A new beta of Password Carrier is now available, it brings Vista compatibility into the game; 32-bit and 64-bit versions of Windows Vista are both supported.

Other changes:

• An error was fixed - at times the program would fail if the number of collected credentials would exceed a certain threshold;
• Inactivity is now shown via a tray-icon (the program locks itself if the computer is left unattended)

How to update

Simply extract the contents of the archive to the removable disk, overwriting the current files of the program. Make sure you do not delete any of your .dka files (the profiles that contain your identities, and the credentials associated with each identity).

The beta is in a stable state, there are no known issues with it. The program is now an official release, and can be retrieved from dekart.com.

***

Why Password Carrier

Password Carrier is not just another form filler, it is much more than that, because:

• it was designed with security in mind - the collected data are encrypted with AES-256;
• biometric authentication can be used as a third authentication (along with "something you have" - the USB key, and "something you know" - the PIN);
• it is absolutely portable - works on any Windows system, does not require administrative privileges;
• all the private data are always with you, and updates happen on-the-fly - newly memorized passwords can be used on other computers, not only on the one on which they were captured;
• Password Carrier understands the meanings of the fields - so that if the design of the web-page is updated, it will still be able to figure out where to type in the data.

Earlier I explained how blue screens of death can be countered, today I will describe an alternative approach, which achieves the same result using different means.

Normally, the blue screen of death contains a driver name, and some addresses; if you're lucky, removing that driver will do the trick. But what if there is no driver name on the BSoD? And what if you don't have all the skills to play with crashdumps and debuggers?

In this case, Autoruns comes to the rescue. This is a graphical tool that allows you to disable/enable drivers in a very easy way.

The strategy:

1. Boot into safe mode (since the system is crashing when you attempt to boot normally);
2. Start Autoruns, and switch to the Drivers tab;
3. Go through the list, and uncheck the drivers that are suspicious;
4. Close the program, restart and boot normally

The steps above will be repeated until the system is able to boot correctly.

When that happens, remember what were the last changes you applied, and try to enable some drivers back - until you figure out which one of them was causing the issue.

The advantage of this method is that you can keep unchecking drivers without knowing what they do, because undoing any change is as easy as checking an item back (this is one of the coolest things about Autoruns).

What makes a driver suspicious?

When temporarily disabling a driver, you are not yet sure whether the driver in question is the culprit, so an educated guess is your best option. Start by unchecking:

• Non-Microsoft drivers (see the info in the Publisher column);
• Drivers that have a description that sounds like something you don't need;
• Drivers that don't have a publisher name, nor a description;
• Drivers the path to which points to an unknown location.

In the example above, I highlighted Private Disk's drivers, you can see the description and the vendor name - this illustrates how one can easily spot the modules related to an application.

Note: if you have a driver from 'Micr0soft' or "MlCROSOFT" (i.e. something that mimics the name of a well-known vendor), it is most likely a piece of malware, so you should not only disable it, but also figure out how it got in your system in the first place.

How to find the blue screening driver faster?

Usually one's technical knowledge provides sufficient data for a good guesstimate, but what if you have no clue where to start, and there are a lot of suspect items? In this case, try the binary search:

• Disable half of the items in the list of suspects;
• Reboot; if the problem persists - it is caused by an item in the other half;
• Go back, undo the previous changes and uncheck the items in the other half instead;
• Reboot; if the problem is gone - one of the disabled items was the problematic one;
• Go back, enable half of the half back;
• Reboot... repeat the previous steps.

The trick is in narrowing down the problem to as few items as possible. At each step the list of suspects is cut in two, so eventually you are left with one single item.

How to tune my Windows performance with Autoruns?

If you switch to the other tabs, you'll see a lot of other stuff that loads automatically when the system boots (drivers, services, applications in the registry, various shell extensions, etc). You can go ahead and uncheck the items that look suspicious - this will cut boot times, and make the system faster once it is loaded (since less stuff is loaded into RAM).

Beware of the fact that if you uncheck the wrong stuff, certain functionality will be lost, and the system may become partially unusable. Therefore be careful with the changes you apply:

• If not sure what an item means, look it up on the Internet;
• If something went wrong and you cannot boot, boot into Safe Mode and use Autoruns to check the item back.

If you're looking for a way to re-install the smart card service on Windows XP, this story is your new best friend!

Summary

1. Prepare a Windows XP installation disc
2. Download WinXP-scardsvr-install.zip
3. Read the included readme.txt
4. Examine install.bat in order to see what it does
5. Run the BAT file

Steps 3 and 4 are optional, but if you're someone who tinkers with the service, I'm sure you want to know what's in there.

Explanations

• First of all you should make sure the service is completely removed. sc delete scardsvr is the standard and official way to remove the service (it is interesting that Microsoft provides a way to remove a service, but there is no known mechanism to re-install one).
• Copy scardsvr.inf to %windir%\inf
• Run sysocmgr.exe /i:caller.inf, this will invoke a wizard that will use the data inside scardsvr.inf to perform various actions (such as modifying registry keys, and copying files)

• Uncheck Smart card service and press Next to remove the files and registry entries
• Run the command again, the same window will be shown, check Smart card service and press Next (you will be asked to insert the Windows XP installation CD)
• Perform a system restart, after checking the service manager (by running services.msc) and making sure the Smart card service startup is set to Automatic

If you examine scardsvr.inf you will see that it contains references to a list of files and registry keys. These actions could be performed manually, the effect would be the same; but using an .inf file is much easier.