Lazybit

If you watch the evolution of security systems, you are probably aware of the study that explains and demonstrates how private data can be extracted from the system's memory, by forcing a reboot or extracting the RAM modules.

This is an intriguing research, because it shows how far a sophisticated attacker can get. What makes this even more interesting is the fact that there is empirical evidence that shows that it works not only on paper.

Like other encryption programs, Private Disk is permanently decrypting and encrypting some data whenever files on the virtual disk are read or written. Naturally, the keys must be somewhere in the system's memory, therefore our software can become the target of such an attack.

Why should I not worry about this?

Although the attack can have practical results, there are things that can be done about it.

Imagine that you are an attacker that stumbled upon a computer with valuable data protected by Private Disk. If the keys are in memory, it means that the encrypted disk is mounted - and if so, why not just copy the data from it while no one's watching?

Why is it easier to disassemble a computer in order to make the RAM modules easily accessible, then take the memory out and connect it to another computer? When you're done - you'll put the RAM back but the system will be shut down, so the owner will figure out that something is fishy when they return.

Why is it easier to force a system reboot, configure the BIOS to boot from an external device, then dump the contents of the RAM to the external device for future analysis? As in the previous case, the system will be in a different state when the owner returns, so they will realize that an attack has just occurred.

Besides, there are many things that have to be taken into account, and the attacker can only hope that luck will be on their side; for instance:

• is there a guarantee that upon a system reset, there will be no password prompt when entering the BIOS settings?
• what makes the attacker sure that the BIOS is configured to allow booting from any external device?
• why would it be easy for someone to disassemble a computer and take the RAM out (or reset the BIOS settings)?

Of course, all of these problems have solutions: disassembling a system can be done very quick if you're good at it, and resetting the BIOS settings is a matter of time. But all of this is only useful in one condition - the computer that was left unattended contains a virtual disk in a mountedstate.

This is what brings us to the solution, which is just a set of best practices, which are well known for a long time; once you cycle through each item, ask yourself "which of these I hear for the first time?".

End users

• Password protect the BIOS;
• Don't allow the system to be booted up from anything other than the internal drive (no external devices, CDs, or network booting);
• Dismount your encrypted disks if they are not in use;
• Turn the computer off when it is not in use for a long time (cut your electricity bill, save your planet).

Company owners, administrators, and leaders of the IT department

• Do not allow full physical access to corporate workstations;
• Make sure that every employee understands that a stranger walking around with a canister of liquid nitrogen (to cool down the extracted RAM modules to keep their contents intact longer) is not a common phenomenon, and this should be reported immediately;
• Make it impossible for a stranger to enter the office when no one is around;
• Use surveillance equipment to monitor remote locations (this implies that the sly attacker managed to get past the guards who found nothing suspicious about a "smoking" canister of liquid nitrogen in the hands of a stranger who visits the office past working hours and ends up doing something in the server room after unlocking multiple doors with the power of thought).

Developers

• Do not keep the keys in the memory when you don't need them, overwrite the memory with some other data as soon as the keys are not required.

As you can see, none of the above is new. Of course, this does not mean that the new attack method is useless, but it makes it clear that simple measures can be taken in order to protect your assets. Moreover, all these measures are either free (features such as "disconnect encrypted disks when the system hibernates" in Private Disk, or "Automatic lockdown" in Password Carrier are there for ages), or are already in place (guards, locks, security cameras, etc).

Finally, I must point out that I can hardly imagine a thief who prefers to try this new high-tech wizardry, when it is known that the encrypted disk is already mounted, so all that has to be done is simply copy the data and walk away (which is obviously the path of least resistance).

Summary - the end of the world is postponed yet another time, and you can protect yourself by following a short list of best practices. How is this news?

Make IT secure!

A new beta of Password Carrier is now available, it brings Vista compatibility into the game; 32-bit and 64-bit versions of Windows Vista are both supported.

Other changes:

• An error was fixed - at times the program would fail if the number of collected credentials would exceed a certain threshold;
• Inactivity is now shown via a tray-icon (the program locks itself if the computer is left unattended)

How to update

Simply extract the contents of the archive to the removable disk, overwriting the current files of the program. Make sure you do not delete any of your .dka files (the profiles that contain your identities, and the credentials associated with each identity).

The beta is in a stable state, there are no known issues with it. The program is now an official release, and can be retrieved from dekart.com.

***

Why Password Carrier

Password Carrier is not just another form filler, it is much more than that, because:

• it was designed with security in mind - the collected data are encrypted with AES-256;
• biometric authentication can be used as a third authentication (along with "something you have" - the USB key, and "something you know" - the PIN);
• it is absolutely portable - works on any Windows system, does not require administrative privileges;
• all the private data are always with you, and updates happen on-the-fly - newly memorized passwords can be used on other computers, not only on the one on which they were captured;
• Password Carrier understands the meanings of the fields - so that if the design of the web-page is updated, it will still be able to figure out where to type in the data.

Earlier I explained how blue screens of death can be countered, today I will describe an alternative approach, which achieves the same result using different means.

Normally, the blue screen of death contains a driver name, and some addresses; if you're lucky, removing that driver will do the trick. But what if there is no driver name on the BSoD? And what if you don't have all the skills to play with crashdumps and debuggers?

In this case, Autoruns comes to the rescue. This is a graphical tool that allows you to disable/enable drivers in a very easy way.

The strategy:

1. Boot into safe mode (since the system is crashing when you attempt to boot normally);
2. Start Autoruns, and switch to the Drivers tab;
3. Go through the list, and uncheck the drivers that are suspicious;
4. Close the program, restart and boot normally

The steps above will be repeated until the system is able to boot correctly.

When that happens, remember what were the last changes you applied, and try to enable some drivers back - until you figure out which one of them was causing the issue.

The advantage of this method is that you can keep unchecking drivers without knowing what they do, because undoing any change is as easy as checking an item back (this is one of the coolest things about Autoruns).

What makes a driver suspicious?

When temporarily disabling a driver, you are not yet sure whether the driver in question is the culprit, so an educated guess is your best option. Start by unchecking:

• Non-Microsoft drivers (see the info in the Publisher column);
• Drivers that have a description that sounds like something you don't need;
• Drivers that don't have a publisher name, nor a description;
• Drivers the path to which points to an unknown location.

In the example above, I highlighted Private Disk's drivers, you can see the description and the vendor name - this illustrates how one can easily spot the modules related to an application.

Note: if you have a driver from 'Micr0soft' or "MlCROSOFT" (i.e. something that mimics the name of a well-known vendor), it is most likely a piece of malware, so you should not only disable it, but also figure out how it got in your system in the first place.

How to find the blue screening driver faster?

Usually one's technical knowledge provides sufficient data for a good guesstimate, but what if you have no clue where to start, and there are a lot of suspect items? In this case, try the binary search:

• Disable half of the items in the list of suspects;
• Reboot; if the problem persists - it is caused by an item in the other half;
• Go back, undo the previous changes and uncheck the items in the other half instead;
• Reboot; if the problem is gone - one of the disabled items was the problematic one;
• Go back, enable half of the half back;
• Reboot... repeat the previous steps.

The trick is in narrowing down the problem to as few items as possible. At each step the list of suspects is cut in two, so eventually you are left with one single item.

How to tune my Windows performance with Autoruns?

If you switch to the other tabs, you'll see a lot of other stuff that loads automatically when the system boots (drivers, services, applications in the registry, various shell extensions, etc). You can go ahead and uncheck the items that look suspicious - this will cut boot times, and make the system faster once it is loaded (since less stuff is loaded into RAM).

Beware of the fact that if you uncheck the wrong stuff, certain functionality will be lost, and the system may become partially unusable. Therefore be careful with the changes you apply:

• If not sure what an item means, look it up on the Internet;
• If something went wrong and you cannot boot, boot into Safe Mode and use Autoruns to check the item back.

If you're looking for a way to re-install the smart card service on Windows XP, this story is your new best friend!

Summary

1. Prepare a Windows XP installation disc
2. Download WinXP-scardsvr-install.zip
3. Read the included readme.txt
4. Examine install.bat in order to see what it does
5. Run the BAT file

Steps 3 and 4 are optional, but if you're someone who tinkers with the service, I'm sure you want to know what's in there.

Explanations

• First of all you should make sure the service is completely removed. sc delete scardsvr is the standard and official way to remove the service (it is interesting that Microsoft provides a way to remove a service, but there is no known mechanism to re-install one).
• Copy scardsvr.inf to %windir%\inf
• Run sysocmgr.exe /i:caller.inf, this will invoke a wizard that will use the data inside scardsvr.inf to perform various actions (such as modifying registry keys, and copying files)

• Uncheck Smart card service and press Next to remove the files and registry entries
• Run the command again, the same window will be shown, check Smart card service and press Next (you will be asked to insert the Windows XP installation CD)
• Perform a system restart, after checking the service manager (by running services.msc) and making sure the Smart card service startup is set to Automatic

If you examine scardsvr.inf you will see that it contains references to a list of files and registry keys. These actions could be performed manually, the effect would be the same; but using an .inf file is much easier.

I was asked what makes Private Disk better than the hardware-based encryption solution offered by another company. The name of the other solution will not mentioned, because it is not relevant - the arguments are valid in either case.

The discussion is about Private Disk vs. a hardware based encryption solution that is built into a 4 GB USB disk.

Note that some of the points were taken out of context, so they may sound a bit weird (us = Dekart, them = "the other company").

• They use the same algorithm for encryption, AES-256. Our implementation is certified by NIST (we also have certifications for the used hashing algorithms). Having a certification makes it clear that you're dealing with someone who is not just an amateur cryptographer; many other competing solutions use implementations that were not tested by an unbiased third party. So this makes a difference, because not all implementations are equally correct and effective.
• "The software needs to be able to access, for example, a private key. Software and hardware debuggers can monitor the software and capture the private key for rogue use".
  
  The fact that the keys are stored somewhere is obvious. Getting them out of there is non-trivial; I have recently answered a similar question on our forum.
  
  
  Since our solution uses a driver, the encryption key is stored in the system's kernel memory, which cannot be accessed by user-mode processes (unless a user-mode program 'asks' the driver to pass it some data and the driver complies; Private Disk is built in a way that the key is 'forgotten' immediately and only known to the driver, and there is no option in the driver to pass it back to anyone - even Private Disk itself).
  
  
  In their case, they don't use a driver, so there must be a user-mode program which takes your password and passes it to the device. That's the weak spot, so I would definitely start with that point. Analyzing the memory of a user-mode process requires much less skills than in the case of a driver (when I say "less" I don't mean "piece of cake", everything is relative).
  
  
  
  In other words, before the key reaches the device, it is subject to the same threats.
• They may also use "zero performance penalty" as a factor that makes a big difference. That's correct, software encryption will obviously take some CPU cycles, but with today's modern computers this is not that critical anymore. I am not saying that "Private Disk is very slow, but with a fast computer you won't notice anything anyway"; In fact I must point out that Private Disk is a very well-designed tool, it has a low memory footprint and it never was, nor it will ever be a performance hog. It is also able to run on Windows 9x machines, besides the modern Windows NT-based systems.
• Another point is that since we're providing everything in software - we can provide updates easier. When AES-256 becomes outdated, it's a matter of updating the program. In the case of hardware it's also a matter of "getting rid of" a device (multiply that by N - how many devices you have in the company).
• Flash memory has a finite number of write cycles (of course this problem is being dealt with, and technology evolves; and this finite number is big enough already) - so you might have to replace the device sooner, because you have to make sure the device is not 'worn out'.

Other significant things, Private Disk is better because:

• we provide backup functions - so you can have an encrypted backup outside the flash disk (for archive purposes)
• you can create images of very large sizes and store them anywhere (remote share, DVD, laptop... you name it). You are not tied to a flash disk;
• Private Disk can work with multiple encrypted drives at the same time, the drives can be of different sizes, file systems
• you can store database files inside a virtual disk, share them across the network - this would not be possible with the USB storage (too slow, too many write operations, size constraints)
• Private Disk can be configured in a way that allows different users to access the same image using different passwords
• Disk Firewall - this is something nobody else has - an application level filter that prevents other programs from accessing the contents of the protected disk. For instance, once the disk is mounted - a virus can infect it, or simply copy its contents elsewhere. In the case of Private Disk - this is impossible, because untrusted programs will be rejected. This brings data protection to an entirely new level - you don't need an antivirus or antispyware, because Disk Firewall takes care of that, and there is no need to update every day, or pay for updates.
• We provide helpful support. I once tried to find something out and contacted their helpdesk - never received a reply. Perhaps things would have been different if I indicated that I was planning to make a major purchase? There is a chance that their reply was marked as spam (though I checked my filter and nothing was there), so I don't really have the right to say their support team is not effective.
  

From the points above, the ones that matter the most to me (as an end user) are: Disk Firewall, and the ability to create encrypted disks of very large sizes (it will take a long time until USB flash disks are of at least 100 GB in size, and work as fast as a hard disk) - this gives me the chance to use encryption for serious activities (storing my mail archive on it, or a database, or the company's CVS repository, etc). Of course, people are different, so your mileage may vary.