Some Short Thoughts

I'm in the middle of a heap of work, so I don't really have time for blogging. Still, there are some things that won't get out of my mind.

Regarding the DMA over FireWire thing: I'd like to see a tool the other way round: Whenever a FireWire device gets attached, my computer starts a counterattack by exploiting known holes on computers (DMA over FireWire) or iPods (ideas anybody?) to pwn the n00b.

In answer to Uwe's del.icio.us entries about Wiebetech's HotPlug device to transport computers without shutting them down: This is nice stuff to sell to law enforcement agencies, but let's face it: You don't want the user's software still running on the system. You want the content of the memory for keys etc. and the hard disk. Or else the little cleanup script executed by your victim/terrorist will wreak havoc on the secret data you originally wanted to secure. It's the basic principle of not trusting software you didn't write, let alone compile, or at least install yourself. But what the heck am I complaining about? Incompetence is obviously the last thing that saves us from 1984.

The idea of having malware provide TOR exit nodes: Unless most informaticians agree that even doing a user good without him knowing is bad (this seems not to apply to sysadmins), this idea would promote not only TOR, which everybody should be using, but also a valid defense in court when illegal material has been accessed via one's account. If the virus is found in the system (and you had a virus scanner installed), you could still claim your connection has been hijacked. On the other hand, courts in Germany are still not sure how to handle this kind of defense. And whilst one half of the courts holds the owner of the internet access accountable, the other half says those persons have done everything they could to deny illegal access and deems them innocent (read this article in German by a lawyer for a short summary of rulings). But nevertheless, the idea is still brilliant and I'm looking forward to the first implementation. By those guys who offered the infamous course on 'Computer Viruses and Malware', eh?


Impossible

These days it seems impossible to completely protect yourself from attacks. If you're not contending with viruses, you have to worry about people getting at your stuff physically. It's a never-ending game of cat and mouse.

Vulnerability...

Thanks for the post, that was something good to know. I thought I had a secured system, but it seems like no matter how much you harden your system there are going to be vulnerabilities.
Also I would like to mention it is always good to take some time out for blogging in your hectic schedule; it helps you freshen up a bit... hehehehe...

I have an iBook G4 running

I have an iBook G4 running Leopard, and I toasted my FireWire controller. This caused all sorts of problems, until it occurred to me to disable the FireWire drivers. You don't need to recompile the kernel: just remove all of the kexts in /System/Library/Extensions that contain the text "FireWire" in their name. Then, remove /System/Library/Extensions.mkext (or, in Leopard, this file will be automatically rebuilt when you remove the extensions).

Reboot, and your FireWire port is no more. Thus, if you are worried about security, and don't use FireWire, you can rest assured that it won't be a vector of attack.

Of course, expecting real security on any machine to which attackers have physical access is a bit foolish.
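The kext removal described in the comment above, written up as a small POSIX shell script. This is an added example, not the commenter's own procedure or anything shipped by Apple: it moves every bundle whose name contains "FireWire" out of the Extensions directory into a backup directory (so the change can be undone) and deletes the kext cache file so it is rebuilt on the next boot. The directory paths and the cache path are parameters, so the functions can be exercised on a scratch tree; the bundle names used in the comments (IOFireWireFamily.kext, IOUSBFamily.kext) are only illustrative.

```shell
#!/bin/sh
# Added example, not from the original comment: disable FireWire on Mac OS X
# by moving the FireWire kernel extensions aside instead of deleting them.
# Running it against the real paths requires root.

# list_firewire_kexts EXTDIR
#   Print each bundle under EXTDIR whose name contains "FireWire", one per
#   line. Matching is on the bundle name only (e.g. IOFireWireFamily.kext),
#   as the comment suggests; a driver with another name is left alone.
list_firewire_kexts() {
    ext_dir=$1
    for kext in "$ext_dir"/*FireWire*.kext; do
        # An unmatched glob stays literal, so skip anything that is not a directory.
        if [ -d "$kext" ]; then
            printf '%s\n' "$kext"
        fi
    done
}

# disable_firewire_kexts EXTDIR BACKUPDIR MKEXT
#   Move the matching bundles into BACKUPDIR, remove the MKEXT kext cache if
#   it exists (the loader would otherwise keep using the cached drivers), and
#   print the number of bundles moved.
disable_firewire_kexts() {
    ext_dir=$1
    backup_dir=$2
    mkext=$3
    mkdir -p "$backup_dir"
    count=0
    for kext in "$ext_dir"/*FireWire*.kext; do
        if [ -d "$kext" ]; then
            mv "$kext" "$backup_dir/"
            count=$((count + 1))
        fi
    done
    if [ -f "$mkext" ]; then
        rm -f "$mkext"
    fi
    echo "$count"
}

# Real-system usage (as root), matching the paths given in the comment:
#   disable_firewire_kexts /System/Library/Extensions \
#       /var/root/disabled-kexts /System/Library/Extensions.mkext
```

Restoring FireWire is the reverse move: copy the bundles back from the backup directory, delete the cache again, and reboot. Keeping the originals around is the reason for moving rather than `rm -rf`.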

Power-on vs. Power-off

Regarding "You don't want the user's software still running on the system. You want the content of the memory for keys etc. and the hard disk"...

It depends. Until recently the classical forensic investigator always had to choose between "power-off box so that no software can wipe the hard drive" or "leave box running as we need some data from RAM". Either can be wrong or right, and you don't know beforehand (one reason why I believe the job of a forensic investigator can be pretty frustrating ;-)

But now, with RAM imaging via FireWire or the "cold boot" attack, and with the Wiebetech HotPlug thing, an attacker can realistically and quite easily get both your RAM and your disk contents...
I guess the Wiebetech HotPlug method is even fully undetectable in software, so no malicious script whatsoever can react to that event... The "cold boot" attack is also undetectable (if you shut down the box the hard way); only the FireWire imaging is detectable (but if you know about the issue, you might as well just completely disable FireWire).

OTOH, disabling physical DMA access (but leaving FireWire on) is indeed nice for "counter-attacks" on the "attacker" who plugs a FireWire cable into your box...

Uwe.

Preventive measures necessary

It all comes down to how important your data is and how much time and software you are ready to protect it with. Times have changed, and seeing the advances in technology, people get an energy drive by installing viruses or hacking PCs. I feel the control freaks need to be taught a proper lesson. Many companies install stringent firewalls and make sure to restrict any unauthorized access.
