[HacktionLab] Hiding Stuff on your Computer
johnc at aktivix.org
Mon Jul 26 02:09:10 BST 2010
I think the section "Hiding Stuff on your Computer" i.e.
Needs to be completely revised lest we lull activists into a false sense
of security just because they've encrypted a directory or two on their
It's always been a pain to ensure the ongoing security of a computer
once an adversary has gained physical access to it (e.g. the police
have seized it).
Here is a list of some of the problems I've come across, read about, etc.
Please feel free to add to this if I've missed anything. My knowledge of
cryptography and security is rather humble compared to some of the persons
on this list.
Unencrypted Swap File/Page File:
I've written a little about this already but I'm going to recap: on all
modern operating systems (Linux, Windows, OSX etc.) there is a feature
called virtual memory. This feature basically allows programs running on
your computer to use a piece of your hard drive in a similar fashion to
how they use RAM. This kicks in when more memory is required than is
provided for by the RAM chips in your computer. On Windows this
information is stored in the pagefile on your hard drive and on
Linux/BSD/OSX etc. it is stored on the swap partition. Unfortunately the
information isn't encrypted and stays there after you have shut down
your computer. There are freely available tools to search this file.
I've retrieved browsing history, wireless network keys etc. from this
data with ease. If you use the same password for these resources as for
your encrypted files then potentially your data could be unencrypted by
a person with physical access to your computer. The best way to protect
against this is to encrypt not just your confidential folder(s) but also
your swap folder/pagefile as well. An even better solution is to
encrypt your whole hard drive. Various Linux versions have this feature
built into their installers and there are plenty of wikis out there on
how to do this. If you're stuck with using Windows (why? ;-) ) TrueCrypt
encryption of your whole hard drive is probably the way to go.
Firewire memory dump attack:
This has been around for a few years now: if you have a FireWire port on
your PC/laptop and it is enabled, it is possible to dump all of the
contents of your RAM, unlock your computer (that is, if it is on and
the screen is locked), and also to capture cryptographic keys stored in
RAM. The easiest solution to this is to disable FireWire in your BIOS
(also known as IEEE 1394). Note: this has been demonstrated on Macs and on
PCs running Linux and Windows.
Cold boot attack:
When you shut down your PC it can take minutes for the data in RAM to be
lost. You can extend this to hours by cooling (see above). It is
possible to quickly cool and power down the RAM chips in a computer and
then boot up a tiny version of Linux which will dump the contents of
memory to disk/USB drive etc. You can then recover cryptographic keys
from this dump and unencrypt your confidential folder(s). This attack is
hard to protect against but there are some things you can do: disable
hibernate and sleep to ensure RAM is fully powered down when the
computer is not in use, and also use a second external form of encryption
involving a USB drive or other external device.
For the uber-paranoid:
No system is fool-proof. If your computer/laptop has been
bugged/compromised in some way, it doesn't matter how good your
cryptography is if your keystrokes are being recorded!
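As an added example (not part of the original post), the following POSIX shell helpers check a Linux machine for three of the exposures the post describes: swap that is not on a dm-crypt mapping, a loaded FireWire (IEEE 1394) driver, and hibernation being available. The function names and the sample inputs are constructed for illustration; the live audit reads /proc/swaps, lsmod and /sys/power/state.

```shell
#!/bin/sh
# Hypothetical audit helpers (added here, not from the post) for three risks above:
# unencrypted swap, a loaded FireWire (IEEE 1394) driver, hibernation available.
# Each check takes its input text as "$1"; audit_live feeds it the real system.

# Constructed samples in the formats of /proc/swaps and lsmod.
SAMPLE_SWAPS_ENC='Filename                Type       Size     Used  Priority
/dev/mapper/cryptswap1  partition  2097148  0     -2'
SAMPLE_SWAPS_PLAIN='Filename              Type       Size     Used  Priority
/dev/sda3               partition  2097148  0     -2'
SAMPLE_LSMOD_FW='Module                 Size   Used by
firewire_ohci          45056  0'
SAMPLE_LSMOD_CLEAN='Module              Size   Used by
ext4                   745472 1'
# 0 if every active swap in a /proc/swaps listing is a device-mapper node
# (/dev/mapper/* or /dev/dm-*), else 1. Heuristic: LVM volumes are dm nodes too,
# so confirm a real system's mapping with `cryptsetup status <name>` (root).
swap_is_encrypted() {
    for dev in $(printf '%s\n' "$1" | awk 'NR > 1 && NF > 0 { print $1 }'); do
        case "$dev" in
            /dev/mapper/*|/dev/dm-*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}
# 0 if an lsmod listing shows a FireWire driver loaded (DMA risk), 1 if not.
firewire_loaded() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^(firewire_ohci|firewire_core|ohci1394|ieee1394)$/ { f = 1 }
             END { exit !f }'
}
# 0 if /sys/power/state lists "disk" (suspend-to-disk available), 1 otherwise.
hibernate_available() {
    for s in $1; do [ "$s" = disk ] && return 0; done
    return 1
}
# Run the checks against the live system; prints one line per finding.
audit_live() {
    [ -r /proc/swaps ] && { swap_is_encrypted "$(cat /proc/swaps)" &&
        echo "OK   swap is on device-mapper" || echo "WARN unencrypted swap present"; }
    command -v lsmod >/dev/null 2>&1 && { firewire_loaded "$(lsmod)" &&
        echo "WARN FireWire driver loaded" || echo "OK   no FireWire driver loaded"; }
    [ -r /sys/power/state ] && { hibernate_available "$(cat /sys/power/state)" &&
        echo "WARN hibernation available" || echo "OK   hibernation unavailable"; }
    return 0
}
audit_live
```

A WARN on swap means a seized disk still carries whatever was paged out; a WARN on FireWire or hibernation means RAM contents can be reached by the DMA or cold-boot style attacks above.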