Archive for the ‘Programming’ Category

Evil Maid, another nefarious trojan attack..

November 17, 2009 2 comments

Last month Joanna Rutkowska posted a very interesting article showing a practical “Evil Maid” attack against the open-source TrueCrypt FDE product. The attack is reasonably simple: subvert the pre-boot authentication engine of the full-disk encryption product in question to add a password-sniffing routine, wait for the unsuspecting user to authenticate to their machine, and then retrieve the captured credentials at a later stage.

Evil Maid simply hooks the pre-boot code of TrueCrypt and adds a routine to store the user’s password. Because the TrueCrypt code is quite simple, it’s a relatively easy thing to do, but the attack is theoretically valid regardless of this fact; only the effort needed to write the hook code increases with the sophistication of the pre-boot environment. Read more…

Hacking Exposed – Son of Scoop.pl

October 6, 2009 Leave a comment

After attending this morning’s Hacking Exposed session at McAfee Focus 09, I was inspired to recreate Stuart McClure’s “Scoop.pl” script. I don’t have Python or Perl installed on my machines, but I do have VBScript, and I do have PrimalScript, so it seemed a simple thing to create this useful tool, which helps you get the lowdown on what sites are present at a given URL. Read more…

Cold Boot Attacks Revisited (again).

September 16, 2009 2 comments

Following my recent post on FireWire Attacks, I thought I’d follow up on that other classic Full Disk Encryption exploit, The “Cold Boot Attack”.

Back in February 2008 a group of clever Princeton students published their infamous paper “Lest We Remember: Cold Boot Attacks on Encryption Keys”. Though the retention of data in RAM chips has been known since their invention, and certainly since at least 1978, the “Princeton Paper” reminded us that turning a computer off does not mean all the data in memory is instantly gone, and of course, if something important remained, like an encryption key, then your computer’s security might be vulnerable. Read more…

Firewire Attacks Revisited

September 14, 2009 4 comments

For those who follow these kinds of things, you’ll remember that back in 2004 an enterprising group of people (Maximilian Dornseif, Michael Becher, and Christian Klein) gave a series of talks on how to bypass many kinds of computer security using FireWire ports. This attack, though obvious from reading the specification of the FireWire / i.LINK / IEEE 1394 bus, simply used a computer acting as a “rogue” device to read and modify any memory location on a target PC.

Yes, ANY memory location, and that’s fully supported, even required, by the FireWire/i.LINK specification, which needs direct memory access for some devices (like iPods) to function.

Enterprising people have written attacks that use this “exploit” to get around encryption products, and locked workstations on Mac, Linux and PC.

Read more…

Bitmask searches in LDAP, or How to exclude disabled users..

September 3, 2009 3 comments

Following on from my post on Bindings and connector settings, I thought I’d expand on how to use bit-mask searches in the connector Object filter.

Bit-masks are not complex for those who know Boolean arithmetic, and there are a million resources on the web to teach you that, but how to use them in an Active Directory search is obtuse to say the least.

To do a boolean “AND” search, you use the tag “1.2.840.113556.1.4.803”; to do an “OR” search, the tag is “1.2.840.113556.1.4.804”.

Easy eh? I guess I should give you a practical example. Read more…

10 Things you don’t want to know about Bitlocker…

August 28, 2009 18 comments

Nov 2015 Update – It seems Bitlocker sans pre-boot authentication has been trivially insecure for some time according to Synopsys hacker Ian Haken, who found a simple way to change the Windows password and thus allow access to data even while Bitlocker was active.

So, with the forthcoming release of Windows 7, the ugly beast known as “Bitlocker” has reared its head again.

For those of you who were around during the original release of Bitlocker, or as it was known then “Secure Startup”, you’ll remember that it was meant to completely eliminate the necessity for third party security software. Yes, Bitlocker was going to secure our machines against all forms of attack and make sure we never lost data again.

What happened?

Read more…

New S.M.A.R.T Monitor Tool for Hard Drive Health

August 21, 2009 3 comments

Simon's SmartInfo Monitor

Further to my post on S.M.A.R.T, I got around to making a simple little HTA which uses my SMART class to display useful info on your drives. You can get it from CTOGoneWild. It gives you an example of how to make a useful HTA, and how to embed VBScript classes in a way that lets them be used either from a normal VBScript or from an HTA itself. You can also find the SmartDump script, which does much the same thing but outputs to a file name (either set on the command line, or in the script itself).


About Bindings in McAfee Endpoint Encryption / SafeBoot

August 7, 2009 16 comments

A few people came to me this week and independently asked how to link EEM (SafeBoot) users to directory counterparts, or how to switch them to other directories or user names. Bindings are a key part of the EEM Encryption environment, as they allow automated user management to take place by tracking changes to the user identity in some other system, most commonly Active Directory. Read more…

TrueCrypt vs Peter Kleissner, Or Stoned BootKit Revisited..

August 4, 2009 59 comments

Peter Kleissner

This week’s flame war between TrueCrypt and Peter Kleissner had me both upset and laughing at the same time.

For a start, hats off to young Peter (18 years old according to his site), who recently presented at Black Hat his concept for a “universal rootkit” exploit, which, using that older-than-he-is technology of MBR replacement, manages to subvert Windows in such a way as to be able to drop a payload into memory as the computer boots.

I’m not sure, but isn’t that what MBR viruses have done since day one? I guess Peter agrees, because his new “Stoned Bootkit” rootkit is named “Stoned” in homage to one of the original MBR viruses of 1987. Read more…

Google ChromeOS – Browser wars spill over into the OS world..

By now you’d have to be living in a cave not to have heard the press from Google regarding their new Chrome OS. First mentioned by Sundar Pichai on the GoogleBlog, the news has been spreading like wildfire, with even sites like BBC News picking up the story.

Why is this so important? Well, it’s one of those rare occasions when someone releases or announces something which could really change the way we use computers, and of course it’s also something that could really compete with Microsoft. Whether you accept Chrome OS will be a completely new OS, or whether you’re one who believes that Chrome OS is just going to be a user friendly redistribution of a *nix platform with a cool UI and application load, it’s still very interesting news. Read more…