Security's Everyman

Security's Everyman

Friday, April 11, 2008

Proof of risk

Update: First I want to apologize for not linking to Alex's site in my original posting. I wrote this over 2 days and 4 different editing points and still failed to get all my ducks in a row. Secondly, even though the article was posted at Alex wasn't the one who wrote it (no wonder he didn't remember writing it). It was written by JonesJ (whom I'm assuming is Jack Jones, based upon looking at the comments section).

I must say right off that Alex actually posted something similar to parts what I am going to say. I didn't just think about this after reading his post but had been thinking this very thing from the moment that the news of the DRAM being frozen to find encryption keys story hit. Actually I have held this belief for a long time but recent stories have made it "front lobe" thinking of late.

Lots of people get paid good money and receive grants to do research on various things. I think that this research is important and often critical to helping us improve security and how we secure data. What usually happens is that the researchers release their findings and the IT/Security world (OK just a few who tend to be vocal) shout it from the roof tops and bemoan how any day now we are all going to fall victim to this very attack. The vendors jump on the band wagon and talk about how their product X will prevent or fix this or at the minimum (although they don't admit that it's a minimum) keep you in compliance with every possible regulation that the government can think up.

What has to be do by companies before panicking is to determine what the risk of this attack happening to your company really is. Not only what is the risk but what is the potential cost if this happens. Will you lose IP that will seriously hurt the company? Will you risk having financial or PII data stolen? Will this happening seriously affect how your employees work?

In most of these cases the biggest question is "How likely is it that this attack will actually happen to us?" Is it worth the cost of putting in controls that will mitigate it? Can it be handled in a different way with technology that you currently use? Can you teach your users how to protect against it?

Lately there have been 3 "attacks" that have been in the news that have garnered lots of attention in the press and lots of blogs. At least 2 of the 3 have exploits that have been released (I'm not sure about the biometric key logger) that I want to touch on briefly.

The first is the study that proves how you can capture encryption keys and other data from RAM after the system has been powered off. This has potential to be a big deal. If FDE keys can be found hanging around in RAM then obviously the bad guys can use this against us, or can they? Ask it this way. How likely is it that this will happen to my users? Wait, even before that lets ask just what is it that has to happen in order for this to be exploited? How long does the data stay resident in RAM after you power off the system? What does the hacker have to do in order to get to the data? It turns out that the data only sticks around for a couple of seconds and that in order to preserve it the memory has to be quickly frozen and remain sufficiently cold long enough for the memory to be either removed from the system or the system to be powered back up. Then they attacker has to have the tools to read the contents of memory and figure out what is in there and how they can use it. How likely is it that when you power off your system that a hacker is going to be hiding in the next cube ready to pounce? Obviously laptops are the big threat here but even still a few simple tips to your users can eliminate this.
First, tell them to turn their system off instead of putting it in standby or Hibernate.
Second, tell them to turn the laptop off and let it power down while they gather up the rest of their stuff. Then by the time they are ready to leave the laptop has been powered off long enough to allow the data in RAM to dissipate enough to prevent this from being a problem. There is more to this. There are ways that the bad guys have a bit of an advantage and more that you and the user can do but this covers 99% of the risk.

The second thing is the Biometric Key logger that has recently been developed. As far as I know this has not been released into the wild. A British researcher has come up with a way to sniff biometrics and recreate the image. Again this is not good news but it's also not all bad. What has to happen in order for this to be a risk to your (or any) company? Besides the obvious that you have to be using Biometrics what other things have to happen in order for this to be worth an investment in time and money for your company? In my opinion this is a very low risk threat for most companies. In a few years when biometrics are more popular it may be a bigger risk but even for companies that use biometrics the risk of this happening is probably very low.

The last one I want to bring up is Winlockpwn This has potential to be a big problem for lots of companies now. Why? Because almost every computer and laptop in use today has a FireWire port that is active. This exploit allows you to connect a Linux system directly to the firewire port on a Windows system and get read/write access to memory. Can you say Total Pwnage? This one is not good news. There are lots of ways for hackers to get access to systems both in and out side your company walls. A few seconds is all it would take for malicious code to be loaded onto a system via this vulnerability. The good news is that most of us aren't using our firewire ports and they can be disabled when not needed.

So there you have it. A tale of 3 vulnerabilities that are putting lots of fear into the hearts of security professionals all over the globe. But in my opinion the fear is unnecessary and the exploits can be easily mitigated for most of us. So what is the moral of this little story? When you hear of the latest vulnerability, exploit or hack don't rush out and panic. Don't go spend the rest of your budget on some technology that isn't what you need. Don't go rushing to management with FUD. Take a step back and do a quick risk assessment for your environment and then make a well informed decision. Also before you go spending money unnecessarily take a look at what you already have in house that can be used to reduce this issue and make your life much easier.

Risk is key!

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.