Re: [ISN] ComputracePlus deletes stolen data

From: InfoSec News (isnat_private)
Date: Thu Jan 02 2003 - 08:05:08 PST


    Forwarded from: Chris Wilson <chrisat_private>
    Cc: Russell Coker <russellat_private>
    
    Dear Mr Coker, and fellow ISN readers,
    
    On Tue, 31 Dec 2002, InfoSec News wrote:
    
    > Forwarded from: Russell Coker <russellat_private>
    ...
    > Interesting that they claim their software-only solution can survive
    > fdisk and format.  I wonder if they will claim that it can survive the
    > installation of a different OS?
    > 
    > Something like TCPA MIGHT be able to do this, but nothing less will.
    
    I thought about this too, and I came up with one option: the BIOS.  
    We've seen viruses which can erase a Flash BIOS, so wouldn't it be
    possible to write a small virus (just a few kilobytes) living in the
    unused areas in the top of that Flash ROM, which knows how to hook in
    to various common BIOSes (AMI, Award and Phoenix cover over 99% of the
    market), scan for supported operating systems at boot and install
    itself into their partitions?
    
    Admittedly, I'm not aware of a case where this has been done, and it
    would certainly be tricky, but it cannot be dismissed as impossible
    just yet.  Look at what worm writers can do with less than a kilobyte
    of shellcode.
    
    The virus might not "support" any operating system other than Windows,
    but it could perhaps survive the installation of such an OS, lying
    dormant in the BIOS until such a time as a supported operating system
    is reinstalled, and then quietly reinject itself again.
    
    Once the virus code was running under Windows it would of course have
    access to the victim's, ahem, user's internet connection to detect
    whether the machine had been reported stolen.
    
    If it hasn't been done yet, perhaps it is a business idea for someone?
    I don't have time to implement it myself.
    
    > > Data Delete
    > 
    > Hasn't anyone ever heard of cryptography?
    
    Not really, many people think it's "a deadly cyber-weapon used by
    terrorists" or some such nonsense, and most people can't deal with the
    risk of losing their passphrase. Of course they sacrifice their own
    security for safety as a result, but such is life.
    
    > Surely if you want to steal someone's data then the first thing you
    > do is power the machine down and remove the hard drive to prevent
    > such erasure!
    
    Yeah, but how many machines (apart from MI5's laptops) are stolen
    _because_ of the data contained? I would venture that casual thieves
    often do not realise the value of the information they've stolen until
    they take a good look at the machine. By that time, such trivial
    defenses as Data Delete would have had time to operate. Let's also
    remember that luckily, most thieves did not come from the deep end of
    the gene pool or receive cyber-espionage training. =)
    
    > Conclusion, after you steal someone's laptop to get their data don't
    > immediately connect it to the Internet, copy the data off first!  
    > Don't boot from the same OS they used, put the hard drive in your
    > own machine (for best results mount the hard drive on a non-Windows
    > OS).
    
    True, and these solutions could never, ever protect against a
    determined thief. They have some value in the war against casual theft
    which is the biggest risk (in terms of frequency and publicity) for
    most users.
    
    > My observation is that "rm -rf /" is fast enough that even
    > experienced administrators often don't catch it while there's still
    > something left.  mkfs is even faster.
    
    Ever tried that under Windows? =)
    
    > As for "disguising your location with a false IP address", that's
    > an amusing claim.
    
    I certainly agree with this, since it's almost impossible to get a
    reply to a genuinely spoofed packet, so it would not do the thieves
    much good to surf with one.
    
    > Firstly IP addresses on their own aren't THAT useful for locating
    > people (think about NAT, think about ISPs in other countries that
    > won't accept court orders).
    
    Again, casual theft is the main target of these programs, whatever
    their creators may claim. I don't think many thieves would take their
    freshly-stolen laptop all the way to Morocco just to download their
    pr0n in peace.
    
    > Secondly if you want your program to trace its location based on IP
    > addresses then you could give it "traceroute" functionality and
    > have it send the complete trace log to the server.
    
    Yes, that would actually be a rather good way of tracing. But you
    don't need the complete trace. The next hop upstream (your ISP's
    dialup router) is definitely not spoofing its packets, and if you can
    get its IP address by a one-hop traceroute and send it to someone,
    then that someone can run the rest of the trace themselves.
    
    > Of course it's undetectable.  It's so undetectable that even fdisk
    > can't find it...  :-#
    
    Undetectable != unremovable of course, and neither applies to the
    product, but fdisk isn't looking for "agents", especially not in the
    BIOS.
    
    > A much better option is to encrypt all the disks and have the
    > encryption keys stored in a central office.
    
    Absolutely.
    
    > NB If using an encrypted file system on your laptop be sure to
    > permanently disable the "Hibernation" facility in the BIOS.  If a
    > thief can get a dump of all kernel memory to disk then the
    > encryption key will be available in there.
    
    OS vendors should probably wipe this area immediately after resuming
    from it, to prevent the accidental retention of sensitive information.
    
    Cheers, Chris.
    -- 
    _ ___ __     _
     / __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
    / (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
    \ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
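The one-hop traceroute Chris describes above, as an added example that is not part of the original thread: a UDP probe sent with TTL=1 expires at the first router upstream, and that router's ICMP Time Exceeded reply carries its own address as the source. The parser runs offline on a constructed reply using documentation-range addresses; the live probe function is an assumption about how an agent would gather the hop and needs raw-socket privileges.

```python
# Added example, not from the thread. Parses the ICMP Time Exceeded reply a
# TTL=1 UDP probe provokes from the first hop upstream (the "one-hop traceroute").
import socket
import struct

def parse_time_exceeded(packet: bytes, probe_port: int):
    """Return the replying hop's IPv4 address if `packet` (raw IPv4 frame)
    is an ICMP Time Exceeded for our UDP probe to `probe_port`, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None                      # not IPv4 carrying ICMP
    ihl = (packet[0] & 0x0F) * 4
    hop = socket.inet_ntoa(packet[12:16])
    icmp = packet[ihl:]
    if len(icmp) < 8 + 20 or icmp[0] != 11 or icmp[1] != 0:
        return None                      # 11/0 = TTL exceeded in transit
    inner = icmp[8:]                     # quoted header of our own probe
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 17 or len(inner) < inner_ihl + 4:
        return None                      # quoted datagram is not UDP
    _sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return hop if dport == probe_port else None  # ignore unrelated ICMP

def constructed_reply() -> bytes:
    """Constructed reply for offline use: hop 192.0.2.1 reports that our
    probe 198.51.100.7 -> 203.0.113.9 (UDP port 33434) expired in transit."""
    udp = struct.pack("!HHHH", 40000, 33434, 8, 0)
    ip_hdr = "!BBHHHBBH4s4s"
    inner = struct.pack(ip_hdr, 0x45, 0, 28, 0x1234, 0, 1, 17, 0,
                        socket.inet_aton("198.51.100.7"), socket.inet_aton("203.0.113.9"))
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + inner + udp
    outer = struct.pack(ip_hdr, 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                        socket.inet_aton("192.0.2.1"), socket.inet_aton("198.51.100.7"))
    return outer + icmp

def one_hop_upstream(target="203.0.113.9", probe_port=33434, timeout=2.0):
    """Live probe (assumed agent behaviour): needs a raw ICMP socket and a network."""
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, 1)  # expire at hop 1
    rx = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    rx.settimeout(timeout)
    with tx, rx:
        try:
            tx.sendto(b"", (target, probe_port))
            while True:                  # skip ICMP not answering our probe
                hop = parse_time_exceeded(rx.recvfrom(1500)[0], probe_port)
                if hop:
                    return hop
        except socket.timeout:
            return None
```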
    
    This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 18:50:08 PST