Monday, December 13, 2010

Passwords^10 : Passware scared us all

Originally my plan was to do several blog posts based on what I heard, saw and learned at Passwords^10. That still is my plan of course, but the president of Passware, Dmitry Sumin, scared me. *A LOT*. So first things first; this blog post is highly necessary - and maybe time critical to some of us as well.

A short time before the conference Nataly Koukoushkina, the marketing manager of Passware, told me that they would demo their newest version of Passware Kit Forensic (version 10.3) at Passwords^10. Dmitry gave his presentation and demo on Thursday the 9th for the very first time, while they posted their press release (direct link to PDF) on their website.

Let's say you are using Microsoft BitLocker, or perhaps TrueCrypt, to do full hard disk encryption. If you EVER allow your computer to enter hibernation mode, Passware Kit Forensic can be used to extract the decryption key needed to access your hard drive from the hiberfil.sys file. That file is basically your physical memory saved to disk when you choose to hibernate your computer. And no, the TPM chip present in some laptops (at least in corporate environments) won't help you. The extraction can be done in minutes. Even more frightening: you can't really make that hiberfil.sys go away using standard operating system tools, as it is off-limits to you. And to be really secure it can't just be deleted either; it has to be wiped.

NEVER EVER EVER EVER allow hibernation on any computer, at least not on those that are more exposed to theft or other types of unauthorized physical access! Use sleep mode (keeping data in memory at low power consumption), or do a complete shutdown. WiredPig (Twitter/WiredPig) already has a writeup on this stuff, highly recommended reading, with more details still to come.
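As an added example (not from the original post or from Passware), here is how an administrator can audit a Windows machine for the hibernation setting and the hiberfil.sys file described above and turn hibernation off; the registry value, the powercfg switches and the hiberfil.sys location are standard Windows locations, assumed here rather than taken from the post.

```powershell
# Added example: audit and disable hibernation so that no hiberfil.sys memory
# snapshot (with the disk-encryption keys it contains) is left on disk.
# Run from an elevated PowerShell prompt.

$powerKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'   # standard Windows key (assumed)
$hiberfile = Join-Path $env:SystemDrive 'hiberfil.sys'         # default hiberfil.sys location

function Get-HibernationState {
    # HibernateEnabled = 1 means the OS will write RAM to hiberfil.sys on hibernate
    $val = (Get-ItemProperty -Path $powerKey -Name 'HibernateEnabled' -ErrorAction SilentlyContinue).HibernateEnabled
    $exists = Test-Path -LiteralPath $hiberfile
    [pscustomobject]@{
        HibernateEnabled = ($val -eq 1)
        HiberfilExists   = $exists
        # hiberfil.sys is a hidden system file, so -Force is needed to read its size
        HiberfilBytes    = if ($exists) { (Get-Item -LiteralPath $hiberfile -Force).Length } else { 0 }
    }
}

function Disable-Hibernation {
    # powercfg /hibernate off disables hibernation and removes hiberfil.sys.
    # The removal is an ordinary delete, not a wipe, which is the point the post makes:
    # the old contents may still be recoverable from disk until that space is overwritten.
    & powercfg.exe /hibernate off
    if ($LASTEXITCODE -ne 0) { throw "powercfg failed with exit code $LASTEXITCODE" }
}

$before = Get-HibernationState
Write-Host "Before: hibernate enabled = $($before.HibernateEnabled), hiberfil.sys present = $($before.HiberfilExists) ($($before.HiberfilBytes) bytes)"

if ($before.HibernateEnabled -or $before.HiberfilExists) {
    Disable-Hibernation
    $after = Get-HibernationState
    Write-Host "After:  hibernate enabled = $($after.HibernateEnabled), hiberfil.sys present = $($after.HiberfilExists)"
    if ($after.HibernateEnabled -or $after.HiberfilExists) {
        Write-Warning 'Hibernation still enabled or hiberfil.sys still present; check Group Policy, reboot and re-run.'
    }
} else {
    Write-Host 'Hibernation already disabled and no hiberfil.sys found.'
}

# Show which sleep states remain available; sleep (S3) keeps RAM, and the keys in it, powered.
& powercfg.exe /availablesleepstates
```

On a fleet this check belongs in the standard build or a scheduled compliance job, since a user re-enabling hibernation recreates the file on the next hibernate.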

Does this change my risk evaluation? Yes, it most certainly does.
Probability of the computer being stolen or accessed without authorization? Probably no change.
Consequences if stolen? Much higher than before. Flip your coin: a simple criminal wanting a new laptop, or a (targeted) attack to get access to everything you and your employer have on that computer. And more.

Dmitry also showed a somewhat "old" trick: using Firewire to do live memory dumps, thus gaining access to your decryption keys (and anything else) you might have in your computer's memory. A trick that most certainly drew a few "WOWs" from the audience, with people afterwards saying "I need to use superglue on my Firewire ports, as well as my PCMCIA ports, in order to prevent insertion of Firewire cards".

You can see all this, and more, by downloading the video recordings we've made available for free. They are currently hosted on the FTP server of the University of Bergen: (big thank you to @haakonnilsen at UiB for that!). Torrents can also be found at in case you would like to help us distribute the files. :-)