Monday, May 21, 2012

Live Memory Password Acquisition

[ Screenshot of Passware Kit Forensic ]
Congratulations to Passware on their newest release of Passware Kit Forensic, now at version 11.7. This new release brings "instant" decryption of Microsoft Office 2007-2010 password-protected documents through memory analysis, as well as some other interesting new features. I am quoted in their press release, available here (PDF):

Let's take a look at these new features from a threat/risk perspective:

Live memory analysis, just like cold boot attacks etc., is not new to infosec professionals. At Passwords^10 in December 2010, Passware demonstrated live memory acquisition through FireWire and analysis to recover BitLocker decryption keys. They also talked about the ability to recover similar information from hibernation files, obtained from drives where a hibernation file had been created before full-disk encryption had occurred.

You can have a look at our video recording from that presentation here:

Similarly, Carsten Maartmann-Moe (@breaknenter) demonstrated his 'Inception' tool at Passwords^11 in June 2011, conducting a Windows password 'blanking' hack through FireWire, as well as a cold boot attack for acquiring FDE decryption keys from live 'frozen' memory. His presentation was recorded as well:

Responses from the audience for both presentations, including myself, were simple: "I will now ASAP go home and apply superglue to my FireWire ports, as well as any PCMCIA/ExpressCard ports I may have in my laptop."

Now there are other ways to block or reduce the risk of unauthorized data acquisition using these tools & techniques, but quite honestly, they are bound to kill off quite a bit of end-user usability & satisfaction.

I have for quite some time recommended that customers secure highly sensitive business documents by using strong passwords in Microsoft Office 2007+, which uses AES encryption. After Dmitry Sklyarov's (@elcomsoft) presentation at Passwords^11 (video, 720p, 902MB), it seems Adobe Acrobat Pro version 10 PDF format is pretty suitable as well for protecting information.

With the added feature of acquiring plaintext passwords for Office documents when they are present in memory (document is opened and 'unlocked'), Passware makes a big step forward in the field of information forensics, with a feature that is very welcome. I'm curious about what other passwords might be found in memory that can be extracted just as easily. Other FDE products? PDF file passwords? Cached PGP keyphrases?

From a threat perspective we need to update our risk analysis. The simple version: please close all sensitive documents before you activate your screen saver or put your laptop into hibernate mode, and consider using pre-boot authentication at cold boot and when resuming from hibernation, if possible.

(Still waiting to see some practical implementations of biometric keystroke authentication in web applications or even pre-boot BIOS passwords. :-))
