Rambling on the Private Data Security - PowerPoint PPT Presentation

Loading...

PPT – Rambling on the Private Data Security PowerPoint presentation | free to view - id: 12859b-NzJhO



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Rambling on the Private Data Security

Description:

... ordinary computer users with knowledges and tools to protect their private data. ... hole that is exploitable by a malware to lock the hard disk with password ... – PowerPoint PPT presentation

Number of Views:63
Avg rating:3.0/5.0
Slides: 39
Provided by: 80s
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Rambling on the Private Data Security


1
Rambling on the Private Data Security
  • Sun Bing
  • taoshaixiaoyao_at_hotmail.com
  • Syscan08 Hong Kong China
  • 30th May 2008

2
Preface
  • Nowadays Private Data Security has become a
    very hot topic, especially after the HK
    entertainment circles celebrity pornogate
    scandal, so its necessary to provide ordinary
    computer users with knowledges and tools to
    protect their private data.
  • A random talk on some Data Security related
    topics, which will mainly focus on the following
    subjects
  • Harddisk Lock Password
  • EFS vs. Windows Vista Bitlocker
  • WaterBox Software (Information Leakage
    Prevention)
  • Harddisk Protection/Recovery Software/Card

3
Harddisk Lock Password
  • ATA Security Mode Feature Set
  • Abusing the Security Feature Set
  • Harddisk Lock BIOS Configuration of Dell Latitude
    D620 Laptop
  • Cracking the Harddisk Lock Password

4
ATA Security Mode Feature Set
  • Security Mode Feature Set
  • A password system that restricts access to user
    data stored on a device. In addition, access to
    some configuration capabilities is restricted.
  • Password
  • User Password
  • Master Password
  • Master Password Capability
  • High
  • Maximum
  • Frozen Mode
  • The Security Freeze Lock command prevents changes
    to all Security states until a following power-on
    reset or hardware reset, the purpose of this
    command is to prevent password setting attacks on
    the security system.

5
ATA Security Mode Feature Set (Cont)
  • Commands
  • Security Set Password
  • Security Unlock (requires a password)
  • Security Erase Prepare
  • Security Erase Unit (requires a password)
  • Security Freeze Lock
  • Security Disable Password (requires a password)
  • Password Rules
  • See Table 6
  • Password Attempt Counter
  • Counter set to 5 after a power-on or hardware
    reset
  • PasswordAttemptCounterExceeded

6
Password Rules
7
Security States
8
Security State Transitions
9
Security State Transitions
10
Abusing the Security Feature Set
  • However the current BIOS version of most
    computers have no or only partial supports of
    this new security mode feature, which would be a
    very severe security hole that is exploitable by
    a malware to lock the hard disk with password
    stealthily to prevent any further hard disk
    access after the next power-off.
  • In such a circumstance, to prevent the Security
    Mode Feature Set from being abused, a
    third-party pre-boot software is needed, as the
    format of either a BIOS extension or a bootable
    CD, which will issue the ATA command Security
    Freeze Lock to the ATA controller/drive to
    freeze all security settings until the next cold
    boot.

11
Dell D620 HD PW BIOS Configuration
12
Cracking the Harddisk Lock Password
  • The harddisk will read the firmware area during
    the power-on process and determine whether it was
    locked or not, if locked then any other operation
    is not allowed before unlocking it with a correct
    password, since the passwords are stored in the
    negative tracks of the harddisk (a.k.a, firmware
    area) other than the drive circuit, it cant be
    cracked by simply changing the PCB.
  • It is said that someone can break this password
    protection by using the combination of PCB (Print
    Circuit Board) hot-swap and the supports of some
    professional harddisk repair tools (MHDD or
    PC3000 etc).

13
EFS vs. Windows Vista Bitlocker
  • EFS Introduction
  • EFS Cracking
  • Windows Vista Bitlocker Introduction
  • TPM Introduction
  • TPM Security Issues

14
EFS Introduction
  • EFS Encrypted File System
  • Important Keys Used
  • FEK File Encryption Key (DESX, AES, or 3DES)
  • Users Public/Private Key Pair (RSA)
  • Users Master Key (64 bytes)
  • A Key Derived From Users Password (3DES)
  • Components Involved
  • EFS NTFS Driver
  • KSecDD
  • Lsass (Lsasrv)
  • CSP

15
EFS Architecture
16
EFS DDF DRF
17
EFS Cracking
  • The Basic Concept of EFS Cracking
  • Users Password ? Derived Key ? Master Key ?
    Private Key ? FEK ? File Data Plaintext
  • Detailed Cracking Steps
  • Get the users password by SAM attacking.
    (pwdump, L0pht Crack etc)
  • Compute the derived key based on the users
    password.
  • Decrypt the master key. (UserProfile\Application
    Data\Microsoft\Protect\SID )
  • Decrypt the private key. (UserProfile\Applicatio
    n Data\Microsoft\Crypto\RSA\SID)
  • Decrypt the FEK.
  • Decrypt the file data.

18
Windows Vista Bitlocker Introduction
  • Bitlocker
  • Full drive volume encryption.
  • Integrity checking of early boot components.
  • Important Keys/Passwords Used
  • FVEK Full Volume Encryption Key
  • VMK Volume Master Key
  • PIN Personal Identification Number
  • Clear Key
  • Restore Key/Password
  • Startup Key
  • System Requirements
  • TPM v1.21
  • v1.2 TCG-compliant BIOS
  • USB Mass Storage Device Class supports
  • At least 2 volumes (OS/Boot System Volume)

19
Bitlocker Architecture
20
Encryption Keys In Bitlocker
21
Bitlocker Drive Encryption-Enabled Volume With
TPM Protection
22
Bitlocker Drive Encryption-Enabled Volume With
Enhanced Protection
23
TPM Introduction
  • TPM Trusted Platform Module
  • Protected capabilities
  • Integrity measurement
  • Integrity reporting
  • TPM Terminologies
  • TBB Trust Building Block
  • CRTM Core Root of Trust Measurement (BIOS
    Bootblock)
  • PCRs Platform Configuration Registers
  • Extend operation PCRn lt-- SHA-1 (PCRn
    measured data)
  • TPM BIOS Driver (MA/MP)

24
TPM Architecture
25
TPM Components Architecture
26
PCRs Usages Summary
27
Dell D620 TPM BIOS Configuration
28
Dell D620 TPM BIOS Configuration
29
TPM Security Issues
  • Three Conditions That Make the Chain of Hashes
    Trustyworthy
  • The first code running and extending PCRs after a
    platform reset (SRTM) is trustworthy and cannot
    be replaced.
  • The PCRs are not resetable without passing
    control to trusted code.
  • The chain is contiguous. There is no code in
    between that is executed but not hashed.
  • TPM Security
  • Bootloader bugs (Violates condition 3)
  • TPM reset (Violates condition 2)
  • BIOS attack (Violates condition 1, CRTM and TPM
    MP Driver patchable)
  • TPMKit? (BlackHat USA 2007)

30
TPM BIOS MP Driver
31
TPM BIOS Driver Header
32
MPTPMTransmit Prototype
33
Waterbox Harddisk Protection/Recovery Software
  • Waterbox Software Introduction
  • Waterbox Software Bypassing
  • Harddisk Protection/Recovery Software/Card
    Introduction
  • Harddisk Protection/Recovery Software Penetration

34
Waterbox Software Introduction
  • What Is A Waterbox Software?
  • Information leakage Prevention, a.k.a. Document
    Security Management (Protection) System.
  • Popular Waterbox Softwares
  • FileSECURE (AirZip)
  • FSD/FSF/FSN/Wrapsody (FASOO)
  • FD-DSM (Frontier Technology)
  • CDG (E-SAFENET)
  • InfoGuard (UNNOO)
  • NET-LOCK (Sagetech)
  • Implementation Technique Categories
  • Peripheral device network protocol control
  • File directory encryption
  • File format convertion
  • Remote file storage
  • Information filter
  • Application plugin
  • Kernel mode real-time transparent file
    encryption/decryption

35
Waterbox Software Bypassing
  • The Theory of Real-time Transparent File
    Encryption/Decryption
  • The file data are encrypted on disk, and the
    Waterbox will only decrypt/encrypt the file
    read/write requests that are issued within some
    specified process contexts, such as Winword.exe
  • Implementation Methods
  • User Mode File Win32/Native API hooking
    (Including Memory Mapping functions)
  • Kernel Mode FS Filter driver
  • Bypassing Steps
  • Inject a DLL into the process which can make the
    Waterbox decrypt files.
  • Open and read the desired encrypted files.
  • Pass the decrypted file contents to another
    process via shared memory.
  • Write the received file data to disk within that
    process.

36
Harddisk Protection/Recovery Software/Card
Introduction
  • What Can A Harddisk Protection/Recovery
    Software/Card Do?
  • Any modification made on the protected harddisk
    will be restored automatically upon the next
    system boot, many internet bar install this kind
    of softwares to prevent their PCs from being
    ruined by customers.
  • Popular Harddisk Protection/Recovery Softwares
  • DeepFreeze (Faronics)
  • PowerShadow
  • PowerUser/PowerServer
  • Returnil Virtual System (RVS)
  • Sandboxie

37
Harddisk Protection/Recovery Software Penetration
  • The Theory of Harddisk Protection/Recovery
  • The disk access requests made on the protected
    disk partitions are intercepted and redirected to
    other disk locations, for example a hidden
    reserved disk partition.
  • Implementation Methods
  • DOS time PCI/ISA Option ROM, intercept BIOS
    int13h.
  • Windows Disk Filter driver, attach on DR0 device
    object.
  • Penetration Techniques (Used by Machine Dog
    virus)
  • Detach the filter device object that was stacked
    on DR0.
  • Create a virtual disk volume object.
  • Passthrough instruction (DeviceIoControl).
  • Direct port I/O.

38
  • Thanks For Watching!Question Discussion Time
About PowerShow.com