rambling on the private data security l.
Skip this Video
Loading SlideShow in 5 Seconds..
Rambling on the Private Data Security PowerPoint Presentation
Download Presentation
Rambling on the Private Data Security

Loading in 2 Seconds...

play fullscreen
1 / 38

Rambling on the Private Data Security - PowerPoint PPT Presentation

  • Uploaded on

Rambling on the Private Data Security. Sun Bing taoshaixiaoyao@hotmail.com Syscan ’ 08 Hong Kong China 30 th May 2008. Preface.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

Rambling on the Private Data Security

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
    Presentation Transcript
    1. Rambling on the Private Data Security Sun Bing taoshaixiaoyao@hotmail.com Syscan’08 Hong Kong China 30th May 2008

    2. Preface • Nowadays “Private Data Security” has become a very hot topic, especially after the HK entertainment circles celebrity pornogate scandal, so it’s necessary to provide ordinary computer users with knowledges and tools to protect their private data. • A random talk on some “Data Security” related topics, which will mainly focus on the following subjects: • Harddisk Lock Password • EFS vs. Windows Vista Bitlocker • WaterBox Software (Information Leakage Prevention) • Harddisk Protection/Recovery Software/Card

    3. Harddisk Lock Password • ATA Security Mode Feature Set • Abusing the Security Feature Set • Harddisk Lock BIOS Configuration of Dell Latitude D620 Laptop • Cracking the Harddisk Lock Password

    4. ATA Security Mode Feature Set • Security Mode Feature Set A password system that restricts access to user data stored on a device. In addition, access to some configuration capabilities is restricted. • Password • User Password • Master Password • Master Password Capability • High • Maximum • Frozen Mode The Security Freeze Lock command prevents changes to all Security states until a following power-on reset or hardware reset, the purpose of this command is to prevent password setting attacks on the security system.

    5. ATA Security Mode Feature Set (Cont) • Commands • Security Set Password • Security Unlock (requires a password) • Security Erase Prepare • Security Erase Unit (requires a password) • Security Freeze Lock • Security Disable Password (requires a password) • Password Rules See Table 6 • Password Attempt Counter • Counter: set to 5 after a power-on or hardware reset • PasswordAttemptCounterExceeded

    6. Password Rules

    7. Security States

    8. Security State Transitions

    9. Security State Transitions

    10. Abusing the Security Feature Set • However the current BIOS version of most computers have no or only partial supports of this new security mode feature, which would be a very severe security hole that is exploitable by a malware to lock the hard disk with password stealthily to prevent any further hard disk access after the next power-off. • In such a circumstance, to prevent the “Security Mode Feature Set” from being abused, a third-party pre-boot software is needed, as the format of either a BIOS extension or a bootable CD, which will issue the ATA command “Security Freeze Lock” to the ATA controller/drive to freeze all security settings until the next cold boot.

    11. Dell D620 HD PW BIOS Configuration

    12. Cracking the Harddisk Lock Password • The harddisk will read the firmware area during the power-on process and determine whether it was locked or not, if locked then any other operation is not allowed before unlocking it with a correct password, since the passwords are stored in the negative tracks of the harddisk (a.k.a, firmware area) other than the drive circuit, it can’t be cracked by simply changing the PCB. • It is said that someone can break this password protection by using the combination of PCB (Print Circuit Board) hot-swap and the supports of some professional harddisk repair tools (MHDD or PC3000 etc).

    13. EFS vs. Windows Vista Bitlocker • EFS Introduction • EFS Cracking • Windows Vista Bitlocker Introduction • TPM Introduction • TPM Security Issues

    14. EFS Introduction • EFS: Encrypted File System • Important Keys Used • FEK: File Encryption Key (DESX, AES, or 3DES) • User’s Public/Private Key Pair (RSA) • User’s Master Key (64 bytes) • A Key Derived From User’s Password (3DES) • Components Involved • EFS & NTFS Driver • KSecDD • Lsass (Lsasrv) • CSP

    15. EFS Architecture

    16. EFS DDF & DRF

    17. EFS Cracking • The Basic Concept of EFS Cracking: User’s Password  Derived Key  Master Key  Private Key  FEK  File Data Plaintext • Detailed Cracking Steps: • Get the user’s password by SAM attacking. (pwdump, L0pht Crack etc) • Compute the derived key based on the user’s password. • Decrypt the master key. (%UserProfile%\Application Data\Microsoft\Protect\SID ) • Decrypt the private key. (%UserProfile%\Application Data\Microsoft\Crypto\RSA\SID) • Decrypt the FEK. • Decrypt the file data.

    18. Windows Vista Bitlocker Introduction • Bitlocker: • Full drive volume encryption. • Integrity checking of early boot components. • Important Keys/Passwords Used: • FVEK: Full Volume Encryption Key • VMK: Volume Master Key • PIN: Personal Identification Number • Clear Key • Restore Key/Password • Startup Key • System Requirements: • TPM v1.21 • v1.2 TCG-compliant BIOS • USB Mass Storage Device Class supports • At least 2 volumes (OS/Boot & System Volume)

    19. Bitlocker Architecture

    20. Encryption Keys In Bitlocker

    21. Bitlocker Drive Encryption-Enabled Volume With TPM Protection

    22. Bitlocker Drive Encryption-Enabled Volume With Enhanced Protection

    23. TPM Introduction • TPM: Trusted Platform Module • Protected capabilities • Integrity measurement • Integrity reporting • TPM Terminologies • TBB: Trust Building Block • CRTM: Core Root of Trust Measurement (BIOS Bootblock) • PCRs: Platform Configuration Registers • Extend operation: PCR[n] <-- SHA-1 (PCR[n] + measured data) • TPM BIOS Driver (MA/MP)

    24. TPM Architecture

    25. TPM Components Architecture

    26. PCRs Usages Summary

    27. Dell D620 TPM BIOS Configuration

    28. Dell D620 TPM BIOS Configuration

    29. TPM Security Issues • Three Conditions That Make the Chain of Hashes Trustyworthy: • The first code running and extending PCRs after a platform reset (SRTM) is trustworthy and cannot be replaced. • The PCRs are not resetable without passing control to trusted code. • The chain is contiguous. There is no code in between that is executed but not hashed. • TPM Security: • Bootloader bugs (Violates condition 3) • TPM reset (Violates condition 2) • BIOS attack (Violates condition 1, CRTM and TPM MP Driver patchable) • TPMKit? (BlackHat USA 2007)

    30. TPM BIOS MP Driver

    31. TPM BIOS Driver Header

    32. MPTPMTransmit Prototype

    33. Waterbox & Harddisk Protection/Recovery Software • Waterbox Software Introduction • Waterbox Software Bypassing • Harddisk Protection/Recovery Software/Card Introduction • Harddisk Protection/Recovery Software Penetration

    34. Waterbox Software Introduction • What Is A Waterbox Software? Information leakage Prevention, a.k.a. Document Security Management (Protection) System. • Popular Waterbox Softwares • FileSECURE (AirZip) • FSD/FSF/FSN/Wrapsody (FASOO) • FD-DSM (Frontier Technology) • CDG (E-SAFENET) • InfoGuard (UNNOO) • NET-LOCK (Sagetech) • Implementation Technique Categories • Peripheral device & network protocol control • File & directory encryption • File format convertion • Remote file storage • Information filter • Application plugin • Kernel mode real-time transparent file encryption/decryption

    35. Waterbox Software Bypassing • The Theory of Real-time Transparent File Encryption/Decryption: The file data are encrypted on disk, and the Waterbox will only decrypt/encrypt the file read/write requests that are issued within some specified process contexts, such as Winword.exe… • Implementation Methods • User Mode: File Win32/Native API hooking (Including Memory Mapping functions) • Kernel Mode: FS Filter driver • Bypassing Steps: • Inject a DLL into the process which can make the Waterbox decrypt files. • Open and read the desired encrypted files. • Pass the decrypted file contents to another process via shared memory. • Write the received file data to disk within that process.

    36. Harddisk Protection/Recovery Software/Card Introduction • What Can A Harddisk Protection/Recovery Software/Card Do? Any modification made on the protected harddisk will be restored automatically upon the next system boot, many internet bar install this kind of softwares to prevent their PCs from being ruined by customers. • Popular Harddisk Protection/Recovery Softwares • DeepFreeze (Faronics) • PowerShadow • PowerUser/PowerServer • Returnil Virtual System (RVS) • Sandboxie

    37. Harddisk Protection/Recovery Software Penetration • The Theory of Harddisk Protection/Recovery: The disk access requests made on the protected disk partitions are intercepted and redirected to other disk locations, for example a hidden reserved disk partition. • Implementation Methods: • DOS time: PCI/ISA Option ROM, intercept BIOS int13h. • Windows: Disk Filter driver, attach on DR0 device object. • Penetration Techniques (Used by Machine Dog virus) • Detach the filter device object that was stacked on DR0. • Create a virtual disk volume object. • Passthrough instruction (DeviceIoControl). • Direct port I/O.

    38. Thanks For Watching!Question & Discussion Time