Rambling on the Private Data Security
Sun Bing, [email protected]
Syscan '08, Hong Kong, China, 30th May 2008
![Page 2: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/2.jpg)
Preface
Nowadays “Private Data Security” has become a very hot topic, especially after the Hong Kong entertainment-circle celebrity “pornogate” scandal, so it is necessary to provide ordinary computer users with the knowledge and tools to protect their private data.
A random talk on some “Data Security” related topics, which will mainly focus on the following subjects:
- Harddisk Lock Password
- EFS vs. Windows Vista Bitlocker
- WaterBox Software (Information Leakage Prevention)
- Harddisk Protection/Recovery Software/Card
![Page 3: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/3.jpg)
Harddisk Lock Password
- ATA Security Mode Feature Set
- Abusing the Security Feature Set
- Harddisk Lock BIOS Configuration of Dell Latitude D620 Laptop
- Cracking the Harddisk Lock Password
![Page 4: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/4.jpg)
ATA Security Mode Feature Set
Security Mode Feature Set: a password system that restricts access to the user data stored on a device. In addition, access to some configuration capabilities is restricted.
Passwords: User Password, Master Password
Master Password Capability: High (the master password can also unlock the drive) or Maximum (the master password can only be used to erase the drive, not to unlock it)
Frozen Mode: the Security Freeze Lock command prevents changes to all security states until a following power-on reset or hardware reset; the purpose of this command is to prevent password-setting attacks on the security system.
![Page 5: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/5.jpg)
ATA Security Mode Feature Set (Cont)
Commands:
- Security Set Password
- Security Unlock (requires a password)
- Security Erase Prepare
- Security Erase Unit (requires a password)
- Security Freeze Lock
- Security Disable Password (requires a password)
Password Rules: see Table 6
Password Attempt Counter: set to 5 after a power-on or hardware reset and decremented on every failed password attempt; once it reaches zero the drive reports PasswordAttemptCounterExceeded and aborts further unlock attempts until the next reset, which is what throttles brute force against the drive password.
![Page 6: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/6.jpg)
Password Rules
![Page 7: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/7.jpg)
Security States
![Page 8: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/8.jpg)
Security State Transitions
![Page 9: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/9.jpg)
Security State Transitions
![Page 10: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/10.jpg)
Abusing the Security Feature Set
However, the current BIOS versions of most computers have no or only partial support for the security mode feature set, which is a severe security hole: malware can stealthily lock the hard disk with a password so that no further hard disk access is possible after the next power-off.
In such a circumstance, to prevent the “Security Mode Feature Set” from being abused, third-party pre-boot software is needed, in the form of either a BIOS extension or a bootable CD, which issues the ATA command “Security Freeze Lock” to the ATA controller/drive to freeze all security settings until the next cold boot. Note that a frozen drive also refuses legitimate Security Set Password, Security Disable Password and Security Erase Unit commands for the rest of that power cycle, so any intended password change or secure erase has to be done before the freeze (for example from the BIOS setup itself).
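To make the state transitions of the previous slides and the attack above concrete, here is a software model of the ATA security state machine (SEC1 to SEC6, the password attempt counter, Master Password Capability and Security Freeze Lock). It is an added example, not code from the talk; the state names follow the ATA specification, while the class and method names, the sample passwords and the choice to treat a few unspecified corner cases (such as unlocking a drive that is not locked) as aborts are this example's own. No real disk is touched.

```python
"""Model of the ATA Security Mode Feature Set (example code, not from the talk)."""

OK, ABORTED = "OK", "ABORTED"          # the two outcomes a drive reports


class AtaSecurityDrive:
    """One drive; passwords live in the firmware area, not on the PCB."""

    def __init__(self):
        self.user_pw = None             # security is disabled until a user password is set
        self.master_pw = b"\x00" * 32   # vendor default master password (modelled value)
        self.capability = "HIGH"        # HIGH: master may unlock; MAXIMUM: master may only erase
        self.frozen = False
        self.locked = False
        self.attempts = 5               # password attempt counter
        self.expired = False            # PasswordAttemptCounterExceeded
        self.user_data = b"private data"

    @property
    def enabled(self):
        return self.user_pw is not None

    def state(self):
        if not self.enabled:
            return "SEC2" if self.frozen else "SEC1"
        if self.locked:
            return "SEC4"
        return "SEC6" if self.frozen else "SEC5"

    def power_on_reset(self):
        # Reset clears the freeze and the attempt counter; an enabled drive
        # powers up locked (SEC3 -> SEC4), a disabled one unlocked (SEC1).
        self.frozen, self.attempts, self.expired = False, 5, False
        self.locked = self.enabled

    def set_password(self, pw, master=False, capability="HIGH"):
        if self.frozen or self.locked:          # SEC2/SEC4/SEC6 abort the command
            return ABORTED
        if master:
            self.master_pw = pw                 # a master password alone does not enable security
        else:
            self.user_pw, self.capability = pw, capability
        return OK

    def _check(self, pw, master):
        """Password check; every failure burns one attempt (modelled for all commands)."""
        if self.expired:
            return False
        good = pw == (self.master_pw if master else self.user_pw)
        if not good:
            self.attempts -= 1
            self.expired = self.attempts == 0
        return good

    def unlock(self, pw, master=False):
        if not self.locked:
            return ABORTED                      # model choice: nothing to unlock
        if master and self.capability == "MAXIMUM":
            return ABORTED                      # master password cannot unlock at MAXIMUM
        if not self._check(pw, master):
            return ABORTED
        self.locked = False
        return OK

    def freeze_lock(self):
        if self.locked:
            return ABORTED                      # not allowed in SEC4; unlock first
        self.frozen = True                      # stays until the next power-on/hardware reset
        return OK

    def disable_password(self, pw, master=False):
        if self.frozen or self.locked or not self.enabled:
            return ABORTED
        if master and self.capability == "MAXIMUM":
            return ABORTED
        if not self._check(pw, master):
            return ABORTED
        self.user_pw = None
        return OK

    def erase_unit(self, pw, master=False):
        """SECURITY ERASE UNIT (ERASE PREPARE assumed to have been sent just before)."""
        if self.frozen or not self.enabled:
            return ABORTED
        if not self._check(pw, master):         # master may always erase, even at MAXIMUM
            return ABORTED
        self.user_data = b""                    # the only way out of a lost password: lose the data
        self.user_pw, self.locked = None, False
        return OK


def malware_locks_disk(bios_freezes):
    """Boot, optionally let the BIOS freeze the drive, then let malware try
    SECURITY SET PASSWORD. Returns (drive's answer, state after the next power cycle)."""
    drive = AtaSecurityDrive()
    drive.power_on_reset()
    if bios_freezes:
        drive.freeze_lock()                     # what a good BIOS or pre-boot tool does
    result = drive.set_password(b"malware-secret", capability="MAXIMUM")
    drive.power_on_reset()
    return result, drive.state()


def lockout_demo():
    """Five wrong guesses expire the counter: even the right password is refused until a reset."""
    drive = AtaSecurityDrive()
    drive.set_password(b"owner")
    drive.power_on_reset()                      # now SEC4
    wrong = [drive.unlock(b"guess") for _ in range(5)]
    blocked = drive.unlock(b"owner")
    drive.power_on_reset()
    return wrong, blocked, drive.unlock(b"owner")


if __name__ == "__main__":
    print(malware_locks_disk(bios_freezes=False))   # ('OK', 'SEC4'): disk unreadable after reboot
    print(malware_locks_disk(bios_freezes=True))    # ('ABORTED', 'SEC1')
    print(lockout_demo())
```

The two `malware_locks_disk` runs are the whole argument of this slide: without a freeze the drive sits in SEC1 and accepts a Set Password from any code with I/O access, and because the malware chose the Maximum capability the vendor master password cannot even unlock it afterwards, only erase it.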
![Page 11: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/11.jpg)
Dell D620 HD PW BIOS Configuration
![Page 12: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/12.jpg)
Cracking the Harddisk Lock Password
The hard disk reads its firmware area during the power-on process and determines whether it is locked; if it is, no other operation is allowed before it is unlocked with a correct password. Since the passwords are stored in the negative tracks of the hard disk (a.k.a. the firmware area) rather than on the drive's circuit board, the lock cannot be cracked by simply swapping the PCB.
It is said that someone can break this password protection by combining a PCB (printed circuit board) hot-swap with the support of professional hard disk repair tools (MHDD, PC-3000, etc.). Because the check is implemented by each vendor's firmware, both the strength of the lock and any such bypass are drive-model specific.
![Page 13: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/13.jpg)
EFS vs. Windows Vista Bitlocker
- EFS Introduction
- EFS Cracking
- Windows Vista Bitlocker Introduction
- TPM Introduction
- TPM Security Issues
![Page 14: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/14.jpg)
EFS Introduction
EFS: Encrypting File System
Important keys used:
- FEK: File Encryption Key (DESX, AES, or 3DES)
- User's public/private key pair (RSA)
- User's Master Key (64 bytes)
- A key derived from the user's password (3DES)
Components involved: EFS & NTFS driver, KSecDD, Lsass (Lsasrv), CSP
![Page 15: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/15.jpg)
EFS Architecture
![Page 16: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/16.jpg)
EFS DDF & DRF
![Page 17: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/17.jpg)
EFS Cracking
The basic concept of EFS cracking:
User's Password → Derived Key → Master Key → Private Key → FEK → File Data Plaintext
Detailed cracking steps:
1. Get the user's password by attacking the SAM (dump the hashes with pwdump, crack them with L0phtCrack, etc.); the derivation starts from the password itself, so a hash dump alone generally has to be cracked first.
2. Compute the derived key from the user's password.
3. Decrypt the master key (%UserProfile%\Application Data\Microsoft\Protect\SID).
4. Decrypt the private key (%UserProfile%\Application Data\Microsoft\Crypto\RSA\SID).
5. Decrypt the FEK.
6. Decrypt the file data.
Every secret in this chain is stored in the user's profile on the same disk, so an attacker with the disk and the password needs nothing else; this is the gap Bitlocker closes by anchoring its key chain in the TPM.
![Page 18: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/18.jpg)
Windows Vista Bitlocker Introduction
Bitlocker:
1. Full drive volume encryption.
2. Integrity checking of early boot components.
Important keys/passwords used: FVEK (Full Volume Encryption Key), VMK (Volume Master Key), PIN (Personal Identification Number), Clear Key, Recovery Key/Password, Startup Key
System requirements: TPM v1.2; TCG-compliant BIOS; USB Mass Storage Device Class support (so the BIOS can read a startup or recovery key from a USB flash drive); at least 2 volumes (the unencrypted System volume holding the boot files and the encrypted OS/Boot volume)
![Page 19: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/19.jpg)
Bitlocker Architecture
![Page 20: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/20.jpg)
Encryption Keys In Bitlocker
![Page 21: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/21.jpg)
Bitlocker Drive Encryption-Enabled Volume With TPM Protection
![Page 22: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/22.jpg)
Bitlocker Drive Encryption-Enabled Volume With Enhanced Protection
![Page 23: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/23.jpg)
TPM Introduction
TPM: Trusted Platform Module
Protected capabilities, integrity measurement, integrity reporting
TPM terminology:
- TBB: Trusted Building Block
- CRTM: Core Root of Trust for Measurement (BIOS boot block)
- PCRs: Platform Configuration Registers
- Extend operation: PCR[n] <- SHA-1(PCR[n] || measured data), where || is concatenation and the measured data is the SHA-1 digest of the code being measured; a PCR can only be extended, never written directly, so its final value commits to the whole ordered sequence of measurements
- TPM BIOS driver (MA/MP: Memory Absent / Memory Present)
![Page 24: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/24.jpg)
TPM Architecture
![Page 25: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/25.jpg)
TPM Components Architecture
![Page 26: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/26.jpg)
PCRs Usages Summary
![Page 27: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/27.jpg)
Dell D620 TPM BIOS Configuration
![Page 28: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/28.jpg)
Dell D620 TPM BIOS Configuration
![Page 29: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/29.jpg)
TPM Security Issues
Three conditions that make the chain of hashes trustworthy:
1. The first code running and extending PCRs after a platform reset (the SRTM, Static Root of Trust for Measurement) is trustworthy and cannot be replaced.
2. The PCRs are not resettable without passing control to trusted code.
3. The chain is contiguous: there is no code in between that is executed but not hashed.
TPM security:
- Bootloader bugs (violate condition 3)
- TPM reset (violates condition 2)
- BIOS attack (violates condition 1; CRTM and TPM MP driver patchable)
- TPMKit? (BlackHat USA 2007)
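The following model ties the “Bitlocker volume with TPM protection” slide to the three conditions above: a VMK is sealed to the PCR value of a good boot, and the PCR is rebuilt by extending each boot stage. It is an added example, not code from the talk or from Microsoft; the extend formula is the one from the TPM slide, while the seal/unseal wrapping (an HMAC-derived pad keyed by a modelled SRK), the boot stage names, the sample VMK and all function names are constructed for this example.

```python
"""Measured boot and sealed-key model (example code, not from the talk)."""
import hashlib
import hmac
import os

PCR_RESET = bytes(20)        # PCRs read as all zeros after a platform reset


def pcr_extend(pcr, data):
    """TPM_Extend: PCR[n] <- SHA-1(PCR[n] || SHA-1(data)).
    The new value depends on the old one, so the order of the chain is baked in."""
    return hashlib.sha1(pcr + hashlib.sha1(data).digest()).digest()


class ModelTpm:
    def __init__(self):
        self._srk = os.urandom(32)   # storage root key: never leaves the chip (modelled)
        self.pcr = PCR_RESET

    def reset(self):                 # a platform reset clears the PCR
        self.pcr = PCR_RESET

    def extend(self, data):
        self.pcr = pcr_extend(self.pcr, data)

    def _pad(self, pcr_policy):
        # stand-in for the TPM's key hierarchy: pad bound to SRK and the PCR policy
        return hmac.new(self._srk, pcr_policy, hashlib.sha256).digest()

    def seal(self, secret, pcr_policy):
        """Bind a 32-byte secret (Bitlocker's VMK) to an expected PCR value."""
        return pcr_policy, bytes(a ^ b for a, b in zip(secret, self._pad(pcr_policy)))

    def unseal(self, blob):
        """Release the secret only if the current PCR equals the sealed policy."""
        pcr_policy, wrapped = blob
        if not hmac.compare_digest(pcr_policy, self.pcr):
            return None              # integrity check failed: Bitlocker falls back to recovery
        return bytes(a ^ b for a, b in zip(wrapped, self._pad(pcr_policy)))


# Constructed boot chain: (code of the stage, whether the previous stage measures it)
GENUINE = [(b"CRTM+BIOS v1", True), (b"MBR", True), (b"bootmgr", True)]
VMK = bytes(range(32))               # constructed 256-bit volume master key


def boot(tpm, blob, stages):
    """Run a boot chain: only stages somebody bothered to hash reach the PCR."""
    tpm.reset()
    for code, measured in stages:
        if measured:
            tpm.extend(code)
    return tpm.unseal(blob)


def provision(tpm):
    """Compute the PCR of the good chain once and seal the VMK to it."""
    pcr = PCR_RESET
    for code, _ in GENUINE:
        pcr = pcr_extend(pcr, code)
    return tpm.seal(VMK, pcr)


def demo():
    tpm = ModelTpm()
    blob = provision(tpm)
    bootkit = (b"bootkit between MBR and bootmgr", False)   # runs, is never hashed
    results = {
        "genuine boot": boot(tpm, blob, GENUINE),
        # condition 3 violated: executed but unmeasured code leaves the PCR intact
        "unmeasured bootkit": boot(tpm, blob, GENUINE[:2] + [bootkit] + GENUINE[2:]),
        # the same code, but measured: the PCR changes and the TPM refuses
        "measured bootkit": boot(tpm, blob, GENUINE[:2] + [(bootkit[0], True)] + GENUINE[2:]),
    }
    # condition 2 (and, equivalently, 1) violated: reset the TPM, then replay
    # the known-good digests without running the corresponding code
    tpm.reset()
    for code, _ in GENUINE:
        tpm.extend(code)
    results["replay after TPM reset"] = tpm.unseal(blob)
    return results


if __name__ == "__main__":
    for name, vmk in demo().items():
        print(f"{name:24s} -> {'VMK released' if vmk else 'refused'}")
```

Two of the four runs release the VMK although untrusted code ran: the PCR only proves what was hashed, never what executed, and a resettable or lying root of trust can put any value it likes into the register. A PIN or startup key on top of the TPM (the “enhanced protection” slide) adds a secret that none of these three attacks can replay.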
![Page 30: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/30.jpg)
TPM BIOS MP Driver
![Page 31: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/31.jpg)
TPM BIOS Driver Header
![Page 32: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/32.jpg)
MPTPMTransmit Prototype
![Page 33: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/33.jpg)
Waterbox & Harddisk Protection/Recovery Software
- Waterbox Software Introduction
- Waterbox Software Bypassing
- Harddisk Protection/Recovery Software/Card Introduction
- Harddisk Protection/Recovery Software Penetration
![Page 34: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/34.jpg)
Waterbox Software Introduction
What is a Waterbox software? Information leakage prevention, a.k.a. a Document Security Management (Protection) System.
Popular Waterbox software: FileSECURE (AirZip), FSD/FSF/FSN/Wrapsody (FASOO), FD-DSM (Frontier Technology), CDG (E-SAFENET), InfoGuard (UNNOO), NET-LOCK (Sagetech)
Implementation technique categories: peripheral device & network protocol control; file & directory encryption; file format conversion; remote file storage; information filter; application plugin; kernel-mode real-time transparent file encryption/decryption
![Page 35: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/35.jpg)
Waterbox Software Bypassing
The theory of real-time transparent file encryption/decryption: the file data are encrypted on disk, and the Waterbox only decrypts/encrypts the file read/write requests that are issued from within certain specified process contexts, such as Winword.exe.
Implementation methods:
- User mode: file Win32/Native API hooking (including the memory-mapping functions)
- Kernel mode: file system filter driver
Bypassing steps:
1. Inject a DLL into a process for which the Waterbox decrypts files.
2. Open and read the desired encrypted files.
3. Pass the decrypted file contents to another process via shared memory.
4. Write the received file data to disk from within that process.
The weak point is that the trust boundary is the process, not the user: any code that gets to run inside the whitelisted process (an injected DLL, a malicious plugin) inherits its decryption privilege, so a Waterbox that does not also block DLL injection and inter-process data transfer out of that process cannot stop this.
![Page 36: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/36.jpg)
Harddisk Protection/Recovery Software/Card Introduction
What can a harddisk protection/recovery software/card do? Any modification made to the protected hard disk is restored automatically upon the next system boot; many Internet cafés install this kind of software to prevent their PCs from being ruined by customers.
Popular harddisk protection/recovery software: DeepFreeze (Faronics), PowerShadow, PowerUser/PowerServer, Returnil Virtual System (RVS), Sandboxie
![Page 37: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/37.jpg)
Harddisk Protection/Recovery Software Penetration
The theory of harddisk protection/recovery: the disk access requests made to the protected disk partitions are intercepted and redirected to other disk locations, for example a hidden reserved disk partition.
Implementation methods:
- DOS era: PCI/ISA option ROM that intercepts BIOS int 13h.
- Windows: disk filter driver attached to the DR0 (physical disk 0) device object.
Penetration techniques (used by the Machine Dog virus):
1. Detach the filter device object that was stacked on DR0.
2. Create a virtual disk volume object.
3. Pass-through commands (DeviceIoControl, e.g. the SCSI/ATA pass-through IOCTLs).
4. Direct port I/O.
All four share one idea: reach the physical disk below the filter so that the write never passes through the redirection; a protection product therefore has to defend its own position in the device stack and the hardware beneath it, not just the volumes it shadows.
![Page 38: Rambling on the Private Data Security](https://reader035.vdocument.in/reader035/viewer/2022062718/56812da5550346895d92c852/html5/thumbnails/38.jpg)
Thanks For Watching! Question & Discussion Time