Feeds

Next time you go to the loo, bring your locked laptop with you

DaisyDukes brings memory sniffing to the masses

Protecting against web application threats using SSL

CanSecWest This story was updated on Tuesday 1st April 2008 to correct inaccuracies about DaisyDukes. It works on memory dumps or live memory. At the moment, it is not memory dumper.

Building off recent research that showed how to extract encryption keys from a computer's memory, a penetration testing company has unveiled a prototype of a tool that sniffs out passwords, documents, and other sensitive data in a matter of minutes.

DaisyDukes is a series of scripts that operate on memory dumps that have already been taken or on live memory and can work alongside a USB-based memory dumper. A researcher can plug it into an unattended machine that is turned on but has been locked and reboot the machine off a compact operating system contained on the drive. Depending on the user's needs, the device can capture the entire contents of a computer's memory, or use DaisyDukes to sniff out and store only certain types of data - say a password to access the company network or a user's private encryption key.

It turns out both Windows and Linux retain "boatloads and boatloads" of passwords in memory, said Sherri Davidoff, a security analyst with IntelGuardians, the penetration-testing firm that developed the prototype tool. It's already been able to isolate passwords for Thunderbird, AOL Instant Messenger, GPG, SSH, Outlook, Putty and TrueCrypt, among others, and with additional research they believe they can find many more.

"The idea here is let's see if we can hit an office building, get in and out in 25 minutes or less and walk out with some interesting passwords," said Tom Liston, an IntelGuardians security consultant who along with Davidoff co-presented the tool at the CanSecWest security conference in Vancouver.

DaisyDukes builds off research released last month showing that keys used to encrypt data on hard drives could be extracted by booting the target computer over a network or USB drive and then reading the computer's random access memory (RAM). The researchers, from the Electronic Frontier Foundation, Princeton University and Wind River, discovered that the data can remain in memory sticks for minutes after a machine has been turned off.

The IntelGuardians researchers took things from there and discovered that encryption keys used in Windows Vista's BitLocker, Mac OS X's FileVault, and other disk encryption systems weren't the only potentially sensitive information that could be extracted. They found that passwords for certain applications are each surrounded by a distinct pattern or signature.

They then designed DaisyDukes, which can search for known signatures and extract the password in a quick and stealthy fashion. That makes it perfect for penetration testers, who get paid to test a company's security by actively trying to breach its physical and network defenses.

They have identified the password signatures for a dozen or so applications, and they're calling on other security pros to contribute to the project by adding their own list of signatures. Those contributions will appear in updates to the DaisyDukes tool. In addition, they plan to add features that allow DaisyDukes to pinpoint Word documents, chat logs, and other sensitive files.

For now, DaisyDukes remains very much a beta program, so it's not yet suitable for production. Eventually, its creators expect it to become a full-blown memory sniffer that can either dump memory and analyze the dumps, or simply boot off a USB thumb drive and search memory without dumping the entire contents.

But it already shows great promise. For one, the creators plan to make it highly compact, so the boot sequence won't overwrite old data stored in the computer's RAM. For another, it will be highly flexible, making it possible to sniff the password for a single application or grab the entire contents in memory.

And that could prove a game-changing development for penetration testers, who regularly walk into a customer's premises and look for opportunities to walk out with a laptop or server. Customers have grown accustomed to being unconcerned about such breaches when the purloined machines have disk encryption or are locked.

"Obviously, the paper on cold boot research has totally changed that landscape," Davidoff said. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.