Feeds

Next time you go to the loo, bring your locked laptop with you

DaisyDukes brings memory sniffing to the masses

The Power of One eBook: Top reasons to choose HP BladeSystem

CanSecWest This story was updated on Tuesday 1st April 2008 to correct inaccuracies about DaisyDukes. It works on memory dumps or live memory. At the moment, it is not memory dumper.

Building off recent research that showed how to extract encryption keys from a computer's memory, a penetration testing company has unveiled a prototype of a tool that sniffs out passwords, documents, and other sensitive data in a matter of minutes.

DaisyDukes is a series of scripts that operate on memory dumps that have already been taken or on live memory and can work alongside a USB-based memory dumper. A researcher can plug it into an unattended machine that is turned on but has been locked and reboot the machine off a compact operating system contained on the drive. Depending on the user's needs, the device can capture the entire contents of a computer's memory, or use DaisyDukes to sniff out and store only certain types of data - say a password to access the company network or a user's private encryption key.

It turns out both Windows and Linux retain "boatloads and boatloads" of passwords in memory, said Sherri Davidoff, a security analyst with IntelGuardians, the penetration-testing firm that developed the prototype tool. It's already been able to isolate passwords for Thunderbird, AOL Instant Messenger, GPG, SSH, Outlook, Putty and TrueCrypt, among others, and with additional research they believe they can find many more.

"The idea here is let's see if we can hit an office building, get in and out in 25 minutes or less and walk out with some interesting passwords," said Tom Liston, an IntelGuardians security consultant who along with Davidoff co-presented the tool at the CanSecWest security conference in Vancouver.

DaisyDukes builds off research released last month showing that keys used to encrypt data on hard drives could be extracted by booting the target computer over a network or USB drive and then reading the computer's random access memory (RAM). The researchers, from the Electronic Frontier Foundation, Princeton University and Wind River, discovered that the data can remain in memory sticks for minutes after a machine has been turned off.

The IntelGuardians researchers took things from there and discovered that encryption keys used in Windows Vista's BitLocker, Mac OS X's FileVault, and other disk encryption systems weren't the only potentially sensitive information that could be extracted. They found that passwords for certain applications are each surrounded by a distinct pattern or signature.

They then designed DaisyDukes, which can search for known signatures and extract the password in a quick and stealthy fashion. That makes it perfect for penetration testers, who get paid to test a company's security by actively trying to breach its physical and network defenses.

They have identified the password signatures for a dozen or so applications, and they're calling on other security pros to contribute to the project by adding their own list of signatures. Those contributions will appear in updates to the DaisyDukes tool. In addition, they plan to add features that allow DaisyDukes to pinpoint Word documents, chat logs, and other sensitive files.

For now, DaisyDukes remains very much a beta program, so it's not yet suitable for production. Eventually, its creators expect it to become a full-blown memory sniffer that can either dump memory and analyze the dumps, or simply boot off a USB thumb drive and search memory without dumping the entire contents.

But it already shows great promise. For one, the creators plan to make it highly compact, so the boot sequence won't overwrite old data stored in the computer's RAM. For another, it will be highly flexible, making it possible to sniff the password for a single application or grab the entire contents in memory.

And that could prove a game-changing development for penetration testers, who regularly walk into a customer's premises and look for opportunities to walk out with a laptop or server. Customers have grown accustomed to being unconcerned about such breaches when the purloined machines have disk encryption or are locked.

"Obviously, the paper on cold boot research has totally changed that landscape," Davidoff said. ®

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.