Feeds

Next time you go to the loo, bring your locked laptop with you

DaisyDukes brings memory sniffing to the masses

Choosing a cloud hosting partner with confidence

CanSecWest This story was updated on Tuesday 1st April 2008 to correct inaccuracies about DaisyDukes. It works on memory dumps or live memory. At the moment, it is not memory dumper.

Building off recent research that showed how to extract encryption keys from a computer's memory, a penetration testing company has unveiled a prototype of a tool that sniffs out passwords, documents, and other sensitive data in a matter of minutes.

DaisyDukes is a series of scripts that operate on memory dumps that have already been taken or on live memory and can work alongside a USB-based memory dumper. A researcher can plug it into an unattended machine that is turned on but has been locked and reboot the machine off a compact operating system contained on the drive. Depending on the user's needs, the device can capture the entire contents of a computer's memory, or use DaisyDukes to sniff out and store only certain types of data - say a password to access the company network or a user's private encryption key.

It turns out both Windows and Linux retain "boatloads and boatloads" of passwords in memory, said Sherri Davidoff, a security analyst with IntelGuardians, the penetration-testing firm that developed the prototype tool. It's already been able to isolate passwords for Thunderbird, AOL Instant Messenger, GPG, SSH, Outlook, Putty and TrueCrypt, among others, and with additional research they believe they can find many more.

"The idea here is let's see if we can hit an office building, get in and out in 25 minutes or less and walk out with some interesting passwords," said Tom Liston, an IntelGuardians security consultant who along with Davidoff co-presented the tool at the CanSecWest security conference in Vancouver.

DaisyDukes builds off research released last month showing that keys used to encrypt data on hard drives could be extracted by booting the target computer over a network or USB drive and then reading the computer's random access memory (RAM). The researchers, from the Electronic Frontier Foundation, Princeton University and Wind River, discovered that the data can remain in memory sticks for minutes after a machine has been turned off.

The IntelGuardians researchers took things from there and discovered that encryption keys used in Windows Vista's BitLocker, Mac OS X's FileVault, and other disk encryption systems weren't the only potentially sensitive information that could be extracted. They found that passwords for certain applications are each surrounded by a distinct pattern or signature.

They then designed DaisyDukes, which can search for known signatures and extract the password in a quick and stealthy fashion. That makes it perfect for penetration testers, who get paid to test a company's security by actively trying to breach its physical and network defenses.

They have identified the password signatures for a dozen or so applications, and they're calling on other security pros to contribute to the project by adding their own list of signatures. Those contributions will appear in updates to the DaisyDukes tool. In addition, they plan to add features that allow DaisyDukes to pinpoint Word documents, chat logs, and other sensitive files.

For now, DaisyDukes remains very much a beta program, so it's not yet suitable for production. Eventually, its creators expect it to become a full-blown memory sniffer that can either dump memory and analyze the dumps, or simply boot off a USB thumb drive and search memory without dumping the entire contents.

But it already shows great promise. For one, the creators plan to make it highly compact, so the boot sequence won't overwrite old data stored in the computer's RAM. For another, it will be highly flexible, making it possible to sniff the password for a single application or grab the entire contents in memory.

And that could prove a game-changing development for penetration testers, who regularly walk into a customer's premises and look for opportunities to walk out with a laptop or server. Customers have grown accustomed to being unconcerned about such breaches when the purloined machines have disk encryption or are locked.

"Obviously, the paper on cold boot research has totally changed that landscape," Davidoff said. ®

Beginner's guide to SSL certificates

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
US government fines Intel's Wind River over crypto exports
New emphasis on encryption as a weapon?
To Russia With Love: Snowden's pole-dancer girlfriend is living with him in Moscow
While the NSA is tapping your PC, he's tapping ... nevermind
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
Slap for SnapChat web app in SNAP mishap: '200,000' snaps sapped
This is what happens if you hand your username and password to a 3rd-party
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.