Feeds

Next time you go to the loo, bring your locked laptop with you

DaisyDukes brings memory sniffing to the masses

5 things you didn’t know about cloud backup

CanSecWest This story was updated on Tuesday 1st April 2008 to correct inaccuracies about DaisyDukes. It works on memory dumps or live memory. At the moment, it is not memory dumper.

Building off recent research that showed how to extract encryption keys from a computer's memory, a penetration testing company has unveiled a prototype of a tool that sniffs out passwords, documents, and other sensitive data in a matter of minutes.

DaisyDukes is a series of scripts that operate on memory dumps that have already been taken or on live memory and can work alongside a USB-based memory dumper. A researcher can plug it into an unattended machine that is turned on but has been locked and reboot the machine off a compact operating system contained on the drive. Depending on the user's needs, the device can capture the entire contents of a computer's memory, or use DaisyDukes to sniff out and store only certain types of data - say a password to access the company network or a user's private encryption key.

It turns out both Windows and Linux retain "boatloads and boatloads" of passwords in memory, said Sherri Davidoff, a security analyst with IntelGuardians, the penetration-testing firm that developed the prototype tool. It's already been able to isolate passwords for Thunderbird, AOL Instant Messenger, GPG, SSH, Outlook, Putty and TrueCrypt, among others, and with additional research they believe they can find many more.

"The idea here is let's see if we can hit an office building, get in and out in 25 minutes or less and walk out with some interesting passwords," said Tom Liston, an IntelGuardians security consultant who along with Davidoff co-presented the tool at the CanSecWest security conference in Vancouver.

DaisyDukes builds off research released last month showing that keys used to encrypt data on hard drives could be extracted by booting the target computer over a network or USB drive and then reading the computer's random access memory (RAM). The researchers, from the Electronic Frontier Foundation, Princeton University and Wind River, discovered that the data can remain in memory sticks for minutes after a machine has been turned off.

The IntelGuardians researchers took things from there and discovered that encryption keys used in Windows Vista's BitLocker, Mac OS X's FileVault, and other disk encryption systems weren't the only potentially sensitive information that could be extracted. They found that passwords for certain applications are each surrounded by a distinct pattern or signature.

They then designed DaisyDukes, which can search for known signatures and extract the password in a quick and stealthy fashion. That makes it perfect for penetration testers, who get paid to test a company's security by actively trying to breach its physical and network defenses.

They have identified the password signatures for a dozen or so applications, and they're calling on other security pros to contribute to the project by adding their own list of signatures. Those contributions will appear in updates to the DaisyDukes tool. In addition, they plan to add features that allow DaisyDukes to pinpoint Word documents, chat logs, and other sensitive files.

For now, DaisyDukes remains very much a beta program, so it's not yet suitable for production. Eventually, its creators expect it to become a full-blown memory sniffer that can either dump memory and analyze the dumps, or simply boot off a USB thumb drive and search memory without dumping the entire contents.

But it already shows great promise. For one, the creators plan to make it highly compact, so the boot sequence won't overwrite old data stored in the computer's RAM. For another, it will be highly flexible, making it possible to sniff the password for a single application or grab the entire contents in memory.

And that could prove a game-changing development for penetration testers, who regularly walk into a customer's premises and look for opportunities to walk out with a laptop or server. Customers have grown accustomed to being unconcerned about such breaches when the purloined machines have disk encryption or are locked.

"Obviously, the paper on cold boot research has totally changed that landscape," Davidoff said. ®

The essential guide to IT transformation

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?