
Security Archives

March 13, 2008

Insecurity of VMware

While virtualization offers advantages over traditional software deployment, it also introduces new security challenges. Processes that extend beyond the container's boundaries create the risk that what happens in a VM might not stay inside the VM. Don Simard, the commercial solutions director at the U.S. National Security Agency, explained the problem to InfoWorld...

...NSA realized that this benefit of virtualization also introduced a new potential threat. After all, Simard said, "graphics cards and network cards today are really miniature computers that see everything in all the VMs." In other words, they could be used as spies across all the VMs, letting a single PC spy on multiple networks. Although he's not aware of any such spyware today, it's not a problem the NSA wants to experience or see happen in other intelligence agencies.

 Virtualization's secret security threats, InfoWorld

February 21, 2008

Insecurity of Disk Encryption

It looks like many disk encryption schemes are vulnerable if someone has physical access to your drive, thanks to researchers with Princeton University and the Electronic Frontier Foundation. They've discovered a flaw and published their findings...

The attack takes only a few minutes to conduct and uses the disk encryption key that's stored in the computer's RAM. The attack works because content as well as encryption keys stored in RAM linger in the system, even after the machine is powered off, enabling an attacker to use the key to collect any content still in RAM after reapplying power to the machine.

Sounds like it's best to use an encryption scheme that doesn't preserve anything in RAM once you shut down... at least not in readable form.

 Researchers: Disk Encryption Not Secure, Wired

 Cold Boot Attacks on Encryption Keys, Center for Information Technology Policy, Princeton University

 Update: RAM Hijacks, Security Now, Episode 137

February 17, 2008

Insecurity of Wireless Headsets

In a recent security audit of a typical American company, investigators found it to be child's play to obtain confidential information about the company's secrets. Positioned across the street, they intercepted a large number of telephone conversations transmitted in the clear because a significant number of employees were using wireless headsets.

To perform the work, we purchased a commercially available radio scanner. These devices are available at any local electronics retailer at prices ranging from $80 to several thousand dollars. We chose a scanner capable of monitoring frequencies from 900 to 928MHz and the 1.2GHz ranges, which is where many of the popular hands-free headsets operate. We took a position across the street from the facility and started up the scanner. Within seconds of turning on the device, we were able to listen to conversations that appeared to be coming from our client's employees. Several of these conversations discussed the business in detail, as well as very sensitive topics... Within minutes of this discovery, we contacted our customer and explained the vulnerability... To demonstrate the sensitivity of what we discovered, we used the conversations we recorded to social engineer our way into the facility.

 Transcript of Episode 130, Security Now

January 17, 2008

Opera Mini Browser Insecurity

Opera Mini is a browser people are running on their PDAs. The problem is that Opera's servers modify every web page and decrypt your SSL traffic. In doing so, they cause web pages you thought were secure to travel in the clear, exposing your passwords, credit card information, and everything you thought was encrypted on the net...

Steve Gibson: Now, the reason they're doing this is that this server that the Opera Mini browser connects to is really doing a lot of good work for the user. It is rewriting pages, web pages on the fly, rewriting JavaScript on the fly, essentially turning web pages that were never designed to be seen on a very small screen on a very lightweight and lower powered browser, making them work. ... If you need full end-to-end encryption, you should use a full web browser such as Opera Mobile. Opera Mini uses a transcoder server, as they call it, to translate HTML, CSS, JavaScript into a more compact format. It will also shrink any images to fit the screen of your handset. This translation step makes Opera Mini fast, small, and also very cheap to use. To be able to do this translation the Opera Mini server needs to have access to the unencrypted version of the web page. Therefore, no end-to-end encryption between the client and the remote web server is possible.

 Transcript of Episode 126, Security Now

January 8, 2008

Insecurity of Wireless Keyboards

Steve Gibson responds to an inquiry about the insecurity of wireless keyboards, informing listeners of Security Now that the Microsoft Wireless keyboards are so easy to intercept and decode, it's child's play:

Steve: Yup. Get a load of this. It's not a 1-bit shift register. It's a 1-byte static byte that is XORed with the data from the keyboard.

Leo: So would that be pretty easy to reverse engineer?

Steve: Leo, it'd be hard not to reverse engineer. It is horrifying. It's horrifying.

Leo: And this is true not just for Microsoft, but do other keyboards do it this way?

Steve: Well, apparently Logitech has recognized that this is a problem that's sooner or later going to get exposed. Microsoft's wireless keyboards do this. The 1000 series and the 2000 series have been examined. The 3000 and the 4000 have not been. But it appears to be the same for them. Logitech has, like, a secure connect...

Leo: They have an encrypted keyboard, yeah.

Steve: Yeah. And so they're boasting about that. But the extremely popular Microsoft keyboards, during the so-called "association phase," the keyboard chooses a random byte, one byte of randomness, and provides it to the reader. Then the keystrokes you type are XORed with that one byte. Which means, as we know, there are 256 possible combinations of one byte, that the one byte can have. All you have to do is suck in a bunch of characters, you know, wait a few minutes for someone to type 20 or 30, and then in a heartbeat you could check every possible byte. One of them will turn what they're typing into English or clear text or whatever language they're typing in. In that case, at that point, their keyboard is decrypted for all intents and purposes, deciphered. What this means, of course, is that in a situation where people are within sniffing distance, radio distance of a keyboard, you absolutely have to consider that it is not safe. Keyboards are using a low frequency, 27MHz, which is extremely easy to receive, meaning that in an apartment building, neighbors who have a wireless keyboard could have everything they're typing trivially decrypted, if it's at least on these Microsoft Series 1000 and 2000 keyboards, and probably other keyboards. So it's definitely a concern.

 Transcript of Episode 122, Security Now
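The weakness described in the transcript above, a single static byte XORed with every keystroke, can be shown on ordinary text. This is an added example, not code from the podcast or from any keyboard vendor: the sample sentence, the mask value and the letter-and-space scoring rule are constructed for illustration, and it operates on ASCII bytes rather than the keyboard's actual radio protocol.

```python
import string

# Byte values expected in ordinary lowercase typing (assumption of this example).
COMMON = set((string.ascii_lowercase + " ").encode())
PRINTABLE = set(string.printable.encode())

# Constructed sample text and mask byte; not captured keyboard traffic.
SAMPLE = b"the quarterly budget review is moved to friday"
SAMPLE_KEY = 0x5A


def xor_byte(data: bytes, key: int) -> bytes:
    """Apply the same one-byte XOR mask to every byte (masks and unmasks)."""
    return bytes(b ^ key for b in data)


def score(candidate: bytes) -> float:
    """Share of bytes that are lowercase letters or spaces; -1.0 if any byte
    is not printable ASCII, 0.0 for empty input."""
    if not candidate:
        return 0.0
    if any(b not in PRINTABLE for b in candidate):
        return -1.0
    return sum(b in COMMON for b in candidate) / len(candidate)


def rank_keys(ciphertext: bytes) -> list[tuple[float, int]]:
    """Score all 256 possible masks, best first. This is the entire keyspace."""
    return sorted(((score(xor_byte(ciphertext, k)), k) for k in range(256)),
                  reverse=True)


def recover_key(ciphertext: bytes) -> int:
    """Return the mask whose output looks most like typed text."""
    return rank_keys(ciphertext)[0][1]


if __name__ == "__main__":
    masked = xor_byte(SAMPLE, SAMPLE_KEY)
    best, runner_up = rank_keys(masked)[:2]
    print(f"mask 0x{best[1]:02x} score {best[0]:.2f}: {xor_byte(masked, best[1])!r}")
    print(f"next best mask 0x{runner_up[1]:02x} scores only {runner_up[0]:.2f}")
```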

August 15, 2006

Steve Gibson Teaches Computer Security

This Thursday will mark the 52nd weekly podcast of Security Now, a show featuring Steve Gibson, on issues of computer security. Steve is the author of SpinRite, a hard-drive utility that works to prevent hard drive problems as well as repairing them when little else works. Steve also created the ShieldsUp utility, exposing the open-port flaws of Windows. In each podcast, Steve makes complex concepts understandable. It's a show computer experts shouldn't be without.

 Security Now Site

 Security Now RSS

October 23, 2005

Root Kit Revealers

Some of the most troublesome viruses are those at the root level. Lately, they hide themselves from directory listings by inserting themselves in an OS hive. Root kit revealers find them by comparing directory listings to their own low-level disk scan. The war recently escalated when root kits learned to reveal themselves to RKRs only, thereby concealing the fact that they are concealed. So now, good RKRs hide themselves from bad RKRs. Sysinternals offers a free Root Kit Revealer.

Source Root Kit Revealer, Sysinternals

Source Rootkits, Security Now, Steve Gibson

Now that folks are running "Root Kit Revealers", they're finding all sorts of things on their computers, including security software and copy-protection schemes like Sony's. People aren't going to be happy when they start finding out the real reasons their computer resources are dragging.

Update: Digging Out Sony's DRM Rootkit, Internet News, 11-2-05

Update: Computer Associates Joins Battle Against Sony Copy Protection Software, Information Week, 11-8-05

Update: Sony Sued for Rootkit Copy Protection, Information Week, 11-10-05





About Security

This page contains an archive of all entries posted to Ed Stoffel in the Security category. They are listed from newest to oldest.
