Information Security News mailing list archives

Re: ComputracePlus deletes stolen data


From: InfoSec News <isn () c4i org>
Date: Thu, 2 Jan 2003 10:05:08 -0600 (CST)

Forwarded from: Chris Wilson <chris () qwirx com>
Cc: Russell Coker <russell () coker com au>

Dear Mr Coker, and fellow ISN readers,

On Tue, 31 Dec 2002, InfoSec News wrote:

> Forwarded from: Russell Coker <russell () coker com au>
> ...
> Interesting that they claim their software-only solution can survive
> fdisk and format.  I wonder if they will claim that it can survive the
> installation of a different OS?
>
> Something like TCPA MIGHT be able to do this, but nothing less will.

I thought about this too, and I came up with one option: the BIOS.  
We've seen viruses which can erase a Flash BIOS, so wouldn't it be
possible to write a small virus (just a few kilobytes) living in the
unused areas in the top of that Flash ROM, which knows how to hook in
to various common BIOSes (AMI, Award and Phoenix cover over 99% of the
market), scan for supported operating systems at boot and install
itself into their partitions?

Admittedly, I'm not aware of a case where this has been done, and it
would certainly be tricky, but it cannot be dismissed as impossible
just yet.  Look at what worm writers can do with less than a kilobyte
of shellcode.

The virus might not "support" any operating system other than Windows,
but it could perhaps survive the installation of such an OS, lying
dormant in the BIOS until such a time as a supported operating system
is reinstalled, and then quietly reinject itself again.

Once the virus code was running under Windows it would of course have
access to the victim's, ahem, user's internet connection to detect
whether the machine had been reported stolen.

If it hasn't been done yet, perhaps it is a business idea for someone?
I don't have time to implement it myself.

> Data Delete
>
> Hasn't anyone ever heard of cryptography?

Not really, many people think it's "a deadly cyber-weapon used by
terrorists" or some such nonsense, and most people can't deal with the
risk of losing their passphrase. Of course they sacrifice their own
security for safety as a result, but such is life.

> Surely if you want to steal someone's data then the first thing you
> do is power the machine down and remove the hard drive to prevent
> such erasure!

Yeah, but how many machines (apart from MI5's laptops) are stolen
_because_ of the data contained? I would venture that casual thieves
often do not realise the value of the information they've stolen until
they take a good look at the machine. By that time, such trivial
defenses as Data Delete would have had time to operate. Let's also
remember that luckily, most thieves did not come from the deep end of
the gene pool or receive cyber-espionage training. =)

> Conclusion, after you steal someone's laptop to get their data don't
> immediately connect it to the Internet, copy the data off first!
> Don't boot from the same OS they used, put the hard drive in your
> own machine (for best results mount the hard drive on a non-Windows
> OS).

True, and these solutions could never, ever protect against a
determined thief. They have some value in the war against casual theft
which is the biggest risk (in terms of frequency and publicity) for
most users.

> My observation is that "rm -rf /" is fast enough that even
> experienced administrators often don't catch it while there's still
> something left.  mkfs is even faster.

Ever tried that under Windows? =)

> As for "disguising your location with a false IP address", that's
> an amusing claim.

I certainly agree with this, since it's almost impossible to get a
reply to a genuinely spoofed packet, so it would not do the thieves
much good to surf with one.

> Firstly IP addresses on their own aren't THAT useful for locating
> people (think about NAT, think about ISPs in other countries that
> won't accept court orders).

Again, casual theft is the main target of these programs, whatever
their creators may claim. I don't think many thieves would take their
freshly-stolen laptop all the way to Morocco just to download their
pr0n in peace.

> Secondly if you want your program to trace its location based on IP
> addresses then you could give it "traceroute" functionality and
> have it send the complete trace log to the server.

Yes, that would actually be a rather good way of tracing. But you
don't need the complete trace. The next hop upstream (your ISP's
dialup router) is definitely not spoofing its packets, and if you can
get its IP address by a one-hop traceroute and send it to someone,
then that someone can run the rest of the trace themselves.

> Of course it's undetectable.  It's so undetectable that even fdisk
> can't find it...  :-#

Undetectable != unremovable of course, and neither applies to the
product, but fdisk isn't looking for "agents", especially not in the
BIOS.

> A much better option is to encrypt all the disks and have the
> encryption keys stored in a central office.

Absolutely.

> NB If using an encrypted file system on your laptop be sure to
> permanently disable the "Hibernation" facility in the BIOS.  If a
> thief can get a dump of all kernel memory to disk then the
> encryption key will be available in there.

OS vendors should probably wipe this area immediately after resuming
from it, to prevent the accidental retention of sensitive information.

Cheers, Chris.
-- 
_ ___ __     _
 / __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.