silverhammer | 2 years, 6 months ago

Is custom RAID software the future of Corporate Security abroad?

In an article from Two Minute Warning (http://2mw.mcafee.com/) today, the vulnerability of laptops and corporate information security is a leading concern for everyone now.

---quoted in part---
Israeli Intel Installed Trojan on Syrian Laptop

...The Der Spiegel report claims that in late 2006 a senior Syrian diplomat staying in London left his laptop unattended in a hotel, giving Mossad an opportunity to install a Trojan on the computer that allowed communications to be monitored...

...Security expert Bruce Schneier highlighted the case in his blog, saying that it was similar to an attack carried out earlier this year where an outside party installed malware on a separate boot loader segment on the hard drive so that it could access any files, even if encrypted. He calls it the "evil maid" attack. "Remember the evil maid attack: if an attacker gets hold of your computer temporarily, he can bypass your encryption software," he said...
---end partial quote---

Anyone who's lost their Windows password before knows how quick and meaningless having a password was in the first place.

BIOS passwords are very effective, but anyone with physical access to your computer can switch the chip. So it's harder to bypass, but still easy in the right hands.

RAID configurations break up your data and spread it out over multiple hard drives. Some of those setups make it impossible to access your data if the drive connectivity isn't there.

So it got me thinking, could a specially crafted RAID configuration be used to protect data more securely?

Theory 1: A "smaller than my hard drive" thumb drive keeps my supplemental RAID data on it, possibly even encrypted with a password. Without that specific thumb drive passing checksum, the data is irretrievable. If anyone makes a change to either, the bits and bytes won't line up correctly and the data is lost.

Theory 2: If I'm connected to a company network (remotely), the missing bits from my data that are stored on the company servers are meshed in and I can use my data again. But if the laptop is accessed without that connection, the data is useless. Even adding the smallest amount of data to the hard drive would interfere with the RAID algorithms.

NOTE: Most RAID configurations require equal sharing of the data. My idea is that only a smaller subset of the data is used for security purposes only.

Am I high? Is this idea of mine already in use? What are the blatant flaws in my proposal? Does my question not make sense because I used the wrong terms?

YOU DECIDE!

:)
5 Answers

dward | 2 years, 6 months ago
I think you're overthinking this, and the nature of your question involves an assumed flaw that doesn't exist in the current technology, just improper implementation. Full disk encryption is fantastic anti-theft (and subsequent breach of confidential data) technology. But at the end of the day, leaving your equipment lying around invites tampering... and I'm not sure anything could help.

Here's how whole-disk encryption usually works (example: TrueCrypt).
1. The BIOS boots.
2. After it checks things out, it looks for the boot drive or media and launches the boot sector.
3. TrueCrypt's bootloader loads... (This is an extremely tiny program, and in a whole-disk encryption scheme nothing else except for this tiny program is on the drive unencrypted.)
4. TrueCrypt prompts you for a password. (This password is hashed using a pre-set hash, but one that varies from system to system because of salt in the algorithm.) The hash of the password is used to create, or actually is, the key to the high-level symmetric encryption on the drive.
5. TrueCrypt then uses the key to decrypt just enough of the hard drive to start the Windows loading process and hand off a custom key to the Windows hard-drive driver. (Hence, even when the system is running, the drive remains encrypted at all times, with the exception of the boot sector, which is there in case you reboot.)

Now there's no known flaw in this method short of a bad password. But since the bootloader is unencrypted, you could, if you had access, boot off a CD or USB drive and modify the bootloader so that it had a way of recording the password when the person gets the computer back. (They're faked out and just enter the credentials as always.)

There have been folks who proposed that they've done this so that the password was hidden on the drive in a pre-determined place. The problem with that is they'd have to get hold of your computer again to pull the password off. Now, the guy who recently claimed to have made it possible to do this claimed that in the future he'd make it possible for it to upload to the internet or infect the OS somehow. That I kind of find hard to believe, because the bootloader sector is extremely small and it would have to be pretty sophisticated to do what he claims.

TrueCrypt said pretty much it's not their problem, and I agree. You need to secure your computer or anybody could do anything to it (bug it, change a chip, etc.). Ultimately, in this configuration, you'd lock down the BIOS with a password, and lock down the HDD with a hard-drive password, which is part of the ATA spec. This would mean that a hacker/spy would have to change a chip out on the motherboard and change out the drive electronics even to get to the TrueCrypt bootloader. One locks out the BIOS configuration. The other locks down the drive, period...

Now, apart from that, I guess you'd have to have a validation engine (using a hash or digital signature to validate the bootloader). This would have to be on an external USB drive or something that you'd keep with you. Or, better yet, the bootloader could be put on a USB key that you take with you, or on a CD-ROM that you keep with you. Then even if the bootloader was modified it wouldn't matter, because it would never load... you'd be using the one that you always carry with you. Of course, if they got access to the whole system they could do anything: modify the chips, bug it somehow, or even swap out the BIOS chip for a virus-infected one.

TPMs are a good solution. They're a hardware chip on board that does pretty much what TrueCrypt does, but in hardware... so no software hack would work. I'd guess too that, from what I've heard, each TPM uses some salt to create its algorithm to create the decryption key, so even if a hacker swapped out chips, that chip probably wouldn't decrypt the drive even with the right password. And due to the way it's designed, it would be pretty hard to break the chip open to copy the stored algorithm. The TPM also runs a hash on all the hardware, I believe, and the BIOS to make sure nothing's been modified during boot. Even if you could get the algorithm, it still needs the password or fingerprint to create the hash/key for decryption.

But it all boils down to this: if they got access to your system they can do whatever, and you'd have to have some way to make sure they hadn't. Better yet, don't let it out of your sight, or make sure it's in a secure location.

Anyhow, the RAID crypto idea is interesting, but like I mentioned, there's nothing wrong with what we've got now; it does what it's supposed to. Plus it more or less exists. I'm sure there's a TrueCrypt-like solution that runs on RAID. But in itself RAID doesn't really add anything to the equation unless you treated every other drive as, like, a separate container for varying levels of confidentiality, but that wouldn't really be RAID.

Well, got to go, hope that helps. Any other questions, DQ me.

silverhammer | 2 years, 6 months ago

Not at all. It's nice to see that someone takes IT security seriously.

I even have a password on my GPS device. Which may seem silly considering the fact that if it was stolen I could track it down anytime it's turned on.

silverhammer | 2 years, 6 months ago

I like that something already exists and users just don't use it - very typical.

I also like the idea of incomplete data on the main disk. Mostly because even brute force attacks work eventually. In some cases in 45 mins or less even with high encryption.

So with offloading strategic data (like parity), even if someone has access to your machine and succeeds in a brute force attack, the information just isn't there to read and adding ANY data to the drive would render it useless. NOTE: This requires using a RAID setup that can't function without all the disks. My idea is to simply reduce the size of the "missing disc" only for security purposes.

Good answer though. I think this horse has been beaten enough. :)

dward | 2 years, 6 months ago

@silverhammer Here's what I do that is kind of like what you want.

I use TrueCrypt on my boot drive (Windows Vista). But my valuable data, such as email and my documents, is on another drive in separate encrypted volumes. So the password to boot only gets you into the OS. To get into the email volume, which looks like a drive letter after TrueCrypt loads, it requires another password. And My Documents requires another password.

All my email is stored on, for example, drive letter (K:), which TrueCrypt mounts as the volume, and I use Thunderbird Portable, which keeps all the private data in that location. (This custom Thunderbird was originally designed for USB drives so you could take your email with you.)

Really private emails and documents have another layer of encryption, such as Word (encryption) or, with emails, PGP/S/MIME.

Hope that doesn't sound too paranoid, but I'm an IT Security Professional so I need to keep up to date with this stuff.

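dward's step list and the "validation engine" he suggests, as an added example that is not from the original thread and not TrueCrypt's own code: the unencrypted boot region of a constructed disk image is fingerprinted with a keyed hash whose key and reference value stay on the USB stick you carry, and an evil-maid patch to one loader sector is then detected. The image layout (64 boot sectors, then ciphertext), the sector the patch lands in, and the `evil_maid`, `fingerprint` and `loader_intact` names are assumptions made for this demonstration.

```python
import hashlib
import hmac
import os

SECTOR = 512
# Assumed layout of the constructed image: sector 0 is the MBR, sectors 1..63
# hold the unencrypted pre-boot loader, everything after that is ciphertext.
BOOT_SECTORS = 64


def build_image(encrypted_sectors: int = 256) -> bytes:
    """Constructed stand-in for a whole-disk-encrypted laptop drive."""
    mbr = b"MBR: jump to loader".ljust(510, b"\x00") + b"\x55\xaa"
    loader = b"LOADER: prompt for password, derive key, decrypt OS, jump"
    boot = (mbr + loader).ljust(BOOT_SECTORS * SECTOR, b"\x00")
    ciphertext = os.urandom(encrypted_sectors * SECTOR)  # random-looking, as FDE output should be
    return boot + ciphertext


def boot_region(image: bytes) -> bytes:
    """The only part of the drive that is readable without the password."""
    return image[:BOOT_SECTORS * SECTOR]


def fingerprint(image: bytes, key: bytes) -> str:
    """Keyed hash of the unencrypted region. Key and reference value live on the
    USB stick you carry, never on the laptop, so someone who can rewrite the
    loader cannot also rewrite the value it is checked against."""
    return hmac.new(key, boot_region(image), hashlib.sha256).hexdigest()


def loader_intact(image: bytes, key: bytes, reference: str) -> bool:
    """True when the boot region still matches the reference taken at setup."""
    return hmac.compare_digest(fingerprint(image, key), reference)


def changed_sectors(image: bytes, known_good: bytes):
    """Which boot-region sectors differ from a known-good copy (for triage)."""
    a, b = boot_region(image), boot_region(known_good)
    return [n for n in range(BOOT_SECTORS)
            if a[n * SECTOR:(n + 1) * SECTOR] != b[n * SECTOR:(n + 1) * SECTOR]]


def evil_maid(image: bytes) -> bytes:
    """The attack dward describes: patch the loader so it stashes the typed
    password in a spare sector before carrying on as normal. Constructed."""
    hook = b"HOOK: copy password buffer to sector 62, then run real loader"
    patched = bytearray(image)
    patched[5 * SECTOR:5 * SECTOR + len(hook)] = hook  # same length, loader still "works"
    return bytes(patched)


if __name__ == "__main__":
    key = os.urandom(32)                 # generated once, stored on the USB stick
    image = build_image()
    reference = fingerprint(image, key)  # stored next to the key
    tampered = evil_maid(image)
    print("clean image passes:", loader_intact(image, key, reference))
    print("after evil maid:   ", loader_intact(tampered, key, reference),
          "changed sectors:", changed_sectors(tampered, image))
```

The check is run from the media you carry (boot the USB stick, read the laptop's first 64 sectors, compare) before the passphrase is ever typed, which is the arrangement dward sketches. A bare SHA-256 stored on the laptop would not do: whoever can rewrite the loader can rewrite a digest sitting beside it, so the key for the HMAC has to leave with you. As dward also notes, this only covers what is on the disk; a swapped BIOS chip is outside its reach.
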
socalsue | 2 years, 6 months ago
I can see why you would think along this path; however, I have never heard of RAID being used to protect your data from access. It is designed to do the opposite: the algorithms are designed to reconstruct the data when there is a missing component.

If you used RAID to render the data useless unless the USB portion were present, then loss of the USB device would render the data useless forever, unless there were a current backup of the RAID set. Your idea has some merit, but carries the risk of full data loss. Also, a careless user who keeps the USB key and the laptop together is still vulnerable to unauthorized access.

In the case you cited, it was a careless user that caused the problem. If you walk away from a system that is signed in, in a public place, you are asking for trouble. Human action or inaction is the biggest factor in most computer and network security breaches. Hundreds of laptops are left behind at airports each day; most go unclaimed. Some people just cannot be protected from their own carelessness.

Data that must remain secure should not be carried around on a laptop or downloaded to a desktop system. If secure data needs to be accessed from outside, there should be levels of security in the access stream on par with the sensitivity of the data.

Network access, especially from outside the firewall, should have the level of security necessary to protect the systems being accessed. This could include a smart USB device that is not stored with the laptop, but required to complete a network sign on.

The move towards thin clients, and having just a browser on the desktop or portable device, takes us back to the days of client access from dumb terminals. When all precious data remained on servers, tucked away in databases and stored on RAID sets with authorization and authentication down to the individual's need to know, we had far fewer breaches.

dholowiski | 2 years, 6 months ago
That is very complicated... why not just use good boot-sector-level encryption like TrueCrypt?

I'm no expert, but I think some info would be recoverable from a broken RAID array (it kind of depends on which RAID type), if only at the sector level... As far as I know, the sector-level information would still be readable, and you can find a heck of a lot of information (especially if it's plain text) in one 32K disk sector.

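To make concrete the point socalsue and dholowiski raise against Theory 1 (the parity piece on a thumb drive), here is an added example that is not part of the original thread: a toy RAID 4 layout with the parity "disk" standing in for the USB stick, read back once with the stick missing and once with a data disk missing, next to a two-share XOR split that behaves the way the question hopes RAID would. The 16-byte stripe unit, the sample message, and the `raid4_split`, `raid4_read` and `xor_split` names are assumptions for this demonstration.

```python
import os

STRIPE = 16  # bytes per stripe unit; real arrays use 64 KiB or more, same idea


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad_to(data: bytes, n: int) -> bytes:
    return data + b"\x00" * (-len(data) % n)


def raid4_split(data: bytes, n_data_disks: int):
    """Stripe DATA round-robin over n_data_disks and write XOR parity to one
    extra disk (RAID 4: dedicated parity disk). Returns [d0, ..., dn-1, parity]."""
    data = pad_to(data, STRIPE * n_data_disks)
    disks = [bytearray() for _ in range(n_data_disks)]
    parity = bytearray()
    for row in range(0, len(data), STRIPE * n_data_disks):
        p = bytes(STRIPE)
        for k in range(n_data_disks):
            unit = data[row + k * STRIPE:row + (k + 1) * STRIPE]
            disks[k] += unit          # plaintext lands on the disk as-is
            p = xor_bytes(p, unit)
        parity += p
    return [bytes(d) for d in disks] + [bytes(parity)]


def raid4_read(disks, missing=None) -> bytes:
    """Reassemble the logical volume. If MISSING names a disk index, rebuild
    it from the XOR of the others, exactly as a controller does after a disk
    failure: parity exists to put data back, not to withhold it."""
    disks = list(disks)
    if missing is not None:
        others = [d for i, d in enumerate(disks) if i != missing]
        rebuilt = bytes(len(others[0]))
        for d in others:
            rebuilt = xor_bytes(rebuilt, d)
        disks[missing] = rebuilt
    out = bytearray()
    for row in range(0, len(disks[0]), STRIPE):
        for d in disks[:-1]:          # data disks only; last one is parity
            out += d[row:row + STRIPE]
    return bytes(out)


def stripe_units(disk: bytes):
    """What an attacker reads straight off one surviving disk, with no parity
    and no rebuild: every unit is STRIPE bytes of plaintext (dholowiski's point)."""
    return [disk[i:i + STRIPE] for i in range(0, len(disk), STRIPE)]


def xor_split(data: bytes):
    """Two-share secret split: one share is a one-time pad, the other is the
    data XORed with it. Either share alone is uniformly random."""
    pad = os.urandom(len(data))
    return pad, xor_bytes(data, pad)  # (laptop share, USB share)


def xor_join(share_a: bytes, share_b: bytes) -> bytes:
    return xor_bytes(share_a, share_b)


if __name__ == "__main__":
    msg = b"CONFIDENTIAL: constructed sample text for the demo"  # constructed
    d0, d1, usb_parity = raid4_split(msg, 2)
    print("USB parity gone, data disks read as-is:", raid4_read([d0, d1, usb_parity], missing=2)[:len(msg)] == msg)
    print("disk 0 gone, rebuilt from d1 XOR parity:", raid4_read([d0, d1, usb_parity], missing=0)[:len(msg)] == msg)
    print("first unit on a lone data disk:", stripe_units(d0)[0])
    laptop, usb = xor_split(msg)
    print("laptop share alone:", laptop[:STRIPE])
    print("both shares:", xor_join(laptop, usb))
```

With the parity stick missing, nothing even needs rebuilding: the data disks already hold the message in the clear. With a data disk missing, parity hands it back; that is the whole purpose of parity. The XOR split is the shape Theory 1 is actually reaching for, and it carries the cost socalsue describes, now by design: lose either share and the message is gone, so a backup of the split (or a threshold scheme that tolerates a lost share) is part of the deployment, not an afterthought.
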
mario2001 | 2 years, 6 months ago
Hi,
It can be, as far as I'm concerned:
OpenSolaris ,
OpenBSD
NetBSD
Microsoft
Linux
FreeBSD
Mac OS X Server
All operating systems are using a part or almost all of RAID 0, RAID 1, etc.
Check this one!
http://www.youtube.com/watch?v=cNIfTV9jy40
and hope you have a good time...
http://www.youtube.com/watch?v=DWNq5rAhZ9Y

silverhammer | 2 years, 6 months ago

What are your thoughts on RAID being used specifically to secure data?

circaman | 2 years, 6 months ago

silverhammer | 2 years, 6 months ago

Any personal input on RAID being used for security purposes instead of speed/backups?

I'm familiar with RAID being used as it is currently intended.
