Comments on: Breaking disk encryption with RAM dumps

By: mic

mic — Sun, 22 Mar 2009 14:21:05 +0000

If your data is seriously way to important to have compromised… Presenting, “The ultimate in data protection” Hmm not so imaginative, but how about a grenade ducktaped to your laptop and rigged up. “100% Guaranteed to erase all data ( and persons)!”. Or a smaller less catastrophic thing thats a little more Discrete. Thermite is phun…

By: dave

dave — Sun, 22 Mar 2009 12:48:18 +0000

i think we are looking at dedicated memory for the storage of keys as the only solution. this memory should be removable from the laptop so that the owner always takes it with them (its back to common sense here).

if attacker finds an unattended laptop the key isn’t there.

lookup IronKey usb drives surly this technology can be applied to external hard disks as well?

By: dick

dick — Tue, 10 Mar 2009 02:15:01 +0000

wouldn’t it help to just bury the hd (and PC) into a wall or ceiling and use rf links to mouse, keyboard, and monitor?

By: Tom

Tom — Wed, 25 Feb 2009 18:54:52 +0000

The Linux Gentoo variant Incognito (KDE env) has a file named halt.sh that runs at shutdown and overwrites memory with the command: /usr/bin/smem > /dev/null.

I am experimenting with modifying the halt script at shutdown in a Live CD environment of Ubuntu 8.10 (Gnome env). It looks like there is a configuration parameter that sets HALT=poweroff that might be able to be changed to HALT=halt, so that it might be possible to work it into the script to execute just before powering off (possibly manually).

By: Daniel Craig

Daniel Craig — Fri, 09 Jan 2009 16:59:15 +0000

Hey, I was looking around for a while searching for Encryption Disk Security Software and I happened upon this site and your post regarding ing disk encryption with RAM dumps – Hack a Day, I will definitely this to my Encryption Disk Security Software bookmarks!

By: Shawn

Shawn — Mon, 03 Mar 2008 00:35:46 +0000

Few thoughts and questions.

Who would need security from this - what about credit card or insurance companies that deal with full social security numbers on a daily basis?

Like everyone else has said, running a shutdown program to wipe the RAM requires power to the system. No power = no wipe = stolen info.

Biggest question is, are hard drives with a built-in security chip safe from something like this? I think Western Digital or Seagate have drives like this. The key is stored on the drive, not in RAM, so a different method is needed?

By: Eliseo

Eliseo — Thu, 28 Feb 2008 14:25:09 +0000

Informative Article… AWESOME.

By: Tracy Esau

Tracy Esau — Thu, 28 Feb 2008 12:56:23 +0000

i wanna get my hands on the juicy bit of the software….

By: NoMiNaL eKrAsH

NoMiNaL eKrAsH — Wed, 27 Feb 2008 00:11:03 +0000

What good would it do to run a bootloader for the “next” reboot and then clear the ram? If the ram is going to be taken out and chilled then recovered. A hardware device might be a solution, but how bout an automatic memory slot ejactor, or pin contact release
that won’t work for sleep or STR or disk hibernation. Some password recovery utilities use the same method of RAM recovery, not just registry or Hard drive flags and password or user policy and account ACL. We’re stuck with normal environmental conditions here. OS code would have to be written to send electrical shorts to the RAM in sleep modes (there goes your desktop)or the power off switch and mobo would have to have a circuit that shorts the ram…probably not good for the RAM…there is nothing that shows this would be effective. RAM is a charge coupled device, And even if the BIOS zeroed anything that would take time on computer shutdown, even if a computer was left on you can still yank the ram out in a powered state.

By: NoMiNaL eKrAsH

NoMiNaL eKrAsH — Wed, 27 Feb 2008 00:03:23 +0000

By: Chamunks

Chamunks — Mon, 25 Feb 2008 22:47:39 +0000

One last note: You could also go so far as to be as paranoid as to make it difficult to access the pins on the rams chips.

By: Chamunks

Chamunks — Mon, 25 Feb 2008 22:42:32 +0000

Theres a few things you could definitely do. Short term read up on your type of ram and find a way to do a little work around that detects an irregular “suspicious” power off and nukes the data on the chips. This could also be something to concidder you could build it into the ram to allways poll the system clock. If the clock stops ticking the ram sends itself bad data to skew its own contents this could be accomplished by adding a simple super capacitor that just stays charged all the time incase of a shutdown so that the ram can self clean and once again close a loop hole.

If your data is extremely sensitive though your going to need to find a way to secure these components so that they cannot be accessed without destroying the chip otherwise someone could just disable this mechanism before removing it.

By: AndyfromTucson

AndyfromTucson — Sun, 24 Feb 2008 18:36:02 +0000

Maybe I am missing something, but if you want to avoid this vulnerability just shut down your computer before you take/leave it somewhere where it could be stolen or accessed by someone unauthorized. If you have something that you want to keep super secret then its worth the time to shut down and then reboot whenever you stop using the computer.

By: plus.medic

plus.medic — Sun, 24 Feb 2008 03:17:55 +0000

What all you people are suggesting about wiping the RAM just won't work. The attacker needs to only cut the power, and then remove the RAM module and transfer it to another system. What good would some over-thought wipe-memory-on-boot program do you then?

The point is, if you leave your PC or laptop on unattended, you're screwed. This paper shows there needs to be a serious reengineering of current disk encryption utilities in order to neutralize this method of attack.

That, or maybe look at securing access to the internals of your PC or laptop. Maybe it's time for PC cases to be given ratings akin to safes? ;)

By: lmb

lmb — Sat, 23 Feb 2008 08:23:10 +0000

Underhill: You mean Memtestx86+? Its slow, but it overwrites ram. Doesn’t seem too complicated (in theory) to disable the read-back funtionality to speed this process up.