Silk Road forums

Discussion => Security => Topic started by: StExo on August 09, 2012, 01:48 am

Title: <removed>
Post by: StExo on August 09, 2012, 01:48 am
<removed>
Title: Re: FBI Unable to crack TrueCrypt
Post by: harpua25 on August 09, 2012, 01:57 am
It may still be true, but it's not exactly breaking news: 
Quote
by James Cullimore, 28 June, 2010
Title: <removed>
Post by: StExo on August 09, 2012, 02:11 am
<removed>
Title: Re: FBI Unable to crack TrueCrypt
Post by: sourman on August 09, 2012, 02:42 am
They can't break the encryption or a very strong passphrase, but they can still pull your master key from RAM if the encrypted container (or partition) is mounted while the computer is running. Then there are remote exploits, plug-in keyloggers, and other tricks beyond that. The article you mentioned does show that they can't just magically open encrypted files, at least not for run-of-the-mill criminal cases.
Title: Re: FBI Unable to crack TrueCrypt
Post by: Delta11 on August 09, 2012, 04:09 am
They can't break the encryption or a very strong passphrase, but they can still pull your master key from RAM if the encrypted container (or partition) is mounted while the computer is running. Then there are remote exploits, plug-in keyloggers, and other tricks beyond that. The article you mentioned does show that they can't just magically open encrypted files, at least not for run-of-the-mill criminal cases.
They can also do what is called a "cold boot attack."

In cryptography, a cold boot attack (or to a lesser extent, a platform reset attack) is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a running operating system after using a cold reboot to restart the machine.
Title: Re: FBI Unable to crack TrueCrypt
Post by: vlad1m1r on August 09, 2012, 04:14 pm
They can't break the encryption or a very strong passphrase, but they can still pull your master key from RAM if the encrypted container (or partition) is mounted while the computer is running. Then there are remote exploits, plug-in keyloggers, and other tricks beyond that. The article you mentioned does show that they can't just magically open encrypted files, at least not for run-of-the-mill criminal cases.
They can also do what is called a "cold boot attack."

In cryptography, a cold boot attack (or to a lesser extent, a platform reset attack) is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a running operating system after using a cold reboot to restart the machine.

Excellent post, thank you. I have always maintained that the best defence is to remain anonymous. By the time the cops are breaking down your door, you've already lost.

Guru

Well said Guru - of course the fact that full disk encryption may be your last layer of defence makes it all the more important!

To any interested parties, I suggest you use a keyfile as well as a decent-size password and try to practise plausible deniability in encryption, i.e. encrypt a disk such that the TrueCrypt bootloader isn't stored on it, so it's not immediately apparent it's been encrypted. (USB sticks lend themselves very well to this.) You can also use a hidden partition, so if you're compelled to hand over one password you can give the one to your main volume, leaving your most confidential data safe.

V.


Title: Re: FBI Unable to crack TrueCrypt
Post by: sourman on August 09, 2012, 08:23 pm
They can't break the encryption or a very strong passphrase, but they can still pull your master key from RAM if the encrypted container (or partition) is mounted while the computer is running. Then there are remote exploits, plug-in keyloggers, and other tricks beyond that. The article you mentioned does show that they can't just magically open encrypted files, at least not for run-of-the-mill criminal cases.
They can also do what is called a "cold boot attack."

In cryptography, a cold boot attack (or to a lesser extent, a platform reset attack) is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a running operating system after using a cold reboot to restart the machine.

Yup, that's when they "pull your master key from RAM if the encrypted container (or partition) is mounted while the computer is running" via a cold boot or other means :)
Title: Re: FBI Unable to crack TrueCrypt
Post by: masterblaster on August 10, 2012, 07:42 pm
http://www.qfxsoftware.com/

They have a driver-level keyboard encryption program that, according to all the tests I've seen, stumps every keylogger out there. The only thing it doesn't protect against is screen readers and hardware keyloggers (but you're already fucked if it's at that point).
Title: Re: FBI Unable to crack TrueCrypt
Post by: kmfkewm on August 10, 2012, 07:44 pm
If you are already to the point where you have a software keylogger, you are just as fucked as if you had a screen reader anyway.
Title: Re: FBI Unable to crack TrueCrypt
Post by: cycler90 on August 10, 2012, 11:42 pm
Has anyone ever successfully used a cold boot attack in a real situation?
Decay time on modern memory at room temperature is something like 2-3 seconds; has anybody done it outside of a lab?
Title: Re: FBI Unable to crack TrueCrypt
Post by: sourman on August 10, 2012, 11:51 pm
It's pretty simple to do, actually: https://citp.princeton.edu/research/memory/

Cryogenically cooling the RAM will cause it to retain its contents for longer than usual. If the computer is on with the encrypted OS loaded, they don't have to power it off at all. Just reboot the PC and insert a CD/flash drive containing your cracking tools. In the case of LE, they can just hot-plug your machine into a special receptacle and take it to their lab.
Title: Re: FBI Unable to crack TrueCrypt
Post by: cycler90 on August 11, 2012, 12:06 am
Is there no way around it, for a normal PC?
On my main workstation I have 4 Constellation ES drives for the main storage that have FDE.
I even have a gold key token that uses hardware encryption and should store the key on a chip, not in memory, but it's not really practical to use.
But most of the time when not working I use a laptop or a netbook; is there no way to protect against a cold boot attack?
Title: Re: FBI Unable to crack TrueCrypt
Post by: masterblaster on August 11, 2012, 12:22 am
Is there no way around it, for a normal PC?
On my main workstation I have 4 Constellation ES drives for the main storage that have FDE.
I even have a gold key token that uses hardware encryption and should store the key on a chip, not in memory, but it's not really practical to use.
But most of the time when not working I use a laptop or a netbook; is there no way to protect against a cold boot attack?

Use a sealed tablet.
Title: Re: FBI Unable to crack TrueCrypt
Post by: derpsec on August 11, 2012, 01:05 am
You absolutely must have full disc encryption, or else whatever you're trying to keep encrypted will leak all over the OS and memory. This means no running TC in a virtual machine, not just relying on TC or LUKS containers, etc. Full Disc means full disc. Even better if your physical hard drive is just a giant /home and /tmp /usr storage and the entire boot is located on something else you can carry around or store safely, to defend against the 'evil maid attack', which is IRL known as: Secret Service breaks into your Dubai hotel room and tries to keylog your laptop like they did to a Ukrainian hacker once.

The best place to learn about this, is from EFF.org, Blackhat, DEFCON, and other conference lectures all available online.

For instance, if you look up Blackhat 2012 EUROPE - Defending Privacy at the U.S. Border on YouTube, you'll get a good lecture on how Gutmann wipes are now obsolete, how deleting data is completely impossible with modern logging file systems, how wear-levelling flash drives will leak data even when fully encrypted, lots of information.

Should also read court documents of busted hackers to get forensics information. Basically the vast majority of e-criminals do not use encryption (Sabu didn't.. wtfwtf). It's still very rare for a forensic scientist contracted by the police to ever find an encrypted drive or even a container. I bet half the vendors here still don't use it either, thinking pseudo-anonymity will protect them, or they're just too lazy, like most e-criminals.

In the case of Max Vision and some other hackers, the cops/feds had intel before the raid that the guy used encryption, so they either watched with binos across the street for him to get up and take a piss with the comp on, kicking down the door and seizing it with keys intact, or they had a team ready to go to extract the memory, as they did in Max Vision's case when he used DriveCrypt. They always have intel you have an encrypted drive. They know this because they either broke into your place or hotel when you weren't around and tried to sneak a peek at your data, or one of your associates has fully ratted, and they always rat.

There's a 3rd option they have used: wait for you to go on vacation to some shitty 3rd world hellhole with no human rights laws or due process, and have the local police pick you up and torture you until you give up the password, AKA Rubber Hose Cryptanalysis. This is by far the most used method, as many big time hackers and drug traffickers or internet gambling dons think they are untouchable in Turkey or Mexico, when in reality the long arm of the US criminal department of intimidation and torture is never stopped by any bullshit non-extradition treaties. Just bribe whatever local cops you want to pick up the gringo and have his balls busted until he coughs up the evidence.
Title: Re: FBI Unable to crack TrueCrypt
Post by: cycler90 on August 11, 2012, 01:20 am
Anyone know of any TCG Opal SSD drives?
I got Samsung PM830, Micron C400 and the incredibly priced Seagate Pulsar.2 at $6000.
Any other options?
Title: Re: FBI Unable to crack TrueCrypt
Post by: derpsec on August 11, 2012, 01:26 am
Anyone know of any TCG Opal SSD drives?
I got Samsung PM830, Micron C400 and the incredibly priced Seagate Pulsar.2 at $6000.
Any other options?

Don't bother encrypting anything on an SSD.
Look up wear levelling.
Title: Re: FBI Unable to crack TrueCrypt
Post by: cycler90 on August 11, 2012, 01:36 am
How does wear leveling affect hardware-encrypted SSDs?
Title: Re: FBI Unable to crack TrueCrypt
Post by: derpsec on August 11, 2012, 01:53 am
How does wear leveling affect hardware-encrypted SSDs?

Oh, didn't realize they were HW encrypted.
They're still utterly useless. You have no clue if said company has properly implemented it, because everything is closed source. Look up SandForce SSD AES-256 encrypted controllers; they were broken this year because no corporation knows what the fuck they are doing, and even if they do, they probably have a skeleton master key to hand over to law enforcement in order to sell the drive in the States.

Slightly tinfoil hat, but the incompetence of hardware encryption products is definitely real.
Title: Re: FBI Unable to crack TrueCrypt
Post by: sourman on August 11, 2012, 02:06 am
Excellent post about physical security and situational awareness, derpsec. You pretty much covered it all. Sneak-peek warrants, SSD drive data retention, and my favorite, rubber hose cryptanalysis. Big time vendors, SR's operators, and anyone handling their data should not let their devices leave their sight. You are absolutely correct about the circumstances under which FDE is defeated by law enforcement. If you don't appear to be a major player, they may simply confiscate your shit. In any case, should the cops come knocking, ensure that you have a way to cut the power to your machine as quickly as possible.
Title: Re: FBI Unable to crack TrueCrypt
Post by: 010010 on August 12, 2012, 01:16 am
[snip]

Excellent post, thank you. I have always maintained that the best defence is to remain anonymous. By the time the cops are breaking down your door, you've already lost.

Guru

Exactly, as a famous cryptographer once said: "There are two types of cryptography: one that allows the Government to use brute force to break the code, and one that requires the Government to use brute force to break you."
Title: Re: FBI Unable to crack TrueCrypt
Post by: Delta11 on August 12, 2012, 01:24 am
[snip]

Excellent post, thank you. I have always maintained that the best defence is to remain anonymous. By the time the cops are breaking down your door, you've already lost.

Guru

Exactly, as a famous cryptographer once said: "There are two types of cryptography: one that allows the Government to use brute force to break the code, and one that requires the Government to use brute force to break you."
It's true, the best security you can have is to simply hide your encrypted drives rather than leaving them out in the open for LE to get. I hide all of my encrypted drives and only pull them out when I need to access SR/other onion sites.
Title: Re: FBI Unable to crack TrueCrypt
Post by: kmfkewm on August 12, 2012, 01:36 am
Anyone know of any TCG Opal SSD drives?
I got Samsung PM830, Micron C400 and the incredibly priced Seagate Pulsar.2 at $6000.
Any other options?

Don't bother encrypting anything on an SSD.
Look up wear levelling.

Encrypting an SSD shouldn't burn it out; it is still read and write operations just as if it were not encrypted, the only difference is that it must be decrypted in memory. Just make sure that you encrypt it as the first thing you do, because if you ever have it unencrypted you may not have much luck removing traces. In fact, if you get an SSD the first thing you should do is encrypt it.
Title: Re: FBI Unable to crack TrueCrypt
Post by: Whothefuckisthis on August 12, 2012, 05:47 am
They can't break the encryption or a very strong passphrase, but they can still pull your master key from RAM if the encrypted container (or partition) is mounted while the computer is running. Then there are remote exploits, plug-in keyloggers, and other tricks beyond that. The article you mentioned does show that they can't just magically open encrypted files, at least not for run-of-the-mill criminal cases.
They can also do what is called a "cold boot attack."

In cryptography, a cold boot attack (or to a lesser extent, a platform reset attack) is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a running operating system after using a cold reboot to restart the machine.

Excellent post, thank you. I have always maintained that the best defence is to remain anonymous. By the time the cops are breaking down your door, you've already lost.

Guru
Tor is no different from being a graffer (graffiti writer). ;D
Title: Re: FBI Unable to crack TrueCrypt
Post by: tpebop on August 12, 2012, 11:47 am
Would one be safe running Liberte Linux booted off a USB stick? Supposedly it self-destructs if removed from the USB port while running, and it is supposed to be completely encrypted.
Title: Re: FBI Unable to crack TrueCrypt
Post by: vlad1m1r on August 12, 2012, 02:15 pm
Would one be safe running Liberte Linux booted off a USB stick? Supposedly it self-destructs if removed from the USB port while running, and it is supposed to be completely encrypted.

I've often wondered the same thing! Apparently Liberte erases your encryption keys from RAM when you remove the USB. I imagine a lot would depend on the interval between when you attempted to do so and when LE got their hands on your machine. Once they do, they can cool the RAM chips down in order to make the data degrade more slowly.

V.
Title: Re: FBI Unable to crack TrueCrypt
Post by: masterblaster on August 12, 2012, 10:32 pm
You want a foolproof system? Don't be a fool.

1. Create a hidden container on an external drive, place a dummy VM on the outside, then put your real VM inside; this keeps everything you do isolated from the main OS.
2. Create an OS disk, encrypt it fully, only use it for illegal purposes, never use the clearnet with this, ever. Also put a soft firewall on it in addition to your HW firewall, just in case.
3. The only risk you have besides torture, cameras, or being a dumbass and walking away from your mounted container is hardware keyloggers. Use a laptop, or better yet a sealed tablet, problem solved.

4. Sit back, smoke a j and tell the man to go fuck himself.

---note, you won't want to just use an encrypted drive, as you will have to use the unencrypted one regularly to keep up appearances; with a VM you can just claim you like to roll back when you're done testing for malware.
Title: Re: FBI Unable to crack TrueCrypt
Post by: Delta11 on August 13, 2012, 12:20 am
You want a foolproof system? Don't be a fool.

1. Create a hidden container on an external drive, place a dummy VM on the outside, then put your real VM inside; this keeps everything you do isolated from the main OS.
2. Create an OS disk, encrypt it fully, only use it for illegal purposes, never use the clearnet with this, ever. Also put a soft firewall on it in addition to your HW firewall, just in case.
3. The only risk you have besides torture, cameras, or being a dumbass and walking away from your mounted container is hardware keyloggers. Use a laptop, or better yet a sealed tablet, problem solved.

4. Sit back, smoke a j and tell the man to go fuck himself.

---note, you won't want to just use an encrypted drive, as you will have to use the unencrypted one regularly to keep up appearances; with a VM you can just claim you like to roll back when you're done testing for malware.
Or just get a USB stick, encrypt it using TrueCrypt and make a hidden partition. In the visible encrypted partition put an easy password and then put pictures of naked dudes or something weird like that (nothing illegal like cp, you sickos), and then in the hidden partition put all your illegal stuff; then just hide it and only pull it out when you need to access your illegal stuff. I normally don't even keep mine at my house; some people are even paranoid enough to put it in a ziploc bag and stick it in a jar of peanut butter. It all depends what you do, but even if LE find it and force you (which they can't in the US) to decrypt the encrypted drive, you'll just decrypt the visible partition and be like "okay you got me, I like naked dude monster cocks."