backtop


Print 53 comment(s) - last by lexluthermiest.. on Mar 14 at 3:11 PM

New Zealand hacker releases source code to utility that reads password directly from memory

Exploiting a little known feature built into Firewire port specifications, Adam Boileau released the source code to a utility authored in 2006 that allows anyone to bypass the Windows Authentication dialog box on any PC with a Firewire port.

The tool is a simple, 200-line script written in the Python programming language exploits features built into Firewire that allow direct access to a computer’s memory.  By targeting specific places that Windows consistently stores its vital authentication functions, Boileau’s tool is able to overwrite Windows’ secured code with patches that skip Windows’ password check entirely.

Boileau says he decided to release the script now, two years after it was initially unveiled, because Microsoft had not acted to patch the vulnerability. Boileau considers his tool a “party-trick demo script thats been lying around my [home folder] for two years gathering dust,” and considers it “a pity to write code and have no one use it.”

“Besides,” says Boileau, “according to Microsoft's definition, it never was a Security Vulnerability anyway – screensavers and login prompts are … about the Feeling of Security.”

Boileau also notes that he’s seen others successfully modify the script to hack Windows Vista’s password-check code, as well as use a laptop’s PCMCIA port to plug in a Firewire card and attack the laptop after Windows auto-installed the card’s drivers.

It’s important to note that Firewire’s provisions for direct memory access, called DMA, are useful in other contexts, like in the use of software debuggers. Nowadays, a sizable percentage of the world’s software checks for the presence of programs monitoring memory directly – which is what a debugger does – and will frequently act differently or refuse to start up if it detects their presence.

Firewire ports are therefore usable as high-speed debugging devices, allowing developers and hackers alike to passively monitor anywhere in a computer’s memory and make changes where needed, whether its reprogramming a password check or seeding buggy software with correct data. It might also allow forensic investigators to grab an encrypted hard drive’s decryption key directly from memory, while the computer is running.

Also important is that the same technique has been known to work on other operating systems, including Mac OS X and Linux – and in fact some people have used modified iPods to run Firewire DMA attacks on the fly.

Common security thought dictates that a computer is essentially lost if it is in your opponent’s possession, and that security on a physical machine will be subverted with time: for computers equipped with Firewire, the thought couldn’t be more true.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

BitLocker?
By Sunday Ironfoot on 3/8/2008 5:17:25 AM , Rating: 2
I'm pretty sure this wouldn't be able to beat Windows BitLocker, or any other 'full' hard drive encryption technology, correct me if I'm wrong?

http://en.wikipedia.org/wiki/Bitlocker




RE: BitLocker?
By Hare on 3/8/2008 8:19:39 AM , Rating: 2
It doesn't matter how much is encrypted since only your RAM is being read. I'm not 100% sure if the firewire hack works with bitlocker but I think it actually does.

At least the ram swap technique works

"Researchers claim they cracked an array of commonly-used encryption programs, including Microsoft's BitLocker, Apple's FileVault, TrueCrypt, and dm-crypt."
http://afp.google.com/article/ALeqM5i0t4sGyIOt776q...

Basically the firewire trick is the same. It enables a user to gain direct access to RAM and read the encryption keys.


RE: BitLocker?
By winterspan on 3/8/2008 8:13:58 PM , Rating: 2
That RAM swap thing is crap, since you don't have any time to actually do it without being able to deep freeze the RAM to slow the data decay. And you can't just dip it into liquid nitrogen without having it crack and explode.


RE: BitLocker?
By Hare on 3/9/2008 5:21:26 AM , Rating: 2
You can also use a usb drive (minilinux) to boot the machine and simply read the memory from there. There's no need to even open the case.


RE: BitLocker?
By Etern205 on 3/8/2008 4:49:25 PM , Rating: 2
Here is another link and BitLocker is defeated...

http://www.nytimes.com/2008/02/22/technology/22chi...


"Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town." -- Charlie Miller











botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki