How Can Sensitive Data Be Stolen From One’s Computer?
4.11.3 The fallacy of protection by hiding files from view
One can hide file names in Windows or DOS. In Windows, one simply right-clicks on a file, selects “Properties,” and checks the “Hidden” attribute. In DOS, one types attrib +h followed by the file name. These schemes are not intended to hide anything from a snoop, but merely to reduce the clutter of file names (and icons, in the case of Windows). All a snoop has to do is undo this hiding process, which does not even have to be done for each file: in Windows one can set the folder options of Windows Explorer to display all files whether hidden or not, and at the DOS prompt dir /a lists hidden files alongside the rest.
4.11.4 The fallacy of protection by hiding data in the slack
Placing a file intentionally in the slack (i.e., in the space between the end-of-file and the end-of-cluster; see Section 2.2.1), or deleting it (but not overwriting it) so that it can be retrieved later, does not provide protection. Any forensic examination routinely examines all data in the slack and in the free space.
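To make the slack-space and deleted-file points concrete, here is an added example (not from the book, and not any vendor's tool) that builds a toy cluster-based image in memory, plants data in the slack of a live file and in a deleted-but-not-overwritten cluster, and then scans the image the way a forensic tool does: every byte beyond each file's end-of-file, plus every free cluster. The cluster size, the allocation table, the file sizes and the sample contents are all constructed assumptions.

```python
# Added example (not from the book): a toy cluster-based disk image that shows
# why data placed in slack space, or left in a deleted-but-not-overwritten file,
# is still recoverable by a cluster-level scan.  The image layout, cluster size,
# allocation table and sample contents are constructed for illustration.
import re

CLUSTER = 512          # assumed cluster size; real filesystems use 4 KiB or more
NUM_CLUSTERS = 8


def build_image():
    """Construct a raw image plus a toy allocation table.

    Returns (image_bytes, table) where table maps cluster index -> 'used'/'free'.
    """
    img = bytearray(CLUSTER * NUM_CLUSTERS)
    table = {i: "free" for i in range(NUM_CLUSTERS)}

    # Cluster 1: a legitimate 100-byte file, with the owner trying to "hide"
    # a secret in the slack between end-of-file and end-of-cluster.
    visible = b"quarterly report, nothing to see here".ljust(100, b".")
    img[CLUSTER:CLUSTER + len(visible)] = visible
    secret = b"SECRET: wire 40k to account 1234"
    img[CLUSTER + 100:CLUSTER + 100 + len(secret)] = secret
    table[1] = "used"

    # Cluster 3: a file that was deleted (cluster marked free) but never overwritten.
    deleted = b"SECRET: draft merger terms, do not distribute"
    img[3 * CLUSTER:3 * CLUSTER + len(deleted)] = deleted
    table[3] = "free"

    return bytes(img), table


def carve(image, table, file_sizes, pattern=rb"SECRET: [^\x00]+"):
    """Scan the slack of used clusters and all free clusters for a marker pattern.

    file_sizes maps used cluster index -> logical size of the file stored there,
    as a directory entry would record it.  Returns a list of (where, offset, match).
    """
    hits = []
    for idx in range(NUM_CLUSTERS):
        start = idx * CLUSTER
        chunk = image[start:start + CLUSTER]
        if table[idx] == "used":
            # Only the bytes beyond end-of-file are slack; the file body is skipped.
            eof = file_sizes.get(idx, 0)
            region, base, label = chunk[eof:], start + eof, "slack"
        else:
            # A free cluster is scanned in full: "deleted" only means unallocated.
            region, base, label = chunk, start, "free"
        for m in re.finditer(pattern, region):
            hits.append((label, base + m.start(), m.group()))
    return hits


if __name__ == "__main__":
    image, table = build_image()
    for where, off, data in carve(image, table, {1: 100}):
        print(f"{where:5s} @ byte {off:5d}: {data.decode()}")
```

The scan keys on a marker string only so that the output is readable; a real examination carves on file signatures and keyword lists over exactly the same regions, and the same loop over a 4 KiB-cluster image of a whole volume is what forensic suites call slack and unallocated-space analysis.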
4.11.5 The fallacy of protection by placing data in normally unused locations of a disk
Placing data in tracks and sectors of a disk that are normally unused by an operating system is an old trick that goes back to the days of the Apple II computer. It was used by software games, ostensibly to prevent users from copying the disks. These disks used their own disk operating systems to read those normally unused tracks; it did not take long before users did too, in order to copy those disks anyway. Practically any determined forensic examination of a disk will access data hidden this way as well, because it reads the physical media rather than asking the operating system for files.
4.11.6 The fallacy of protecting data by repartitioning a disk for a smaller capacity than the disk really has
This scheme involves more work, and it might even fool some people, but not all of them. The idea is to take a disk of, say, 200 GB and place the sensitive data in the sectors that correspond to the last, say, 80 GB of physical space. One then repartitions the hard disk (through the FDISK command, which, contrary to popular belief, does not erase the data itself but merely rewrites the partition table so that the space becomes inaccessible to Windows) to 120 GB. This leaves the last 80 GB, with the sensitive data, largely untouched (although the file names and the allocation table will be severely affected). An unsophisticated investigator may believe that the disk’s capacity is indeed that claimed by the last partition and not see the hidden data. This will not fool the experienced investigator, though: a sector-by-sector image of the physical disk captures everything beyond the last partition regardless of what the partition table says, and reassembling meaningful files from that region requires forensic software that is not commonly available to a casual snoop.
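The check an examiner actually performs is to read the partition table, compute which sectors no partition covers, and image those too. Here is an added example (not from the book) that builds a synthetic raw disk whose MBR declares one partition smaller than the disk, hides data past the end of that partition, and finds it from the raw image. The image size, partition size and sample data are constructed; only the MBR layout (partition table at byte 446, four 16-byte entries, 0x55AA signature) is the real on-disk format.

```python
# Added example (not from the book): parse a classic MBR partition table, derive
# the sector ranges that no partition covers, and scan them for data hidden past
# the declared end of the last partition.  The disk image, partition size and
# hidden payload are constructed for illustration.
import struct

SECTOR = 512
ENTRY = "<B3sB3sII"   # boot flag, CHS start, type, CHS end, start LBA, sector count


def make_mbr(partitions):
    """partitions: list of (bootable, type_byte, start_lba, num_sectors)."""
    mbr = bytearray(SECTOR)
    for i, (boot, ptype, start, count) in enumerate(partitions[:4]):
        entry = struct.pack(ENTRY, 0x80 if boot else 0x00, b"\xff\xff\xff",
                            ptype, b"\xff\xff\xff", start, count)  # CHS fields unused on LBA disks
        mbr[446 + 16 * i:446 + 16 * (i + 1)] = entry
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(mbr):
    """Return (type, start_lba, num_sectors) for every non-empty partition entry."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        _boot, _, ptype, _, start, count = struct.unpack(ENTRY, mbr[off:off + 16])
        if ptype != 0 and count != 0:
            parts.append((ptype, start, count))
    return parts


def unpartitioned_ranges(mbr, total_sectors):
    """Sector ranges [start, end) that no partition covers, excluding the MBR at LBA 0."""
    covered = sorted((s, s + n) for _, s, n in parse_mbr(mbr))
    gaps, cursor = [], 1
    for s, e in covered:
        if s > cursor:
            gaps.append((cursor, s))
        cursor = max(cursor, e)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


def scan_unpartitioned(image, marker=b"HIDDEN:"):
    """image: raw bytes of the whole disk.  Returns (lba, payload) for every
    sector outside any partition that begins with the marker."""
    total = len(image) // SECTOR
    found = []
    for start, end in unpartitioned_ranges(image[:SECTOR], total):
        for lba in range(start, end):
            sec = image[lba * SECTOR:(lba + 1) * SECTOR]
            if sec.startswith(marker):
                found.append((lba, sec[len(marker):].rstrip(b"\x00").strip()))
    return found


def build_image(total_sectors=64, partition_sectors=40):
    """A disk of total_sectors whose only partition spans LBA 1..partition_sectors,
    with a constructed file inside it and constructed hidden data beyond it."""
    img = bytearray(SECTOR * total_sectors)
    img[:SECTOR] = make_mbr([(True, 0x07, 1, partition_sectors)])  # one NTFS-typed partition
    normal = b"normal user data"
    img[5 * SECTOR:5 * SECTOR + len(normal)] = normal
    hidden = b"HIDDEN: offshore ledger"
    img[50 * SECTOR:50 * SECTOR + len(hidden)] = hidden           # past the partition's end
    return bytes(img)


if __name__ == "__main__":
    image = build_image()
    print("partitions:", parse_mbr(image[:SECTOR]))
    print("unpartitioned:", unpartitioned_ranges(image[:SECTOR], len(image) // SECTOR))
    print("found:", scan_unpartitioned(image))
```

A GPT-partitioned disk needs a different parser, but the method is the same: take the covered ranges from the partition table, image everything the table does not cover, and carve that region as if it were free space.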
4.11.7 The fallacy of protection through password-protected disk access
The large assortment of software programs that claim to password-protect one’s computer at boot time or when it is left unattended (e.g., screen blankers) is also ineffective. In the simplest case, unless a user has disabled the option of booting from a floppy disk (today, from a USB stick or optical disc), which is a dangerous proposition if one’s hard disk crashes and is pointless anyway because an attacker with physical access can readily change the BIOS settings to allow such booting, any person could bypass all these passwords by booting from removable media. But even when a user seems to have taken all the password-related precautions to prevent unauthorized access, these are ineffective against a forensic examination, which removes the disk from its computer, makes a copy of it (track by track and sector by sector), and looks for data without ever having to go through any of the protective barriers inserted by the user.
4.11.8 The fallacy of protection through the use of booby-trap software
The same applies to booby-trap software, such as Don’t Touch by Cybertech Group. Such software typically expects the authorized user to enter a sequence of keystrokes, without any prompting, when the computer is turned on; if that sequence is not entered, the software destroys a specified file in which the authorized user is supposed to have stored the sensitive data and then erases itself as well. This scheme, too, may protect one from a nosy spouse or coworker, but not from a forensic examination, because the latter never executes any software from the suspect disk: the disk is imaged and the image is examined. Such schemes could also backfire by causing an otherwise innocent computer user to end up with an obstruction of justice charge in some cases.
4.11.9 The fallacy that overwriting a file removes all traces of its existence
A file itself is only part of the information stored in a computer concerning that file. Also present are the following:
1. The file name (stored elsewhere). Hint: do not use revealing file names, just in case you forget to get rid of the file name.
2. Information about the file. Depending on which software was used, this can include who created it, when, when it was modified, and so forth.
3. Ostensibly temporary copies of that file created by the software in case the computer crashed while the file was being worked on. Because the computer is not clairvoyant and does not know whether a crash will occur, some software products always create a temporary file.
Even if that temporary file is deleted, it is still very much available on the hard disk until the space it occupied happens to be overwritten (or is deliberately overwritten).
Most important yet, nearly every hard disk sold today includes numerous sectors held in reserve. When (not if) some normally used sector appears marginal to the disk’s firmware (e.g., causes occasional read errors), its data is copied to a sector held in reserve (without deleting it from the marginal sector), its logical address is assigned to that formerly reserved sector, and the marginal sector is “mothballed” with its data still in it. Because it no longer has a logical address, it is not accessible by any of the many software products that purport to overwrite the disk: such products can only write to logical addresses. Reaching retired sectors requires either an erase performed by the drive’s own firmware (the ATA SECURITY ERASE UNIT command; whether a particular drive’s implementation covers reallocated sectors is vendor-specific) or physical destruction of the media.
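The following added example (not from the book, and not a model of any particular vendor's firmware) is a small simulation of sector reallocation that shows the gap between what a wiping utility can address and what physically remains on the platters. The class, the pool sizes and the sample secret are constructed; real drives reallocate in this outline but differ in detail.

```python
# Added example (not from the book): a toy model of a drive's sector reallocation,
# showing why an LBA-level overwrite cannot reach a sector the firmware has retired.
# The Drive class, pool sizes and sample data are constructed for illustration.


class Drive:
    def __init__(self, user_sectors=4, reserve=2, sector_size=16):
        self.sector_size = sector_size
        # Physical store: user-addressable sectors followed by the reserved pool.
        self.phys = [bytes(sector_size) for _ in range(user_sectors + reserve)]
        self.lba_map = list(range(user_sectors))        # LBA -> physical index
        self.free_reserve = list(range(user_sectors, user_sectors + reserve))
        self.retired = []                                # physical indices no LBA maps to

    def write(self, lba, data):
        """Host write: only ever lands on the physical sector the LBA maps to now."""
        assert len(data) <= self.sector_size
        self.phys[self.lba_map[lba]] = data.ljust(self.sector_size, b"\x00")

    def read(self, lba):
        return self.phys[self.lba_map[lba]]

    def mark_marginal(self, lba):
        """Firmware decides the sector behind `lba` is unreliable: copy its contents
        to a spare, point the LBA at the spare, and retire the old sector unerased."""
        old = self.lba_map[lba]
        new = self.free_reserve.pop(0)
        self.phys[new] = self.phys[old]
        self.lba_map[lba] = new
        self.retired.append(old)

    def wipe_logical(self):
        """What a wiping utility can do: overwrite every LBA with zeros."""
        for lba in range(len(self.lba_map)):
            self.write(lba, b"")

    def firmware_erase(self):
        """What only the drive itself can do (an erase that covers all physical
        sectors, reserved and retired ones included): zero the whole store."""
        self.phys = [bytes(self.sector_size) for _ in self.phys]

    def physical_dump(self):
        """What a vendor-level or chip-off examination sees: every physical sector."""
        return b"".join(self.phys)


def demo(secret=b"PIN=4821"):
    """Returns (secret still present after logical wipe, after firmware erase)."""
    d = Drive()
    d.write(2, secret)
    d.mark_marginal(2)               # LBA 2 now lives in the reserve; the old copy is retired
    d.wipe_logical()
    logical_view_clean = d.read(2) == bytes(d.sector_size)
    after_logical = secret in d.physical_dump()
    d.firmware_erase()
    after_firmware = secret in d.physical_dump()
    return logical_view_clean, after_logical, after_firmware


if __name__ == "__main__":
    clean, survives_wipe, survives_erase = demo()
    print(f"LBA view zeroed: {clean}; secret on platters after wipe: {survives_wipe}; "
          f"after firmware erase: {survives_erase}")
```

The point of the model is the third line of demo(): after the logical wipe the drive reports the sector as all zeros, yet the retired copy is still present in the physical dump. Multi-pass overwrite patterns change nothing here, since every pass goes through the same LBA mapping.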
4.11.10 The fallacy of encryption protection
Encryption, in and of itself, refers merely to the conversion of a readable file into one that, at best, is unreadable by anyone other than the intended recipient(s). Encryption does not deal with the following key issues, for example:
1. Is the unencrypted document, or are references to it, also left behind on the disk?
2. Is the encryption key protected from unauthorized individuals?
3. Are there additional decryption keys (ADKs) in existence that the originator does not know about? (This was the case in the August 2000 CERT advisory CA-2000-18 concerning PGP. See Section 11.3.)
The reader is referred to Chapters 10 through 12 for a thorough discussion of commercial encryption.
4.11.11 Other protection fallacies that don’t deliver
Beyond the above classical illusions of protecting sensitive documents, there is a vast collection of tricks intended to protect sensitive files. Don’t depend on them. Such tricks only deter the nontechnical casual snoop, unless (1) a file is truly encrypted or hidden using good steganography, and all evidence of the unencrypted and unsteganographed file is totally eliminated (see Section 11.5), or (2) the magnetic media in question are not where they can be found by an oppressive regime. Worse than being unreliable, such tricks make the individual using them that much more likely to receive a thorough forensic analysis of his or her computer. They are totally ineffective against a forensic analysis of a targeted computer’s magnetic storage media. Ineffective tricks, which can also be used in assorted combinations, include (but are not limited to) the following:
◗ Renaming a file (e.g., from supersecret.doc to virtue.exe): This is not only ineffective but a bad idea, because forensic software such as EnCase runs a signature analysis that flags files whose content does not match the type their extension claims (e.g., a JPEG image abc.jpg renamed to def.sys).
◗ Compressing a file (using standard zip software): the archive carries its own recognizable signature and its contents are trivially expanded.
Such schemes do not protect one from a forensic examination because such an examination looks at all data on a disk, regardless of each file’s name, location, degree of compression, compliance (or lack of it) with any operating system or disk filing system, what else it is merged with, and so forth.
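The signature analysis mentioned above is simple to reproduce. Here is an added example (not from the book and not EnCase's implementation) with a small magic-number table and a constructed set of in-memory files, including a JPEG renamed to .sys and a zip archive renamed to .exe; the table, the extension map and the sample files are all assumptions made for the demonstration.

```python
# Added example (not from the book): a minimal file-signature check of the kind
# forensic suites run, flagging files whose content contradicts their extension.
# The magic table covers a handful of formats and the sample "disk" is constructed
# in memory; a real tool carries a far larger table.

MAGIC = {
    # format name: (offset, signature bytes)
    "jpeg": (0, b"\xff\xd8\xff"),
    "png":  (0, b"\x89PNG\r\n\x1a\n"),
    "zip":  (0, b"PK\x03\x04"),      # also .docx/.xlsx/.jar containers
    "pdf":  (0, b"%PDF-"),
    "exe":  (0, b"MZ"),              # DOS/PE executables, DLLs, drivers
    "gif":  (0, b"GIF8"),
}
EXT_TO_FORMAT = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".zip": "zip", ".docx": "zip", ".pdf": "pdf",
    ".exe": "exe", ".dll": "exe", ".sys": "exe",
}


def identify(data):
    """Return the format whose signature matches the leading bytes, or None."""
    for fmt, (off, sig) in MAGIC.items():
        if data[off:off + len(sig)] == sig:
            return fmt
    return None


def signature_check(name, data):
    """Classify one file as 'match', 'mismatch', 'unknown-content' or 'unknown-ext'."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    claimed = EXT_TO_FORMAT.get(ext)
    actual = identify(data)
    if claimed is None:
        return "unknown-ext"
    if actual is None:
        return "unknown-content"
    return "match" if actual == claimed else "mismatch"


def flag_renamed(files):
    """files: dict name -> bytes.  Names whose content contradicts their extension."""
    return sorted(n for n, d in files.items() if signature_check(n, d) == "mismatch")


SAMPLE = {                                                # constructed sample contents
    "def.sys":     b"\xff\xd8\xff\xe0" + b"\x00" * 60,    # a JPEG renamed to look like a driver
    "virtue.exe":  b"PK\x03\x04" + b"\x00" * 60,          # a zip container renamed to .exe
    "notepad.exe": b"MZ\x90\x00" + b"\x00" * 60,          # genuine PE header
    "photo.jpg":   b"\xff\xd8\xff\xe1" + b"\x00" * 60,
    "notes.txt":   b"plain text, no signature",
}


if __name__ == "__main__":
    for name, data in SAMPLE.items():
        print(f"{name:12s} {signature_check(name, data)}")
    print("renamed:", flag_renamed(SAMPLE))
```

Two practical notes: the check runs on content, so it is indifferent to the directory entry's name, attributes or timestamps; and compression does not help the hider either, since the archive itself is identified by its own signature and then opened.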
Selected bibliography
Internet-accessible references on van Eck radiation
Anderson, R., and M. Kuhn, “Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations,” http://www.cl.cam.ac.uk/~mgk25/ih98-tempest.pdf.
“The Complete Unofficial TEMPEST Information Page,” http://www.eskimo.com/~joelm/tempest.html. (“Transient Electromagnetic Pulse Emanation Standard” is a commonly cited but unofficial expansion; TEMPEST is generally described as a code name rather than an acronym.)
“Electronic Eavesdropping Is Becoming Mere Child’s Play,” New Scientist, www.newscientist.com/ns/19991106/newsstory6.html.
Moller, E., “Protective Measures against Compromising Electro Magnetic Radiation Emitted by Video Display Terminals,” Phrack, Vol. 4, No. 44, www.shmoo.com/tempest/PHRACK44-11.
“The Tempest Solution,” http://www.ionet.net/~everett/solution.html.
Printed references on van Eck radiation
McLellan, V., “The Complete Unofficial TEMPEST Information Page,” PC Week, Vol. 4, March 10, 1987, p. 35(2).
Russell, D., and G. T. Gangemi, Sr., Computer Security Basics, Sebastopol, CA: O’Reilly and Associates, 1991, Chapter 10 on TEMPEST. Available for purchase from any bookstore and online from http://www.ora.com/catalog/csb.
Smulders, P., “The Threat of Information Theft by Reception of Electromagnetic Radiation from RS-232 Cables,” Department of Electrical Engineering, Eindhoven University of Technology, 1990, http://jya.com/re232.pdf.
Van Eck, W., “Electromagnetic Eavesdropping Machines for Christmas?” Computers and Security, Vol. 7, No. 4, 1988, http://jya.com/bits.htm.
References on optical emanations
Kuhn, Markus G., “Optical Time Domain Eavesdropping Risks of CRT Displays,” Proc. 2002 IEEE Symposium on Security and Privacy, Berkeley, CA, May 12–15, 2002. Also available online at http://www.cl.cam.ac.uk/~mgk25/.
Loughry, J., and D. A. Umphress, “Information Leakage from Optical Emanations,” ACM Transactions on Information and System Security, Vol. 5, No. 3, August 2002, http://www.applied-math.org/optical_tempest.pdf.
CHAPTER 5
Why Computer Privacy and Anonymity?
Contents
5.1 Anonymity
5.2 Privacy
“Countering computer forensics? But aren’t you helping the
bad people?”
No! Quite to the contrary, this is helping the good people
ward off the bad people. It is also helping reduce crime by making it much harder for criminals to engage in identity theft or
for thieves to steal intellectual property and legally privileged
information such as medical information and attorney–client
communications.
Computer forensics is not done only by or for law enforcement; more often than not, it is done by anyone with the
means to do so for illegal purposes, such as stealing intellectual
property, passwords, and the like.
Just as there are legitimate uses for knives and for matches,
there are many legitimate uses for countering illegal computer
forensics, such as the following:
1. Preventing the theft of intellectual property;
2. Preventing the theft of proprietary business documents by competitors;
3. Preventing the compromise or outright theft of legally privileged information, such as patients’ medical records and attorney–client privileged communications;
4. Protecting a nontechnical freedom fighter in a patently oppressive totalitarian regime;
5. Protecting anyone from having information planted in his or her computer that can be subsequently discovered;
6. Helping lawyers defend their clients from frivolous accusations supported by contaminated evidence.
The wide availability of free and commercial software packages that promise to protect one from assorted types of unauthorized snooping is, in fact, doing most users a disservice, because such packages lull the buyer into a false sense of security that is worse than no security: someone who knows he or she has no security will be much more careful with what is entrusted to a computer than someone who thinks there is security when in fact there is none. This cannot be overemphasized.
Then there is also the philosophical issue that is implicit in most civilized
societies: If a youngster on a deserted island whispers sweet nothings to his
girlfriend’s ear, it is nobody else’s business to know what was said. And that
privacy should not be contingent upon the distance between the two or
upon the medium used to communicate, be it two paper-cups and a string
or a technologically advanced alternative.
Similarly, if a person on a deserted island wants to confide written
thoughts to his or her diary, civilized society has traditionally bestowed the
right of privacy to those thoughts. And that privacy should not be contingent upon the medium used to write one’s thoughts, be it paper and pencil
or its modern day equivalent, namely, a personal computer.
But, as members of societies, we don’t live on deserted islands. Being
part of a society entails numerous limitations of individual freedoms so that
each society can function. Indeed, a society has the self-evident right to protect itself from individual conduct which is out-and-out harmful, such as
murder, arson, and the like. Part of the implementation of such societal protection is to have early warning of a planned major crime so that such a
crime can be prevented. At a minimum, any society needs to have the
means to prevent the recurrence of a major crime by positively identifying
the perpetrator. Just as ballistics tests can show which gun fired a bullet
found in a dead body or whose DNA was at the scene of a major crime, computer forensics can and should be used if it can show conclusively who
planned or executed a major crime.
In this sense, this book is highly supportive of the law enforcer who is
trying to prevent a major crime, hence the lengthy chapters on effective
computer forensics.
The definition of a crime is in the mind of the beholder, however.
A totalitarian regime often criminalizes everything that those in power
don’t like, be it the expression of a dissenting political or religious thought
or even a joke that treats the ruler unfavorably. Also, what is a crime
one day may not be the next, and vice versa, as laws constantly change
in all societies. One cannot conveniently define as a criminal anyone
that any country’s court has branded as one; in recent history, some regimes
have made it a crime to talk about freedom, to listen to music by this or
that composer, to whistle this or that tune, and so on. If the word “criminal” is simplistically defined to include anyone convicted by any court
of a locally defined crime, then Christ and Gandhi would have to be
included, along with Bertrand Russell, Galileo, Luther, and most other key
intellectuals.
One should not forget Montesquieu’s words: “There is no greater tyranny than that which is perpetrated under the shield of law and in the name of justice.” Or the words of William Pitt the Younger: “Necessity is the plea for every infringement of human freedom.”
Last but not least, there is theft. According to the FBI, some 319,000 laptops were stolen in 1999. Most such thefts occur at airport security gates:
The laptop is placed by its owner on the X-ray machine’s conveyor belt; a
seemingly rushed traveler cuts to the front of the line to get through the
magnetometer, but is having difficulties with keys and related items on his
or her person. While that rushed traveler is being taken care of, his or her
accomplice on the other end of the security gate absconds with the laptop,
which has already passed through the X-ray machine. Most of these laptops
must have undoubtedly included data not intended for others’ eyes, such as
corporate proprietary information, personal medical and financial information, and the like. The value of the loss of such data to unauthorized eyes is
incalculable and usually far exceeds the value of the hardware lost. It would
be nothing short of irresponsible to allow this to happen to oneself.
One should also not forget that the mere proliferation of information
technology has made wholesale surveillance not only possible but also economically cost-effective. Even time-honored institutions that used to
respect privacy may well not do so any more; for example, the U.S. Census,
whose data was advertised as being protected, may not be so. According to
the New York Times, the Congressional Budget Office with the help of some
congressmen has been angling to get its hands on the census data to create
“linked data sets” on individuals using information from the Internal Revenue Service, Social Security Administration, and Census Bureau surveys to
help it evaluate proposed reforms in Medicare and Social Security (see
www.nytimes.com/2000/10/23/opinion/23MONK.html).
An often-repeated adage says that if one consults a lawyer and wants
justice, many a lawyer will often ask, “How much justice can you afford?” A
similar situation exists with privacy and security: how much privacy and
security can you afford?
5.1 Anonymity
While encryption protects the content of a file, message, or communication, it does not protect the identity of who communicates with whom.
Unlike encryption, which protects the content of a file from forensic discovery either online or offline, anonymity by its nature, in the present context, relates to the transmittal of a document from its source to its intended destination. What is to be hidden is not the content, but its author.
Far from being disreputable, anonymity is at the heart of civilized society, as evidenced by the following quotes from world-renowned U.S. Supreme Court justices:
◗ “Anonymity is a shield from the tyranny of the majority. . . . It thus exemplifies the purpose behind the Bill of Rights, and of the First Amendment in particular: to protect unpopular individuals from retaliation—and their ideas from suppression—at the hand of an intolerant society.”
—Justice Stevens, McIntyre v. Ohio Elections Commission, 1995
◗ “Anonymous pamphlets, leaflets, brochures and even books have played an important role in the progress of mankind. Persecuted groups and sects from time to time throughout history have been able to criticize oppressive practices and laws either anonymously or not at all.”
—Justice Black, Talley v. California, 1960
◗ “After reviewing the weight of the historical evidence, it seems that the Framers understood the First Amendment to protect an author’s right to express his thoughts on political candidates or issues in an anonymous fashion.”
—Justice Thomas, McIntyre v. Ohio Elections Commission, 1995
Indeed, the use of anonymous and pseudonymous speech played a vital role in the founding of the United States. When Thomas Paine’s “Common Sense” was first released, it was signed “An Englishman.” Similarly, James Madison, Alexander Hamilton, John Jay, Samuel Adams, and others carried out the debate between Federalists and Anti-Federalists using pseudonyms. George F. Kennan signed his influential 1947 Foreign Affairs essay, “The Sources of Soviet Conduct,” as “X.” Finally, the use of a pseudonym, or nom de plume, in literature has a time-honored history (e.g., Mark Twain was Samuel Clemens).
There are many flavors of anonymity, such as using a pseudonym or
assuming another identity. For the purposes of this discussion, we interpret
anonymity to include any technique that prevents any third party from discovering the true identity of an Internet user.
Anonymity is an obvious irritant to law enforcement and is criticized as
prima facie evidence of criminal intent. For a different perspective, consider
the following view by Julf Helsingius, expressed in an interview with Wired
magazine’s Joshua Quittner, coauthor of the high-tech thriller Mother’s Day.
Helsingius ran the world’s most popular remailer in Finland until he retired
in 1996.
Living in Finland, I got a pretty close view of how things were in the former
Soviet Union. If you actually owned a photocopier or even a typewriter
there, you would have to register it and they would take samples . . . so that
they could identify it later. . . . The fact that you have to register every means
of providing information to the public sort of parallels it, like saying you
have to sign everything on the Internet. [Law enforcers] always want to
track you down.
Quite often, anonymity actually furthers the cause of law enforcement: for example, a whistle-blower may need to tip off law enforcement about a serious ongoing or planned illegal activity by his or her employer; a suicidal or homicidal individual may wish to obtain help and counseling, which he would not seek without anonymity; a drug-addicted mother of a young child may seek anonymous counseling to prevent her from using all of her financial resources to support her habit. Even some police departments are experimenting with establishing Web sites for anonymous tips about crimes; this is nothing more than an online version of the time-honored practice of anonymous crime-solver phone lines.
Less dramatic situations justifying anonymity include seeking employment through the Internet without jeopardizing one’s current job, expressing religious opinions in a community that is strongly opposed to them, or placing a personal ad. Doctors who are members of the online community often encourage their patients to connect with others and form support groups on issues that they do not feel comfortable speaking about publicly; for that, it is essential to be able to express certain opinions without revealing one’s identity. In a multitude of other situations, anonymity serves a very legitimate social function.
Conversely, as with anything else, anonymity can be abused by sociopaths, who are attracted by the notion of avoiding responsibility and accountability for their actions.
Many everyday activities that used to be anonymous leave electronic
trails behind today. Using the lure of discounts or other benefits, the common “preferred customer” card of supermarkets, bookstores, and other vendors allows those vendors to track one’s purchasing and renting preferences,
even if payments are made with cash. The same applies to the use of
frequent-flyer accounts, or to the use of frequent-anything accounts, and to
the ever-increasing use of credit cards in place of cash.
With the ubiquitous spread of Signaling System 7 in telephony, caller ID
information is available to the called party about the calling party. Blocking
caller ID does nothing, in the United States, to toll-free calls made to 800
area code numbers; because the called party pays for the incoming call, the
phone companies use Automatic Number Identification (ANI) to allow the
called party to know who is calling, even if the calling party has disabled the
outgoing caller ID feature.
E-mail records are now routinely subpoenaed by prosecutors and by
attorneys in both criminal and civil cases as evidence.
And the list goes on.
As a matter of principle, many individuals have therefore resorted to
technology to protect their privacy, often for privacy’s own sake.
Additionally, anonymity is a matter of life and death in many societies in
the case of responsible individuals expressing views that are unpopular, that
the ruling party perceives as a threat, that question the status quo, or that
debate religious or other topics.
5.1.1 Practical anonymity
A vast number of resources on practical anonymity are available on the Internet. One of the most useful Web sites is www.privacyresources.org/anonymity.htm.
It is important to decide up front whom one wants to be anonymous from:
1. The recipient of e-mail that one is about to send;
2. The readers of Usenet posts that one has elected to post to;
3. The Web sites that one visits on the Internet;
4. Someone in a repressive regime who is tapping one’s telephone line;
5. One’s ISP;
6. Someone else in one’s local network, if one is in use;
7. A forensic investigator who gets hold of one’s computer.
Each of these requires a different set of procedures and/or software.
They are discussed, among other topics of equal relevance and concern, in
separate sections in Chapters 10 through 14.
5.2 Privacy
Civilization is the process toward a society of privacy. The savage’s whole existence is
public, ruled by the laws of the tribe. Civilization is the process of setting man free
from men.
—Ayn Rand, The Fountainhead
Privacy is the right of individuals to control the collection and use of information about themselves.
5.2.1 You cannot trust TRUSTe?
TRUSTe (http://www.truste.com) is a commercial organization that has set
itself up as the grantor of a sort of seal of approval for online commercial
entities that appear to meet some criteria for respecting the confidentiality
of customer-provided information.
Can one trust that? In a word, no. One of the main failings of this
scheme is that it cannot handle the cases of companies that go bankrupt and
sell their assets to meet their financial obligations; those assets often include
the databases of customer information that the bankrupt company had
assured its customers would never be sold to anyone. The company receiving those databases does not feel bound by any commitments made by the
bankrupt company. A typical example is the news item reported on the
Internet on October 27, 2000, to the effect that HealthCentral.com has
reportedly signed an agreement to purchase the assets of the floundering
online drugstore more.com, including its customer list, and its subsidiary,
ComfortLiving.com, for approximately $6 million.