
4.11 Security protection steps that don't work well enough






How Can Sensitive Data Be Stolen From One’s Computer?



4.11.3 The fallacy of protection by hiding files from view



Windows and DOS can mark a file as hidden. In Windows one right-clicks the file, selects Properties, and checks the Hidden attribute; in DOS one types attrib [file name] +h. The attribute was never meant to hide anything from a snoop, only to reduce clutter in directory listings (and among icons, in the case of Windows). A snoop does not even have to undo it file by file: one setting in the Windows Explorer folder options displays every file, hidden or not, and dir /a does the same at the command prompt.



4.11.4 The fallacy of protection by hiding data in the slack



Placing a file intentionally in the slack (i.e., the space between the end-of-file and the end of the last allocated cluster; see Section 2.2.1), or deleting it without overwriting it so that it can be retrieved later, provides no protection. A forensic examination routinely carves all data in the slack and in the free (unallocated) space, precisely because ordinary file operations never touch those areas.
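The sweep described above, as an added example that is not from the book: a small Python model of a volume with 2048-byte clusters (an assumed geometry) and a simplified directory that maps each file to its first cluster and logical size. It computes each file's slack, sweeps the slack and every unallocated cluster for printable strings, and recovers both a secret tucked after end-of-file and the remnant of a deleted file. The volume, the file names and the hidden strings are constructed sample data, not a real file system.

```python
import re

SECTOR = 512
CLUSTER_SECTORS = 4
CLUSTER = SECTOR * CLUSTER_SECTORS          # 2048-byte allocation unit (assumed geometry)
TOTAL_CLUSTERS = 32


def clusters_needed(logical_size):
    """Allocation units a file of logical_size bytes occupies (at least one)."""
    return max(1, -(-logical_size // CLUSTER))


def slack_range(first_cluster, logical_size):
    """Byte offsets [start, end) of the slack: from end-of-file to the end of
    the last allocated cluster. Files are modelled as contiguous cluster runs."""
    eof = first_cluster * CLUSTER + logical_size
    end_of_allocation = (first_cluster + clusters_needed(logical_size)) * CLUSTER
    return eof, end_of_allocation


def read_slack(image, first_cluster, logical_size):
    start, end = slack_range(first_cluster, logical_size)
    return image[start:end]


def unallocated_clusters(directory):
    """Clusters no live file claims: where deleted-but-not-overwritten data lives."""
    used = set()
    for first, size in directory.values():
        used.update(range(first, first + clusters_needed(size)))
    return [c for c in range(TOTAL_CLUSTERS) if c not in used]


def carve_printable(blob, min_len=6):
    """Runs of printable ASCII of at least min_len bytes (a 'strings'-style sweep)."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[ -~]{%d,}" % min_len, blob)]


def examine(image, directory):
    """Sweep every live file's slack and every unallocated cluster."""
    findings = {}
    for name, (first, size) in directory.items():
        hits = carve_printable(read_slack(image, first, size))
        if hits:
            findings["slack:" + name] = hits
    for c in unallocated_clusters(directory):
        hits = carve_printable(image[c * CLUSTER:(c + 1) * CLUSTER])
        if hits:
            findings["free:cluster%d" % c] = hits
    return findings


def build_volume():
    """Constructed sample volume (not a real file system): a directory mapping
    file name -> (first cluster, logical size), plus the raw cluster data."""
    img = bytearray(TOTAL_CLUSTERS * CLUSTER)
    directory = {"report.txt": (4, 1500), "notes.txt": (6, 2048)}
    img[4 * CLUSTER:4 * CLUSTER + 1500] = b"A" * 1500           # report.txt body
    secret = b"ACCOUNT 4421-7788 PIN 9021"                      # tucked into report.txt's slack
    img[4 * CLUSTER + 1500:4 * CLUSTER + 1500 + len(secret)] = secret
    img[6 * CLUSTER:7 * CLUSTER] = b"B" * CLUSTER               # notes.txt fills its cluster exactly: no slack
    remnant = b"deleted draft: merger"                         # a deleted, never overwritten, file
    img[20 * CLUSTER:20 * CLUSTER + len(remnant)] = remnant
    return bytes(img), directory


if __name__ == "__main__":
    volume, directory = build_volume()
    for where, hits in examine(volume, directory).items():
        print(where, hits)
```

The two findings come from places the directory never points to: the bytes after report.txt's end-of-file, and cluster 20, which no live file owns. Nothing in the model "opens" a file; it reads the medium by offset, which is all an examiner does.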



4.11.5 The fallacy of protection by placing data in normally unused locations of a disk

Placing data in tracks and sectors that the operating system normally leaves unused is an old trick that goes back to the days of the Apple II. Software games used it, ostensibly to stop users from copying the disks: the games carried their own disk routines to read the normally unused tracks, and it did not take long before users learned to read them too, in order to copy the disks anyway. Almost any determined forensic examination of a disk will reach data hidden this way as well, because the examination reads the medium sector by sector rather than through the operating system.



4.11.6 The fallacy of protecting data by repartitioning a disk for a smaller capacity than the disk really has

This scheme takes more work, and it may fool some people, but not all of them. The idea is to take a disk of, say, 200 GB, place the sensitive data in the sectors that correspond to the last, say, 80 GB of physical space, and then repartition the disk (with the FDISK command, which, contrary to popular belief, erases nothing but merely rewrites the partition table so that Windows no longer reaches the excluded sectors) as a 120 GB volume. The last 80 GB, with the sensitive data, is left largely untouched, although the file names and allocation table that described it are overwritten when the new, smaller volume is formatted, so what survives is raw sector data without names. An unsophisticated investigator may take the capacity claimed by the partition table at face value and never look at the hidden data. An experienced investigator will not be fooled: forensic imaging copies the whole physical device, compares the partition table with the device's real size, and examines the unallocated tail. Recovering the data hidden this way requires software that reads the raw device rather than the file system, which is exactly what forensic imaging tools do.
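How an examiner catches the repartitioning trick, as an added example that is not from the book: the Python below builds a constructed 2 MiB disk image whose MBR claims a single partition ending well before the device does, parses the four 16-byte partition entries at offset 446 of the MBR, compares their extent with the device's real sector count, and carves printable strings from the sectors no partition covers. The 4096-sector device, the single NTFS-type (0x07) entry and the planted string are constructed stand-ins for the 200 GB / 120 GB case in the text.

```python
import re
import struct

SECTOR = 512
ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count (16 bytes)


def build_mbr(entries):
    """Constructed MBR: 446 bytes of boot code (zeroed here), four 16-byte
    partition entries at offset 446, and the 0x55AA signature at offset 510."""
    mbr = bytearray(SECTOR)
    for i, (ptype, lba_start, sectors) in enumerate(entries[:4]):
        status = 0x80 if i == 0 else 0x00
        struct.pack_into(ENTRY, mbr, 446 + 16 * i, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(mbr):
    """Return [(first_sector, end_sector_exclusive)] for every used entry."""
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("no MBR signature")
    parts = []
    for i in range(4):
        _status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(ENTRY, mbr, 446 + 16 * i)
        if ptype and count:
            parts.append((lba, lba + count))
    return sorted(parts)


def unallocated_ranges(parts, total_sectors):
    """Sector ranges covered by no partition entry. total_sectors comes from the
    physical device (its identify data, or the image length), never from the table."""
    gaps, cursor = [], 1          # sector 0 holds the MBR itself
    for start, end in parts:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


def carve_printable(blob, min_len=8):
    """Runs of printable ASCII of at least min_len bytes."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[ -~]{%d,}" % min_len, blob)]


def examine(image):
    """Device size vs. table size, and whatever the unpartitioned sectors hold."""
    total = len(image) // SECTOR
    parts = parse_mbr(image[:SECTOR])
    hidden = {}
    for start, end in unallocated_ranges(parts, total):
        hits = carve_printable(image[start * SECTOR:end * SECTOR])
        if hits:
            hidden[(start, end)] = hits
    return total, parts, hidden


def build_disk():
    """Constructed 'physical' disk of 4096 sectors whose table claims one NTFS-type
    partition ending at sector 2048: the scaled-down 200 GB / 120 GB case."""
    total = 4096
    img = bytearray(total * SECTOR)
    img[:SECTOR] = build_mbr([(0x07, 63, 2048 - 63)])
    secret = b"board minutes: acquisition target named"   # placed past the last partition
    img[3000 * SECTOR:3000 * SECTOR + len(secret)] = secret
    return bytes(img)


if __name__ == "__main__":
    total, parts, hidden = examine(build_disk())
    print("device sectors:", total, "partitioned:", parts)
    for (start, end), hits in hidden.items():
        print("unallocated %d-%d:" % (start, end), hits)
```

The decisive step is that total_sectors is taken from the device, not from the partition table; once the two disagree, the tail is simply another range to carve. The same comparison also exposes the gap before the first partition, which here holds nothing.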






4.11.7 The fallacy of protection through password-protected disk access

The large assortment of software that claims to password-protect a computer at boot time or when it is left unattended (e.g., screen blankers) is also ineffective. In the simplest case, unless the user has disabled booting from a floppy disk (a dangerous choice if the hard disk ever fails, and a pointless one, because an attacker with physical access can readily reset the BIOS settings to allow it), anyone can boot from a floppy and bypass every such password. Even when a user has taken every password-related precaution, those precautions are irrelevant to a forensic examination, which removes the disk from the computer, copies it track by track and sector by sector, and searches the copy without ever passing through any of the barriers the user installed. Only data that is itself unreadable, i.e., encrypted, changes that, and encryption has pitfalls of its own (Section 4.11.10).



4.11.8 The fallacy of protection through the use of booby-trap software

The same applies to booby-trap software, such as Don't Touch by Cybertech Group. Such software typically expects the authorized user to enter a sequence of keystrokes, without any prompt, when the computer is turned on; if the sequence is not entered, the software destroys a specified file in which the authorized user is supposed to have stored the sensitive data and then erases itself. This scheme, too, may protect one from a nosy spouse or coworker, but not from a forensic examination, because the examiner never runs any software from the suspect disk: the disk is imaged and the image is analyzed on other equipment. Such schemes can also backfire by exposing an otherwise innocent user to an obstruction-of-justice charge in some cases.



4.11.9 The fallacy that overwriting a file removes all traces of its existence

A file's contents are only part of the information a computer stores about that file. Also present are the following:

1. The file name, stored elsewhere (in the directory). Hint: do not use revealing file names, just in case you forget to get rid of the name.

2. Information about the file. Depending on the software used, this can include who created it, when, when it was modified, and so forth.

3. Ostensibly temporary copies of the file, created by the software in case the computer crashes while the file is being edited. Because the computer cannot know whether a crash will occur, some software products always create a temporary file.






Even after such a temporary file is deleted, it remains very much present on the hard disk until the space it occupied happens to be overwritten (or is deliberately overwritten).

Most important, almost every hard disk sold today holds numerous spare sectors in reserve. When (not if) a sector in normal use starts to look marginal to the disk's firmware (e.g., it causes occasional read errors), its data is copied to a spare sector (without being erased from the marginal one), the logical address is reassigned to the spare, and the marginal sector is retired with its data still in it. Because it no longer has a logical address, none of the many software products that purport to overwrite the disk can reach it; only a sanitize operation executed by the drive's own firmware (such as enhanced ATA Security Erase, on drives that implement it) or physical destruction does.



4.11.10 The fallacy of encryption protection



Encryption, in and of itself, is merely the conversion of a readable file into one that, at best, is unreadable by anyone other than the intended recipient(s). Encryption does not deal with the following key issues, for example:

1. Are the unencrypted document, or references to it, also left behind on the disk?

2. Is the encryption key protected from unauthorized individuals?

3. Are there additional decryption keys (ADKs) in existence that the originator does not know about? (This was the subject of CERT Advisory CA-2000-18 of August 2000, concerning PGP; see Section 11.3.)

The reader is referred to Chapters 10 through 12 for a thorough discussion of commercial encryption.



4.11.11 Other protection fallacies that don't deliver



Beyond the classical illusions above, there is a vast collection of tricks intended to protect sensitive files. Do not depend on them. Such tricks deter only the nontechnical casual snoop, unless (1) the file is truly encrypted or hidden using good steganography, and all evidence of the unencrypted or unsteganographed file is totally eliminated (see Section 11.5), or (2) the magnetic media in question are somewhere an oppressive regime cannot find them. Worse than being unreliable, such tricks make the individual using them that much more likely to receive a thorough forensic analysis of his or her computer, against which they are totally ineffective. Ineffective tricks, which can also be used in assorted combinations, include (but are not limited to) the following:










• Renaming a file (e.g., from supersecret.doc to virtue.exe). This is not only ineffective but a bad idea, because forensic software (such as EnCase) compares each file's signature (its leading bytes) with its extension and flags the mismatch, so a renamed file (e.g., abc.jpg renamed to def.sys) draws attention to itself.

• Compressing a file (using standard zip software). Compression is not encryption: the archive stores its member names in the clear, and the contents expand without any key.

Such schemes do not protect one from a forensic examination, because such an examination looks at all data on a disk regardless of each file's name, location, degree of compression, conformance (or not) to any operating system or file system, what else it is merged with, and so forth.
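The signature-versus-extension check that forensic suites perform, and the reason zip compression hides nothing, as an added Python example (not the book's text, and not EnCase's code): a short magic-byte table (an assumption; real tools carry thousands of signatures), a triage pass that flags files whose extension contradicts their leading bytes, and a descent into zip archives, whose member names and contents are readable without any key. The sample files are constructed.

```python
import io
import zipfile

# Leading-byte signatures and the extensions they legitimately carry (assumed, abbreviated table).
SIGNATURES = {
    b"\xFF\xD8\xFF": {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"%PDF-": {"pdf"},
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": {"doc", "xls", "ppt"},   # OLE2 compound document
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx", "jar"},
    b"MZ": {"exe", "dll", "sys", "scr"},
}


def identify(header):
    """Extensions consistent with the file's leading bytes, or None if unknown."""
    for magic, exts in SIGNATURES.items():
        if header.startswith(magic):
            return exts
    return None


def extension_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def extension_mismatch(name, data):
    """True if the extension contradicts the signature, False if it agrees,
    None if the signature is not in the table (cannot judge)."""
    exts = identify(data[:16])
    if exts is None:
        return None
    return extension_of(name) not in exts


def triage(files, prefix=""):
    """Flag renamed files; descend into zip archives, whose member names are
    stored in clear and whose contents inflate without any key."""
    flagged = []
    for name, data in files.items():
        path = prefix + name
        if extension_mismatch(name, data):
            flagged.append(path)
        if data.startswith(b"PK\x03\x04"):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = {m: zf.read(m) for m in zf.namelist()}
            flagged.extend(triage(members, path + "/"))
    return flagged


def build_samples():
    """Constructed sample files: a Word document renamed to .exe, a JPEG renamed
    to .sys, an honest executable, plain text, and a zip holding a renamed JPEG."""
    ole = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\0" * 24
    jpeg = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\0" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("holiday.txt", jpeg)           # renamed inside the archive
        zf.writestr("readme.txt", b"nothing to see here")
    return {
        "virtue.exe": ole,                          # supersecret.doc renamed
        "def.sys": jpeg,                            # abc.jpg renamed
        "setup.exe": b"MZ\x90\x00" + b"\0" * 28,    # extension agrees with signature
        "notes.txt": b"plain text, no signature",   # unknown type: not judged
        "backup.zip": buf.getvalue(),
    }


if __name__ == "__main__":
    for path in triage(build_samples()):
        print("extension/signature mismatch:", path)
```

Two things to note: the check deliberately returns None rather than False for unknown signatures, so plain text and unfamiliar formats are not reported as "clean", and the archive is opened by the same code path as a directory, which is why the renamed member inside backup.zip is found as readily as the renamed files beside it.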






CHAPTER 5

Why Computer Privacy and Anonymity?

Contents
5.1 Anonymity
5.2 Privacy



"Countering computer forensics? But aren't you helping the bad people?"

No! Quite to the contrary, this is helping the good people ward off the bad people. It also helps reduce crime by making it much harder for criminals to engage in identity theft, or for thieves to steal intellectual property and legally privileged information such as medical records and attorney-client communications.

Computer forensics is not done only by or for law enforcement; more often than not, it is done by anyone with the means to do so, for illegal purposes such as stealing intellectual property, passwords, and the like.

Just as there are legitimate uses for knives and for matches, there are many legitimate uses for countering illegal computer forensics, such as the following:

1. Preventing the theft of intellectual property;

2. Preventing the theft of proprietary business documents by competitors;

3. Preventing the compromise or outright theft of legally privileged information, such as patients' medical records and attorney-client privileged communications;

4. Protecting a nontechnical freedom fighter in a patently oppressive totalitarian regime;

5. Protecting anyone from having information planted in his or her computer that can be subsequently discovered;

6. Helping lawyers defend their clients from frivolous accusations supported by contaminated evidence.



The wide availability of free and commercial software packages that promise to protect one from assorted types of unauthorized snooping is, in fact, doing most users a disservice, because they lull the buyer into a false sense of security that is worse than no security: someone who knows he or she has no security will be much more careful with what is entrusted to a computer than someone who thinks there is security when in fact there is none. This cannot be overemphasized.

Then there is also the philosophical issue that is implicit in most civilized

societies: If a youngster on a deserted island whispers sweet nothings to his

girlfriend’s ear, it is nobody else’s business to know what was said. And that

privacy should not be contingent upon the distance between the two or

upon the medium used to communicate, be it two paper-cups and a string

or a technologically advanced alternative.

Similarly, if a person on a deserted island wants to confide written

thoughts to his or her diary, civilized society has traditionally bestowed the

right of privacy to those thoughts. And that privacy should not be contingent upon the medium used to write one’s thoughts, be it paper and pencil

or its modern day equivalent, namely, a personal computer.

But, as members of societies, we don’t live on deserted islands. Being

part of a society entails numerous limitations of individual freedoms so that

each society can function. Indeed, a society has the self-evident right to protect itself from individual conduct which is out-and-out harmful, such as

murder, arson, and the like. Part of the implementation of such societal protection is to have early warning of a planned major crime so that such a

crime can be prevented. At a minimum, any society needs to have the

means to prevent the recurrence of a major crime by positively identifying

the perpetrator. Just as ballistics tests can show which gun fired a bullet

found in a dead body or whose DNA was at the scene of a major crime, computer forensics can and should be used if it can show conclusively who

planned or executed a major crime.

In this sense, this book is highly supportive of the law enforcer who is

trying to prevent a major crime, hence the lengthy chapters on effective

computer forensics.

The definition of a crime is in the mind of the beholder, however.

A totalitarian regime often criminalizes everything that those in power

don’t like, be it the expression of a dissenting political or religious thought

or even a joke that treats the ruler unfavorably. Also, what is a crime

one day may not be the next, and vice versa, as laws constantly change

in all societies. One cannot conveniently define as a criminal anyone

that any country’s court has branded as one; in recent history, some regimes

have made it a crime to talk about freedom, to listen to music by this or

that composer, to whistle this or that tune, and so on. If the word “criminal” is simplistically defined to include anyone convicted by any court

of a locally defined crime, then Christ and Gandhi would have to be

included, along with Bertrand Russell, Galileo, Luther, and most other key

intellectuals.

One should not forget Montesquieu’s words: “There is no greater tyranny than that which is perpetrated under the shield of law and in the






name of justice.” Or the words of William Pitt the Younger: “Necessity is the

plea for every infringement of human freedom.”

Last but not least, there is theft. According to the FBI, some 319,000 laptops were stolen in 1999. Most such thefts occur at airport security gates:

The laptop is placed by its owner on the X-ray machine’s conveyor belt; a

seemingly rushed traveler cuts to the front of the line to get through the

magnetometer, but is having difficulties with keys and related items on his

or her person. While that rushed traveler is being taken care of, his or her

accomplice on the other end of the security gate absconds with the laptop,

which has already passed through the X-ray machine. Most of these laptops

must have undoubtedly included data not intended for others’ eyes, such as

corporate proprietary information, personal medical and financial information, and the like. The value of the loss of such data to unauthorized eyes is

incalculable and usually far exceeds the value of the hardware lost. It would

be nothing short of irresponsible to allow this to happen to oneself.

One should also not forget that the mere proliferation of information

technology has made wholesale surveillance not only possible but also economically cost-effective. Even time-honored institutions that used to

respect privacy may well not do so any more; for example, the U.S. Census,

whose data was advertised as being protected, may not be so. According to

the New York Times, the Congressional Budget Office with the help of some

congressmen has been angling to get its hands on the census data to create

“linked data sets” on individuals using information from the Internal Revenue Service, Social Security Administration, and Census Bureau surveys to

help it evaluate proposed reforms in Medicare and Social Security (see

www.nytimes.com/2000/10/23/opinion/23MONK.html).

An often-repeated adage says that if one consults a lawyer and wants

justice, many a lawyer will often ask, “How much justice can you afford?” A

similar situation exists with privacy and security: how much privacy and

security can you afford?



5.1



Anonymity

While encryption protects the content of a file, message, or communication, it does not protect the identity of who communicates with whom. Unlike encryption, which protects a file's content from forensic discovery either online or offline, anonymity, in the present context, relates to the transmittal of a document from its source to its intended destination. What is to be hidden is not the content but its author.

Far from being disreputable, anonymity is at the heart of civilized society, as evidenced by the following quotes by world-renowned U.S. Supreme Court justices:





• "Anonymity is a shield from the tyranny of the majority. . . . It thus exemplifies the purpose behind the Bill of Rights, and of the First Amendment in particular: to protect unpopular individuals from retaliation—and their ideas from suppression—at the hand of an intolerant society."
—Justice Stevens, McIntyre v. Ohio Elections Commission, 1995

• "Anonymous pamphlets, leaflets, brochures and even books have played an important role in the progress of mankind. Persecuted groups and sects from time to time throughout history have been able to criticize oppressive practices and laws either anonymously or not at all."
—Justice Black, Talley v. California, 1960

• "After reviewing the weight of the historical evidence, it seems that the Framers understood the First Amendment to protect an author's right to express his thoughts on political candidates or issues in an anonymous fashion."
—Justice Thomas, McIntyre v. Ohio Elections Commission, 1995



Indeed, the use of anonymous and pseudonymous speech played a vital role in the founding of the United States. When Thomas Paine's "Common Sense" was first released, it was signed "An Englishman." Similarly, James Madison, Alexander Hamilton, John Jay, Samuel Adams, and others carried out the debate between Federalists and Anti-Federalists using pseudonyms. George F. Kennan signed his influential 1947 essay, "The Sources of Soviet Conduct," as "X." Finally, the use of a pseudonym, or nom de plume, in literature has a time-honored history (e.g., Mark Twain was Samuel Clemens).

There are many flavors of anonymity, such as using a pseudonym or

assuming another identity. For the purposes of this discussion, we interpret

anonymity to include any technique that prevents any third party from discovering the true identity of an Internet user.

Anonymity is an obvious irritant to law enforcement and is criticized as

prima facie evidence of criminal intent. For a different perspective, consider

the following view by Julf Helsingius, expressed in an interview with Wired

magazine’s Joshua Quittner, coauthor of the high-tech thriller Mother’s Day.

Helsingius ran the world’s most popular remailer in Finland until he retired

in 1996.

Living in Finland, I got a pretty close view of how things were in the former

Soviet Union. If you actually owned a photocopier or even a typewriter

there, you would have to register it and they would take samples . . . so that

they could identify it later. . . . The fact that you have to register every means

of providing information to the public sort of parallels it, like saying you

have to sign everything on the Internet. [Law enforcers] always want to

track you down.



Quite often, anonymity actually furthers the cause of law enforcement. For example, a whistle-blower may need to tip off law enforcement about a serious ongoing or planned illegal activity by his or her employer; a suicidal or homicidal individual may wish to obtain help and counseling that he would not seek without anonymity; a drug-addicted mother of a young child may seek anonymous counseling to keep herself from spending all of her financial resources on her habit. Even some police departments are experimenting with Web sites for anonymous tips about crimes; this is nothing more than an online version of the time-honored anonymous crime-solver phone line.

Less dramatic situations justifying anonymity include seeking employment through the Internet without jeopardizing one's current job, expressing religious opinions in a community that is strongly opposed to them, or placing a personal ad. Doctors who are members of the online community often encourage their patients to connect with others and form support groups on issues they do not feel comfortable speaking about publicly. It is essential to be able to express certain opinions without revealing one's identity. In a multitude of other situations, anonymity serves a very legitimate social function.

Conversely, as with anything else, anonymity can be abused by sociopaths, who are attracted by the notion of avoiding responsibility and accountability for their actions.

Many everyday activities that used to be anonymous leave electronic

trails behind today. Using the lure of discounts or other benefits, the common “preferred customer” card of supermarkets, bookstores, and other vendors allows those vendors to track one’s purchasing and renting preferences,

even if payments are made with cash. The same applies to the use of

frequent-flyer accounts, or to the use of frequent-anything accounts, and to

the ever-increasing use of credit cards in place of cash.

With the ubiquitous spread of Signaling System 7 in telephony, caller ID

information is available to the called party about the calling party. Blocking

caller ID does nothing, in the United States, to toll-free calls made to 800

area code numbers; because the called party pays for the incoming call, the

phone companies use Automatic Number Identification (ANI) to allow the

called party to know who is calling, even if the calling party has disabled the

outgoing caller ID feature.

E-mail records are now routinely subpoenaed by prosecutors and by

attorneys in both criminal and civil cases as evidence.

And the list goes on.

As a matter of principle, many individuals have therefore resorted to

technology to protect their privacy, often for privacy’s own sake.

Additionally, anonymity is a matter of life and death in many societies in

the case of responsible individuals expressing views that are unpopular, that

the ruling party perceives as a threat, that question the status quo, or that

debate religious or other topics.



5.1.1 Practical anonymity



A vast number of resources on practical anonymity are available on the

Internet. One of the most useful Web sites is www.privacyresources.org/

anonymity.htm.






It is important to decide up front whom one wants to be anonymous from:

1. The recipient of e-mail that one is about to send;

2. The readers of Usenet groups that one has elected to post to;

3. The Web sites that one visits on the Internet;

4. Someone in a repressive regime who is tapping one's telephone line;

5. One's ISP;

6. Someone else on one's local network, if one is on one;

7. A forensic investigator who gets hold of one's computer.

Each of these requires a different set of procedures and/or software. They are discussed, among other topics of equal relevance and concern, in separate sections of Chapters 10 through 14.



5.2 Privacy

Civilization is the process toward a society of privacy. The savage’s whole existence is

public, ruled by the laws of the tribe. Civilization is the process of setting man free

from men.

—Ayn Rand, The Fountainhead

Privacy is the right of individuals to control the collection and use of information about themselves.



5.2.1 You cannot trust TRUSTe?



TRUSTe (http://www.truste.com) is a commercial organization that has set

itself up as the grantor of a sort of seal of approval for online commercial

entities that appear to meet some criteria for respecting the confidentiality

of customer-provided information.

Can one trust that? In a word, no. One of the main failings of this

scheme is that it cannot handle the cases of companies that go bankrupt and

sell their assets to meet their financial obligations; those assets often include

the databases of customer information that the bankrupt company had

assured its customers would never be sold to anyone. The company receiving those databases does not feel bound by any commitments made by the

bankrupt company. A typical example is the news item reported on the

Internet on October 27, 2000, to the effect that HealthCentral.com has

reportedly signed an agreement to purchase the assets of the floundering

online drugstore more.com, including its customer list, and its subsidiary,

ComfortLiving.com, for approximately $6 million.


