BitLocker, Computers and Internet, Encryption, Microsoft, Security, Trust

commoditizing the shaft

Lorenzo Franceschi Bicchierai wrote about BitLocker and our conversations with government agencies. Excerpt below:

“Fuck, you guys are giving us the shaft,” the agent said, according to Biddle and the Microsoft engineer, who were both present at the meeting. (Though Biddle insisted he didn’t remember which agency he spoke with, he said he remembered this particular exchange.)

Biddle wasn’t intimidated. “No, we’re not giving you the shaft, we’re merely commoditizing the shaft,” he responded.

Biddle, a believer in what he refers to as “neutral technology,” never agreed to put a backdoor in BitLocker. And other Microsoft engineers, when rumors spread that there was one, later denied that was ever a possibility.

Full article:
Did the FBI Lean On Microsoft for Access to Its Encryption Software?

Android, apps, Computers and Internet, Encryption, Security, Trust

Code Identity and the Android Master Key Bug

Android invasion, Sydney, Australia (Photo credit: Pranav Bhatt)

I was part of the effort to drag MSFT security into the modern era. It was extremely painful. I assumed (perhaps stupidly) that our highly-public lessons would mean other late-comers to the security party would look at our wrecked living room, burned furniture and bad tattoos and then not make the same mistakes we made in our irresponsible youth.

But perhaps no. This Android bug could prove to be extraordinarily bad.

Blowing hash and signing functions so that the underlying code can be changed without the hash and sigs changing is horrifyingly atrocious. This is the code equivalent of impersonating a person with a mask so good nobody, not even the real person themselves, can tell the difference.

The entire value of a chain of trust is that you are limiting the surface area of vulnerability to the code-signing and hashing itself. This bug, if it’s as described, destroys the chain. All bets are off. You’d be better off without the assertions and chain at all: Treat everyone as adversarial and move all critical operations off-device and into something you know you can trust.
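The verifier below is an added example, not Android's code and not anything from Bluebox's report. It demonstrates the property this paragraph rests on: the bytes the signature covers must be exactly the bytes that get executed, and nothing outside the signed set may ride along. The package format (a zip carrying a signed manifest of SHA-256 digests), the use of HMAC in place of a real asymmetric signature, and the names `build_package`, `verify_package`, `add_entry` and `demo` are all assumptions of the example. It parses the archive once, refuses any entry name that appears twice (the actual Android bug, as Bluebox described it, came from the verifier and the installer disagreeing about which copy of a repeated entry name counted), and hands the loader only the bytes it verified.

```python
import hashlib
import hmac
import io
import json
import warnings
import zipfile

# Constructed stand-in for the vendor signing key. A real packaging format uses an
# asymmetric signature; HMAC keeps this demo self-contained (assumption).
SIGNING_KEY = b"demo-signing-key-not-a-real-secret"

MANIFEST = "META/MANIFEST.json"
SIGNATURE = "META/MANIFEST.sig"


def build_package(entries):
    """Build a signed package: a zip of (name, bytes) entries plus a manifest of
    SHA-256 digests and a signature over that manifest."""
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in entries}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, manifest_bytes, hashlib.sha256).hexdigest()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
        zf.writestr(MANIFEST, manifest_bytes)
        zf.writestr(SIGNATURE, sig)
    return buf.getvalue()


def verify_package(package):
    """Parse the archive exactly once, check the manifest signature and every
    entry's digest, and return the verified bytes. Code identity only holds if
    the loader executes *these* bytes rather than re-reading the archive."""
    entries = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            # Two entries with one name means a verifier and a loader could
            # disagree about which one "is" the file: refuse rather than pick.
            if info.filename in entries:
                raise ValueError(f"duplicate entry: {info.filename}")
            entries[info.filename] = zf.open(info).read()
    manifest_bytes = entries.pop(MANIFEST, None)
    sig = entries.pop(SIGNATURE, None)
    if manifest_bytes is None or sig is None:
        raise ValueError("package is unsigned")
    expected = hmac.new(SIGNING_KEY, manifest_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.decode(), expected):
        raise ValueError("manifest signature mismatch")
    manifest = json.loads(manifest_bytes)
    # The signed set and the archive's set must be identical: no unsigned extras.
    if set(manifest) != set(entries):
        raise ValueError("manifest does not cover exactly the archive's entries")
    for name, data in entries.items():
        if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), manifest[name]):
            raise ValueError(f"digest mismatch: {name}")
    return entries


def add_entry(package, name, data):
    """Constructed test helper: append one more entry to an existing package
    without touching the manifest or the signature."""
    buf = io.BytesIO(package)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile only warns about repeated names
        with zipfile.ZipFile(buf, "a") as zf:
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Return which of three constructed packages the verifier accepts."""
    good = build_package([("classes.dex", b"original code")])
    results = {"signed": "classes.dex" in verify_package(good)}
    for label, tampered in [
        ("extra-entry", add_entry(good, "payload.dex", b"unsigned code")),
        ("duplicate-entry", add_entry(good, "classes.dex", b"replaced code")),
    ]:
        try:
            verify_package(tampered)
            results[label] = True
        except ValueError:
            results[label] = False
    return results
```

`demo()` builds one properly signed package and two tampered copies; only the untampered one is accepted. The design point is that verification returns the bytes, so there is no second parse for the loader to get a different answer from.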

I am not saying this automagically makes Android phones infinitely vulnerable to horrible deeds. It doesn’t. As of July 4th 2013 there are no known exploits in the wild that make use of this attack. To really hit something out of the park based on this bug the bad guys are going to need a way to get an offending app onto a phone. This means getting it through a heretofore unknown exploit in Google Play or onto the phone via side-loading or another distribution method.

So we’re all okay, right? Well, no. Not necessarily. Perimeter security – which is what Google uses to keep bad apps off of phones in the first place – is notoriously bad. It’s so bad that Google (and Apple, MSFT, and everybody else) use techniques like sandboxing (perimeters within perimeters), privilege, code signing and code validation to make up for its deficiencies.

Malicious software has an annoying habit of finding its way onto devices with considerably stronger perimeters than Android’s, so validation of the code that is on the system is critically important.

Unfortunately it’s not just the exploit that is distressing. One of the things we eventually got good at at MSFT, back when we routinely had our pants around our ankles on security, was our responses. There’s no way you can survive forever in an environment of constant adversarial attack if you don’t get much better at defending yourself technically AND much better at working with the public about what you’re doing.

In this blog post, Google advocate that companies “should fix critical vulnerabilities within 60 days” and that “after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves”.

Google espouses 60 days to fix exploitable bugs and going public one week after private notification. According to Bluebox, they told Google about this via bug 8219321 in February 2013. That’s a little bit more than 60 days ago. Seeing as it’s now July, I think (and I’m not very good at math, so bear with me here) that’s at least twice as many. It’s especially more than 7 days. I’m not sure how Google are following their own disclosure policy.

Let me speak from personal experience (again) that you need to be really good at dealing with the public on security stuff. If you are going to make clear and solid statements that have numbers in them (eg 60, 7) then you really REALLY need to make sure you are always on the right side of those numbers.

I am also not saying this automagically makes Google evil. As I said at the beginning of this post – I’ve been there when it was bad. Sometimes you are trying your hardest to be good but you’re tripping and falling down. People see you fucking up and assume it means you are evil when really you’re just trying to stay alive long enough to fix your broken shit and learn so you can be better.

I don’t wish anyone at Google any ill will over this. I’ve been there, it’s no fun.

BitLocker, Development, Encryption, Security, Trust

The Thames River Scenario and XKCD

This is a great comic, and I love XKCD. Love it! However the attack referred to in this comic is one that good crypto systems understand and counter.

I refer to it as “the Thames River scenario”, and BitLocker (Windows Vista) will actually mitigate it if you want it to.

Let’s back up for a second and consider the scenario, simplified. There’s a key – called a password – that is needed to get at some information. Passwords (PW) are handy as a “thing you know” factor in authentication because we carry them around in our brains, but that is also the problem with them. Because they are in our brains they wind up being easy to remember, and anything easy to remember is easy to guess. Or to extract from someone’s brain…

Most of us will never be tortured because someone wants the information off of our laptops. That’s because most of us don’t have the stuff on our laptops which people who feel the urge to torture want. However, there are people out there with things on their laptops that people want really really badly…

Meet Kumar. (Kumar isn’t a real person. I just made him up. However there are people like Kumar.)

Kumar works in domestic intelligence in his central European country. He has been working very hard to crack a terrorist group in his country, a group which he knows is responsible for at least 14 deaths and which has aspirations for many, many more. We’ll call this group “El Patriots”, or EP for short. EP is thought to be funded by at least one foreign government, possibly more, because it seems better organized and more effective than it ought to be.

EP is also famous amongst the intelligence community for being cagey and extraordinarily secretive and very violent. They kill people. 

Kumar’s agency tracks EP in a variety of ways – cell phone data, GPS, data mining, and good old informants. Kumar is an affable and thoughtful man and thus he’s particularly effective at “humint” – human intel, aka informants. The people he works with are often directly or indirectly involved in EP and usually speak to him because they think EP are evil and must be stopped, but also because they want money, or revenge, or like the excitement of being involved.

Because Kumar is also organized, he keeps notes and lists about his network of informants – over 100 of them. He has spreadsheets, photos, files, extensive background checks, family trees, social networks… he knows a lot about these people and he keeps detailed notes about them because that’s his job. You never know if a trifling little fact – a mention that a suspected EP supplier stops at a certain coffee shop every Thursday after dropping his kids off at school – will turn out to be incredibly important. 

Kumar stores all of this information on his laptop. He uses data syncing to keep as little of it as he can on the laptop, but there’s still quite a bit. If EP were to get the information on his laptop, people would die in a matter of days, perhaps even hours. Families living in other countries would be killed or kidnapped and tortured. It would be really bad.

When Kumar’s infosec team considered what security he needed on his laptop, they included Kumar in their threat model. They assumed they had a very skilled adversary with an essentially unlimited amount of money (foreign intelligence), and they assumed that this adversary actually knows that Kumar is an intelligence agent, so they and EP will be targeting Kumar’s laptop specifically because they are pretty sure that what’s on there is really worth stealing. Possibly worth killing for, possibly worth torturing for.

So how do they protect that data? There are a variety of architectures to do this, but presuming that there’s data that Kumar needs on his laptop to SAVE lives, and at the same time that same data in the wrong hands will LOSE lives, then he’s going to need either access to the data locally or to actually possess the data locally to do the job of SAVING while minimizing the risk of LOSING. 

First off, encrypt the entire laptop. That’s a no brainer.

Then never rely on a single factor of authentication which is easy for Kumar to remember. PW = bad. It would be really lame if EP snatched the laptop and the PW turned out to be something they can brute-force in a few hours. 

If the hard drive is always encrypted, then the attacks shift to getting at the laptop in a state where it is cheerfully giving up unencrypted data – eg when Kumar is logged in.

Aha! Kumar is now part of the threat model!

This has to happen sometimes, so you use policy enforcement to make sure that the system hibernates whenever the lid closes or it isn’t used for more than just a few minutes. That ensures that the keys used to manage the system aren’t sitting in memory, where they are vulnerable. Reduce moments of “logged in” to when Kumar wants them to happen, like in a secure location.

Okay, so what about Kumar? If they get Kumar along with the laptop, what happens then? Let’s say that Kumar is crossing a bridge in a foreign country and a van rolls up, out jump 3 armed men, they drag Kumar into the van and away they go… The best security system would mean that Kumar wouldn’t have to do ANYTHING and yet the laptop would be invulnerable. The hard part about this is that it implies the laptop is smarter than Kumar – it knows that Kumar has been snatched and so now it refuses to unlock even though Kumar is begging, pleading with it to open…

…this is hard. There are some really neat ideas for pulling this off, but as yet they tend to be so error prone that you might as well just not let Kumar carry the data (or access it) around. Dumb terminals on encrypted airgap copper networks in physically secure locations make SAVING lives too hard. 

Okay, so you are going to want to require multiple forms of authentication – one-time passwords, smart cards and biometrics are all examples. You want something that isn’t on the machine itself (it needs to be separate, otherwise he can’t lock it if he’s, say, running away from the laptop which has just been snatched). It needs to be small and portable, and it has to be impossible for Kumar to recreate, even under duress or subpoena.

You also want something that Kumar CAN’T give up. Thumb prints are terrible solutions for this – Kumar can’t stop someone from cutting his thumb off his dead body.  

I call this “the Thames River scenario” because it’s easy shorthand to encapsulate the situation. Kumar is on a bridge on the Thames and has a few seconds to render both himself and his laptop secure. In BitLocker the solution to this is to use a USB dongle containing a Very Large Key as an additional factor of authentication to the TPM and the PIN. Toss the USB dongle into the Thames and now there’s NO WAY that the system, which is in hibernation so there are no keys in memory (so no freon/cold-boot attacks), can be unlocked. Kumar can’t unlock it, even if he wants to. Beat the crap out of him, it won’t matter. The key is huge and he couldn’t remember it even if he wanted to try.

Smart crypto architects will note that there may be another key which can unlock it – a recovery key. But that is never with Kumar and Kumar doesn’t know it, can’t know it, has never even seen it. It’s printed on a piece of paper locked up in a very secure place inside Kumar’s intelligence agency and they won’t let it out, not even to save Kumar’s life.

So Kumar gets tortured, which is horrible and awful and bad. The only thing he can give up is what he remembers, and the torturers now have to try and break him to get the data that he has in his head – eg names, addresses – out. It’s much harder. More people may die, but then some evil-doers might die too as Kumar gives up names he knows of suspected EP members who aren’t his informants… Kumar is brave and dedicated and he knows that if he talks then people die, so he feeds EP the wrong names, gives them false trails… in the end he coughs up everything he can remember, but by then it’s less than it might otherwise be because the torturers are too violent and by the time Kumar is talking he’s so muddle-headed and woozy he’s very compromised. EP has far less than they would have if they had the laptop.

Note that in the less dramatic scenario where Kumar has his dongle in his pocket and the laptop in the briefcase and EP snatches the briefcase, they still can’t get in because he has the dongle.

If they get the dongle and laptop but no Kumar they still don’t have the PIN, which means, again, that they aren’t getting the data.

They need Kumar, conscious and compliant (to get the PIN out of his head), the laptop, and the dongle. Not impossible, but now much, much harder to pull off. Nearly as hard as we can make it.

For us normal folks, BitLocker with TPM+USB+PIN is a bit much, but TPM+PIN w/hibernate is a good compromise.  
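The model below is an added example, not BitLocker’s code or format. It walks through the architecture the post has just described: a volume master key wrapped under a protector made of three factors (TPM-released secret, PIN, USB startup key), a separate recovery-key protector held by the agency, and a hibernate step that clears the key from memory. Real BitLocker wraps the key with AES; here the wrap is an HMAC-derived pad with an HMAC tag so the block needs only the standard library. The class and function names (`Protector`, `Volume`, `pin_key`, `thames_river_scenario`) and the sample PIN are assumptions of the example. It goes slightly beyond the post by also checking that the recovery path yields the same key as the primary path.

```python
import hashlib
import hmac
import secrets


def _derive(salt, purpose, *factors):
    """Derive a 32-byte key from the salt and every factor in order; a single
    wrong or missing factor changes the result completely (assumption: HMAC
    stands in for the real key-wrapping scheme)."""
    h = hmac.new(salt, purpose, hashlib.sha256)
    for factor in factors:
        h.update(len(factor).to_bytes(4, "big") + factor)
    return h.digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Protector:
    """One route to the volume master key: the VMK wrapped under all of the given
    factors, with a tag so a wrong factor yields a refusal rather than garbage."""

    def __init__(self, vmk, *factors):
        self.salt = secrets.token_bytes(16)  # fresh per protector, so the pad is never reused
        self.blob = _xor(vmk, _derive(self.salt, b"wrap", *factors))
        self.tag = hmac.new(_derive(self.salt, b"mac", *factors), self.blob, hashlib.sha256).digest()

    def unwrap(self, *factors):
        tag = hmac.new(_derive(self.salt, b"mac", *factors), self.blob, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self.tag):
            return None  # wrong or missing factor: nothing is revealed
        return _xor(self.blob, _derive(self.salt, b"wrap", *factors))


def pin_key(pin, salt):
    """Stretch the short PIN so guessing is slow; on real hardware the TPM's
    anti-hammering lockout is what actually rate-limits this."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Volume:
    def __init__(self, tpm_secret, pin, startup_key, recovery_key):
        vmk = secrets.token_bytes(32)
        self.vmk_digest = hashlib.sha256(vmk).hexdigest()  # kept only so tests can compare
        self.pin_salt = secrets.token_bytes(16)
        self.primary = Protector(vmk, tpm_secret, pin_key(pin, self.pin_salt), startup_key)
        self.recovery = Protector(vmk, recovery_key)  # independent route, never with Kumar
        self.key_in_memory = None

    def unlock(self, tpm_secret=b"", pin="", startup_key=b""):
        """Primary route: all three factors or nothing."""
        self.key_in_memory = self.primary.unwrap(tpm_secret, pin_key(pin, self.pin_salt), startup_key)
        return self.key_in_memory is not None

    def unlock_with_recovery(self, recovery_key):
        self.key_in_memory = self.recovery.unwrap(recovery_key)
        return self.key_in_memory is not None

    def hibernate(self):
        """Policy: lid closed or idle means hibernate, so no key stays in RAM."""
        self.key_in_memory = None


def thames_river_scenario():
    """Which combinations of what an adversary can obtain actually unlock the volume."""
    tpm = secrets.token_bytes(32)        # released only by this machine's TPM
    usb = secrets.token_bytes(32)        # the Very Large Key on the dongle
    pin = "482913"                       # constructed sample PIN, the only factor in Kumar's head
    recovery = secrets.token_bytes(32)   # printed on paper in the agency safe
    vol = Volume(tpm, pin, usb, recovery)

    outcomes = {}
    outcomes["kumar_at_desk"] = vol.unlock(tpm, pin, usb)
    vol.hibernate()
    outcomes["keys_in_ram_after_hibernate"] = vol.key_in_memory is not None
    outcomes["laptop_only"] = vol.unlock(tpm)                   # briefcase snatched, no dongle, no PIN
    outcomes["laptop_and_dongle"] = vol.unlock(tpm, "", usb)    # dongle taken, PIN unknown
    outcomes["laptop_and_coerced_pin"] = vol.unlock(tpm, pin)   # PIN beaten out, dongle in the Thames
    outcomes["agency_recovery_key"] = vol.unlock_with_recovery(recovery)
    outcomes["recovery_yields_same_key"] = (
        hashlib.sha256(vol.key_in_memory).hexdigest() == vol.vmk_digest
    )
    return outcomes
```

`thames_river_scenario()` returns a dict of outcomes: only the full three-factor set and the agency’s recovery key succeed, and after `hibernate()` nothing usable remains in memory. The reason the PIN alone, the dongle alone, or the laptop alone all fail is structural: the wrap key is derived over every factor at once, so the protector cannot be partially satisfied.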

Good laptop encryption systems are capable of treating the possessor of the laptop as an adversary and are also capable of treating the rightful user of the laptop as no longer trustworthy. 

Be happy there are people like Kumar out there fighting the good fight against terrorist organizations who want to kill us, and be happy that there are good technologies out there which can help them.