Thursday, February 07, 2008

Data Inspections at the Border

I'm spending a little extra care in preparing for SANS Security 504 in Calgary, AB. Recently, there have been more stories about scary inspections. Essentially, some rulings are in favor of US border inspections (that is, they do not violate an expectation of privacy, and no warrant is needed), while other rulings support such searches in case of suspicion.

Not that I'm against finding the dirt on the bad guys, but let's say your USB key or cell phone is duplicated so they can analyze it. Even if you wait while they examine it, how do you know the copy being analyzed is properly sanitized afterwards? That data may have been very sensitive, and now you no longer have any control over that copy.

What kind of things can we do as individuals to protect ourselves?

The best solution is simply not to take sensitive material with you.

Merely encrypting storage probably will not be sufficient. It will probably only aggravate the authorities and make the process time-consuming and legally painful for yourself. That is not to say you shouldn't encrypt, but be prepared to deal with the consequences (such as logging on for the authorities so they can see your browsing history). The recent release of TrueCrypt 5.0 or a Microsoft Vista installation protected by BitLocker is just a start.

If you must bring something you would consider sensitive, you may want to use a steganographic technique. This isn't as useful if you are trying to hide large files, and there still is the possibility of pulling your sensitive data from swap files and derelict slack space in the file system.

You also might consider using EFS to encrypt folders instead of the whole partition. Then an inspection turns up regular information at a glance, and they might ignore the unknowns.

What do I plan to do?

First, I'm going to clean up my machine. I tend to visit a lot of "interesting" places that might trigger interest. I'll also not bring sensitive material on the machine itself--I will depend on the ability to use a VPN to download anything I require from my trusted network.

But to clean my machine, I'll delete cruft and old material, then use a few utilities to sanitize the empty space. Recent browsers try to help ease the pain of clearing cookies, cache, history, passwords, etc. I prefer never to save the passwords in the browser--I resort to keeping a PGP copy of a spreadsheet with the passwords/passphrases in case I can't remember. I keep a copy on my BitLocker drive and on a USB key that has its own AES-128 protection. Between having a couple of protections there--I tolerate what little risk is left.

If you are concerned about privacy on the filesystem--you may want to try bcwipe. Historically, these utilities have had issues with missing items in NTFS, but the only way to be sure is to test it for yourself with a forensically sound process. For most folks concerned about privacy, such a tool is sufficient.

I'm also thinking of keeping a clean bootable partition around just so I have something to show on request. Until I get around to that, I'll keep a bootable CD-ROM in the drive so I can click around and show them a browser history without a lot of accidental issues.

I used to also disable page swapping, reboot, wipe freespace, defrag, wipe freespace again, re-enable paging, then reboot. I just felt safer knowing that in the worst case, it would take a professional forensic investigation instead of a cursory glance at some potentially misleading websites. I tend to do this less on my primary PC now that I use specialized virtual machines to do most everything, and do it on the virtual machines as I get around to it. :)
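The paging-off, wipe, defrag, wipe, paging-on sequence above as PowerShell functions, added here as an example and not code from the post. It assumes Vista or later (for the WMI pagefile properties) and substitutes the built-in `cipher /w` free-space wipe for bcwipe; the reboots between steps are still done by hand.

```powershell
# Added example (not from the post). Run from an elevated PowerShell prompt and
# reboot after Disable-Pagefile, after Clear-FreeSpace, and after Enable-Pagefile,
# matching the post's sequence. Assumes Vista+ WMI properties.

function Disable-Pagefile {
    # Turn off automatic pagefile management, then drop every configured pagefile.
    # pagefile.sys itself disappears on the next boot, freeing its clusters for the wipe.
    $cs = Get-WmiObject Win32_ComputerSystem
    if ($cs.AutomaticManagedPagefile) {
        $cs.AutomaticManagedPagefile = $false
        [void]$cs.Put()
    }
    Get-WmiObject Win32_PageFileSetting | ForEach-Object { $_.Delete() }
}

function Clear-FreeSpace {
    param([string]$Drive = 'C:')
    # cipher /w overwrites unallocated space on an NTFS volume (0x00, 0xFF, then random).
    # It does not reach slack space inside allocated clusters, which the post warns about.
    cipher "/w:$Drive\"
    # Defragmenting moves files, so clusters that held old data become free; wipe again.
    defrag $Drive
    cipher "/w:$Drive\"
}

function Enable-Pagefile {
    # Restore a system-managed pagefile; takes effect after the final reboot.
    $cs = Get-WmiObject Win32_ComputerSystem
    $cs.AutomaticManagedPagefile = $true
    [void]$cs.Put()
}
```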

Recent Washington Post Article

Another Article with specifics and from page 2

"the government may conduct routine searches of persons entering the United States without probable cause, reasonable suspicion, or a warrant"

Friday, February 01, 2008

Changes to No eXecute (DEP) to Change Cutting Edge Microsoft Hacking

Microsoft will be releasing XP Service Pack 3, Vista Service Pack 1, and Server 2008 in the near future. One of the value-added features is enhancements designed to allow more use of DEP. The idea is to get DEP protection to as much code as possible, working around legacy code using ATL.

So on the surface this sounds like it will protect more code--but does it now make disabling DEP easier for an attacker? Are more third party applications going to provide this as a configuration disable-DEP option and weaken the practical security posture of a system?

Michael Howard's blog

It will be interesting to see if this simplifies the step of changing EIP via a vulnerability. If it doesn't make return2libc style exploits easier, it will at least make some more reliable (such as the proof of concept for MS08-001). I'm hoping to spend some time on the details in the next couple of weeks, but teaching SANS Security 504 in Calgary, AB is my priority.
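One way to keep an eye on the question raised above, whether more programs end up opted out of DEP after the service packs: an audit script, added here as an example and not code from the post or from Michael Howard's blog. It assumes Vista/Server 2008 (the Win32_OperatingSystem DEP properties) and that per-program DEP exceptions are recorded under the AppCompatFlags\Layers key with the `DisableNXShowUI` flag; run it before and after the update and diff the output.

```powershell
# Added example (not from the post). Reports the system-wide DEP policy and lists
# programs that have been given a DEP opt-out. Assumes Vista+ WMI properties and the
# AppCompatFlags\Layers / DisableNXShowUI convention for per-program exceptions.

function Get-DepPolicy {
    $os = Get-WmiObject Win32_OperatingSystem
    # SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default client), 3 = OptOut
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    New-Object PSObject -Property @{
        Policy        = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
        HardwareDep   = $os.DataExecutionPrevention_Available
        Protects32Bit = $os.DataExecutionPrevention_32BitApplications
    }
}

function Get-DepOptOuts {
    # Each value name under Layers is a program path; data containing DisableNXShowUI
    # means "run this program with DEP off". Check both the machine and user hives.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
            'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSChildName, etc.
            if ("$($p.Value)" -match 'DisableNXShowUI') {
                New-Object PSObject -Property @{ Program = $p.Name; Flags = $p.Value; Hive = $k }
            }
        }
    }
}

Get-DepPolicy | Format-List
Get-DepOptOuts | Format-Table -AutoSize
```

Any program that appears in the opt-out list after the update but not before is a candidate for the "disable-DEP option" the post worries about, and is worth asking the vendor about.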