Friday, October 23, 2009

Mitigating the Evil Maid Attack

The security world is buzzing with news of the so-called "evil maid" attack. The basic warning is this: no matter how secure you think you are, you aren't. Full-disk encryption is now provably breakable, and without actually having to break the encryption itself. All you need to do is get ahold of a computer that has been shut down, boot to your own boot device, screw with the boot loader, and shut down again... and then come back after the computer has been turned on and logged into by the real user.

This attack has been called the evil maid attack because a hotel maid is in a perfect position to accomplish this. They have access to the room when you're not around, and leaving a "do not disturb" sign on your door is hardly a deterrent. If you stay at a hotel multiple nights in a row, and you leave your computer in your room while you're not around, you are leaving yourself at risk. You may be the subject of a targeted attack, where the attacker poses as a maid or otherwise gains access to your hotel room while you're out. Or an attacker may get an actual job as a maid at a high-profile hotel, where they know that plenty of secrets will always be passing their way, waiting to be stolen.

There are measures you can take to try to prevent this attack from occurring in the first place. Think of them in terms of both intrusion prevention and intrusion detection. For instance, a BIOS password can be difficult at best to compromise on a laptop. This is an aspect of intrusion prevention. Of course, it is still possible to reset the BIOS password on a laptop, which will then give the attacker access to install the attack MBR. But if you turn on your computer and there is suddenly no password, when you previously had one, then you know that something is amiss. This is a form of intrusion detection.
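A second detection layer for the modified-MBR case is to record digests of the boot area while the machine is known to be clean and compare them later. The sketch below is an added example, not code from the original post; the script name, the JSON baseline format and the default of 63 sectors before the first partition are assumptions.

```python
import hashlib
import json
import sys

SECTOR = 512
BOOT_CODE_LEN = 440  # MBR bootstrap code; disk signature and partition table follow

def measure(device, boot_sectors=63):
    """Hash the regions before the first partition that hold boot code.

    boot_sectors is an assumption: 63 suits legacy layouts, 2048 newer ones.
    """
    with open(device, "rb") as f:
        data = f.read(SECTOR * boot_sectors)
    if len(data) < SECTOR or data[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    return {
        "mbr_code": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partition_table": hashlib.sha256(data[446:510]).hexdigest(),
        "post_mbr_sectors": hashlib.sha256(data[SECTOR:]).hexdigest(),
    }

def save_baseline(device, baseline_path, boot_sectors=63):
    """Record known-good digests; keep this file off the laptop's own disk."""
    with open(baseline_path, "w") as f:
        json.dump(measure(device, boot_sectors), f, indent=2)

def changed_regions(device, baseline_path, boot_sectors=63):
    """Return the names of regions whose digest no longer matches the baseline."""
    with open(baseline_path) as f:
        baseline = json.load(f)
    current = measure(device, boot_sectors)
    return sorted(name for name in baseline if baseline[name] != current.get(name))

if __name__ == "__main__":
    # Usage: mbrcheck.py save|check DEVICE BASELINE   (hypothetical script name)
    action, device, baseline_path = sys.argv[1:4]
    if action == "save":
        save_baseline(device, baseline_path)
    else:
        changed = changed_regions(device, baseline_path)
        print("CHANGED: " + ", ".join(changed) if changed else "boot area matches baseline")
        sys.exit(1 if changed else 0)
```

Run the check from boot media you carry with you, with the baseline stored on that media, because boot code that has already been replaced can influence what the installed operating system reports.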

You could always use a thumb drive to boot your machine, which would make an evil maid attack against your actual hard drive completely worthless. This introduces another aspect of computer security, which security experts will always disparage, called "security through obscurity". If the attacker doesn't know that you use this method, then they won't be able to attack against it. The problem with this method is, now you have to protect both your boot key, and your laptop. If you only use one thumb drive to boot your machine, and that drive somehow gets damaged (water, static electricity, EMF), then you lose the ability to use your computer.

You could change your password on every boot. Using traditional methods, this is tedious and inconvenient, and ignores the fact that the modified boot record might be prepared for it anyway. You could use a password dongle, but that suffers from the same limitations as the thumb drive.

You could leave your computer on, of course. If somebody shuts it down and messes with your boot record, then you'll at least be able to detect that. But then your computer is also susceptible to a cold boot attack, which doesn't require the attacker to return later, so that's out. Using a fingerprint scanner for authentication? Your fingerprints are probably everywhere on your computer already, and even the Mythbusters were able to fool these using little more than a photocopy.

So it would seem that leaving your computer off while you're not in the room is safer than leaving it on. Using alternative boot methods helps, but cannot completely prevent the attack. Using a combination of methods is best, and while it may not provide 100% protection, it can slow down the attacker, and that may be enough.

Anybody else have any other methods that I missed?

Wednesday, October 21, 2009

Whiskerino 2009

"He that hath a beard is more than a youth, and he that hath no beard is less than a man." - William Shakespeare

The great Whiskerino 2009 is nigh at hand. In short, it is a beard-growing contest. The basic idea is, on November 1st, you shave. Everything comes off. And then you don't shave again until the end of February.

I have a lot of friends who have never seen me without a beard. When I met my wife, I had a goatee, and by the time our first child was born, I was sporting a full beard. Neither has ever seen me without facial hair. I'm a little worried my daughter won't recognize me.

I'm not that worried though. We had a dress code at cooking school that stated that you could have a beard or no beard, but you could not be in the stages of growing a beard. I knew that if we had a three-day weekend, I would have enough time to grow a long enough beard to be within the requirements of the dress code.

Of course I'm planning to enter the Whiskerino. I have a few friends that plan to as well. One rule is, you must post photos of your beard at least every 7 days, and more often towards the end. Never before has my beard been so well documented. I plan to post photos on my blog as well. For those who only read it via RSS, you're out of luck. I will be posting the photos on the side bar on my site.

If anybody out there has been contemplating growing a beard but waiting for the right time, the right time is now. Well, in a week and a half. I issue a challenge to all of my geek friends out there with the ability to grow facial hair. Even Shakespeare knew the importance of a Unix beard. Now is your beard's time to shine!