Evil Housekeeping

October 24, 2009

Many people, myself among them, have recommended that people who keep sensitive information on laptop PCs use a disk encryption product like the free TrueCrypt, PGP’s disk encryption, or Microsoft’s BitLocker, especially if they travel with the laptop.  This is a worthwhile security precaution: it protects your data at rest, for example if your laptop is lost, confiscated, or stolen while it is powered off.  But it will not protect you against every kind of attack.

Joanna Rutkowska, the founder and CEO of Invisible Things Lab, has recently published a blog post on a so-called “evil maid” attack against a PC whose disk is encrypted with TrueCrypt. (The origin of the name, which I prefer to render as “evil housekeeper”, will be apparent shortly.)   The software to carry out the attack is loaded onto a USB stick; here is how the attack works:

  1. Security-conscious user is traveling with encrypted laptop.  After checking his E-mail in his hotel room, he goes downstairs to get something to eat, turning the laptop off first.
  2. Evil housekeeper enters the room, and turns the laptop on, booting it from the USB stick. The boot image patches the part of the disk that encryption cannot cover, the unencrypted boot loader that asks for the passphrase, adding a low-level keyboard sniffer that will capture the user’s TrueCrypt passphrase the next time he starts up the PC.
  3. The captured passphrase is then stored somewhere on the disk, to be collected on a return visit, or perhaps transmitted over the network to the evil housekeeper’s command post.

Ms. Rutkowska has, as is her wont, demonstrated that this is not just a theoretical possibility by creating an implementation of the attack suitable for use on a USB stick; it is available for download from her blog post.

This attack demonstrates a couple of important things to remember about PC system security:

  • You need to make sure you understand what any given security solution can and cannot do for you.  Remember that security is a process or system, not a product.
  • Having physical access to the machine, particularly when the attacker can get at it both before and after a period of legitimate use, trumps many otherwise good security measures.  Note that this attack, although it requires physical access to the machine, does not require any hardware modification; a few minutes alone with the laptop and a USB stick suffice.

There are some defenses against this kind of attack.  Use of the Microsoft BitLocker encryption on a PC that also has a Trusted Platform Module [TPM] provides considerable, although not absolute, security against this kind of attack: the TPM records measurements of the boot code before it runs, and the disk key is sealed to those measurements, so a modified boot loader will not unlock the volume.   Ensuring that the PC is kept physically secure will also prevent this attack; and Ms. Rutkowska has some further suggestions in the blog post.

There is more that could be done, in the encryption software, to mitigate this kind of risk.  Better use of the TPM, and Trusted Computing facilities in general, would also help.  The moral of the story is that, if you must have sensitive data on your laptop, make sure you understand the range of possible threats, and what can be done to reduce the risk of data compromise.
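As an added example (not code from the original post, nor from Ms. Rutkowska’s USB image), here is a Python script that implements one of the simplest software-side defenses the attack invites: record a hash of the unencrypted boot region while the laptop is in a trusted state, keep that hash off the laptop, and verify the region from trusted media before the passphrase is ever typed.  The disk image, the assumed layout (MBR plus loader in the first 63 sectors) and the “sniffer” bytes are all constructed for illustration.

```python
"""
Boot-region integrity check against an "evil maid" loader patch.

Whole-disk encryption has to leave the code that asks for the passphrase
(the MBR and the boot loader in the first track) unencrypted, and that is
exactly what the evil-maid USB stick overwrites.  Hashing that clear-text
region from a known-good state, keeping the hash OFF the laptop, and
re-checking it from trusted media before the passphrase is typed detects
the substitution.  The disk image below is constructed in memory for the
example; on a real machine you would read the first sectors of the block
device instead.
"""
import hashlib
import hmac
import random

SECTOR = 512
BOOT_SECTORS = 63        # assumed layout: MBR + loader occupy the first track
BOOT_REGION = SECTOR * BOOT_SECTORS


def make_clean_image(seed: int = 1) -> bytes:
    """Constructed stand-in for the laptop disk: a clear-text loader followed
    by volume data that looks random, as an encrypted volume would."""
    rng = random.Random(seed)          # fixed seed keeps the reference hash stable
    tag = b"TRUECRYPT BOOT LOADER "
    loader = tag + bytes(rng.getrandbits(8) for _ in range(BOOT_REGION - len(tag)))
    volume = bytes(rng.getrandbits(8) for _ in range(SECTOR * 64))
    return loader + volume


def boot_region_hash(image: bytes) -> str:
    """SHA-256 of the unencrypted boot region (what an evil maid must touch)."""
    return hashlib.sha256(image[:BOOT_REGION]).hexdigest()


def check_boot_region(image: bytes, reference_hash: str) -> bool:
    """True if the boot region still matches the hash recorded in a trusted state.
    The reference must live on the trusted USB stick, not on the laptop, or the
    attacker simply updates it along with the loader."""
    return hmac.compare_digest(boot_region_hash(image), reference_hash)


def evil_maid_patch(image: bytes, stub: bytes) -> bytes:
    """Simulate step 2 of the attack: splice a sniffer stub into the loader.
    The stub is placeholder bytes for the example, not a real keylogger."""
    if len(stub) > BOOT_REGION:
        raise ValueError("stub does not fit in the boot region")
    offset = BOOT_REGION - len(stub)   # tail of the loader, volume data untouched
    return image[:offset] + stub + image[offset + len(stub):]


def demo() -> tuple:
    """Walk through the scenario: record, tamper, detect.
    Returns (clean_verifies, patched_verifies)."""
    disk = make_clean_image()
    reference = boot_region_hash(disk)          # taken while the laptop is trusted
    clean_ok = check_boot_region(disk, reference)
    disk = evil_maid_patch(disk, b"<sniffer stub, placeholder bytes>")
    patched_ok = check_boot_region(disk, reference)
    return clean_ok, patched_ok


if __name__ == "__main__":
    before, after = demo()
    print("clean loader verifies:  ", before)   # True
    print("patched loader verifies:", after)    # False
```

The check is only worth anything if it runs from the same trusted USB stick that holds the reference hash, and before the passphrase prompt: once the patched loader has run and the passphrase has been typed, the secret is already gone.  A TPM performs the same kind of measurement in hardware and refuses to release the key when it changes, which is why the BitLocker-plus-TPM combination resists this attack.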

Bruce Schneier has a post on this in his “Schneier on Security” blog; he also has an excellent summary article (dating from 2005!) on Trusted Computing and the role of the TPM.


Big Brother

October 24, 2009

Yesterday, I wrote about a presentation by Google Fellow Jeff Dean on Google’s hardware and software infrastructure.  I’ve just finished reading an article that talks about another organization, the National Security Agency [NSA], which is building an enormous infrastructure.  Oddly enough, this article is in the New York Review of Books, and is a review, by James Bamford, of Matthew Aid’s new book, The Secret Sentry: The Untold History of the National Security Agency. Now, I have not read the book — although it sounds fascinating — but I was struck by some of the information that is summarized in the review.  (Mr. Bamford, incidentally, has also published books on the NSA, most recently, The Shadow Factory: The Ultra-Secret NSA from 9/11 to the Eavesdropping on America, which won an Investigative Reporters and Editors book award this year.)

The NSA’s headquarters is a very sizable establishment at Ft. Meade, in the Maryland suburbs of Washington DC.  It has long been rumored to have more computing power and employ more mathematicians than any other organization in the world, although it is the nature of intelligence agencies that these rumors will likely remain just that.  According to the article, though, the NSA is building two new super data centers, one in Utah, and one near San Antonio, Texas:

On a remote edge of Utah’s dry and arid high desert, where temperatures often zoom past 100 degrees, hard-hatted construction workers with top-secret clearances are preparing to build what may become America’s equivalent of Jorge Luis Borges’s “Library of Babel,” a place where the collection of information is both infinite and at the same time monstrous, where the entire world’s knowledge is stored, but not a single word is understood. At a million square feet, the mammoth $2 billion structure will be one-third larger than the US Capitol and will use the same amount of energy as every house in Salt Lake City combined.

Apparently, these new facilities are intended to be a repository for all the data that the NSA collects by means of electronic “snooping” on communications throughout the world.  (In theory, this surveillance is not supposed to be done in the United States without a warrant from the special Foreign Intelligence Surveillance Court.)  The “signals intelligence” gathered includes telephone calls, E-mail, Web searches, on-line commerce, and much other miscellany.  The projected volume of this information is staggering:

Just how much information will be stored in these windowless cybertemples? A clue comes from a recent report prepared by the MITRE Corporation, a Pentagon think tank. “As the sensors associated with the various surveillance missions improve,” says the report, referring to a variety of technical collection methods, “the data volumes are increasing with a projection that sensor data volume could potentially increase to the level of Yottabytes (10^24 Bytes) by 2015.”

Of course, there is no way on earth that anyone could actually look at all this data.  The best the NSA can hope to do is to screen it with software, to try to identify interesting bits for actual analysis.   But it’s still a difficult proposition, like trying to get a drink from a 48-inch water main. It’s far from obvious that collecting more data is the best way to improve the effectiveness of our national intelligence agencies, which have been repeatedly criticized for relying too much on technology, and not enough on “natural intelligence”, people who actually understand something about the areas of the world they are supposed to monitor.

The article cites a couple of instances in which the NSA and other intelligence agencies have missed the warning signs of a significant development.  One is historical: the Armed Forces Security Agency (AFSA, predecessor of the NSA) was taken by surprise when North Korean troops invaded South Korea in 1950, despite the massing of about 100,000 troops near the border; at the time, the AFSA did not possess a Korean language dictionary.  The more recent example is the terrorist attacks of September 11, 2001, which were not predicted, despite the fact that the NSA was monitoring communications by two of the lead hijackers, who were in the US preparing for the attacks. (In fact, the hijackers chose a motel in Laurel, Maryland as their command post, not far from Ft. Meade.)   It took very little time after the attacks for authorities to reconstruct what had happened: the information was there, but no one was able to “connect the dots”.

It is disturbing that so much information is being collected with minimal oversight and unknown provisions for the security of the information.  (It seems clear to me that access to these databases would be a very attractive target for terrorists and other criminals.)   And it is really not clear that it helps very much.  From what one can tell from the published accounts, most of the accused would-be terrorists arrested so far have been snared by good basic investigative and police work, rather than by electronic navel-gazing.

Bruce Schneier also has a post on this at his “Schneier on Security” blog.
