Forensics on PDAs, notes from the field
Saint John of Cryptome has a particularly tasty link to http://csrc.nist.gov/publications/drafts.html#sp800-72 which describes the state of the art in PDA forensics. There is also a link to a CDROM of secure hashes of various "benign" and less benign programs that the NIST knows about. Including a list of "hacker" programs. Including stego. Pigs use this to discount commonly-distributed software when analyzing a disk (or, presumably, your PDA's flash). See http://www.nsrl.nist.gov/ also http://www.nsrl.nist.gov/Untraceable_Downloads.htm

Obvious lesson: Steganography tool authors, your programs should use the worm/HIV trick of changing their signatures with every invocation. Much harder for the forensic fedz to recognize your tools. (As suspicious, of course). The NIST CDROM also doesn't seem to include source code amongst its sigs, so if you compile yourself, you may avoid their easy glance.

Notes from the Field: My paper & image handling keiretsu job has a fellow working on secure Linux disk-drive delete -- even if you pull the plug, on power up it finishes the job. Nice. Thank you, HIPAA, banks, etc.
On Wed, 11 Aug 2004, Major Variola (ret) wrote:
Obvious lesson: Steganography tool authors, your programs should use the worm/HIV trick of changing their signatures with every invocation. Much harder for the forensic fedz to recognize your tools. (As suspicious, of course).
It should be enough to do that at installation time. The adversary in this model gets to analyze the file only once, and we want to make sure that nobody tampered with the file as a protection against other, more "active" threat models. What we want is to have a file and its hash, so we can make sure the file content is unchanged, but the hash has to be as globally unique as possible.
The NIST CDROM also doesn't seem to include source code amongst its sigs, so if you compile yourself, you may avoid their easy glance.
A cool thing for this purpose could be a patch for gcc to produce unique code every time, perhaps using some of the polymorphic methods used by viruses. Just adding a chunk of data to make the hash unique will work against the current generation of the described tools. But we should plan for the future: what moves can the adversary make to counter this step?

Then there's the matching of date/time of the files to "real-life" events. Perhaps a countermeasure could be a modified vfat filesystem which assigns free clusters randomly instead of sequentially (on a solid-state medium fragmentation does not matter), which avoids the reconstruction of the file saving order by matching the position of their clusters (at the price of making undelete difficult), and an absence of timestamps (01-01-1970 is a nice date anyway). The file delete function in the filesystem driver can be modified to overwrite-and-delete, at the price of higher wear of the FlashEPROM medium. Linux-based (and open-architecture in general) PDAs should offer much higher thug-resistance.
On Thu, 12 Aug 2004, Thomas Shaddack wrote:
The NIST CDROM also doesn't seem to include source code amongst its sigs, so if you compile yourself, you may avoid their easy glance.
A cool thing for this purpose could be a patch for gcc to produce unique code every time, perhaps using some of the polymorphic methods used by viruses.
Just adding a chunk of data to make the hash unique will work against the current generation of the described tools. But we should plan for the future: what moves can the adversary make to counter this step?
We can do some in-depth changes of the executable, using the "Steganography in executable files" approach described here (and on Slashdot) recently. See e.g. here: http://www.informit.com/articles/article.asp?p=102181&seqNum=6

The difference is we don't want to store anything in the file itself but just to change its content without changing its function. We can use the Hydan approach, using random data as what to store inside. Adding a command

dd if=/dev/urandom count=<length/bs> | $HYDAN_STEGO $exefile

(where $HYDAN_STEGO is the steganography-adding program and $exefile is the product of the compilation by an unmodified compiler) into the makefile of the project could make the signatures unique for every compilation. Same applies to installation scripts. As we shouldn't trust our tools completely, a suite of suitable test vectors should be run afterwards.

This can be used in combination with executable packers (e.g. UPX), or some wrappers for "copy-protection", which wrap and optionally encrypt the executable and refuse to run it when e.g. a dongle (which can contain the key) is not present in the computer. It doesn't work for copy protection too well, but can slow down the adversary (or make some of their attack methods impossible or impractical to use) in other scenarios. If the usage scenario is plausible, the deployment of the protection technology may "make sense", so its presence won't necessarily have to raise suspicion. (We have to always keep in mind that the presence of any given technology can be a factor on its own.)

The adversary then has to resort to heuristic analysis of the code segments, or hashing data segments, or maintaining sets of characteristics of the executables other than the hashes of the complete file (code/data segment sizes, addresses of jumps...), or relying on the strings in the file, or other options, all of them more difficult than hashing a file, and potentially requiring better-trained forensics people...
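The two analyst techniques the thread contrasts, whole-file hash lookup against an NSRL-style known-file set (Major Variola's post) and hashing the code segment separately so appended junk does not defeat the lookup (the counter-move Shaddack names at the end of the message above), as an added example that is not from the thread or from any NIST tool. It builds a constructed toy ELF64 image in memory (the machine-code bytes, the data string, the section layout and the 64-byte filler are all made up here), parses its section header table, and compares a clean build and a padded copy at both granularities:

```python
import hashlib
import struct

# Constructed sample payloads for a toy ELF64 image (not real code from any
# shipped program): push rbp; mov rbp,rsp; mov eax,42; pop rbp; ret.
TEXT = bytes.fromhex("554889e5b82a0000005dc3")
DATA = b"hello, world\0"

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 file header, little-endian, 64 bytes
SHDR_FMT = "<IIQQQQIIQQ"         # ELF64 section header, 64 bytes


def build_elf(text: bytes, data: bytes) -> bytes:
    """Assemble a minimal ELF64 image with .text, .data and .shstrtab sections.
    Constructed only so the example runs offline; it has no program headers
    and is not loadable."""
    shstrtab = b"\0.text\0.data\0.shstrtab\0"
    off_text = 64
    off_data = off_text + len(text)
    off_shstr = off_data + len(data)
    shoff = off_shstr + len(shstrtab)
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LSB, EV_CURRENT
    ehdr = struct.pack(EHDR_FMT, e_ident, 2, 0x3E, 1, 0x401000, 0, shoff,
                       0, 64, 0, 0, 64, 4, 3)   # ET_EXEC, EM_X86_64, 4 sections, shstrndx=3

    def shdr(name_off, sh_type, sh_flags, offset, size):
        return struct.pack(SHDR_FMT, name_off, sh_type, sh_flags, 0, offset, size, 0, 0, 1, 0)

    shdrs = (shdr(0, 0, 0, 0, 0)                                                  # SHT_NULL
             + shdr(shstrtab.index(b".text"), 1, 0x6, off_text, len(text))        # PROGBITS, AX
             + shdr(shstrtab.index(b".data"), 1, 0x3, off_data, len(data))        # PROGBITS, WA
             + shdr(shstrtab.index(b".shstrtab"), 3, 0, off_shstr, len(shstrtab)))  # STRTAB
    return ehdr + text + data + shstrtab + shdrs


def elf_sections(image: bytes) -> dict:
    """Walk the section header table and return {section name: section bytes}."""
    if image[:4] != b"\x7fELF" or image[4] != 2:
        raise ValueError("not an ELF64 image")
    fields = struct.unpack_from(EHDR_FMT, image, 0)
    shoff, shentsize, shnum, shstrndx = fields[6], fields[11], fields[12], fields[13]
    headers = [struct.unpack_from(SHDR_FMT, image, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = headers[shstrndx][4], headers[shstrndx][5]
    strtab = image[str_off:str_off + str_size]
    sections = {}
    for name_off, sh_type, _flags, _addr, offset, size, *_ in headers:
        if sh_type == 0:            # skip the mandatory null entry
            continue
        name = strtab[name_off:strtab.index(b"\0", name_off)].decode()
        sections[name] = image[offset:offset + size]
    return sections


def sha1_hex(blob: bytes) -> str:
    return hashlib.sha1(blob).hexdigest()


def match_known(image: bytes, known_file: set, known_text: set) -> tuple:
    """NSRL-style lookup at two granularities: the whole file, and the .text
    section alone. Returns (whole_file_hit, text_section_hit)."""
    return sha1_hex(image) in known_file, sha1_hex(elf_sections(image)[".text"]) in known_text


# Build the "known" set from a clean build, then check a copy with junk appended
# after the section header table (constructed, deterministic filler standing in
# for the random data the thread talks about).
ORIGINAL = build_elf(TEXT, DATA)
PADDED = ORIGINAL + bytes(range(64))
KNOWN_FILE = {sha1_hex(ORIGINAL)}
KNOWN_TEXT = {sha1_hex(elf_sections(ORIGINAL)[".text"])}

if __name__ == "__main__":
    print("original:", match_known(ORIGINAL, KNOWN_FILE, KNOWN_TEXT))  # (True, True)
    print("padded:  ", match_known(PADDED, KNOWN_FILE, KNOWN_TEXT))    # (False, True)
```

The padded copy misses the whole-file set but still hits on its .text hash, which is the practical reason known-file catalogues that record per-section or per-segment hashes are more robust than one digest over the file. A packer or a Hydan-style rewrite of the code bytes would also change the .text hash, which is why the message above lists heuristic analysis of the code segment and other structural features as the analyst's next step.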
A cool thing for this purpose could be a patch for gcc to produce unique code every time, perhaps using some of the polymorphic methods used by viruses.
The purpose would be that they do not figure out that you are using some security program, so they don't suspect that noise in the file or look for stego, right? The last time I checked the total number of PDA programs ever offered to the public in some way was around 10,000 (5,000? 100,000? Same thing.) That can be trivially checked for. Any custom-compiled executable will stand out like a sore thumb. You will suffer considerably less bodily damage inducing you to spit the passphrase than to produce the source and the compiler. Just use the fucking PGP. It's good for your genitals.
On Fri, 13 Aug 2004, Morlock Elloi wrote:
A cool thing for this purpose could be a patch for gcc to produce unique code every time, perhaps using some of the polymorphic methods used by viruses.
The purpose would be that they do not figure out that you are using some security program, so they don't suspect that noise in the file or look for stego, right?
In the better case, this. In the worse case, to force the adversary to face an unknown, unexpected situation they aren't trained to handle.
The last time I checked the total number of PDA programs ever offered to public in some way was around 10,000 (5,000 ? 100,000 ? Same thing.) That can be trivially checked for. Any custom-compiled executable will stand out as a sore thumb.
Until a Gentoo-like Linux distro for PDAs appears. Then custom-compiled code becomes quite common in that segment of consumers. Another possible way of wrecking the set of file signatures "in the wild" could be releasing a product (which then would have to become popular, so it has to be useful) that performs a function modifying the executables: maybe a code packer (flash space is still at a premium in the PDAs), maybe a realtime patcher (for e.g. protecting against some generic code exploits), in extreme cases maybe an otherwise benign trojan or worm.
You will suffer considerably less bodily damage inducing you to spit the passphrase than to produce the source and the compiler.
Yes, but the same applies to your colleague. Would you like it to be easy for your colleague to betray you?
Just use the fucking PGP. It's good for your genitals.
Unless the adversary beats the passphrase from your colleague and then comes for you. Don't be so selfish. :)
On Fri, 13 Aug 2004, Morlock Elloi wrote:
The purpose would be that they do not figure out that you are using some security program, so they don't suspect that noise in the file or look for stego, right?
The last time I checked the total number of PDA programs ever offered to public in some way was around 10,000 (5,000 ? 100,000 ? Same thing.) That can be trivially checked for. Any custom-compiled executable will stand out as a sore thumb.
How? Not if you get something like a Sharp Zaurus and compile your own environment. "Hey, I want to get as much performance out of this shitty little ARM chip as I can."
You will suffer considerably less bodily damage inducing you to spit the passphrase than to produce the source and the compiler.
What makes you think they'll have enough of a clue as to how to read the files off your PDA without booting it in the first place? 99% of these dorks use very expensive automated hardware tools that do nothing more than "dd" your data to their device, then run a scanner on it which looks for well-known JPEGs of kiddie porn. If you're suspected of something really big, or you're Middle Eastern, then you need to worry about PDA forensics. Otherwise, you're just another geek with a case of megalomania thinking you're important enough for the FedZ to give a shit about you.
Just use the fucking PGP. It's good for your genitals.
And PGP won't stand out because.... ?

----------------------Kaos-Keraunos-Kybernetos---------------------------
"Our enemies are innovative and resourceful, and so are we. They never stop thinking about new ways to harm our country and our people, and neither do we." -G. W. Bush, 2004.08.05
War is Peace, freedom is slavery, Bush is President.
-------------------------------------------------------------------------
On Fri, 13 Aug 2004, Sunder wrote:
If you're suspected of something really big, or you're middle eastern, then you need to worry about PDA forensics. Otherwise, you're just another geek with a case of megalomania thinking you're important enough for the FedZ to give a shit about you.
In the world of industrial espionage and divorce lawyers, the FedZ aren't the only threat model.
Right, in which case GPG (or any other decent crypto system) is just fine, or you wouldn't be looking for stego'ing it inside of binaries in the first place.

On Fri, 13 Aug 2004, Thomas Shaddack wrote:
In the world of industrial espionage and divorce lawyers, the FedZ aren't the only threat model.
participants (4)
- Major Variola (ret)
- Morlock Elloi
- Sunder
- Thomas Shaddack