Daily Hacker

Tuesday, 8 July 2014

Cold boot attack protection with YoNTMA

YoNTMA (You’ll Never Take Me Alive!) is an open source tool to enhance Windows Bitlocker and Mac FileVault full disk encryption. It has been designed to protect the user from cold boot attacks. A side channel attack where an intruder with physical access to a machine retrieves the encryption keys from RAM memory.

Cold boot attacks can be used to get access to a fully encrypted hard drive. They are very difficult to achieve once the computer has been shut down, data remanence lasts less than a minute after you power off your computer. In that time an attacker would have to open up the computer case, extract the RAM memory modules and cool them down with liquid nitrogen before extracting the keys.

Cold boot attacks are not normally carried out by law enforcement because of the complexity and timing needed, but a cold boot attack can be easily completed if a computer is only secured with a screen lock by a user that has gone for a quick bathroom break or cup of coffee, a self executable .bat forensics file, like Mandiant Memorize, could be executed to extract the RAM memory of a fully encrypted laptop plugging in a USB thumbdrive into the locked computer, YoNTMA aims to protect you from this.

You’ll Never Take Me Alive! runs in the background monitoring when your screen locks, if it detects that the power or Ethernet cable is disconnected while the machine is locked, YoNTMA immediately puts the computer into hibernation mode to remove the encryption keys from RAM, sending them to the page file on the hard drive to protect you from a thief stealing your fully encrypted laptop and extract the keys a while later. When a computer is hibernating it is not possible to execute a program from a CD drive USB port, it needs to wake up first.

I personally feel that, if your data is so important that you need full disk encryption, it doesn’t matter if you leave the computer for ten minutes or ten seconds, you should never leave it on with the screen lock and it should be you sending it to hibernation when you need a two minutes bathroom break. But if you are the forgetful kind of person, there is no harm running YoNTMA in your computer, small things sometimes save the day when you expect it less.

This tool will likely be the most useful for companies enforcing rules to lazy employees and not private citizens with discipline and attention to details when dealing with encrypted data.

No comments:

Post a Comment