On Fri, 7 Mar 2008, Erik Trulsson wrote:
I wonder what other expansion ports can allow such control over the host
computer. What about SCSI (which Firewire is partly based on in some
aspects)? Or eSATA? Or PCMCIA/PCCard?
Good question.
SCSI: I do not think you can coax the HBA to let you
How much should the average user worry about this? Not very much. Most
notebooks from average users don't even have Firewire on them and you
would have an easier time cracking them with a dictionary attack on
the password and other such things, which means that this attack
makes you no more
From: [EMAIL PROTECTED] On Behalf Of FD
Sent: Monday, March 10, 2008 11:50 AM
To: Larry Seltzer
Cc: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] Firewire Attack on Windows Vista
How much should the average user worry about this? Not very much. Most
notebooks from average users
Hi, I am new to this list.
I was reading your messages, and began to wonder: for a temporary fix action,
why not just disable the ability to install new firewire devices? I know
that this does not fix the fundamental problem, but it could work as a
decent kludge.
I am reminded of the NSA
Larry Seltzer wrote:
WRT the DMA access over FireWire it's but a bad response since it
doesn't get the point!
1. Drive encryption won't help against reading the memory.
2. The typical user authentication won't help, we're at hardware level
here, and no OS needs to be involved.
3. The computer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Interesting thread, I'll come at it from a different perspective.
Computer forensics and incident response also has an application for
gaining access to physical memory. Discovering encryption keys from
memory and other volatile artifacts may be of
On Fri, Mar 07, 2008 at 02:44:12PM -0500, Larry Seltzer wrote:
Let's say the computer is off. You can turn it on, but that gets you to
a login screen. What can the Firewire device do?
Just about anything it wants to. It uses DMA (Direct Memory Access) which
can be initiated by any device on
Larry Seltzer wrote:
I actually do have a response from Microsoft on the broader issue, but it
doesn't address these issues or even concede that there's necessarily
anything they can do about it. They instead speak of the same
precautions for physical access that they spoke of a couple weeks
WRT the DMA access over FireWire it's but a bad response since it
doesn't get the point!
1. Drive encryption won't help against reading the memory.
2. The typical user authentication won't help, we're at hardware level
here, and no OS needs to be involved.
3. The computer is up (and running;
You're mistaken in thinking that we're conflating sleep and hibernate
modes.
Microsoft's response of using two factor authentication is silly. It
doesn't actually stop our attacks. In certain circumstances, it may
shorten the window of attack for a specific type of user but it's mostly
irrelevant.
Larry, there is no disk involved on the problem, only memory.
So if the disk is encrypted or not, doesn't matter.
Regards,
Jardel Weyrich
On Sun, Mar 9, 2008 at 11:14 PM, Larry Seltzer [EMAIL PROTECTED]
wrote:
WRT the DMA access over FireWire it's but a bad response since it
doesn't get the
What points are you trying to stab at for an article?
You've hit on them pretty well. My own experience with DMA programming
was 20 years ago with real mode DOS drivers, but I was surprised to
learn from this thread that a DMA mass storage device on Linux, Mac and
Windows gets unimpeded access
Hi Larry,
- use drive
encryption, use 2-factor authentication, use hibernate instead of sleep,
use group policy to enforce them.
Uh... yeah. So how again does drive encryption help you against this
attack? Certain forms of 2-factor auth might help you, but all of the
kinds I've seen would
The funniest is using hibernate...
Did you perchance read: http://www.eff.org/press/archives/2008/02/21-0
??
Yeah, I made specific reference to that attack in my message. There's a
big difference between sleep mode and hibernate mode. In hibernate the
system is powered off. Even if the memory has some residual charge I'm
sure it's far less reliable than with sleep.
Yeah, but the whole point is if
Subject: Re: [Full-disclosure] Firewire Attack on Windows Vista
What are the implications for firewire device compatibility of doing
this?
I am no expert on ieee1394, but I have read up a bit on this and
tested
Metlstorm's memory dumping tool and here's what I understand:
Firewire chipsets
key, then don't have autorun (which is default) automatically enabled
for the device.
Thanks to Blue Boar for pointing out that autorun doesn't have anything
to do with it if the attack device can have the drivers automatically
installed (and, of course, that the host controller is enabled).
Let's say the computer is off. You can turn it on, but that gets you to
a login screen. What can the Firewire device do?
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]
Let's say the computer is off. You can turn it on, but that gets you
to a login screen. What can the Firewire device do?
OK, I guess I misunderstood the original paper
(http://www.sec-consult.com/fileadmin/Whitepapers/Vista_Physical_Attacks.pdf).
It now looks to me like they are claiming they
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:full-
[EMAIL PROTECTED] On Behalf Of Larry Seltzer
Sent: Friday, March 07, 2008 11:51 AM
To: Bugtraq; Full Disclosure
Subject: Re: [Full-disclosure] Firewire Attack on Windows Vista
Let's say the computer is off. You can turn it on, but that gets
On Fri, 07 Mar 2008 14:51:07 -0500, Larry Seltzer wrote:
Let's say the computer is off. You can turn it on, but that gets you
to a login screen. What can the Firewire device do?
OK, I guess I misunderstood the original paper
Roger, you should note that Adam's Hit by a Bus paper includes
information about how Linux users can load their OS' Firewire driver in
a way that should disallow physical memory DMA access, and close this
attack vector.
What are the implications for firewire device compatibility of doing
this?
...Windows would not do this. It would only open up access to devices
that it thought needed DMA. This is why Metlstorm had to make his Linux
machine behave like an iPod to fool Windows into spreading its legs.
So the iPod software opens up the whole address space? I don't get it.
No, the
An anonymous list lurker asked me off-list to answer this question for
public gratification:
Can this feature be leveraged without drivers on the target system?
IOW, if one just unloads (or doesn't load) the firewire driver, is it
still exploitable?
No, I don't believe so. At least on Linux,
No, the iPod device signature makes Windows drivers think it should
allow DMA access for that device because it detects it as a disk device.
Other disk device signatures would likely work the same way, that's
just the one he happened to emulate.
Is it not possible for Windows (or any OS) to open
Is it not possible for Windows (or any OS) to open up DMA for a device
only to a certain range?
If not, what options are available?
I have various forms of RSI and don't feel like typing it again:
On Thu, Mar 06, 2008 at 12:00:09PM -0800, Tim wrote:
[...]
Of course this is not an
-----Original Message-----
From: Larry Seltzer [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 06, 2008 9:51 AM
To: Peter Watkins; Roger A. Grimes
Cc: Bernhard Mueller; Full Disclosure; Bugtraq
Subject: RE: Firewire Attack on Windows Vista
Roger, you should note that Adam's Hit by a Bus
Hi Glenn,
It should be realized though that fixing this is not necessarily a simple
thing, nor are architectural considerations missing.
I most probably understated the difficulty of implementing a safe
ieee1394 DMA driver earlier. However, it's one of those things where
the drivers ought to
Sent: Thursday, March 06, 2008 3:36 PM
To: Tim
Cc: Full Disclosure; Bugtraq
Subject: Re: [Full-disclosure] Firewire Attack on Windows Vista
No, the iPod device signature makes Windows drivers think it should
allow DMA access for that device because it detects it as a disk device.
Other disk device signatures
Hello,
In the light of recent discussions about firewire / DMA hacks, we would
like to throw in some of the results of our past research on this topic
(done mainly by Peter Panholzer) in the form of a short whitepaper. In
this paper, we demonstrate that the firewire unlock attack (as
implemented
Dear All,
That said the original work on this from metlstorm is in the news [1]
and can be found here : http://storm.net.nz/projects/16
[1] http://it.slashdot.org/article.pl?sid=08/03/04/1258210from=rss
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3
I believe their work is an expansion of this:
http://www.theage.com.au/news/security/hack-into-a-windows-pc-no-password-needed/2008/03/04/1204402423638.html,
which demonstrated the vuln. in XP (and, according to the paper, it's been
demonstrated with other OS's as well), and their work was
On Thu, 6 Mar 2008, Roger A. Grimes wrote:
As somewhat indicated in the paper itself, these types of physical
DMA attacks are possible against any PC-based OS, not just Windows.
If that's true, why is the paper titled around Windows Vista?
I guess it makes headlines faster. But isn't as
On Wed, Mar 05, 2008 at 04:30:35PM -0500, Roger A. Grimes wrote:
As somewhat indicated in the paper itself, these types of physical DMA
attacks are possible against any PC-based OS, not just Windows. If that's
true, why is the paper titled around Windows Vista?
I guess it makes headlines
Salut, Roger,
On Wed, 5 Mar 2008 16:30:35 -0500, Roger A. Grimes wrote:
As somewhat indicated in the paper itself, these types of physical
DMA attacks are possible against any PC-based OS, not just Windows.
If that's true, why is the paper titled around Windows Vista?
That's very easy: