Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-11 Thread Jacob Appelbaum
Larry Seltzer wrote: You're mistaken in thinking that we're conflating sleep and hibernate modes. Microsoft's response of using two factor authentication is silly. It doesn't actually stop our attacks. In certain circumstances, it may shorten the window of attack for a specific type of user

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-11 Thread FD
How much should the average user worry about this? Not very much. Most notebooks from average users don't even have Firewire on them and you would have an easier time cracking them with a dictionary attack on the password and other such things, which means that this attack makes you no more

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-10 Thread Tim
Yeah, I made specific reference to that attack in my message. There's a big difference between sleep mode and hibernate mode. In hibernate the system is powered off. Even if the memory has some residual charge I'm sure it's far less reliable than with sleep. Yeah, but the whole point is if

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-10 Thread Jacob Appelbaum
Larry Seltzer wrote: The funniest is using hibernate... Did you perchance read: http://www.eff.org/press/archives/2008/02/21-0 ?? Yeah, I made specific reference to that attack in my message. There's a big difference between sleep mode and hibernate mode. In hibernate the system is

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-10 Thread Larry Seltzer
WRT the DMA access over FireWire it's but a bad response since it doesn't get the point! 1. Drive encryption won't help against reading the memory. 2. The typical user authentication won't help, we're at hardware level here, and no OS needs to be involved. 3. The computer is up (and running;

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-10 Thread Stefan Kanthak
Larry Seltzer wrote: WRT the DMA access over FireWire it's but a bad response since it doesn't get the point! 1. Drive encryption won't help against reading the memory. 2. The typical user authentication won't help, we're at hardware level here, and no OS needs to be involved. 3. The computer

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-10 Thread Larry Seltzer
You're mistaken in thinking that we're conflating sleep and hibernate modes. Microsoft's response of using two factor authentication is silly. It doesn't actually stop our attacks. In certain circumstances, it may shorten the window of attack for a specific type of user but it's mostly irrelevant.

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-10 Thread Ansgar -59cobalt- Wiechers
On 2008-03-09 Larry Seltzer wrote: WRT the DMA access over FireWire it's but a bad response since it doesn't get the point! 1. Drive encryption won't help against reading the memory. 2. The typical user authentication won't help, we're at hardware level here, and no OS needs to be

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-08 Thread Larry Seltzer
The funniest is using hibernate... Did you perchance read: http://www.eff.org/press/archives/2008/02/21-0 ?? Yeah, I made specific reference to that attack in my message. There's a big difference between sleep mode and hibernate mode. In hibernate the system is powered off. Even if the memory

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-08 Thread Larry Seltzer
What points are you trying to stab at for an article? You've hit on them pretty well. My own experience with DMA programming was 20 years ago with real mode DOS drivers, but I was surprised to learn from this thread that a DMA mass storage device on Linux, Mac and Windows gets unimpeded access

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-08 Thread Tim
Hi Larry, - use drive encryption, use 2-factor authentication, use hibernate instead of sleep, use group policy to enforce them. Uh... yeah. So how again does drive encryption help you against this attack? Certain forms of 2-factor auth might help you, but all of the kinds I've seen would

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Tim
...Windows would not do this. It would only open up access to devices that it thought needed DMA. This is why Metlstorm had to make his Linux machine behave like an iPod to fool Windows into spreading its legs. So the iPod software opens up the whole address space? I don't get it. No, the

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Larry Seltzer
No, the iPod device signature makes Windows drivers think it should allow DMA access for that device because it detects it as a disk device. Other disk device signatures would likely work the same way, that's just the one he happened to emulate. Is it not possible for Windows (or any OS) to open

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Larry Seltzer
...Windows would not do this. It would only open up access to devices that it thought needed DMA. This is why Metlstorm had to make his Linux machine behave like an iPod to fool Windows into spreading its legs. So the iPod software opens up the whole address space? I don't get it. Larry Seltzer

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Glenn.Everhart
No, the iPod device signature makes Windows drivers think it should allow DMA access for that device because it detects it as a disk device. Other disk device signatures

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Tim
What are the implications for firewire device compatibility of doing this? I am no expert on ieee1394, but I have read up a bit on this and tested Metlstorm's memory dumping tool and here's what I understand: Firewire chipsets allow drivers to configure a particular memory range which is

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Tim
Is it not possible for Windows (or any OS) to open up DMA for a device only to a certain range? If not, what options are available? I have various forms of RSI and don't feel like typing it again: On Thu, Mar 06, 2008 at 12:00:09PM -0800, Tim wrote: [...] Of course this is not an

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Thor (Hammer of God)
What are the implications for firewire device compatibility of doing this? I am no expert on ieee1394, but I have read up a bit on this and tested Metlstorm's memory dumping tool and here's what I understand: Firewire chipsets

Re: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Tim
Hi Glenn, It should be realized though that fixing this is not necessarily a simple thing, nor are architectural considerations missing. I most probably understated the difficulty of implementing a safe ieee1394 DMA driver earlier. However, it's one of those things where the drivers ought

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Larry Seltzer
Let's say the computer is off. You can turn it on, but that gets you to a login screen. What can the Firewire device do? Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blogs.pcmag.com/securitywatch/ Contributing Editor, PC Magazine

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Thor (Hammer of God)
key, then don't have autorun (which is default) automatically enabled for the device. Thanks to Blue Boar for pointing out that autorun doesn't have anything to do with it if the attack device can have the drivers automatically installed (and, of course, that the host controller is enabled).

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Thor (Hammer of God)
Let's say the computer is off. You can turn it on, but that gets

RE: [Full-disclosure] Firewire Attack on Windows Vista

2008-03-07 Thread Larry Seltzer
Let's say the computer is off. You can turn it on, but that gets you to a login screen. What can the Firewire device do? OK, I guess I misunderstood the original paper (http://www.sec-consult.com/fileadmin/Whitepapers/Vista_Physical_Attacks.pdf). It now looks to me like they are claiming they