27 Feb 2008 @ 23:09 

I was recently made aware of a feature in notepad that I was not aware of.

If you open Notepad, type .LOG (in capital letters) and then save the file.

The next time you open that .txt file, Notepad will automatically append the date to the end of the file.

Handy if you want to keep a manual log in a file, for instance of changes made on a server.

Posted By: Xenophane
Last Edit: 27 Feb 2008 @ 23:14

EmailPermalinkComments (2)
Tags
Categories: Tech Stuff
 25 Feb 2008 @ 0:04 

The Princeton “Lest We Remember: Cold Boot Attacks on Encryption Keys” paper discussed in the post below sparked a debate on the Minasi forum (in which, as most people know, I participate actively).

The user Douggg suggested using a mostly unknown security feature of modern ATA drives that lets a user password-protect the drive itself.

So I decided to do some research into it.

The Security Mode feature set was initially created for 2½" (laptop) disks in about 1996. The ATA specification describes it as follows:

——————————————————————————–
The optional Security Mode feature set is a password system that restricts access to user data stored on a device. The system has two passwords, User and Master and two security levels, High and Maximum. The security system is enabled by sending a user password to the device with the SECURITY SET PASSWORD command. When the security system is enabled, access to user data on the device is denied after a power cycle until the User password is sent to the device with the SECURITY UNLOCK command.

A Master password may be set in addition to the User password. The purpose of the Master password is to allow an administrator to establish a password that is kept secret from the user, and which may be used to unlock the device if the User password is lost. Setting the Master password does not enable the password system.

The security level is set to High or Maximum with the SECURITY SET PASSWORD command. The security level determines device behavior when the Master password is used to unlock the device. When the security level is set to High the device requires the SECURITY UNLOCK command and the Master password to unlock. When the security level is set to Maximum the device requires a SECURITY ERASE PREPARE command and a SECURITY ERASE UNIT command with the master password to unlock. Execution of the SECURITY ERASE UNIT command erases all user data on the device.

The SECURITY FREEZE LOCK command prevents changes to passwords until a following power cycle. The purpose of the SECURITY FREEZE LOCK command is to prevent password setting attacks on the security system.
——————————————————————————–

What this seems to mean is that a drive can be set to one of two security levels, High and Maximum.

In High security mode both the “user” and the “master” password are able to unlock the drive.

In Maximum security mode only the “user” password will unlock the drive; the “master” password has to be sent together with an erase command, which overwrites the entire disk with zeros before access to the disk is allowed again.

IBM started making this widely available in their 3½" disks in 1998 as well. Microsoft later asked Seagate to build the security feature into their 3½" drives for the Xbox to protect them, and later WD followed suit.
This means that practically all disks today have the “security features” available.

As a security precaution the devices have a command called “SECURITY FREEZE LOCK”; once this command has been sent, the device will not accept any changes to the passwords until the next boot. The problem is that most PC manufacturers have not added this command to the BIOS of their PCs, meaning that it is theoretically possible to set the password while the PC is running, rendering the disk unreadable at the next boot.

Luckily for us, the Windows API that passes ATA commands through to the drive does not support the following commands:

——————————————————————————–
SECURITY SET PASSWORD
SECURITY UNLOCK
SECURITY ERASE PREPARE
SECURITY ERASE UNIT
SECURITY FREEZE LOCK
SECURITY DISABLE PASSWORD
——————————————————————————–

So in order to abuse it, someone would have to gain admin access to the PC, install a kernel-mode driver that can communicate directly with the disk, and the BIOS must not have sent the “SECURITY FREEZE LOCK” command.

On the security side, Heise.de tested it and found that it was not enough to remove the circuit board and replace it with a board from an unlocked drive, so the password data is stored on the drive platters as well.
They sent the drive to IBAS (a Norwegian data recovery company), who were able to recover the key (how they did it, they call a trade secret).

As with most closed systems it is not known whether there is a “master master” password above the Master password, though vendors claim there isn’t.

So if you want to add another security hurdle besides encryption, find a PC with a BIOS that supports the security features, set the security level to Maximum, and encrypt the disk with your favourite encryption software. This should scare off everyone except the most adamant hackers or Big Brother.

There is a tool called WinAAM (German) that is used to manipulate drive acoustics; it will also tell you the current security setting of the drive, so you can use it to see whether your BIOS sets SECURITY FREEZE LOCK on the drive. If it doesn’t, consider checking for a BIOS update; you might be lucky and find that the new BIOS sets it.

From what I have read I am convinced that the ATA security standard is not unbreakable: with the right experience and equipment it is still possible to bypass the ATA password, and it does not mitigate the original problem, the possibility of extracting encryption keys from RAM. But it is definitely an extra layer of security.
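To make the WinAAM-style check concrete, here is an added example of my own (not code from the post or from WinAAM) that decodes the security status word a drive returns in its IDENTIFY DEVICE data. It assumes you already have the 512-byte IDENTIFY block as a byte array (obtaining it from the drive is outside the example) and the ATA/ATAPI-7 layout of word 128.

```powershell
# Added example, not from the original post: decode word 128 ("security status")
# of a 512-byte IDENTIFY DEVICE block. Assumed bit layout (ATA/ATAPI-7):
# bit 0 supported, 1 enabled, 2 locked, 3 frozen, 4 count expired,
# 5 enhanced erase supported, 8 security level (0 = High, 1 = Maximum).
function ConvertFrom-AtaSecurityStatus {
    param([Parameter(Mandatory)][byte[]]$IdentifyData)
    if ($IdentifyData.Length -ne 512) { throw 'IDENTIFY DEVICE data must be 512 bytes' }

    # IDENTIFY words are little-endian 16-bit values; word 128 is at byte offset 256.
    $w128 = [BitConverter]::ToUInt16($IdentifyData, 256)
    $supported = [bool]($w128 -band 0x0001)
    $frozen    = [bool]($w128 -band 0x0008)
    $level     = if ($w128 -band 0x0100) { 'Maximum' } else { 'High' }

    # The check the post recommends: an unfrozen drive still accepts
    # SECURITY SET PASSWORD from software on the host, so look for a BIOS update.
    $finding = if (-not $supported) { 'Security Mode feature set not supported' }
               elseif ($frozen)     { 'Frozen: BIOS sent SECURITY FREEZE LOCK' }
               else                 { 'NOT frozen: a password can still be set while the OS runs' }

    [pscustomobject]@{
        Supported     = $supported
        Enabled       = [bool]($w128 -band 0x0002)
        Locked        = [bool]($w128 -band 0x0004)
        Frozen        = $frozen
        CountExpired  = [bool]($w128 -band 0x0010)
        EnhancedErase = [bool]($w128 -band 0x0020)
        Level         = $level
        Finding       = $finding
    }
}

# Constructed sample (not captured from a real drive): security supported,
# password not enabled, not locked, not frozen, level High.
$sample = New-Object byte[] 512
$sample[256] = 0x01   # low byte of word 128: only bit 0 set
$sample[257] = 0x00   # high byte of word 128: bit 8 clear, so level = High
ConvertFrom-AtaSecurityStatus -IdentifyData $sample | Format-List
```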

Posted By: Xenophane
Last Edit: 25 Feb 2008 @ 00:04

Categories: Tech Stuff
 24 Feb 2008 @ 23:51 

Researchers from Princeton recently published a paper about the possibility of extracting information from RAM even after the PC has been turned off.

In short, modern RAM, contrary to popular belief, does not instantly lose its contents; it degrades gradually over time.
What does this mean?

One security issue arises from the fact that most disk encryption software keeps the encryption key and precomputed key schedules in memory for performance reasons: if an attacker gains access to the machine, he can copy these out of RAM for offline attacks.

The paper further tests how low temperatures prevent rapid decay of the data in RAM: they cooled the RAM modules to −50 °C, which led to less than 1% data degradation over 5 minutes.

They even tried cooling a module down with liquid nitrogen and observed a 0.17% decay after 60 minutes.

You can read the full article here.

Posted By: Xenophane
Last Edit: 24 Feb 2008 @ 23:55

Categories: Tech Stuff
Dir /R

01 Feb 2008 @ 12:30

While I was looking for information about streams in NTFS I found this little gem that I did not know: in Vista the dir command has been upgraded so that it can show alternate data streams as well.

If you run dir /R it lists the streams along with the files, like this:

03-12-2007 11:16 23.993 ConsoleLib.ps1
26 ConsoleLib.ps1:Zone.Identifier:$DATA
03-12-2007 11:16 1.433 Get-ScriptParameters.ps1
26 Get-ScriptParameters.ps1:Zone.Identifier:$DATA
01-02-2008 11:36 8.991 Init-TabExpansion.ps1
26 Init-TabExpansion.ps1:Zone.Identifier:$DATA

Posted By: Xenophane
Last Edit: 01 Feb 2008 @ 12:33

Categories: Tech Stuff
 01 Feb 2008 @ 12:25 

As I wrote in an earlier post I am using PowerTab in PowerShell. I recently upgraded to version 0.99 Beta 2 and it would come up with:

Security Warning
Run only scripts that you trust. While scripts from the Internet can be useful, this script can potentially harm your computer. Do you want to run foo.ps1?
[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"):

I got this every time I started PowerShell because it was loading the PowerTab files from my PowerShell profile.
I know this is not good practice, but the execution policy on my test machine was set to “Unrestricted”, so I was wondering why I still got the warning. If I changed my execution policy to RemoteSigned I got the familiar

File C:\Users\ctn\Documents\WindowsPowerShell\PowerTab\Init-TabExpansion.ps1 cannot be loaded. The file C:\Users\ctn\Documents\WindowsPowerShell\PowerTab\Init-TabExpansion.ps1 is not digitally signed. The script will not execute on the system. Please see "get-help about_signing" for more details.
At C:\Users\ctn\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1:16 char:2
+ & <<<< 'C:\Users\ctn\Documents\WindowsPowerShell\PowerTab\Init-TabExpansion.ps1' `

That made me remember something Mark said about Vista tagging all files to see if they are internet files or local files, trusted or untrusted.

So I looked into where Vista stores this information (If my memory was better I am sure Mark has said that as well). So I downloaded Streams from Sysinternals to see if something was stored in the stream of the files.

I ran

streams.exe c:\Users\ctn\Documents\WindowsPowerShell\PowerTab\Init-TabExpansion.ps1

which resulted in:

Streams v1.56 – Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals – www.sysinternals.com

c:\Users\ctn\Documents\WindowsPowerShell\PowerTab\Init-TabExpansion.ps1:
:Zone.Identifier:$DATA 26

Lo and behold, the PowerTab files have a 26-byte Zone.Identifier:$DATA stream.

I opened the stream to see what it… This can be done with good ol’ trusty Notepad:

notepad File-Name.ps1:Zone.Identifier

Notepad showed the following:

[ZoneTransfer]
ZoneId=3

I thought: ZoneId=3? I consulted the Internet and found the following table.

NoZone = -1
MyComputer = 0
Intranet = 1
Trusted = 2
Internet = 3
Untrusted = 4

I then changed the ZoneId value to 2 (Trusted) and I no longer get the annoying security warning.

Just for fun I tried to change my execution policy to RemoteSigned, and it still executed the script without any trouble.
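As an added example of my own (not code from the post or from PowerTab) tying the dir /R post and this one together, here is a script that walks a folder, reads each file’s Zone.Identifier stream and translates the ZoneId with the table above. It assumes PowerShell 3.0 or later, where Get-Item, Get-Content and Unblock-File understand alternate data streams; on the Vista-era PowerShell in the post you would use dir /R and Notepad as shown.

```powershell
# Added example, not part of the original posts: audit which .ps1 files carry a
# Zone.Identifier stream and what zone they were tagged with.
$ZoneNames = @{ 0 = 'MyComputer'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Untrusted' }
$ZoneNames[-1] = 'NoZone'

function Get-ZoneTag {
    param([Parameter(Mandatory)][string]$Path)

    # A file created locally has no Zone.Identifier stream at all; report it as untagged.
    $ads = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) {
        return [pscustomobject]@{ Path = $Path; ZoneId = $null; Zone = 'Untagged'; Bytes = 0 }
    }

    # The stream is a tiny ini file: [ZoneTransfer] followed by ZoneId=<n>.
    $zoneId = $null
    foreach ($line in (Get-Content -LiteralPath $Path -Stream Zone.Identifier)) {
        if ($line -match '^\s*ZoneId\s*=\s*(-?\d+)\s*$') { $zoneId = [int]$Matches[1]; break }
    }

    $zone = if ($null -eq $zoneId)                 { 'Malformed stream' }
            elseif ($ZoneNames.ContainsKey($zoneId)) { $ZoneNames[$zoneId] }
            else                                     { 'Unknown' }

    [pscustomobject]@{ Path = $Path; ZoneId = $zoneId; Zone = $zone; Bytes = $ads.Length }
}

# Usage: audit the profile folder from the post (the path is the post's own example).
$folder = Join-Path $HOME 'Documents\WindowsPowerShell'
Get-ChildItem -LiteralPath $folder -Filter *.ps1 -Recurse -File |
    ForEach-Object { Get-ZoneTag -Path $_.FullName } |
    Format-Table Path, ZoneId, Zone, Bytes -AutoSize

# Once you have verified where a script came from, Unblock-File deletes the stream,
# which is the supported way to clear the mark rather than editing ZoneId in Notepad:
# Unblock-File -LiteralPath (Join-Path $folder 'PowerTab\Init-TabExpansion.ps1')
```

Files showing ZoneId 3 or 4 are the ones that will trigger the security warning under RemoteSigned, which is the quickest way to see why a profile prompts at start-up.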

Posted By: Xenophane
Last Edit: 01 Feb 2008 @ 12:25

Categories: Tech Stuff
