Anthony Vance

Assistant Professor—Information Systems—Brigham Young University

Archive for security

The iPhone 3GS and Forensics: Encryption Changes the Game?

13 Jun, 2009  6 Comments

One of the new iPhone 3GS features that has received little attention this week is hardware encryption. However, from a forensics standpoint, this is probably the most significant feature of the new update. The feature is buried at the bottom of this “more features” page:

Phil Schiller also briefly mentions this feature at 1:52 of the Apple keynote.

Why Encryption on the iPhone Matters

Encryption on the iPhone matters to businesses because the iPhone can store potentially sensitive information. Among other things, forensics investigators can recover the following from iPhones (from iPhone Forensics by Jonathan Zdziarski):

  • Keyboard caches containing usernames, passwords, and nearly everything typed on the iPhone.
  • Screenshots of the last state of an application before the home button is pressed to return to the main menu.
  • Deleted images.
  • Deleted calendar entries and contacts.
  • A record of the last 100 calls made.
  • Viewed Google Maps images and directions.
  • Browser history and caches, even when deleted.
  • Deleted email messages.
  • Deleted voicemail.
  • Pairing records establishing which computers the iPhone was synced with.

You might think that extensive forensics experience and knowledge of the iPhone operating system and file system are needed to recover this data. However, several specialized forensics tools, such as Paraben’s Device Seizure and the Sixth Legion’s Wolf, have automated this forensics process and can recover sensitive data from iPhones in seconds.


So it is understandable that encryption on the iPhone is a highly requested feature by corporations, according to Phil Schiller. Hardware-based encryption on the iPhone could effectively nullify forensics work on the iPhone.

Remote Wipe: A Potential Weakness

However, one potential weakness in the iPhone encryption scheme is how the encryption key is stored, which is related to another new iPhone 3GS feature, instantaneous remote wipe:

According to Schiller, hardware encryption on the iPhone 3GS enables instantaneous remote wipe. Apparently, rather than overwriting every bit as does the iPhone 3G, a remote wipe on the iPhone 3GS only overwrites the hardware encryption key, rendering all data on the iPhone unintelligible. This explains why if you later recover your iPhone 3GS, you can restore your data by enabling your MobileMe account on the iPhone, which apparently downloads the hardware encryption key to the iPhone, making the data on the iPhone readable again.

Although this feature is convenient, it does pose a potential security problem. If the hardware encryption key is hidden in the iPhone file system without being encrypted itself, then a forensics investigator could find the key and decrypt data on the iPhone. And forensics tools like a Faraday cage will prevent the iPhone from receiving a remote wipe command, lengthening the window to find the encryption key indefinitely.

Of course this would require specialized knowledge of the iPhone and cryptography, but that is exactly what forensics firms like Paraben and Sixth Legion have. And their expertise is encapsulated and automated in tools like Device Seizure and Wolf, extending this ability to more general users.

So while hardware encryption on the iPhone 3GS is an interesting development, unless the encryption key is itself somehow encrypted, it will be a matter of time before the forensics community learns a way to find the key and make forensic analysis of the iPhone 3GS possible.
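The argument above, modelled in code as an added example (it is not from the original post and is not Apple's implementation): a wipe that destroys only the key, a key slot stored raw versus wrapped under a passcode-derived key, and an image taken before the wipe arrives. The function names, the passcode wrapping and the toy SHA-256 stream cipher standing in for hardware AES are all assumptions made for illustration.

```python
import copy
import hashlib
import hmac
import secrets

def xor_stream(key, data):
    """Toy cipher (SHA-256 in counter mode) standing in for the hardware AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def kek_from(passcode, salt):
    """Derive a key-encryption key from the user's passcode (assumed design)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 50_000)

def provision(plaintext, passcode=None):
    """Build a flash image: one small key slot plus the encrypted user data."""
    disk_key = secrets.token_bytes(32)
    if passcode is None:                      # the weak design the post worries about
        slot = {"wrapped": False, "blob": disk_key}
    else:                                     # disk key stored only in wrapped form
        salt = secrets.token_bytes(16)
        kek = kek_from(passcode, salt)
        blob = xor_stream(kek, disk_key)
        slot = {"wrapped": True, "salt": salt, "blob": blob,
                "tag": hmac.new(kek, blob, "sha256").digest()}
    return {"key_slot": slot, "data": xor_stream(disk_key, plaintext)}

def remote_wipe(flash):
    """Instant wipe: destroy only the key slot; the ciphertext stays in place."""
    flash["key_slot"] = None

def recover(flash, passcode=None):
    """What an examiner holding only this flash image can read (None = nothing)."""
    slot = flash["key_slot"]
    if slot is None:
        return None
    if not slot["wrapped"]:
        return xor_stream(slot["blob"], flash["data"])
    if passcode is None:
        return None
    kek = kek_from(passcode, slot["salt"])
    tag = hmac.new(kek, slot["blob"], "sha256").digest()
    if not hmac.compare_digest(tag, slot["tag"]):
        return None                           # wrong passcode: unwrap fails
    return xor_stream(xor_stream(kek, slot["blob"]), flash["data"])

def demo():
    secret = b"constructed sample: keyboard cache, call log, mail"
    weak = provision(secret)
    strong = provision(secret, passcode="correct horse")
    shielded = copy.deepcopy(strong)          # image taken before any wipe arrives
    remote_wipe(strong)
    return {
        "raw key slot": recover(weak) == secret,
        "wrapped, no passcode": recover(shielded) is None,
        "wrapped, right passcode": recover(shielded, "correct horse") == secret,
        "after wipe": recover(strong, "correct horse") is None,
    }
```

Every entry returned by `demo()` is true: the raw key slot gives the data away, the wrapped slot does not without the passcode, and a wiped slot gives nothing even with it.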

[Update June 14, 2009: Jonathan Zdziarski of iPhone Forensics left an insightful comment below.]

Security through Simplicity, Part 2

23 May, 2009  No Comment

I wrote here that I love security measures that are simple. That is, those measures that improve security but require no more (and perhaps even less) effort than not using them. Here are three more examples.

Passphrases

Passphrases may not be an ideal security solution, but they are more secure and easier to remember and type than typical passwords. The fact is, passwords are the most prevalent form of authentication and they are not going away soon. Passphrases, then, usefully provide a more secure, easy-to-use alternative.

A friend of mine, Dr. Mark Keith of Arizona State University, demonstrated in a scientific study that passphrases are more secure and easier to remember than typical passwords. First, he showed that because the average person’s vocabulary consists of 3,000 words (a low estimate), a five-word passphrase is stronger than an 8-letter password using alphanumeric and special characters (3000^5 > 95^8).

He also showed that passphrases, although longer than passwords, are easier to remember and easier to use than passwords. The key is writing passphrases in standard written English, or what Keith et al. call “word processing mode” (WPM). Passphrases written in this way (like the passphrase above) are not only easier to remember, but they are also significantly easier to type and result in fewer login mistakes.

SSH Public Key Authentication

This one is more esoteric, but for a server administrator, SSH public key authentication is the model of security through simplicity. Rather than having to remember a password to various servers, a pair of public/private key files can be used to authenticate users instantaneously. Additionally, if an SSH public key is used in place of a password, password-guessing attacks cannot be used.

Automatic Backup

Backup is not typically thought of as a security measure, but it is probably the most important means to protect data from threats, malicious or accidental. The best way to back up data is also the simplest: routinely backing up data using automatic backup software. My favorite offline backup solution is Time Machine, which seamlessly backs up everything in the background, without any user involvement. Automatic backup is probably one of the simplest measures on this list, but also likely yields the most security for data.

Security through Simplicity: Three Elegant End-User Security Solutions

30 Apr, 2009  1 Comment

IT security solutions typically involve trade-offs, usually in the form of trading increased security for reduced convenience or added hassle. However, not all security measures require this trade-off.

Some solutions—aside from the initial expense in time and money to set them up—require virtually no compromise in convenience. In fact, some may even make tasks more efficient or add functionality. Below are three examples.

Password Manager

Passwords are not elegant. To be worth anything they must be hard to guess, which usually makes them hard to remember. To make matters worse, users are often required to change their passwords on a regular basis, like every 90 days.

But the Web is the worst part. A typical user might have 15-30 user accounts that each require a password. Perniciously, most users soon tire of mentally maintaining a portfolio of unique passwords and relent to using the same password for every web site account. It has been said that the easiest way to steal passwords is to create an online service that requires a password. Whatever password a new user submits is most likely the same password for a dozen other online services.

The way to stop this wheel of pain is to use a password manager. A password manager is software that securely stores all of your passwords. Instead of having to remember 30 or more passwords, with a password manager you only need to know one—the password that unlocks the password manager.

Because so many passwords people must remember are for web sites, the best password managers integrate with web browsers. Using a password manager, logging into a website requires no thought—a simple keystroke retrieves the password from the password safe and fills in the username and password fields. When creating a new account at a website, the password manager generates a password for you so you don’t have to waste any thought coming up with a unique, unguessable password.

My favorite password manager is 1Password for OS X. It has saved me a lot of time and grief. Life is too short to manage passwords.

Full Disk Encryption

Another elegant security solution is disk encryption, which encrypts part or all of a hard disk. It is probably the most transparent security solution on this list because aside from entering in a password, the user is unaware that data is encrypted—there is almost no perceptible slow-down in performance. And, once encrypted, you don’t have to worry about losing your hard drive or protecting certain documents. All of your data are protected all of the time. I currently use PGP Desktop 9.10 for Mac.

VPN

I’ve done a lot of traveling in the last few months and so have used a lot of public Internet access points at airports, hotels, and other locations. Public Internet access points are not always securely configured. In some hotels for example, it is possible to sniff or eavesdrop on the Internet traffic of other guests at the hotel accessing the Internet. This is an easy way to collect passwords and other information.

One elegant solution to this problem is a VPN, or Virtual Private Network. The purpose of a VPN is to create a secure connection through an untrusted network to a trusted one. For example, my VPN creates a secure, encrypted connection to Georgia State University, no matter where I am in the world. All my traffic first is sent to GSU’s network, which I trust, and from there it continues unencrypted to sites I wish to access.

A VPN is elegant because once the VPN connection is established, all traffic is encrypted seamlessly in the background. You can access the Internet as you normally would, but now all of your Internet traffic is encrypted and safe from eavesdroppers.

My favorite VPN client is Shimo. Not only does it support a wide variety of VPN types, it is dead simple. Creating a VPN connection, even with Cisco VPNs, only takes one button click. Plus, if I suspend my laptop while a VPN connection is active, Shimo will automatically create a new VPN connection when the laptop wakes.

PGP Whole Disk Encryption comes to OS X

10 Jun, 2008  No Comment


Yesterday PGP announced the availability of their Whole Disk Encryption (WDE) product for OS X next month. Although disk encryption products for the Mac currently exist (like TrueCrypt and FileVault), these solutions only encrypt part of a hard drive, such as a user’s home directory.

Full disk encryption (which is what WDE provides), on the other hand, encrypts every bit on a hard drive—in used or free space. This is important, because forensics products such as EnCase and FTK are very good at finding traces of sensitive information in unused disk space and temporary files like the swap. With full disk encryption, EnCase and FTK are ineffective if an encrypted machine is powered off.

Another reason why PGP WDE for Mac is exciting is that PGP is a highly respected security company and its WDE has been tested by the National Institute of Standards and Technology (NIST) to meet its Federal Information Processing Standard 140-2 (FIPS 140-2). Both the reputation of PGP and the FIPS-140 certification indicate that encryption algorithms employed in WDE have been implemented correctly. This is crucial because even secure encryption algorithms can be easily broken if implemented poorly.

Full disk encryption is a great tool for any organization to protect sensitive information. In the next year, Georgia State University will require that PGP Whole Disk Encryption be installed on every laptop, workstation, or server that stores sensitive information. If every organization followed a similar policy, privacy breaches would not be the almost-weekly security farce that they are today.

Disable SSH Password Authentication with OS X 10.5 Leopard

15 Mar, 2008  5 Comments

I have a Mac running OS X 10.5 Leopard on my home network that I have made accessible from the Internet so I can remotely access it using SSH (Secure Shell) when I am away.

However, there are many popular SSH password brute force cracking tools (such as Hydra). Below is an excerpt from /var/log/secure.log on the Internet-accessible Mac showing an obvious brute force attack:

06:15:20 sshd[54623]: Invalid user jeff from 88.46.222.228
06:15:22 sshd[54625]: Invalid user irc from 88.46.222.228
06:15:24 sshd[54629]: Invalid user list from 88.46.222.228
06:15:25 sshd[54631]: Invalid user eleve from 88.46.222.228
06:15:27 sshd[54633]: Invalid user proxy from 88.46.222.228
06:17:28 sshd[54700]: Invalid user admin from 59.173.2.71
06:17:32 sshd[54702]: Invalid user admin from 59.173.2.71
06:17:36 sshd[54704]: Invalid user admin from 59.173.2.71
06:17:39 sshd[54706]: Invalid user administrator from 59.173.2.71
06:17:43 sshd[54708]: Invalid user administrator from 59.173.2.71
06:17:46 sshd[54710]: Invalid user administrator from 59.173.2.71
06:17:49 sshd[54712]: Invalid user tads from 59.173.2.71
06:17:52 sshd[54714]: Invalid user manet from 59.173.2.71
06:17:55 sshd[54716]: Invalid user creative from 59.173.2.71
06:18:00 sshd[54718]: Invalid user manet from 59.173.2.71

What I am not showing you are hundreds of similar attempts. Further, each username login attempt repeats as many as 20 times in a row, indicating that multiple passwords are being tried.
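A way to summarize entries like these per source address, as an added example that is not part of the original post: it parses "Invalid user" lines, groups them by source, and flags addresses that try several usernames in a short burst. The sample lines are constructed in the excerpt's format with documentation addresses, and the function names and thresholds are assumptions; timestamps are treated as time of day only, since the excerpt carries no date.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the excerpt above; the addresses are
# RFC 5737 documentation addresses, not real sources.
SAMPLE_LOG = """\
06:15:20 sshd[54623]: Invalid user jeff from 192.0.2.10
06:15:22 sshd[54625]: Invalid user irc from 192.0.2.10
06:15:24 sshd[54629]: Invalid user list from 192.0.2.10
06:15:25 sshd[54631]: Invalid user eleve from 192.0.2.10
06:15:27 sshd[54633]: Invalid user proxy from 192.0.2.10
06:16:02 sshd[54650]: Invalid user tony from 203.0.113.5
06:17:28 sshd[54700]: Invalid user admin from 198.51.100.7
06:17:32 sshd[54702]: Invalid user admin from 198.51.100.7
06:17:36 sshd[54704]: Invalid user administrator from 198.51.100.7
06:17:39 sshd[54706]: Invalid user tads from 198.51.100.7
06:17:43 sshd[54708]: Invalid user manet from 198.51.100.7
"""

# Tolerates a date and hostname around the time, as in a full syslog line.
LINE_RE = re.compile(
    r"(\d\d):(\d\d):(\d\d)\s.*?sshd\[\d+\]: Invalid user (.*?) from (\S+)\s*$")

def parse(log_text):
    """Yield (seconds_since_midnight, user, source) per 'Invalid user' line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            h, mi, s, user, src = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + int(s), user, src

def peak_rate(times, window_s):
    """Largest number of attempts falling inside any window_s-second window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best

def summarize(log_text, window_s=60):
    """Per source: total attempts, distinct usernames, peak attempts per window."""
    by_src = defaultdict(list)
    for t, user, src in parse(log_text):
        by_src[src].append((t, user))
    return {
        src: {"attempts": len(ev),
              "users": sorted({u for _, u in ev}),
              "peak": peak_rate([t for t, _ in ev], window_s)}
        for src, ev in by_src.items()
    }

def flag_sources(log_text, min_peak=5, min_users=3, window_s=60):
    """Sources that cycle through usernames quickly (thresholds are assumed)."""
    return sorted(src for src, r in summarize(log_text, window_s).items()
                  if r["peak"] >= min_peak and len(r["users"]) >= min_users)

if __name__ == "__main__":
    for src, r in summarize(SAMPLE_LOG).items():
        print(src, r)
    print("flagged:", flag_sources(SAMPLE_LOG))
```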

To entirely sidestep the threat of brute force password attacks, I have disabled password logins and only allow public-key authentication. Here is how you can set this up in OS X 10.5 Leopard:

  1. Edit /etc/sshd_config and change the following options, removing the ‘#’ comment sign:

    PasswordAuthentication no
    ChallengeResponseAuthentication no

  2. Turn off Remote Login in the Sharing preference pane in System Preferences and turn it on again to restart sshd so the changes will take effect.
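A check for the edit in step 1, as an added example (not from the original post): it reads the text of an sshd_config and reports whether password logins are really off, catching a line left commented out, a duplicate line, or a Match block that turns the option back on. It assumes OpenSSH's behaviour that the first value for a keyword wins and that both options default to "yes" when absent; the function name and the sample configs are constructed for illustration.

```python
# Assumed OpenSSH defaults for options that are absent or still commented out.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

def audit_sshd_config(config_text):
    """Return effective global values, Match-block overrides and a verdict."""
    effective = {}
    match_overrides = []
    in_match = False
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment: no effect
        fields = line.split()
        key, args = fields[0].lower(), fields[1:]
        if key == "match":
            in_match = True               # everything after this is conditional
            continue
        if key not in DEFAULTS or not args:
            continue
        if in_match:
            if args[0] != "no":           # re-enabled for some users or hosts
                match_overrides.append((lineno, fields[0], args[0]))
        elif key not in effective:        # first value wins, later ones ignored
            effective[key] = args[0]
    for key, default in DEFAULTS.items():
        effective.setdefault(key, default)
    disabled = (all(v == "no" for v in effective.values())
                and not match_overrides)
    return {"effective": effective,
            "match_overrides": match_overrides,
            "password_logins_disabled": disabled}

# Constructed samples: both lines still commented, the edit from step 1, and
# two ways the edit can silently fail.
BEFORE = "#PasswordAuthentication no\n#ChallengeResponseAuthentication no\n"
AFTER = "PasswordAuthentication no\nChallengeResponseAuthentication no\n"
HALF_DONE = "PasswordAuthentication no\n#ChallengeResponseAuthentication no\n"
SHADOWED = "PasswordAuthentication yes\n" + AFTER
WITH_MATCH = AFTER + "Match User backup\n    PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name in ("BEFORE", "AFTER", "HALF_DONE", "SHADOWED", "WITH_MATCH"):
        print(name, audit_sshd_config(globals()[name]))
```

To run it against the live file, pass `open("/etc/sshd_config").read()` to `audit_sshd_config`.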

Now, when someone attempts to SSH to my Mac without the correct private key, she/he will see this message:

ssh1.png

Finally, to avoid more log entries of ssh brute force password attempts, I’ve changed the default port for SSH. To my mind, this also reduces the risk of an SSH zero-day exploit.

FileVault—A Cryptographic Analysis

6 Jan, 2007  No Comment


I recently read an excellent presentation (click here for the PDF) entitled “VileFault” on the cryptographic mechanics of Mac OS X’s FileVault, a disk encryption utility. This is the first independent assessment I have read of FileVault. Other blog entries about FileVault can be found here, here, and here.

FileVault is a Mac OS X disk encryption utility that encrypts a user’s entire home directory (which contains all of a user’s documents and files but not programs). The Enterprise and Ultimate editions of Windows Vista contain a similar program called BitLocker Drive Encryption. An excellent open source drive encryption program, TrueCrypt, also exists. I think all of these programs mark a favorable trend toward more secure mobile computing.

To summarize the presentation, FileVault can be considered secure if it is used properly. To use FileVault effectively, users must avoid three vulnerabilities. First, users should use encrypted swap files by checking the “use secure virtual memory” setting in the security system setting panel.

Second, users should disable the Safe Sleep feature in OS X. Safe Sleep, like the Windows Hibernate feature, saves whatever is in memory to disk when the laptop battery gets too low. Unfortunately, the Safe Sleep file is not encrypted, allowing others to search for sensitive information using “strings” or another string-parsing tool.

Third, like many encryption solutions, the weakest link is usually the user’s password. The best encryption in the world can’t secure against simple passwords that can be cracked by a computer program in a matter of minutes. If you use a weak password, don’t bother using FileVault or any other form of encryption.

Interestingly, developer builds of Mac OS X Leopard show that FileVault has been significantly updated. It would be interesting to see another cryptographic assessment of FileVault after Leopard is released.

2006 Top 100 Security Tools

23 Jun, 2006  No Comment

This week Insecure.org released the 2006 results of the top 100 security tools survey. The survey was performed by polling 3,243 active users of Nmap (one of the most popular network security programs) on their preferred security tools. Most of the tools are free and open source and many were designed for the Unix/Linux platform.

It is a curiosity that the list of top 100 security programs could easily be called the top 100 hacking programs: both security practitioners and hackers use nearly the same toolset. For this reason it is useful to peruse this list and become familiar with the more popular tools in order to understand available capabilities for ensuring/defeating system security.

Goodbye Ethereal—Hello WireShark

9 Jun, 2006  No Comment


This week Ethereal, one of the most popular security and network tools, has had its name changed to WireShark. As this article explains, Gerald Combs, the creator of Ethereal, has moved to a new company and the former employer holds the copyright for the name Ethereal. Because the two parties couldn’t come to an agreement, Combs changed the name to WireShark.

WireShark is a packet sniffing tool that allows people on a local area network (LAN) to “eavesdrop” on other users’ Internet activity. WireShark is a real eye-opener for those unfamiliar with the inherent insecurity of Ethernet-based LANs (by far the most dominant LAN technology). For example, a person using WireShark (or a score of similar tools) could easily “listen” to the network traffic in a hotel or wireless hotspot and capture people’s emails, passwords, or other sensitive information.

WireShark and others like it take advantage of the openness of the Ethernet protocol, which was designed for a friendlier computing era, as were so many other network technologies. Fortunately, packet sniffing can be protected against by using a VPN.

TrueCrypt—On the Fly Data Encryption

29 May, 2006  1 Comment

I have recently discovered TrueCrypt, a great open source data encryption tool that has recently gained the attention of security experts Bruce Schneier and Steve Gibson. TrueCrypt is cross-platform, meaning it runs on various versions of Linux and Windows (an OS X version is in the works). With TrueCrypt, you can create a folder or volume that encrypts/decrypts data on the fly in a seamless way. Further, TrueCrypt volumes are platform independent, so you can encrypt a volume in Linux and then decrypt it in Windows.

Data encryption is useful for many situations. I use it to encrypt my research data and documents on my laptop. As a researcher, I am required to keep confidential any personal data I may collect in my studies. With TrueCrypt, I can store potentially sensitive data on my laptop without fear of data theft. There are many other practical reasons why someone may wish to encrypt his/her documents.

The fact that TrueCrypt is open source is a strong benefit. One advantage TrueCrypt has over Microsoft’s optional encryption scheme for Windows and other commercial solutions is the peer review of source code. The security and encryption communities have full access to the TrueCrypt source code, making any vulnerabilities or errors in the implementation of encryption algorithms plainly visible and more readily remedied.

For information about TrueCrypt, check out Steve Gibson’s “Security Now” podcast (or read the transcript). You can download TrueCrypt here.

Secure File Deletion

24 Mar, 2006  No Comment

I have a relatively new computer after my old Dell laptop failed while under warranty. Before returning my old laptop to Dell I decided to securely delete my hard drive to make my personal information unrecoverable. Secure file deletion is important because data can be recovered from even reformatted hard drives using tools like the Forensics Toolkit (FTK). However, most people don’t even bother reformatting their hard drive before donating their computer or throwing it away.

At any rate, I found a great secure deletion tool: Darik’s Boot and Nuke, or DBAN. DBAN is a Linux boot disk that writes random zeros and ones over the entire hard disk according to secure deletion algorithms published by the US Department of Defense and Canada’s RCMP. DBAN also supports the Gutmann algorithm even though it is considered overkill by most experts.

If you want to securely delete a single file rather than an entire hard drive or partition, try GNU’s shred.


© 2005-2010 Anthony Vance