Cold Boot Attack

Many people think that the data that is stored in DRAM, is erased away instantly after the power is turned off in a Computer. But this is not true. The data still remains in the DRAM for some seconds even in the room temperature and even if DRAM is taken out from the system. The term “Cold Boot Attack” is a term that is mostly used in cryptography and is also known as “Platform Reset Attack”.  The Cold Boot Attack is a type of attack in which the attacker who has the physical access to the computer, tries to retrieve the encryption keys using the cold booting. The term Cold Boot also known as Hard Boot is to power off a computer intentionally. In other words, a cold boot attack is “a process for obtaining unauthorized access to a computer's encryption keys when the computer is left physically unattended”.

Researchers from Princeton University, the Electronic Frontier Foundation and Wind River Systems found that a cold boot attack is possible because dynamic random access memory (DRAM) chips hold data for a long period of time after a computer is turned off. This is also known as data remanence. The time to erase the data from a DRAM is related with the temperature around it. The temperature less than -50 degree Celsius can be obtained using a simple sprays such as Spray Duster (shown below). Researchers have found that at this temperature, less than 1% of bits are erased and remain in the RAM for more than 10 minutes. Instead of common sprays, if Liquid nitrogen is used, the temperature can be decreased up to -196 degree Celsius and at this temperature, less than 0.17 % of bits are erased and remain in RAM for more than 1 hours.

How the Cold Boot Attack Works:

     1)      Freezing DRAM: To perform a cold boot attack, as soon as the intruder has a physical access to the computer, some sprays such as Spray Duster or Liquid Nitrogen is sprayed into the DRAM of the computer so that less amount of data is erased.

     2)      Connecting the External Disk: As soon as RAM is freezes, the computer is connected with an external disk where the intruder can perform the attack in different ways. One of the simple method is the intruder can reboot the system and can run a small Kernel that is in the External disk from which the intruder can access the memory.

The second method is to cut off the power and turned on the power on and run a kernel preventing the operating system to overwrite the memory.

The third method is to cut off the power and take out the RAM and run it into a second computer which the intruder already has; thus preventing the operating system to overwrite the contents of RAM.

                  

      3)      Handling corrupted data: Despite cooling the RAM immediately after the power is off, some amount of data are still erased and contains some errors. To retrieve or correct those errors, some algorithms can be applied to correct the errors in private and symmetric keys. Using such algorithms, the memory images with very less error rate from which keys and other important data can be extracted. Even the popular encryption mechanisms such as BitLocker, TrueCrypt, and FileVault etc. have failed to prevent from a cold boot attack. The MAC OS stores the username and password into the memory which can easily be disclosed using cold boot attack.

Cold Boot Attack Tools:

     1)      RAM imaging tools:  These tools can take the image copy of the RAM. These tools can be stored in USB or other disks and contains a small executable files that can take the copy of the RAM.

     2)      Key scanning tools: These tools scan the Image of the RAM to find the hidden encryption keys in the RAM.

Prevention measures to prevent from Cold Boot Attack:

     1)      Never leave your computer unattended. Have a habit of having the computer turned off when using it on public places.

     2)      To perform a cold boot attack, an intruder needs to freeze out the RAM and take make the data remain in the memory for longer time.  As the attacker needs to access the RAM, make your computer casing strong enough so that the attacker may take time to reach it.

    3)      If the casing is made strong, the intruder might attempt to use the Liquid nitrogen through the casing ventilations. A proper aluminum coil can be wrapped over RAM to prevent it from spray.

     4)      The intruder tries the operating system not to overwrite the memory. So the intruder loads a kernel to be loaded. To make the time delay one can enable bios memory testing on power up which is generally disabled in most computers. This will cause bios to overwrite some data in RAM.

    5)      Encrypting random access memory (RAM) mitigates the possibility of an attacker being able to obtain encryption keys or other material from memory via a cold boot attack.

   6)      If a computer is properly shut down, a lot of encrypted keys will be erased from the memory and terminated. When a machine is shut down or loses power and encryption has not been terminated for example, sudden loss of power, data may remain readable from tens of seconds to several minutes depending upon the physical RAM device in the machine. Ensuring that the computer is shut down whenever it might be stolen can mitigate this risk.

    7)      By using long and multiple encryption keys the Cold boot attack can be mitigated. If there is such encryption keys, faster will the keys erase if the machine is turned off and it will be hard for intruder to read those keys.         

     8)      The encrypted keys and important data can be stored in the cache memory. RAM is a separated device which is easy to handle whereas cache resides on the CPU and it’s hard to dangle with it.

    9)      To make the intruder have difficulty in getting the encryption keys, the keys can be break into multiple fragments.10) Even with these precautions, the intruder can perform a Cold Boot Attack since everything is not feasible.

     11)      By using multiple keys also it is not sure that the important data is present in exposed part.

    12)      If the keys are divided into multiple fragments, the owner will also have a disadvantage of decryption time.

     13)      The intruder has the option to move the DRAM into another computer.       

     14)      Even if the casing is made strong enough, the intruder has several ideas to open it up within seconds.

Conclusion:

The cold boot attack is a type of attack where the encryption keys are extracted using a cold boot. To perform a cold boot attack, an intruder freezes the RAM of a computer using some chemical such a Liquid Nitrogen. Such chemical instantly decreases the temperature around the RAM. RAM can be thought of as a capacitor. If the temperature is cooled down, data can stay on ram for longer period of time. At the meantime, the intruder can retrieve the encryption keys from the RAM. This process is termed as a Cold Boot Attack. There are various ways to minimize the attack. However, intruder also has 100’s of ways to perform an attack. So the most important thing to note is to avoid storing classified or important data in DRAM.

References:

      1)      http://searchsecurity.techtarget.com/definition/cold-boot-attack 

      2)      http://www.youtube.com/watch?feature=player_embedded&v=JDaicPIgn9U 

      3)      http://en.wikipedia.org/wiki/Cold_boot_attack

      4)      http://cissp.logicalsecurity.com/cold-boot-attack/cissp/cold-boot-attack/

      5)      http://www.wilderssecurity.com/showthread.php?t=283052

      6)      citp.princeton.edu/pub/coldboot.pdf 

IPV4 vs IPV6

IPv6 is an improved version of the current Internet Protocol, IPv4. However, it is still an Internet Protocol. A protocol is a set of procedures for communications. In Internet Protocol, information such as IP addresses of the sender and the receiver of the data packet is placed in front of the data. This information is called “header”. This is similar to specifying the addresses of the sender and the recipient when you send a package by mail.

One feature of IPv6 that immediately comes to our mind is huge address space. This refers to the fact that, among many elements shown in Figure 1 and 2, the Source Address and the Destination Address has each been expanded from 32 bits to 128 bits. If you just think in terms of pure combination of numbers, there used to be 232 possible ways to represent addresses, but now there are 2128 possible ways to represent them.

However, if you compare Figures 1 and 2 again, you will realize that although IPv6 uses four times more digits to express the addresses of the source and the destination, length of the header has not increased much from that of IPv4. This is because header format has been simplified in IPv6. You can see that among many elements (called “field”) shown in Figure 1, those shown in red do not exist in Figure 2.

One of the important changes is that there is no Options field in Figure 2. In IPv4, Options field can be used to add information about various optional services. For example, information related to encryption can be added here. Because of this, the length of the IPv4 header changes according to the situations. Due to this difference in length, routers that control communications according to the information in the IP header can’t judge the length of the header just by looking at the beginning of the packet. This makes it difficult to speed up packet processing with hardware assist. 

On the other hand, IPv6 moves information related to additional services to a section called extension header. The part shown in Figure 2 is called basic header. Therefore, for plain packets, IP header length is fixed to 40 bytes. In terms of making it easier to process packets with hardware, you can say that IPv6 can be accelerated much easier than IPv4.

Another field that exists in Figure 1 but is absent from Figure 2 is the Header Checksum field. A Header Checksum is a number used to check for errors in header information, and is calculated using the numbers in the header. However, problem with this approach is that header contains a number called TTL (Time To Live), which changes every time the packet goes through a router. Because of this, Header Checksum must be recalculated every time the packet goes through a router. If we can free up routers from this type of calculations, we could reduce the delay. Actually, TCP layer that resides above IP layer checks errors of various information including sender address and destination address. Since performing same calculations at the IP layer is redundant and unnecessary, Header Checksum is removed from IPv6. 

Figure 1 contains 8bit field called “Service Type”. This field is used to represent the priority of the packet, for example whether it should be delivered express or with normal speed, and allows communication devices to handle the packet accordingly. Service Type field is composed of TOS (Type of Service) field and Precedence field. TOS field specifies the type of service and contains cost, reliability, throughput, delay, or security. Precedence field specifies the level of priority using eight levels from 0 to 7. IPv6 provides the same function with a field called Traffic Class.

Flow Label field has a 20 bits length, and is a field newly established for IPv6. By using this field, packet’s sender or intermediate devices can specify a series of packets, such as Voice over IP, as a flow, and request particular service for this flow. Even in the world of IPv4, some communication devices are equipped with the ability to recognize traffic flow and assign particular priority to each flow. However, these devices not only need to check the IP layer information such as address of the sender and the destination, but also need to check the port number which is an information that belongs to a higher layer. Flow Label field attempts to put together all these necessary information and provide them at the IP layer. However, specifics on how to use it is still undecided.

As we have seen in this article, IPv6 aims to provide intelligent transmission framework that is easy to handle for intermediate devices by keeping the basic header simple and fixed length. 

Radio Waves

Radio waves are an invisible form of electromagnetic radiation that varies in wavelength from around a millimeter to 100,000 km, making it one of the widest ranges in the electromagnetic spectrum. "Radio" is a catch-all term describing all forms of electromagnetic radiation with a wavelength longer than a millimeter and a frequency above 300 GHz. Frequency refers to how long the measured time is between the "crest" and "trough" of a wave arriving at the source. For visible light, the frequency is in the 450-750 terahertz range, meaning in a single second of waves, 450-750 crests and troughs pass through a detector. Discovery and Utilization:        Radio waves were first predicted by mathematical work done in 1865 by James Clerk Maxwell. Maxwell noticed wavelike properties of light and similarities in electrical and magnetic observations. He then proposed equations that described light waves and radio waves as waves of electromagnetism that travel in space. In 1887, Heinrich Hertz demonstrated the reality of Maxwell's electromagnetic waves by experimentally generating radio waves in his laboratory.[1] Many inventions followed, making practical the use of radio waves to transfer information through space. 5 different types of radio waves and there uses: There are more than 5 Radio portion of the electromagnetic spectrum Radio waves are divided up into bands by frequency (and corresponding wavelength) as shown in the radio frequency spectrum table below. Extremely low frequency ELF 1 3–30 Hz 100,000 km – 10,000 km Communication with submarines Super low frequency SLF 2 30–300 Hz 10,000 km – 1000 km Communication with submarines Ultra low frequency ULF 3 300–3000 Hz 1000 km – 100 km Communication within mines Very low frequency VLF 4 3–30 kHz 100 km – 10 km Submarine communication, avalanche beacons, wireless heart rate monitors, geophysics Low frequency LF 5 30–300 kHz 10 km – 1 km Navigation, time signals, AM longwave broadcasting Medium frequency MF 6 300–3000 kHz 1 km – 100 m AM (Medium-wave) broadcasts High frequency HF 7 3–30 MHz 100 m – 10 m Shortwave broadcasts, amateur radio and over-the-horizon aviation communications Very high frequency VHF 8 30–300 MHz 10 m – 1 m FM, television broadcasts and line-of-sight ground-to-aircraft and aircraft-to-aircraft communications Ultra high frequency UHF 9 300–3000 MHz 1 m – 100 mm television broadcasts, microwave ovens, mobile phones, wireless LAN, Bluetooth, GPS and Two-Way Radios such as FRS and GMRS Radios Super high frequency SHF 10 3–30 GHz 100 mm – 10 mm microwave devices, wireless LAN, most modern Radars Extremely high frequency EHF 11 30–300 GHz 10 mm – 1 mm Radio astronomy, high-speed microwave radio relay. Source: wiki

The Proxy Server

In an enterprise that uses the Internet, a proxy server is a server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service. A proxy server is associated with or part of a gateway server that separates the enterprise network from the outside network and a firewall server that protects the enterprise network from outside intrusion.
A proxy server receives a request for an Internet service (such as a Web page request) from a user. If it passes filtering requirements, the proxy server, assuming it is also a cache server , looks in its local cache of previously downloaded Web pages. If it finds the page, it returns it to the user without needing to forward the request to the Internet. If the page is not in the cache, the proxy server, acting as a client on behalf of the user, uses one of its own IP addresses to request the page from the server out on the Internet. When the page is returned, the proxy server relates it to the original request and forwards it on to the user.
To the user, the proxy server is invisible; all Internet requests and returned responses appear to be directly with the addressed Internet server. (The proxy is not quite invisible; its IP address has to be specified as a configuration option to the browser or other protocol program.)
An advantage of a proxy server is that its cache can serve all users. If one or more Internet sites are frequently requested, these are likely to be in the proxy's cache, which will improve user response time. In fact, there are special servers called cache servers. A proxy can also do logging.
The functions of proxy, firewall, and caching can be in separate server programs or combined in a single package. Different server programs can be in different computers. For example, a proxy server may in the same machine with a firewall server or it may be on a separate server and forward requests through the firewall.

Ping of Death

Technically speaking, the Ping of Death attack involved sending IP packets of a size greater than 65,535 bytes to the target computer. IP packets of this size are illegal, but applications can be built that are capable of creating them. Carefully programmed operating systems could detect and safely handle illegal IP packets, but some failed to do this. ICMP ping utilities often included large-packet capability and became the namesake of the problem, although UDP and other IP-based protocols also could transport Ping of Death.
Operating system vendors quickly devised patches to avoid the Ping of Death. Still, many Web sites today block ICMP ping messages at their firewalls to avoid similar denial of service attacks. A ping of death (abbreviated "POD") is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A ping is normally 56 bytes in size (or 84 bytes when IP header is considered); historically, many computer systems could not handle a ping packet larger than the maximum IPv4 packet size, which is 65,535 bytes. Sending a ping of this size could crash the target computer.

The Router

In packet-switched networks such as the Internet, a router is a device or, in some cases, software in a computer, that determines the next network point to which a packet should be forwarded toward its destination. The router is connected to at least two networks and decides which way to send each information packet based on its current understanding of the state of the networks it is connected to. A router is located at any gateway (where one network meets another), including each point-of-presence on the Internet. A router is often included as part of a network switch.
Routers forward data packets across computer networks. A Router checks the data packet for its destination address and protocol format details. If the router microprocessor finds a match in its address tables, it routes it to that destination address. If the destination address is on a network type that uses a different transmission protocol, the appropriate new protocol data is added to the packet.

User Datagram Protocol

The User Datagram Protocol (UDP) is one of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol (IP) network without requiring prior communications to set up special transmission channels or data paths. The protocol was designed by David P. Reed in 1980 and formally defined in RFC 768.
UDP uses a simple transmission model without implicit hand-shaking dialogues for providing reliability, ordering, or data integrity. Thus, UDP provides an unreliable service and datagrams may arrive out of order, appear duplicated, or go missing without notice. UDP assumes that error checking and correction is either not necessary or performed in the application, avoiding the overhead of such processing at the network interface level. Time-sensitive applications often use UDP because dropping packets is preferable to waiting for delayed packets, which may not be an option in a real-time system.^[1] If error correction facilities are needed at the network interface level, an application may use the Transmission Control Protocol (TCP) or Stream Control Transmission Protocol (SCTP) which are designed for this purpose.