Added: 3 years ago
From: pucitp
Views: 627,083

All Comments (279)

  • I think you'd look awfully suspicious sitting next to a computer with the back open hosing down the RAM with an aerosol can.

  • Mac OS X never offered full disk encryption. OS X 10.7 (Lion) does. Just an FYI...

  • i want to sex the mouth of the woman who narrates

  • Anyone who carelessly leaves their laptop laying around is an idiot and deserves to lose it!

  • Why go through all this trouble? Bill Gates and Steve Jobs gave the feds a back door years ago for maybe a few $million.

    Use Linux, TrueCrypt and BleachBit.

  • Wonderful job, folks :

  • P=NP solution! Give me!!

  • Eh I am more worried about bios attacks. An attacker stealing or tampering with a laptop while in a public place and putting a sniffer which will capture the key on boot.

  • two words, hardware keylogger.

  • knife to throat my work

  • wait..if they already have your laptop why dont they just take it with them?

  • Kennedy Assassination .doc file and Social Security Numbers .xls and there in the "Secret Files" folder @4:22 What secrets will now be revealed thanks to the encryption key being beaten. But in all seriousness yes these keys in ram can easily be obtained and yes the cooling of ram will make it readable for a longer period of time.

  • ZOMG, so you like totally "freeze" the RAM?

    That's freaking amazing, I never thought of that!!!!!!

    I LOLed BTW, thanks for the laugh.

  • How hard is it to flush the memory during shutdown? Or is it only when power is cut that the data remains in memory.

  • Well, after that i'd say:

    When the police stands in front of your door, shut the PC down.

    Take your time, do something for at least 2 Minutes and the RAM is empty. - Safe -

  • @TheWanAntOnly

    Another nice (and easy to do) thing would just be ordering the machine to write all the bits in ram to 0 or 1 or so when it's ordered to shutdown. (Any Linux distro -> Very very easy, Windows -> can't tell, OS X -> can't tell.)

    Wouldn't be hard to accomplish... :'D

  • @EUBG you're an idiot... sure it could write 0's/random data on shutdown but if you f*cking pulled the plug/battery then that won't work..... you can just buy extra hardware for your computer that surges the ram with an internal battery when a voltage drop is detected or a shutdown... all else just turn off when done...

  • what a great video, too much interesting

  • Always turn your computer off... not sleep or standby... just off.

  • Self-encrypting hard drives are the only defense from this and other attacks such as Evil Maid.

  • OMG H4X!

  • The 'Evil Maid' attack is a far simpler (and proven) method of gaining a Truecrypt password.

  • Check out my swell videos!

  • Yes, the document names at 4:22 are a nice touch. A proof for P=NP? I would be interested in reading that...

  • lol at 4:22

  • Truecrypt is vulnerable, she said *probably* vulnerable. When you enter the password it is stored in the RAM memory. After the header is unencrypted the real encryption keys are read to the RAM memory like the password so data can be unencrypted. While the file/hd is mounted you can apply this type of attack. But once you unmount it truecrypt wipes the memory of that information and this attack is *probably* not valid.

  • That is true, however when the computer is abruptly shut down, (by removing the battery, as mentioned in the video) then the program is not able to wipe the memory.

    I read this from their website.

  • I don't think that's true for TrueCrypt

    I Won't believe it until you show me on one of your videos.

  • so cool!

    Kennedy Assassination though? fair enough...

  • @Evi1M4chine Did you even watch this video? It doesn't matter if computer does or does NOT boot from an external disc, since you can cool the RAM module and plug it to another system, and dump its contents from there. -.-

  • This can be protected by setting on-boot passwords, bios passwords, boot menu passwords and for the RAM: max out the RAM and epoxy the RAM in place.

  • I liked the file named "Kennedy Assassination". If only it were that easy. ;)

  • Also, TrueCrypt already fixed that problem, by never storing the key freely in RAM, a looong time ago.

  • @Evi1M4chine

    Any documentation on this? I haven't seen anything on the Truecrypt website about this.

  • @Evi1M4chine

    Can you please link to a source which verifies that statement.

  • @Evi1M4chine without knowing TC specifically I'd still say it has to store the key in RAM in some form because it needs it all the time for en-/decrypting data as it is being written to/read from the physical disk. It may just not store the key in a continuous RAM region, which would make reading it a bit more difficult, but not impossible if this bitunlocker thing has specific knowledge about how TC stores the key.

  • @Evi1M4chine

    What do you mean by freely?

  • @Evi1M4chine test

  • @Evi1M4chine Can you or anyone of your supporters prove that statement? Fixed? No. At least their documentation still says today: “Inherently, unencrypted master keys have to be stored in RAM too..”

    This will not be subject to change – it is simply not possible without using a TPM.

  • @Schwirrsi

    Even if it is not, it is stupid, prove you can dump an encryption key with a residual image of the Joconde.

    If any letter or symbol or number is missing in the data file of the encryption key it doesn't work, all the blank data needs to be brute-forced. If you have more than 20 blanks in the key code the problem is the same as a long password, you need a supercomputer and some years to break it.

  • @Evi1M4chine Nope, see truecrypt docs

    "Inherently, unencrypted master keys have to be stored in RAM too. "

  • NO you retards! The computer does NOT boot from the external hard disk. Except if you were just as retarded, by actually configuring that (or leaving it configured that way, which is the same.) in the BIOS.

    And you know this EXACTLY. So you're deliberately lying, to make a point that does not exist for those who really care for their security. (As opposed to those who just leave encryption on by default, because they don't care enough to change anything at all.)

  • still they can remove the ram and place it on a computer of their own, so...

  • go in bios yourself and change the mode yourself?

  • @Evi1machine:

    It is possible to create a program on a DVD, insert it, and boot from that DVD. If you want to save your computer in case of a crash, you *MUST* be able to boot from a DVD before your harddisk drive.

    So, you can configure the program on the DVD (just like the Norton Ghost wizard) to boot up, and copy/crack/whatever.

    This is of course only needed if the eks. HDD boot option is below the primary harddisk.

  • Everyone can change the BIOS settings, you can easily find master passwords on the internet, so BIOS passwords also don't make the computer secure.

  • Authorities in charge of security (U.S. Military Intelligence) assert that all data in commercial RAM instantly disappears as soon as power is cut off. For example, when RAM is unplugged from computer, as demonstrated in this video. This video exposes that myth and shows most security regs and SOPs as most inadequate.

  • dude...that's not how a commercial ram works...not that i want to defend this video, but what is mentioned with the picture in the video is actually right. It's because of the way the ram is made (the comparators and the flip-flops composing the ram are losing their power gradually, so afterimages of what was there stay for a short time).

    next time, try to know a little bit more on the subject before saying that something is ''inadequate''

  • Of course it runs GNU Linux! What else?

  • haha!!! LINUX UBUNTU RULEZ!!!

  • i love how these corporate dumbnubs are playing black hats with cold boot attack and trying to push their marketing bullshit

    little do they know most pc's that have ECC ram or quick boot enabled in bios will make such an attack completely useless

  • her voice is highly annoying -

  • Well duh! This is nothing new.

    What kind of "expert" would think volatile memory is magically wiped as soon as power is lost? Other than an "expert" in the Microsoft-bubble sense of the word..

    Nobody in the real world of computing would trust that SDRAM module content is gone until it had been explicitly overwritten.. several times (multiple passes for those paranoid enough to think some quantum physics forensic techniques could detect previous states).

    Oh no! Think of swapping/paging to disk

  • I think this can be prevented by turning off autorun on external devices, like that external USB HDD, and by removing anything but the internal HDD from boot order + protect that with bios password (though with removing motherboard battery, that pass can easily be erased)

    Truecrypt also mentions this attack in its documentation and says with cooled ram, memory can stay intact for several hours, but with some new types of memory modules it is only 2.5 seconds.

  • Remove the battery from your motherboard and you should be safe, right?

  • wrooong

    this relies on the fading of ram cells, which aren't powered by the cmos battery... lrn2cptr

    the cmos battery is just that. it keeps the clock running and not much else, it doesn't power the ram at any time

    the whole point is even when you remove the power, the ram takes time for its stored charge to dissipate low enough to be unreadable

  • Just as I posted my comment I thought to myself, "what?".

    I know that the battery only holds settings and such for the mobo.

  • hah! "Kennedy Assasination.doc, PxNP Proof.tex, Social Security Numbers.xls"

  • So is there anyway to write a shutdown program that wipes the ram on state change?

    I don't know how to do it in python maybe I'll try with C.

  • I think my Acer Aspire One [AOA150] is well protected, if the data doesn't disappear in all the fucking time it needs to get to the RAM slot, then maybe the key is stored on the 512 soldered RAM that comes on the motherboard.

  • 3:17 The computer is locked so we normally can't access without user's password

    Ophcrack FTW lol

  • COOL !!

  • Nice stuff. I see Mac coming with another commercial attacking PC. You guys need to come out with similar stuff attacking MAC users.

  • they said that it works on macs too... this isnt an attack its a public service announcement that isnt targeting users of any individual system.

  • wouldn't spraying the duster short some of the motherboard of the comp??

  • Not when it is off.

  • meh, forgot about turning it off, lol

  • Where can you get this ram2usb software?

  • Good work, guys. Very interesting stuff.

  • A "hax0r" that uses Ubuntu? I THINK NOT!

  • NOBODY CAN HACK MY BOX! I store all my sensitive data on a stand alone usb drive that has 128 bit AES hardware encryption on it and cycles keys whenever I backup, which means not only does this thing have government grade encryption but it also stores all the keys on the drive itself which has no RAM and you cannot access the drive without the 30 character alpha-numberic password that I change every 15 days...

  • Easy, I would just use a key logger.

  • "stand alone usb drive"

    How exactly is a key logger going to help you hack into something off the net?

  • Not only will a keylogger not do you any good because the box is not online, I use a hardware firewall, software firewall, as well as an encrypted net connection... Even my logitech keyboard has its own encryption designed to prevent keystroke detection attacks.. bottom line > UNHACKABLE!

  • None of that would affect a software key logger. If I have physical access, your machine is pretty much compromised.

  • My encrypted keyboard alone would stop the keylogger. And you would have to find out where I lived to get physical access, considering you do not have my ip, that is impossible for YOU to accomplish.

  • It would not affect a SOFTWARE key logger.

  • Software loggers are very simple in design in order to remain undetected. An encrypted usb keyboard would not be susceptible to these loggers which usually monitor bus or irq. You would need a more advanced logger that monitors USB communication and can crack the encryption scheme. I'm not saying it's impossible, I'm just saying the simple loggers out there cannot do it. And using a more advanced logger would mean going further up the operating system and make you more vulnerable to detection.

  • At the end of the day though, this isn't going to stop any keylogger polling the WinAPI for key events.

    Every application does this and you can't really distinguish malicious and non-malicious lookups of this table due to the fact most if not all applications poll a vast array of key events.

    And like BioSlayer said: Physical Access == Compromised

  • I agree and I have stated before that my box is vulnerable to physical attacks, the chances of a physical break in combined with an individual who is able to bypass my security is very remote considering the vast majority of people who commit such breaking and entering don't have the knowledge nor the education to perform such tasks.

    Unless of course one of you find out where I live =)

  • ya cold boot is serious business i got a freezer for all y'all pc's niggers.

  • PAPER OF THE YEAR

  • Really amazing!

  • to boot from an external device you have to get into the bios boot menu right? so if you have your bios password protected this wouldn't work.

  • just press enter at startup and choose which you want to boot from, even if you set a password in bios you can clear it by the ClearCMos button on the motherboard

  • ya, or as they demonstrated in the video; if all else fails you can just pop out their ram chip and put it in your own machine.

  • Technically Yes, but if they have access to your computer they could easily flash the bios, by moving jumpers around and wipe all existing passwords on your motherboard.

  • WRONG. RAM loses data as soon as there isn't any power. Only capacitors can store power. So the only risk to ur PC when it off. Surges.

  • ram acts like a paper where the cpu temporarily writes its calculations xP

  • I know. But RAM wipes out when no power.

  • No, look up how a transistor works. Also, the CPU has a cache, specifically for that. The memory is a little different. I think I heard an analogy before about it. The space right in front of you on your desk is the cache, and the drawers to your side are the memory.

  • no, you're an idiot.

  • no am right. It will hold a charge for a few seconds, but the data becomes unreadable.

  • OMG WHO CAREs!~!~!~!

    first off there are better ways to get full access, some taking about 5minz. And for all of you who keep data like this on your lappys i hope this happens to you for being stupid enuff to keep data like that on there.

  • haha :P im protected, since i set my keys to be used in hdd (i set 300mb of it to be used as ram) and i locked the boot process from only my hdd, no other external devices (usb, cd/dvd, floppy, fire wire, etc.) will be run while booting, so there is no possible way on hacking my pc :P

  • here it is other Script Kiddie. kid go to school a let this shit to pros.

  • thanks for posting

  • Good lord. I heard about this from my boss..

  • So when the police burst into my house i should turn off my pc so the ram can erase itself and my Encryption Keys will be gone?

  • No, just remove your RAM and break it. Or take a lighter to it (heating the RAM will have the opposite effect of cooling it, and of course melting = breaking :)

  • i have a better idea! i will place some small amounts of c4 around my ram and when the cops come i push button lol.

  • (i want to join in the fun)

    i have a good idea too, keep a bottle of water and or soft drink next to your computer, and pour it over it...

  • Cops? I was actually thinking that this is the sort of thing that would be used against authority, actually.

  • Wow, this is a major vulnerability. So like any pro hacker can make a dump of the RAM while the key is still in it, then extract it? Genius.

  • just turn off your pc/laptop whenever you wont use it or theres people you dont know near, when PC turns off (no energy) RAM DATA gets erased, if you manage to get the data of the RAM after turned off , you are pretty fast..

  • Didn't the presentation conclude saying that other encryption technologies on other operating systems were as vulnerable? This attack has nothing to do with Windows specifically.

  • lesson learned is that ure ignorant to the highest degree

    u do realize that mac's also use the same or nearly the same encryption algorithms and methods right? and u do also realize there are memory cards in mac's too? linux may be safer because it is open source but that doesnt guarantee safety either. these techniques can oft be pulled off on any systems if not all the time.

    another thing

    a common saying for macs: security through obscurity

  • Actually, they're right. You should do your own research, though - "Microsoft COFEE"

    Peace.

  • I have a question. So you turn off the computer with the external hard disk plugged in, and it automatically takes the remaining RAM. But they have like a software in the disk. I want that software xD

  • Yes, the name of the software is bitUnlocker

  • good job MR.hacker

    want a trophy?

  • Unfortunately, little will block the memory being cooled and then transferred to another computer, as mentioned in the video.

  • How about I just drop the 20 lbs magnet on top of my laptop before you put it in your hands, boo supergeeks lose! :)

  • Even a very strong magnet will not do a very good job of permanently wiping a drive. And even if it did, the downside to this is that you destroy your hard drive and lose the data in the process.

    You lost the benefit of encryption - that you are still able to access the data but someone else can't, even if they have physical access to whatever it resides on.

  • ghsorb lvr

    d:P

  • Interesting. I wonder how the ATA disk security ("hard disk password") would come into play here.

    Whenever my computer is turned on or wakes from sleep, I have it set in such a way that a password is needed to access the disk. This is hardware (written to the disk itself), and not stored in RAM. Once this is entered, the computer presents the normal login screen.

    While surely less secure in many ways than encryption, I wonder if it'd be an easy and practical means of countering this attack.

  • If the computer is stolen while the computer is on, it may still be vulnerable, because the hard disk will still have the decrypt key in its memory. Whether you would be able to freeze and remove the hard drive and then 'hot-swap' it into another system to access like nothing happened, I don't know. I imagine it would be possible but difficult.

  • lol "Kennedy Assassination" "Social Security Numbers"

  • MCBathtub... you crack me up man, talking like you're a computer 'expert'. If you really knew your shit you would know that RAM consists of silicon wafer arrays that, believe it or not, CAN HOLD DATA after power is removed. Granted they need to be extremely cold. Point B, electricity doesn't use itself up, when the ram chip is unplugged from the computer there is no place for the negative electrons to travel, so they sit in the silicon for a small amount of time. Stop embarrassing yourself kthx

  • I don't know if anyone mentioned this already, but why the switch from the Vista to Ubuntu box during the demo? Is it booting into Ubuntu from the external HDD? (Around 3:50)

  • because he wrote(has) a program for recovering data, that runs in Linux.

  • I think that method wont work when truecrypts auto dismount feature is on or ?

    So if you close your notebook the volume will be unmounted so theoretically that attack is quite useless then or ?

    I would really like to know if it's still storing the key in the ram once auto dismount was taking place.

  • When a Truecrypt volume is dismounted its associated key is wiped from memory using a cryptographically secure method.

  • But if it's mounted when you /physically/ steal the computer, or are at the login password prompt (and the disk is mounted as a system disk would be) when you /cut the power/ to use these techniques, the key is still in memory and vulnerable to these attack methods.

  • Which is why you should always dismount the encrypted drives when you leave the computer, as I stated previously.
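
The dismount-time wipe discussed in the comments above, as an added C example that is not part of any comment and is not TrueCrypt's code: the `volume` struct, the function names, the passphrase and the key are all constructed for illustration. It compares a dismount that wipes only the master key with one that wipes every secret field, and pins the memory with `mlock()` so the secrets are not paged out to disk.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define PASS_MAX 64
#define KEY_LEN  32   /* constructed: a 256-bit master key */

/* Hypothetical in-memory state of a mounted volume (names are illustrative). */
struct volume {
    char    passphrase[PASS_MAX]; /* what the user typed */
    uint8_t master_key[KEY_LEN];  /* what actually decrypts sectors */
    int     locked;               /* 1 if mlock() pinned the struct in RAM */
    int     mounted;
};

/* Store zeros through a volatile pointer so the compiler cannot discard the
 * writes as dead stores, which it may do with a plain memset(). */
static void secure_wipe(void *p, size_t n)
{
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* Count secret bytes still present: a stand-in for what a RAM dump would see. */
size_t secret_residue(const struct volume *v)
{
    size_t n = 0;
    for (size_t i = 0; i < PASS_MAX; i++) n += v->passphrase[i] != 0;
    for (size_t i = 0; i < KEY_LEN; i++)  n += v->master_key[i] != 0;
    return n;
}

int vol_mount(struct volume *v, const char *pass, const uint8_t key[KEY_LEN])
{
    size_t len = strlen(pass);
    if (len >= PASS_MAX) return -1;
    memset(v, 0, sizeof *v);
    /* Keep the secrets out of swap; a failure (e.g. RLIMIT_MEMLOCK) is
     * recorded in v->locked rather than treated as fatal. */
    v->locked = (mlock(v, sizeof *v) == 0);
    memcpy(v->passphrase, pass, len);
    memcpy(v->master_key, key, KEY_LEN);
    v->mounted = 1;
    return 0;
}

/* Incomplete dismount: the master key is wiped, the passphrase copy is forgotten. */
void vol_dismount_key_only(struct volume *v)
{
    secure_wipe(v->master_key, KEY_LEN);
    v->mounted = 0;
}

/* Full dismount: every secret field is wiped before the pages are unpinned. */
void vol_dismount(struct volume *v)
{
    secure_wipe(v->passphrase, PASS_MAX);
    secure_wipe(v->master_key, KEY_LEN);
    if (v->locked) munlock(v, sizeof *v);
    v->locked = 0;
    v->mounted = 0;
}

int main(void)
{
    uint8_t key[KEY_LEN];
    for (int i = 0; i < KEY_LEN; i++) key[i] = (uint8_t)(i + 1); /* constructed key */

    struct volume v;
    vol_mount(&v, "correct horse", key);               /* constructed passphrase */
    printf("mounted:           %zu secret bytes in RAM\n", secret_residue(&v));
    vol_dismount_key_only(&v);
    printf("key-only dismount: %zu secret bytes in RAM\n", secret_residue(&v));
    vol_dismount(&v);
    printf("full dismount:     %zu secret bytes in RAM\n", secret_residue(&v));
    return 0;
}
```

Either wipe only runs on a clean dismount; if power is cut while the volume is still mounted, neither function gets the chance to execute.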

  • yea im not scared cuz someone has to steal ur computer, none of this stuff isnt done over the net so im not scared

  • lmao, a 21 year electrical engineer who 'knows'... come on. Maybe if you would TRY what these people are suggesting, you would find that common literature makes assumptions about this technology that are INCORRECT.

  • Very interesting concept. Trabant6666, go fuck a tree and learn some computer science before you go trashing peoples work. I guess you don't understand the concept of DUMPING the contents of memory to disk for viewing. Take an A+ class before you decide to make a hateful post kthx.

    PS. Learn to spell and use grammar

  • this is stupid and impractical, even single bit from the encryption key (with your stupid error correction) "faded" in ram and your method is fucked up bitches

  • see the web site: the research paper talks about ways to recover keys even if a sizable number of bits have decayed

  • u guys r smart

  • Now heres the question.

    Can this technique be used to hack the Xbox 360?

  • Very interesting. But I don't think this is a software problem. And changing the encryption software would not completely solve it. The encryption software must store the key in memory. If you can somehow read the memory while the key is there, you break it.

  • Why Does her voice sound so much lower after 4:25??

  • Hackers love it when you think you know you're safe because you know what a capacitor is.

    It's simple folks. Don't leave your laptop unattended, especially in public. You are still not safe even with encryption.

    One of you brilliant EEs are going to get robbed. You won't feel so smart then.

  • Even if this attack were viable, the problem is not with the software. Leaving secure drives mounted when you are not physically at the computer is where the fault lies.

    Truecrypt has a simple solution for this, just check the "Auto-dismount when entering power saving mode" option. Now when you put the computer to sleep the keys are erased.

  • Props for the Shmoocon sticker on the hard drive.

  • So what this video is basically saying is that your data is safer if you don't use any encryption at all. Furthermore, it's probably not a bad idea to hold a lit match or lighter above your memory chips each time you shut down your computer to make sure the memory fades faster. These are great tips! Thanks for making the video!

  • No, it tells how i can get my mothers key! :P

    And if you leave your Laptop/PC unattended it should be completely powered down...

  • Great video!!!

  • Where did you hear that? Capacitors can hold charge for minutes or hours, depending largely on their construction and insulator. Even a relatively simple glass and metal capacitor can hold a charge for several minutes.

  • Wtf are you talking about? You think the capacitors in RAM can hold their charge for minutes? Not only is a second a LONG TIME, it's more like 100ms...at best.

  • Ok, so how long will it take someone to invent a boot device that will flush or overwrite all memory?

  • so if you always shut your computer down, and you have the option to put in the security key every time the computer boots up, you're safe. That's what I got out of that video.

  • Ah so computer manufacturers should wipe the memory with their bios. Bios hackers can easily add this feature. What about when the bios does a memory check is it not writing zeros and ones at this time?

  • ya. proly the best solution is a self destruct mechanism which will explode the drive if a second key is not entered within 15 seconds of auth. I'm just waiting for MS to add this to the next service pak. short of that... don't store your porn on hard disk, store it on youtube.

  • What about Checkpoint's Pointsec?

  • i just make sure no one steals my laptop

  • What about gluing the ram into the notebook / onto the mainboard so that it can't be removed without destroying everything? Boot from external media (others than the internal hdd) can be disabled, too.

    Then, something like that won't be possible that easily ;)

  • This is assuming a) The laptop is set to boot via USB(which is VERY rare), b) The laptop has slow-clearing memory, c) The attacker has physical access to the laptop straight after someone has shut it down. d) The victim won't be surprised to see that his perfectly fine laptop has lost its power somehow and reset and has white frothy crap all over it. e) The attacker will be able to access the laptop a second time.

    It's absolutely impractical. Use a keylogger, social engineering etc instead.

  • if you read the page, they found that even at room temp they can still use the memory with just a can of air.

  • yea you are right.....there are too many variables for this to be a practical method of hacking. What is social engineering btw?

  • True but nonetheless interesting.

  • social engineering is a hacking method that tries to guess passwords based on your personality. they would observe you, try to get information of your life, such as names and birthdates of wife/hubbie, kids, pets, etc., and use those and variants of them as guessed passwords.

  • But it is one of many(?) possible solutions to get the data you stored.

  • Even without DRAM recovery, most disk encryption packages are subject to password breaking dictionary attacks as long as you have physical access to the device. Most users' passwords contain 18 bits or so of entropy, so rather trivial to dictionary attack.

  • There is a VERY simple way to prevent this from being an issue on many systems. Set a BIOS password that is required both to boot the machine and to change settings like the boot order. Then simply make sure the machine is not set to boot from a USB drive. As for pulling out the RAM, that can't be completely prevented but some epoxy holding the RAM in should make sure it can't be taken out intact while it still contains data.

  • interesting

  • digg

  • An application that simply zeroed all ram during shutdown and erased any password fields on disk would solve it. People wouldn't be able to use sleep mode, suspend or leave it long enough for the password screen to be sitting there, but it could be worth it. Also don't turn your back on your computer, lol.

  • Princeton people are not terrorists retard

  • thank you for sharing this ! scary stuff !

  • wow this sucks XD

  • we can even get freeze burn by touching the ice cold object with bare hands, brilliant

  • so essentially, never leave your laptop out in the open at a public area

  • Huh. Thought this was common sense.

    But really, there is almost no risk of a thief being smart enough to do this. They will just wipe your disk and sell your laptop.

  • No. The point is power down your laptop when you are done, rather than using sleep mode, IF you are depending on encryption to protect the contents of your files from prying eyes.

  • If anyone is still worried here are a few tips and suggestions:

    The software is made by this organization, not an everyday criminal.

    If you're paranoid over your information getting stolen go check out Absolute software, They'll install a chip in your laptop that will remotely destroy the hard drive's information and can recover the laptop through GPS. So even if they crack the encryption on the hard drive there will be nothing on it.