Researchers dive into memory dumps

March 31, 2008 – 2:59 PM

Building on earlier research into cold-boot attacks on computer memory, two consultants showed off their prototype tools for grabbing passwords from untended computers, during a session at the CanSecWest conference last week.

The consultants — Sherri Davidoff and Tom Liston, both of security firm Intelguardians — found that numerous Windows and Linux applications keep passwords unencrypted in a computer’s physical memory during run time. The two researchers experimented with a number of methods of creating a bootable image on a USB thumb drive that could scan for and grab passwords from the random access memory (RAM) of computers to which an attacker had access.

“The goal here is to see if we can hit an office building in 25 minutes or less and get out with a lot of valuable data,” Davidoff told attendees.

Davidoff and Liston had investigated the issues around the same time that a mixed group of academic and privacy researchers discovered that sensitive data kept in a computer’s RAM could last for at least 10 minutes after the machine is shut down, if the memory is cooled using compressed air. The so-called “cold boot” attack lets an attacker restart a computer and use a bootable drive to grab data from memory.

Davidoff and Liston created a USB thumb drive that could be plugged into a computer and that would, after the computer was restarted, scan the data left in the computer’s physical memory for passwords and other sensitive data. The two researchers created a pair of programs to find the telltale signatures in memory that indicate where a password might be stored, and called the scripts DaisyDukes because the programs were “very revealing,” Liston said.

“When we put this together and plugged it in, what did we find? Boatloads of passwords,” he said.

On Linux, the Gnome Desktop Manager stores not only the login password in memory but other passwords as well, the researchers found. The researchers discovered passwords for the Thunderbird e-mail client and the secure shell (SSH) program. On Windows, Outlook stored its passwords in ASCII, while other programs — such as AOL Instant Messenger — stored passwords in Unicode.
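The practical lesson for developers is the one the researchers' scan relies on: a password that is still sitting in process memory as a plain ASCII or UTF-16LE string can be found with nothing more than a printable-string sweep of a memory image. The following Python script is an added example, not the DaisyDukes scripts or any code from the article. It implements a strings(1)-style sweep over a memory image in both encodings and checks whether a known test credential survives, which is the kind of regression check a developer can run against a dump of their own application to confirm that a secret buffer was actually wiped. The image, the secret `Hunter2-test`, and the `password=` / `pw:` labels are all constructed stand-ins.

```python
import re

# Constructed test credential; a real check would use a value planted in
# the application under test, not a production secret.
SECRET = "Hunter2-test"

# Printable-ASCII runs, and UTF-16LE runs (each printable byte followed by a
# NUL byte), at least 6 characters long, as strings(1) would extract them.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(image: bytes):
    """Return (encoding, byte offset, text) for every printable run in the image."""
    found = []
    for m in ASCII_RUN.finditer(image):
        found.append(("ascii", m.start(), m.group().decode("ascii")))
    for m in UTF16LE_RUN.finditer(image):
        found.append(("utf-16le", m.start(), m.group().decode("utf-16le")))
    return sorted(found, key=lambda t: t[1])


def find_secret(image: bytes, secret: str):
    """Byte offsets at which the known secret survives, grouped by encoding."""
    hits = {"ascii": [], "utf-16le": []}
    for enc, off, text in extract_strings(image):
        width = 1 if enc == "ascii" else 2  # bytes per character
        idx = text.find(secret)
        while idx != -1:
            hits[enc].append(off + idx * width)
            idx = text.find(secret, idx + 1)
    return hits


def leaks_secret(image: bytes, secret: str) -> bool:
    """True if the secret is recoverable from the image in either encoding."""
    return any(find_secret(image, secret).values())


def build_sample_image() -> bytes:
    """Constructed stand-in for a RAM dump (not a real capture).

    Layout: non-printable filler, an ASCII copy of the secret (as the article
    says Outlook kept it), more filler, a UTF-16LE copy (as AIM kept it), more
    filler, and finally a buffer that was zeroed after use.
    """
    filler = bytes([0x00, 0xFF, 0x10, 0x80]) * 64          # 256 bytes, nothing printable
    ascii_copy = b"password=" + SECRET.encode("ascii") + b"\x00"
    utf16_copy = ("pw:" + SECRET).encode("utf-16le") + b"\x00\x00"
    scrubbed = b"\x00" * len(SECRET)                        # correctly wiped buffer
    return filler + ascii_copy + filler + utf16_copy + filler + scrubbed


if __name__ == "__main__":
    image = build_sample_image()
    for enc, off, text in extract_strings(image):
        print(f"{enc:8s} @0x{off:06x}: {text!r}")
    print("secret offsets:", find_secret(image, SECRET))
    print("leaks secret:", leaks_secret(image, SECRET))
    print("leaks after wipe:", leaks_secret(b"\x00" * 64, SECRET))
```

The UTF-16LE branch is what catches the "Unicode" case the researchers describe: a naive single-byte search would miss `H\x00u\x00n\x00...`, so the scan extracts each encoding separately and converts the character index back to a byte offset with the encoding's width. Applied to a dump of a real process after a logout or credential-clear path, an empty result from `find_secret` is the evidence that the buffer was scrubbed rather than merely freed.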

Attacks aimed at dumping memory using an external drive can be made significantly harder by setting a BIOS password to prevent the system from automatically booting, the researchers said.

Source: Security Focus
