Thursday, October 22, 2009

Worried About The Evil Maid?

Joanna Rutkowska's "Evil Maid" TrueCrypt attack has been getting a lot of buzz in security circles today. In essence, the attack compromises the trust that TrueCrypt (and the user) places in the boot process. An evil maid (or other ne'er-do-well) exploits their physical access to a machine, and that machine's ability to boot from external media such as a USB device, to add a keylogger or other trojan to the boot sector or firmware. That addition captures the presumably unchanging decryption key that the user enters to access their filesystem.

Am I particularly concerned about this as an attack against my organization's resources? Of course not!

We do use encryption on our mobile systems - not TrueCrypt, but the caution applies to the concept as a whole, not only to Rutkowska's specific implementation of the attack. With that said, a simple risk assessment stands us in good stead. Is our data so valuable, or are maids so twisted, that we have to worry about them attempting to access our laptops, which (hopefully) we lock in safes in hotel rooms or otherwise appropriately protect? No - none of the people that I work with are in Her Majesty's Secret Service, or otherwise likely to be high-value targets.

The good news is that Rutkowska's implementation of this attack is a useful reminder that our trust in enterprise drive encryption is, like any other technological solution in our daily security war, simply a stage in the escalation of tools.

Years ago, we recommended passwords on laptops. Then, legislation and more technically aware users pushed us to drive encryption. Next, as attacks like this become more widely accessible, we'll worry about how to use TPM, drive hashing, two-factor authentication, or other technologies that can guarantee the state of a system between uses. For now, I'm far more worried about malware installed on systems either via a vulnerability or a user's mistake. Why? Because our drive encryption efforts do nothing once the drive is unlocked for the user's daily work.
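As an added example (not code from the original post), here is the "drive hashing" idea above reduced to its core: record per-sector hashes of the boot region while booted from trusted media, then compare later captures of that region against the stored baseline. The 63-sector region, the disk image layout and the simulated modification are all constructed assumptions.

```python
import hashlib

SECTOR = 512
BOOT_SECTORS = 63  # assumption: MBR plus the pre-partition gap where stage-2 loaders live

def region_hashes(image: bytes, sectors: int = BOOT_SECTORS) -> dict:
    """Return {sector_index: sha256 hex} for each sector of the boot region."""
    return {
        i: hashlib.sha256(image[i * SECTOR:(i + 1) * SECTOR]).hexdigest()
        for i in range(sectors)
    }

def changed_sectors(baseline: dict, current: dict) -> list:
    """Sectors whose current hash differs from the trusted baseline."""
    return sorted(i for i, h in baseline.items() if current.get(i) != h)

def make_clean_image() -> bytes:
    """Constructed stand-in for the first BOOT_SECTORS sectors of a laptop disk."""
    img = bytearray(BOOT_SECTORS * SECTOR)
    img[0:17] = b"BOOTLOADER-STAGE1"            # pretend stage-1 loader code
    img[510:512] = b"\x55\xaa"                  # MBR boot signature
    img[SECTOR:SECTOR + 12] = b"STAGE2-CODE!"   # pretend stage-2 loader
    return bytes(img)

def simulate_modification(image: bytes, sector: int, patch: bytes) -> bytes:
    """Overwrite part of one sector so the detector has something to find (test aid)."""
    img = bytearray(image)
    off = sector * SECTOR
    img[off:off + len(patch)] = patch
    return bytes(img)

def check(image: bytes, baseline: dict) -> tuple:
    """(ok, changed_sector_list) for a captured boot region against the baseline."""
    changed = changed_sectors(baseline, region_hashes(image))
    return (len(changed) == 0, changed)

if __name__ == "__main__":
    clean = make_clean_image()
    baseline = region_hashes(clean)  # record from trusted media, store off-device
    print(check(clean, baseline))    # (True, [])
    print(check(simulate_modification(clean, 3, b"LOGGED-KEYS"), baseline))  # (False, [3])
```

A check like this only means something when it runs from media you trust; a tampered boot chain can lie to tools run from the compromised system, which is why TPM-measured boot is the more robust form of the same idea.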

For your daily security efforts, you can likely worry about much more immediate security concerns - and in the meantime, if your maid cackles evilly and speaks in l33t, you may want to guard your USB ports.
