secure data export

Shachar Shemesh shachar at shemesh.biz
Fri Jun 24 04:54:02 IDT 2011


On 24/06/11 00:35, Orna Agmon Ben-Yehuda wrote:
> Hello all security experts,
>
Hiya,

> I would like to export data from a machine on a business's internal 
> network on a safe media, such that only the files I want exported are 
> on the media. Specifically, I consider the possibility that the 
> machine may already be infected by a malware which adds 
> business-sensitive data to all outgoing media, and would like to 
> defend against such a theoretical malware. The question may be limited 
> to text files.
>
> Things already considered:
> *The media is a CD, which will be written and then finalized. No USB 
> devices.
> *An artificial file will be added to the data file, to fill the media 
> as much as possible. This, however, leaves a part of the disk capacity 
> unused - the part used for the structure table (what used to be FAT), 
> which is a place where additional data can hide.
Don't see how that helps.
> *The CD will be read in two different machines, with two different 
> operating systems.
Try "copied". The CD will be burned on one machine. Only the relevant 
files copied to another CD on a second machine, and again on a third 
machine. If any of these machines are not infected then only the 
information you think is there will actually be there.
> One of the systems will be a bootable linux disk, to preserve its 
> (hopefully) initial not-infected status. The listing of files will be 
> performed including hidden files (ls -la in Linux). The person who 
> wrote the files will read them, to verify they contain the correct 
> information.
If you copy the files rather than only read the disc, this step becomes, 
thankfully, unneeded.

I think you mis-stated your security concerns, though. Assuming I can 
guess the reason for this requirement, I think you will not be able to 
satisfy yourself that the same unknown that has infected your computer 
has not also infected the Linux image you are booting from or the USB 
controller that does the actual writes. Depending on your level of 
paranoia (and when it comes to such scenarios, "paranoia" is the only 
conceivable description), I would suggest the following:

The only way to avoid going into a loop over what an infinite-resources 
theoretical attacker might do is to use a medium that can have no room 
for hitchhiking information. My suggestion - print it out and OCR it on 
another machine. I seem to recall a distant story about PGP writing a 
program that did OCR helping during the printing (MD5 of the line, or 
something like that), but I doubt your paranoia will not suspect that 
that very same program also puts in unwanted information into that area.

Of course, you might still claim that the virus will use one-dot errors 
(either black pixels where white ones should have been or vice versa) in 
order to leak information out. Some careful math can put a limit on just 
how much information can leak this way before the dots themselves become 
noticeable, and hopefully we can prove that not enough information can 
leak to pose a real risk (i.e. - decide that the attacker can get all 
the information she wants that can fit inside 10 bytes, and we can live 
with that).

Shachar

> Questions:
> What else should I do?
> What about a malware compressing the data, using the extra space for 
> additional data?
> If I compress the data to avoid further compression, how can the 
> person verify it contains exactly what it should?
> What can I not defend against?
> Are such malware as I imagine known? For Linux? Windows?
>
> Thanks for considering the problem,
> -- 
> Orna Agmon Ben-Yehuda.
> http://ladypine.org
>
>
> _______________________________________________
> Linux-il mailing list
> Linux-il at cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il



-- 
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com
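An added example (not from the thread, and not code by either poster) of the "copy rather than read" step Shachar suggests: stage only an explicit allowlist of files, record their hashes, and then check that the staged medium contains exactly those files and nothing else, hidden files included. The scenario below is constructed: a source tree with one wanted file and one hidden "hitchhiker", and a second hitchhiker dropped onto the staged copy to show what the verification reports.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def export_allowlist(src_dir, allowlist, dst_dir):
    """Copy exactly the allowlisted files (paths relative to src_dir) into
    dst_dir and return a manifest {relative_path: sha256} of what was copied.
    copyfile() copies content only, so no metadata rides along."""
    os.makedirs(dst_dir, exist_ok=True)
    manifest = {}
    for rel in allowlist:
        src = os.path.join(src_dir, rel)
        dst = os.path.join(dst_dir, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copyfile(src, dst)
        manifest[rel] = sha256_file(dst)
    return manifest


def list_all_files(root):
    """Every file below root, hidden ones included (the 'ls -la' check)."""
    found = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            found.add(os.path.relpath(os.path.join(dirpath, name), root))
    return found


def verify_export(dst_dir, manifest):
    """Return a sorted list of discrepancies between the staged tree and the
    manifest: unexpected files, missing files, and content mismatches.
    An empty list means the medium holds exactly what the manifest says."""
    problems = []
    present = list_all_files(dst_dir)
    expected = set(manifest)
    for extra in sorted(present - expected):
        problems.append(f"unexpected file: {extra}")
    for missing in sorted(expected - present):
        problems.append(f"missing file: {missing}")
    for rel in sorted(expected & present):
        if sha256_file(os.path.join(dst_dir, rel)) != manifest[rel]:
            problems.append(f"hash mismatch: {rel}")
    return problems


def demo():
    """Constructed scenario (hypothetical file names): returns the verification
    result for a clean staging tree and for one with an added hitchhiker."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(src)
        with open(os.path.join(src, "report.txt"), "w") as f:
            f.write("quarterly figures\n")
        with open(os.path.join(src, ".hidden_leak"), "w") as f:
            f.write("this must not reach the medium\n")

        stage = os.path.join(tmp, "cd1")
        manifest = export_allowlist(src, ["report.txt"], stage)
        clean = verify_export(stage, manifest)

        # Simulate a file that appeared on the medium after staging.
        with open(os.path.join(stage, ".hitchhiker"), "w") as f:
            f.write("unexpected content\n")
        tainted = verify_export(stage, manifest)
        return clean, tainted


if __name__ == "__main__":
    print(demo())
```

The manifest is what travels to the second and third machine: each hop re-runs verify_export on its own copy, so an extra file or a changed file surfaces on any hop whose host is clean. The check covers the file system view only; it says nothing about data hidden in unused sectors or in the disc structure, which is the gap the thread's printing suggestion addresses.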

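An added worked calculation (not from the thread) of the bound Shachar refers to for the print-and-OCR route: if at most k pixels on a page of n pixels can be flipped without the dots becoming noticeable, the number of distinguishable flip patterns is the sum of C(n, i) for i from 0 to k, so no encoding can carry more than log2 of that sum in bits. The page geometry (600 dpi on a letter-size sheet) and the flip threshold are assumptions chosen for illustration.

```python
import math


def max_leak_bits(n_pixels, max_flips):
    """Upper bound, in bits, on what one page can carry through at most
    max_flips flipped pixels out of n_pixels. It counts distinguishable
    patterns (sum of C(n, i), i = 0..k), so it holds for any encoding."""
    if n_pixels < 0 or max_flips < 0:
        raise ValueError("counts must be non-negative")
    k = min(max_flips, n_pixels)
    patterns = sum(math.comb(n_pixels, i) for i in range(k + 1))
    return math.log2(patterns)  # math.log2 accepts arbitrarily large ints


def max_unnoticed_flips(n_pixels, budget_bits):
    """Largest flip count k for which the per-page leak bound still fits in
    budget_bits. Beyond this, the attacker needs visibly more dots."""
    k = 0
    while k < n_pixels and max_leak_bits(n_pixels, k + 1) <= budget_bits:
        k += 1
    return k


def leak_bound_per_page(dpi=600, width_in=8.5, height_in=11.0, max_flips=3):
    """Pixel count and leak bound for an assumed page geometry (letter, 600 dpi)."""
    n = int(dpi * width_in) * int(dpi * height_in)
    return n, max_leak_bits(n, max_flips)


if __name__ == "__main__":
    n, bits = leak_bound_per_page()
    print(f"{n} pixels, <= {bits:.1f} bits per page with 3 stray dots")
    print("stray dots per page within a 10-byte budget:",
          max_unnoticed_flips(n, 80.0))
```

At 600 dpi a letter page has 33,660,000 pixels; three stray dots per page bound the leak at about 72 bits, and a fourth dot pushes it past 80 bits, the "10 bytes" figure from the post. The bound is per page, so a multi-page export multiplies it, and it only models single-pixel flips; choosing the threshold k (how many stray dots a reader would actually notice) is the part that has to be decided by inspection rather than arithmetic.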