secure data export


Orna Agmon Ben-Yehuda ladypine at gmail.com
Sat Jun 25 17:51:35 IDT 2011


On Fri, Jun 24, 2011 at 4:54 AM, Shachar Shemesh <shachar at shemesh.biz> wrote:

> On 24/06/11 00:35, Orna Agmon Ben-Yehuda wrote:
>
>> Hello all security experts,
>
> Hiya,
>
>
>> I would like to export data from a machine on a business's internal
>> network on a safe media, such that only the files I want exported are on the
>> media. Specifically, I consider the possibility that the machine may already
>> be infected by a malware which adds business-sensitive data to all outgoing
>> media, and would like to defend against such a theoretical malware. The
>> question may be limited to text files.
>>
>> Things already considered:
>> *The media is a CD, which will be written and then finalized. No USB
>> devices.
>> *An artificial file will be added to the data file, to fill the media as
>> much as possible. This, however, leaves a part of the disk capacity unused -
>> the part used for the structure table (what used to be FAT), which is a
>> place where additional data can hide.
>
> Don't see how that helps.
>

The point of the additional file is to leave little room for anything else.
Regarding the FAT place: assuming the CD ends up on an infected machine, or
falls into the wrong hands (example: you want to make your client an offer
on a CD, but you do not wish to give the client info about other offers you
made; in this case the wrong hands are exactly the hands the CD goes to),
the infected internal machine and the infected external machine agree on the
interpretation of the extra space in the table sectors, and may communicate
information through it.

>
>> *The CD will be read in two different machines, with two different
>> operating systems.
>
> Try "copied". The CD will be burned on one machine. Only the relevant files
> copied to another CD on a second machine, and again on a third machine. If
> any of these machines are not infected then only the information you think
> is there will actually be there.
>
>> One of the systems will be a bootable linux disk, to preserve its
>> (hopefully) initial not-infected status. The listing of files will be
>> performed including hidden files (ls -la in Linux). The person who wrote the
>> files will read them, to verify they contain the correct information.
>
> If you copy the files rather than only read the disc, this step becomes,
> thankfully, unneeded.
>
> I think you misstated your security concerns, though. Assuming I can guess
> the reason for this requirement, I think you will not be able to satisfy
> yourself that the same unknown that has infected your computer has not also
> infected the Linux image you are booting from or the USB controller that
> does the actual writes. Depending on your level of paranoia (and when it
> comes to such scenarios, "paranoia" is the only conceivable description), I
> would suggest the following:
>
> The only way to avoid going into a loop over what an infinite resources
> theoretical attacker might do is to use a media that can have no room for
> hitchhiking information. My suggestion - print it out and OCR it on another
> machine. I seem to recall a distant story about PGP writing a program that
> did OCR helping during the printing (MD5 of the line, or something like
> that), but I doubt your paranoia will not suspect that that very same
> program also puts in unwanted information into that area.
>
> Of course, you might still claim that the virus will use one dot errors
> (either black pixels where white ones should have been or vice versa) in
> order to leak information out. Some careful math can put a limit on just how
> much information can leak this way before the dots themselves become
> noticeable, and hopefully we can prove that not enough information can leak
> to pose a real risk (i.e. - decide that the attacker can get all the
> information she wants that can fit inside 10 bytes, and we can live with
> that).
>
> Shachar
>
>> Questions:
>> What else should I do?
>> What about a malware compressing the data, using the extra space for
>> additional data?
>> If I compress the data to avoid further compression, how can the person
>> verify it contains exactly what it should?
>> What can I not defend against?
>> Are such malware as I imagine known? For Linux? Windows?
>>
>> Thanks for considering the problem,
>> --
>> Orna Agmon Ben-Yehuda.
>> http://ladypine.org
>
>
> _______________________________________________
> Linux-il mailing list
> Linux-il at cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>
>
>
> --
> Shachar Shemesh
> Lingnu Open Source Consulting Ltd.
> http://www.lingnu.com
>
>


-- 
Orna Agmon Ben-Yehuda.
http://ladypine.org