Virus writers are becoming more devious and more intelligent. Unfortunately, that means many of their new approaches to spreading their work will get past even our best efforts to protect and lock down our systems. A new type of threat has been identified, although no specific virus that exploits it has been discovered yet.
In a paper published by Adi Shamir of the Weizmann Science Institute, in Rehovot, Israel, and Nicko van Someren of nCipher, Cambridge, U.K., a method for quickly and easily locating encryption keys and encrypted data is clearly described. The paper shows that private keys stored on a computer are relatively easy to find: most private keys are between 2 and 2048 bits long and are random enough to stand out as anomalies against the more orderly data that fills the rest of a hard drive.
In addition to locating the private keys themselves, the method can be adapted to find encrypted data. Malicious virus, worm, or Trojan developers could use it to locate encrypted data and transmit it to an online repository where code-breaking techniques can be applied to it. In most cases, the encrypted sections of a hard drive are precisely where the most valuable data lives.
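The statistical idea behind the paper is that key material and ciphertext have far higher entropy than the text, code and zero-filled blocks around them. The following is an added example, not code from the paper or from the author of this article: a simplified sliding-window Shannon-entropy scan (the paper's own heuristics differ in detail) that a defender can run over an image of a swap file or a temp directory to check whether stray key material is sitting there in the clear. The sample "disk image" and the seeded pseudo-random blob standing in for a key are constructed inside the block so it runs offline.

```python
import math
import random
from collections import Counter
from typing import List, Tuple


def shannon_entropy(window: bytes) -> float:
    """Return the Shannon entropy of a byte window in bits per byte.

    8.0 is the ceiling (every byte value equally likely); English text sits
    around 4 to 5 bits, and a long run of identical bytes scores 0.
    """
    n = len(window)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(window).values())


def find_high_entropy_regions(data: bytes, window: int = 256, step: int = 32,
                              threshold: float = 6.0) -> List[Tuple[int, int]]:
    """Slide a window over data and return merged (start, end) byte ranges
    whose entropy meets the threshold.

    Key material and ciphertext score close to 8.0, so they surface as
    islands inside ordinary, lower-entropy file content. The threshold sits
    below the roughly 7.3 bits a 256-byte random window scores so that
    windows only partly covering the key still register.
    """
    hits = []
    last = max(len(data) - window, 0)
    for off in range(0, last + 1, step):
        if shannon_entropy(data[off:off + window]) >= threshold:
            hits.append((off, off + window))
    # Merge overlapping windows into contiguous regions.
    merged: List[Tuple[int, int]] = []
    for start, end in hits:
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def build_sample() -> Tuple[bytes, int, int]:
    """Constructed test image: report text, a 512-byte pseudo-random blob
    standing in for a private key, more text, then a run of zeros.
    Returns the image and the key's (start, end) offsets. The seeded RNG
    keeps the sample reproducible (it is a stand-in, not a real key)."""
    rng = random.Random(1234)
    filler = b"Quarterly report: revenue flat, headcount unchanged. " * 20
    key = bytes(rng.getrandbits(8) for _ in range(512))
    image = filler + key + filler + b"\x00" * 1024
    return image, len(filler), len(filler) + len(key)


if __name__ == "__main__":
    image, key_start, key_end = build_sample()
    for start, end in find_high_entropy_regions(image):
        print(f"high-entropy region at bytes {start}-{end} "
              f"(entropy {shannon_entropy(image[start:end]):.2f} bits/byte)")
    print(f"planted key at {key_start}-{key_end}")
```

Run against a real image, the scan reports regions a few hundred bytes wider than the key itself, because windows that only partly overlap the key still clear the threshold; the point is that the key's neighbourhood is flagged at all, which is exactly what an auditor wants to know after an encrypted document has been opened and closed.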
There are a few ways to take preventive measures against these types of theoretical attacks. Waiting until real-world exploitation of these findings is discovered is poor security management.
First, never store private keys on your
Second, when you must use encryption to protect files, encrypt the entire hard drive. If your system is ever violated by an encryption-stealing worm, the more data it has to handle, the more likely it is to fail at transmitting the treasure and the more likely your auditing system is to notice the activity. In effect you are overloading the malicious code, which would have had no problem with a 100KB file but cannot process a 10GB block of data.
Third, use a secure deletion utility. Storing your private keys on removable media does not guarantee that they are not temporarily stored on your system while in use. The most common problem is a private key being written to the paging file and not properly removed. To remedy this, always clear the paging file at shutdown and delete any backup or temporary files that may have been created when you opened the encrypted file (for example, by Microsoft Word).
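The third recommendation combines two actions: overwrite scratch files rather than merely unlinking them, and sweep up the backup and temporary files an application leaves behind. The following is an added example written for this page, not a utility from the author or from nCipher. It overwrites a file with random bytes, forces the write to disk and then removes it, and applies that to files matching a list of assumed temporary-file name patterns (the "~$" and "~WRL" prefixes are the conventions commonly seen with Word documents; the patterns are assumptions to adjust for your own environment). The demo directory and its files are constructed inside the block.

```python
import fnmatch
import os
import secrets
import tempfile
from typing import List, Tuple


def overwrite_and_delete(path: str, passes: int = 1) -> bool:
    """Overwrite a file with random bytes, force them to disk, then unlink it.

    Returns True if the file existed and was removed. This defeats simple
    undelete on media that rewrites blocks in place; journaling or
    copy-on-write filesystems and SSD wear levelling can keep the old
    blocks, so treat it as a reduction of exposure, not a guarantee. The
    paging file itself must be cleared by the operating system at shutdown.
    """
    if not os.path.isfile(path):
        return False
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, 64 * 1024)
                f.write(secrets.token_bytes(chunk))
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)
    return True


# Assumed naming conventions for the scratch files an office suite leaves
# behind while a document is open (Word-style "~$" owner files and "~WRL"
# autosave copies, plus generic backups). Adjust to what you observe.
DEFAULT_PATTERNS = ["~$*", "~WRL*.tmp", "*.bak"]


def sweep_temp_files(directory: str,
                     patterns: List[str] = DEFAULT_PATTERNS) -> List[str]:
    """Securely delete every file under directory whose name matches one of
    the patterns. Returns the full paths that were removed."""
    removed = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if any(fnmatch.fnmatch(name, p) for p in patterns):
                full = os.path.join(root, name)
                if overwrite_and_delete(full):
                    removed.append(full)
    return removed


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: a scratch directory holding a document, its
    lock and autosave files, and an unrelated note. Returns the sorted
    names that were removed and the sorted names left behind."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in [("report.doc", b"document body"),
                           ("~$report.doc", b"owner/lock file"),
                           ("~WRL0001.tmp", b"autosave copy of the open document"),
                           ("notes.txt", b"unrelated file, must survive")]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        removed = sorted(os.path.basename(p) for p in sweep_temp_files(d))
        remaining = sorted(os.listdir(d))
    return removed, remaining


if __name__ == "__main__":
    removed, remaining = demo()
    print("removed:  ", removed)
    print("remaining:", remaining)
```

The sweep deliberately matches on names only; pairing it with an entropy scan of the same directory would additionally catch scratch files whose names do not follow the expected pattern but whose contents look like key material.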
For more information, see the paper "Playing hide and seek with stored keys" at http://www.ncipher.com/products/rscs/downloads/whitepapers/keyhide2.pdf.
James Michael Stewart is a researcher and writer for Lanwrights, Inc.
This was first published in July 2002