The claim behind this feature is that you can have a hidden encrypted file system that remains undetectable, so you can deny its existence if your drive is ever confiscated. Schneier and his co-authors show that this deniability is rather weak. Because the hidden volume is mounted and used from within a normal operating system (Windows, Linux, etc.), traces of its existence end up scattered across the unencrypted parts of the disk: swap files, temporary files, recent-document lists, and other remnants created by ordinary applications such as word processors.
Since the paper [PDF] came out, TrueCrypt has released version 6.0, which addresses many of the issues it raises. But the bottom line is that you shouldn't depend on the deniability feature. It's much safer to encrypt the entire disk, which ensures that sensitive data can't leak onto unencrypted portions of the file system in the first place. The one thing you give up with that approach is the ability to deny having anything encrypted at all.
The ironic part is that these vulnerabilities are in Ruby's interpreter itself, which is written in C. So it's really not all that surprising, considering how hard it is to write large, bug-free, secure C programs.
This is a cut-and-dried example of why the insider threat is such a major issue. I guess some companies need to learn the hard way: disable every account belonging to a terminated employee, and if that employee was an admin (or the IT director), rotate all the root and shared administrative passwords as well. Of course, this assumes the company actually keeps track of every account an employee might have, which is not easy. The important thing to remember is that this is more of a people/policy challenge than a technical one.
We all know that Windows can’t compete with Linux or UNIX when it comes to useful command line utilities (excluding Cygwin). But what most people don’t know is how many commands actually are available in Windows. If your job is to investigate intrusions on Windows machines, there are some nifty little command line tools that can help make your job easier.
This article by Ed Skoudis lists a few of them, with handy examples of how the commands might be used in a security investigation. He mostly talks about wmic, openfiles (which I had never heard of before), and netstat. Unless you’ve done recent Windows administration work, you’ve probably never had to use wmic, but it’s really powerful, with tons of options. Also, be sure to check out the second part of his article, which goes into more advanced command line tricks - like “for” loops and querying the registry.
A more comprehensive list, although less detailed, was published by Kevin Beaver. There is overlap, but Kevin mentions a few additional commands.
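To show how the commands from the two articles fit together, here is a small triage script that ties wmic, openfiles, netstat, reg query and a "for" loop into one pass over a suspect host. This is an added example written for this post, not code from Skoudis's or Beaver's articles; the file name triage.cmd and the choice of registry keys are my own assumptions, and it is meant to be run from an elevated cmd.exe.

```batch
@echo off
rem triage.cmd - added example for this post, not taken from either article.
rem Run from an elevated cmd.exe: wmic, openfiles and netstat -o need admin
rem rights to report on processes owned by other users.
setlocal enabledelayedexpansion

echo === Processes with parent PID and full command line (wmic) ===
rem parentprocessid lets you spot odd parent/child pairs (e.g. a shell spawned by
rem a service); commandline exposes arguments that tasklist never shows.
wmic process get name,processid,parentprocessid,commandline /format:csv

echo.
echo === Autostart entries (wmic startup + reg query) ===
wmic startup get caption,command,location /format:list
rem Assumption: the two classic Run keys are enough for a first pass; a full
rem persistence review would cover RunOnce, services and scheduled tasks too.
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

echo.
echo === Files opened over the network (openfiles) ===
rem Without "openfiles /local on" plus a reboot, only files opened through
rem shares by remote users are listed; local handle tracking is off by default.
openfiles /query /v

echo.
echo === Listening and established TCP sockets mapped to their image (netstat + for + tasklist) ===
rem netstat -nao = numeric addresses, all sockets, owning PID.  TCP lines have
rem five tokens (proto local foreign state pid); UDP lines have no state column,
rem so filtering on the state keeps the token positions stable.
for /f "tokens=1-5" %%a in ('netstat -nao ^| findstr /i "LISTENING ESTABLISHED"') do (
    set "owner=unknown"
    rem tasklist /fi filters on the PID; /fo csv /nh gives "image","pid",...
    rem and %%~p strips the quotes.  The INFO: line appears when nothing matches.
    for /f "tokens=1 delims=," %%p in ('tasklist /fi "pid eq %%e" /fo csv /nh ^| findstr /v /b "INFO:"') do set "owner=%%~p"
    echo %%a %%b -^> %%c %%d pid=%%e image=!owner!
)

endlocal
```

Read the last section alongside the wmic process listing: a socket whose owning image is svchost.exe is only as trustworthy as the command line and parent that wmic reports for that PID. Note that wmic is deprecated on current Windows releases and is no longer installed by default on the newest Windows 11 builds, so on those hosts the equivalent queries have to go through PowerShell's Get-CimInstance.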
Google has some good content about web security available on their Google Code University portal. There's introductory course material, and even some videos. The one titled "How to Break Web Software" is pretty interesting.