From diazrogelio en gmail.com Thu Oct 1 11:35:12 2009
From: diazrogelio en gmail.com (rogelio diaz)
Date: Thu, 1 Oct 2009 11:35:12 -0300
Subject: [LACNIC/Seguridad] Reverse PTR
In-Reply-To: <1f7c1f8479b19b2a6e1c99752255bcc4.squirrel@mail.velocom.com.uy>
References: <3E54CA37-2CBF-4B5E-BE89-16671C1D703C@utp.ac.pa> <1f7c1f8479b19b2a6e1c99752255bcc4.squirrel@mail.velocom.com.uy>
Message-ID: <9565be4a0910010735j1badbc41i7156a3bf571f60cd@mail.gmail.com>

The issue is this: you have to ask the ISP not only to delegate the IP block 200.11.30/24 but also the reverse. This is not a technical problem; it is an administrative matter on the provider's side. I hope this information doesn't arrive too late.

Regards

- DIAZ, Rogelio -
Front, Atencion Telefonica
Telefonica Empresas Grandes Clientes
catefront en telefonica.com.ar
rogeliod en teleperformance.com.ar

Before printing this e-mail, think carefully about whether it is necessary; the environment is everyone's concern.

This message is strictly confidential. It may contain information covered and protected by professional secrecy. If you have received this e-mail in error, please notify us immediately by replying to catefront en telefonica.com.ar and delete it from your system. The contents of this message must not be copied or disclosed to anyone. Thank you.

On September 24, 2009 at 18:11, Joaquin Sardas wrote:
> Hi Gerald,
>
> From the information provided, everything seems to indicate that the
> problem is that the reverse DNS delegation has not yet been configured in
> Lacnic's system.
>
> You can check it via the following link, entering the network in
> question, 200.11.30.0/24:
>
> http://lacnic.net/cgi-bin/lacnic/whois?lg=SP
>
> Somewhere the master and secondary DNS servers should be listed, with
> information in this format:
>
> nserver: NS1.INGIP.NET
> nsstat: 20090919 AA
> nslastaa: 20090919
> nserver: NS2.INGIP.NET
> nsstat: 20090919 AA
>
> (you can try entering another network and confirm that for 200.11.30.0/24
> the DNS servers do not appear, but for other networks they do)
>
> The recommended course is to log in to the system via:
>
> https://lacnic.net/cgi-bin/lacnic/stini?lg=SP
>
> and from there go to: Bloques -> [Deleg] --> AltDel, after which you
> should see the "Delegación Inversa de DNS" (Reverse DNS Delegation) section,
> with the "Master", "Slave1", "Slave2", etc. fields to fill in. You must enter
> at least 2 DNS servers that you use to resolve the reverse records (PTR) of
> the networks you manage. Once this is done and the change has propagated,
> what remains is to verify that your DNS servers are correctly configured to
> answer for the reverse records of the networks in question (e.g. zones of
> the form "30.11.200.in-addr.arpa").
>
> Regards,
> Joaquín.-
>
>
> > OK, if that is the case, how do I resolve the problem?
> >
> > On September 24, 2009 at 14:26, Jorge Evangelista <
> > netsecuredata en gmail.com> wrote:
> >
> >> Hi Gerald,
> >>
> >> Yes, it looks like LACNIC still has to point the PTRs to your DNS servers.
> >>
> >> # dig -x 200.11.30.1 +trace NS
> >> ; <<>> DiG 9.2.3 <<>> -x 200.11.30.1 +trace NS
> >> ;; global options: printcmd
> >> .   155392 IN NS D.ROOT-SERVERS.NET.
> >> .   155392 IN NS E.ROOT-SERVERS.NET.
> >> .   155392 IN NS F.ROOT-SERVERS.NET.
> >> .   155392 IN NS G.ROOT-SERVERS.NET.
> >> .   155392 IN NS H.ROOT-SERVERS.NET.
> >> .   155392 IN NS I.ROOT-SERVERS.NET.
> >> .   155392 IN NS J.ROOT-SERVERS.NET.
> >> .   155392 IN NS K.ROOT-SERVERS.NET.
> >> .   155392 IN NS L.ROOT-SERVERS.NET.
> >> .   155392 IN NS M.ROOT-SERVERS.NET.
> >> .   155392 IN NS A.ROOT-SERVERS.NET.
> >> .   155392 IN NS B.ROOT-SERVERS.NET.
> >> .   155392 IN NS C.ROOT-SERVERS.NET.
> >> ;; Received 496 bytes from 200.62.227.6#53(200.62.227.6) in 0 ms
> >> 200.in-addr.arpa. 86400 IN NS NS2.LACNIC.NET.
> >> 200.in-addr.arpa. 86400 IN NS SEC3.APNIC.NET.
> >> 200.in-addr.arpa. 86400 IN NS TINNIE.ARIN.NET.
> >> 200.in-addr.arpa. 86400 IN NS NS.LACNIC.NET.
> >> 200.in-addr.arpa. 86400 IN NS NS2.DNS.BR.
> >> 200.in-addr.arpa. 86400 IN NS NS-SEC.RIPE.NET.
> >> 200.in-addr.arpa. 86400 IN NS NS3.AFRINIC.NET.
> >> ;; Received 214 bytes from 128.8.10.90#53(D.ROOT-SERVERS.NET) in 126 ms
> >> 200.in-addr.arpa. 10800 IN SOA ns.lacnic.net.
> >> hostmaster.lacnic.net. 2009092415 1800 900 691200 10800
> >> ;; Received 118 bytes from 200.3.13.11#53(NS2.LACNIC.NET) in 148 ms
> >>
> >> According to the trace, your reverse records are managed by ns.lacnic.net
> >>
> >> Regards
> >>
> >>
> >> 2009/9/24 Gerald Lanzas
> >>
> >>> Joaquin, we also acquired an ASN (28072) together with the block 200.11.30.0/24,
> >>> which we are announcing via BGP, through our ISP, directly.
> >>>
> >>> Thanks in advance.
> >>>
> >>>
> >>> _______________________________________________
> >>> Seguridad mailing list
> >>> Seguridad en lacnic.net
> >>> https://mail.lacnic.net/mailman/listinfo/seguridad
> >>>
> >>
> >> --
> >> "The network is the computer"
> >>
>

From lsolis en entelnet.bo Mon Oct 5 16:57:34 2009
From: lsolis en entelnet.bo (Lia Solis)
Date: Mon, 05 Oct 2009 15:57:34 -0400
Subject: [LACNIC/Seguridad] Announcement: FIRST Technical Colloquium and CLCERT/FIRST Security Workshop
References: <4AC0BA5A.8090407@cec.uchile.cl>
Message-ID:

Dear Sergio,

I would be very grateful if you could clear up the following doubts for me:

Who can participate?
Is there a participation fee?
Does the registration form on the website serve as a kind of reservation?

Thanks in advance for your answers.

Kind regards
---------------------------------
Lia M. Solis M.
Datos IP - ENTEL S.A.
Fon.(+591-2) 2141010 Ext 3135
Cel. (+591) 72550576
E-mail: lsolis en entelnet.bo

----- Original Message -----
From: "Sergio Miranda"
To:
Sent: Monday, September 28, 2009 9:30 AM
Subject: [LACNIC/Seguridad] Announcement: FIRST Technical Colloquium and CLCERT/FIRST Security Workshop

FIRST ANNOUNCEMENT: FIRST Technical Colloquium and CLCERT/FIRST Security Workshop.
Santiago, October 20-23, 2009
http://www.clcert.cl/tc2009

From October 20 to 23, 2009, the FIRST Technical Colloquium and CLCERT/FIRST Security Workshop will be held in Santiago.

The FIRST Technical Colloquium (TC) is a meeting of computer security incident response teams (CSIRTs), mainly from the region but open to the participation of all FIRST members (http://www.first.org). Previous editions of the TC have taken place in Latvia (2009), Uruguay, Japan, the Czech Republic (2008), Peru, Malaysia, Qatar, the USA, Hungary (2007), etc. This is the first time the event is held in Chile.

Alongside the FIRST TC, the CLCERT/FIRST Security Workshop will take place, a meeting on information security intended to bring high-level speakers to the ICT community of Chile and the region. The Security Workshop will be open to the public and will feature international speakers and FIRST TC participants.

More information about the event and registration is available at http://www.clcert.cl/tc2009

------------------------------------------------------------------------
ORGANIZED BY:
FIRST - http://www.first.org
CLCERT - http://www.clcert.cl

SPONSORS:
NIC-Chile, Intel, Microsoft, Synapsis

SUPPORTED BY:
Gobierno de Chile, U. de Chile, Reuna

--
Sergio Edo.
Miranda
Area de Ingenieria - CEC
Universidad de Chile
fono: 9784328
fax: 6898902

From sem en cec.uchile.cl Mon Oct 5 18:12:49 2009
From: sem en cec.uchile.cl (Sergio Miranda)
Date: Mon, 05 Oct 2009 17:12:49 -0400
Subject: [LACNIC/Seguridad] Announcement: FIRST Technical Colloquium and CLCERT/FIRST Security Workshop
In-Reply-To:
References: <4AC0BA5A.8090407@cec.uchile.cl>
Message-ID: <4ACA6151.8030009@cec.uchile.cl>

Hello, I am replying to the list in case it is of interest to anyone else:

Lia Solis wrote:
> Dear Sergio,
>
> I would be very grateful if you could clear up the following doubts for me:
>
> Who can participate?

Any student or professional working in the area of computer security.

> Is there a participation fee?

The workshop (October 20 and 21) is free; we are releasing a second announcement with the preliminary agenda. On the last two days (October 22 and 23) the event is restricted to FIRST members.

> Does the registration form on the website serve as a kind of
> reservation?

Yes, by registering you guarantee a place at the event; we hope to have room for everyone interested.

Available for any questions, best regards,

--
Sergio Edo. Miranda
Area de Ingenieria - CEC
Universidad de Chile
fono: 9784328
fax: 6898902

From gonzalo en ti-bo.com Tue Oct 6 08:50:13 2009
From: gonzalo en ti-bo.com (Gonzalo GLR. Landaeta Rodriguez)
Date: Tue, 6 Oct 2009 07:50:13 -0400
Subject: [LACNIC/Seguridad] Announcement: FIRST Technical Colloquium and CLCERT/FIRST Security Workshop
Message-ID:

Sergio:

From Bolivia we are also following the emails; we will get more involved in the list.
Warm regards,

Gonzalo Landaeta Rodríguez
PRESIDENTE CBTI
Cámara Boliviana de Tecnologías de la Información
www.cbti.org.bo
trabajandoelfuturo

From francisco en arias.com.mx Fri Oct 9 13:23:41 2009
From: francisco en arias.com.mx (Francisco Arias)
Date: Fri, 9 Oct 2009 09:23:41 -0700
Subject: [LACNIC/Seguridad] Proposal to sign the DNS root without validation enabled for 6 months
Message-ID:

The proposal that IANA/ICANN and Verisign have put on the table on how to deploy the signing of the DNS root zone may be of interest. It has implications for the DNS resolvers of ISPs and for anyone else interested in doing DNSSEC validation.

Basically, they propose signing the root zone without publishing the key they signed with, publishing instead a dummy key (even with a message embedded for resolver administrators) for a period of 6 months (January to June 2010), during which the root servers would be added one by one to the publication of this signed zone.
The idea is that if problems arise, rolling back to an unsigned zone would be easier. Finally, on July 1, 2010, the real keys would at last be published and validation of the root could begin.

The message I attach contains the links to the presentations given at the RIPE meeting this week.

Regards,

fjac

---------- Forwarded message ----------
From: Jakob Schlyter
Date: 2009/10/8
Subject: Re: [dnssec-deployment] About "no validation" for DNS root signing strategy
To: DNSSEC deployment
Cc: Joe Abley , Thierry Moreau

On 8 okt 2009, at 18.14, Thierry Moreau wrote:

> How do you train the world that "bogus" (intermittent bogus since not all root nameservers will deploy at the same time) is fine until some date, and then once deployed, "bogus" is bogus?

The intention with the DURZ, the Deliberately Unvalidatable Root Zone, is that it should be obvious to everyone that it is not possible to validate the signatures. I do not know of any resolver that would try to validate signatures even though you do not have a trust anchor configured, so to get any sort of validation failure you have to actually configure the bad key.

We have considered using another algorithm identifier, but there are currently no experimental identifiers [1]. We did consider using a private algorithm, but decided that it could have other issues as well.

        jakob
(part of the design team together with Matt, Joe and others at ICANN/VeriSign)

[1] http://www.iana.org/assignments/dns-sec-alg-numbers/

plenary presentation: http://tr.im/B88b
dnswg presentation: http://tr.im/B87D

audio and transcripts soon available via http://rosie.ripe.net/.
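Returning to the reverse-delegation thread at the top of this archive (the 200.11.30.0/24 block, the "30.11.200.in-addr.arpa" zone and the dig +trace transcript): the following Python helper is an added example, not code from any message above. It derives the in-addr.arpa zone for a prefix and reads a dig +trace transcript to report whether the zone is delegated and to how many servers. The first transcript is abbreviated from the one quoted in the thread; the "after delegation" transcript and the ns1/ns2.example.net names are constructed.

```python
"""Reverse (in-addr.arpa) delegation check for an IPv4 prefix.

Derives the reverse zone for a prefix and reads a `dig -x <ip> +trace NS`
transcript to report where the referral chain stops.
"""
import ipaddress
import re

# "<owner> <ttl> IN <NS|SOA> <first rdata token>". dig's wrapped SOA continuation
# line ("hostmaster.lacnic.net. 2009092415 ...") has no "IN" in third position
# and is skipped, as are the ";; Received ..." comment lines.
RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|SOA)\s+(\S+)", re.IGNORECASE)

MIN_SERVERS = 2  # the RIR form asks for a master and at least one slave


def reverse_zone(cidr):
    """Single in-addr.arpa zone covering an octet-aligned IPv4 prefix (/8, /16, /24)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 IPv4 prefixes map to one in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_name(ip):
    """Owner name of the PTR record for one address, e.g. 1.30.11.200.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def delegation_status(zone, trace_output):
    """Classify a dig +trace transcript for `zone` (given without trailing dot).

    "delegated": an NS set for the zone itself appeared in the trace.
    "not delegated": the deepest NS set belongs to an ancestor (in the thread,
    200.in-addr.arpa. served by the RIR) and that ancestor's SOA ended the chain.
    """
    ns_by_owner = {}   # owner name -> list of NS targets
    soa_owners = []    # zones that answered with a SOA (end of the chain)
    for line in trace_output.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        owner, rtype, rdata = m.group(1).lower(), m.group(2).upper(), m.group(3).lower()
        if rtype == "NS":
            ns_by_owner.setdefault(owner, []).append(rdata)
        else:
            soa_owners.append(owner)

    target = zone.lower().rstrip(".") + "."
    if target in ns_by_owner:
        servers = sorted(set(ns_by_owner[target]))
        return {"status": "delegated", "answered_by": target, "servers": servers,
                "soa_from": soa_owners, "enough_servers": len(servers) >= MIN_SERVERS}

    ancestors = [o for o in ns_by_owner if o == "." or target.endswith("." + o)]
    deepest = max(ancestors, key=len) if ancestors else "."
    servers = sorted(set(ns_by_owner.get(deepest, [])))
    return {"status": "not delegated", "answered_by": deepest, "servers": servers,
            "soa_from": soa_owners, "enough_servers": False}


# Abbreviated from the transcript quoted in the thread (most root NS lines cut).
PAGE_TRACE = """\
; <<>> DiG 9.2.3 <<>> -x 200.11.30.1 +trace NS
;; global options: printcmd
.                       155392  IN      NS      D.ROOT-SERVERS.NET.
;; Received 496 bytes from 200.62.227.6#53(200.62.227.6) in 0 ms
200.in-addr.arpa.       86400   IN      NS      NS2.LACNIC.NET.
200.in-addr.arpa.       86400   IN      NS      SEC3.APNIC.NET.
200.in-addr.arpa.       86400   IN      NS      TINNIE.ARIN.NET.
200.in-addr.arpa.       86400   IN      NS      NS.LACNIC.NET.
200.in-addr.arpa.       86400   IN      NS      NS2.DNS.BR.
200.in-addr.arpa.       86400   IN      NS      NS-SEC.RIPE.NET.
200.in-addr.arpa.       86400   IN      NS      NS3.AFRINIC.NET.
;; Received 214 bytes from 128.8.10.90#53(D.ROOT-SERVERS.NET) in 126 ms
200.in-addr.arpa.       10800   IN      SOA     ns.lacnic.net.
                        hostmaster.lacnic.net. 2009092415 1800 900 691200 10800
;; Received 118 bytes from 200.3.13.11#53(NS2.LACNIC.NET) in 148 ms
"""

# Constructed: the same trace once the RIR publishes the delegation
# (ns1/ns2.example.net are placeholders, not the thread's servers).
CONSTRUCTED_TRACE = """\
.                       155392  IN      NS      D.ROOT-SERVERS.NET.
200.in-addr.arpa.       86400   IN      NS      NS.LACNIC.NET.
200.in-addr.arpa.       86400   IN      NS      NS2.LACNIC.NET.
30.11.200.in-addr.arpa. 86400   IN      NS      ns1.example.net.
30.11.200.in-addr.arpa. 86400   IN      NS      ns2.example.net.
;; Received 110 bytes from 200.3.13.11#53(NS2.LACNIC.NET) in 140 ms
"""

if __name__ == "__main__":
    zone = reverse_zone("200.11.30.0/24")
    print(zone, ptr_name("200.11.30.1"))
    for label, trace in (("as quoted in the thread", PAGE_TRACE),
                         ("after delegation (constructed)", CONSTRUCTED_TRACE)):
        print(label, delegation_status(zone, trace))
```

Against a live network, pipe the output of `dig -x <address> +trace NS` into delegation_status; a result of "not delegated" with the SOA coming from the RIR's parent zone is the symptom described in the thread.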
From alexandra en lacnic.net Tue Oct 13 11:17:11 2009
From: alexandra en lacnic.net (Alexandra Dans)
Date: Tue, 13 Oct 2009 12:17:11 -0200
Subject: [LACNIC/Seguridad] AMPARO Project: website and call for projects / Website and Call for Projects
Message-ID: <4AD48BE7.5070008@lacnic.net>

* Portuguese follows ** English will follow

The AMPARO project would like to announce the launch of its website: http://www.proyectoamparo.net

There you can find more detailed information about the purpose of the project and the planned activities, and visit the "call for projects" section. The call for information security research initiatives in the Latin America and Caribbean region opens on Wednesday, October 14, 2009: http://www.proyectoamparo.net/es/convocatoria-proyectos

-------------------------------------------------------------------------

The AMPARO project would like to announce the launch of its website: http://www.proyectoamparo.net/pt-br

You will be able to find more detailed information about the purpose of the project and the planned activities, and visit the "call for projects" section. The call for information security research initiatives in the Latin America and Caribbean region opens on Wednesday, October 14, 2009: http://www.proyectoamparo.net/pt-br/convoca-o-projetos

------------------------------------------------------------------------

The Amparo Project is launching its website: http://www.proyectoamparo.net/en

You will be able to get information about the purpose of the project and the planned activities, and to visit the "Call for projects" section, which will open tomorrow, October 14th 2009, for e-Security research projects in the Latin American and Caribbean region: http://www.proyectoamparo.net/en/call-projects

From carlos.martinez en csirt-antel.com.uy Tue Oct 27 13:35:09 2009
From: carlos.martinez en csirt-antel.com.uy (Carlos M.
Martinez)
Date: Tue, 27 Oct 2009 12:35:09 -0300
Subject: [LACNIC/Seguridad] Fwd: Evil Maid goes after TrueCrypt!
Message-ID: <4AE7132D.9080804@csirt-antel.com.uy>

Interesting read

Evil Maid goes after TrueCrypt!
via The Invisible Things Lab's blog by noreply en blogger.com (joanna) on 10/15/09

From time to time it's good to take a break from all the ultra-low-level stuff, like e.g. chipset or TXT hacking, and do something simple, yet still important. Recently Alex Tereshkin and I got some spare time and we implemented the Evil Maid Attack against TrueCrypt system disk encryption in the form of a small bootable USB stick image that allows one to perform the attack in an easy "plug-and-play" way. The whole infection process takes about 1 minute, and it's well suited to be used by hotel maids.

The Attack

Let's quickly recap the Evil Maid Attack. The scenario we consider is when somebody left an encrypted laptop e.g. in a hotel room. Let's assume the laptop uses full disk encryption like e.g. that provided by TrueCrypt or PGP Whole Disk Encryption. Many people believe, including some well known security experts, that it is advisable to fully power down your laptop when you use full disk encryption in order to prevent attacks via FireWire/PCMCIA or "Coldboot" attacks.

So, let's assume we have a reasonably paranoid user who uses full disk encryption on his or her laptop, and also powers it down every time they leave it alone in a hotel room, or somewhere else.

Now, this is where our Evil Maid stick comes into play. All the attacker needs to do is to sneak into the user's hotel room and boot the laptop from the Evil Maid USB Stick. After some 1-2 minutes, the target laptop gets infected with the Evil Maid Sniffer, which will record the disk encryption passphrase when the user enters it next time. As any smart user might have guessed already, this part is ideally suited to be performed by hotel maids, or people pretending to be them.
So, after our victim gets back to the hotel room and powers up his or her laptop, the passphrase will be recorded and e.g. stored somewhere on the disk, or maybe transmitted over the network (not implemented in the current version). Now we can safely steal/confiscate the user's laptop, as we know how to decrypt it. End of story.

Quick Start

Download the USB image here. In order to "burn" the Evil Maid use the following commands on Linux (you need to be root to do dd):

    dd if=evilmaidusb.img of=/dev/sdX

Where /dev/sdX should be replaced with the device representing your USB stick, e.g. /dev/sdb. Please be careful, as choosing a wrong device might result in damaging your hard disk or other media! Also, make sure to use the device representing the whole disk (e.g. /dev/sdb), rather than a disk partition (e.g. /dev/sdb1).

On Windows you would need to get a dd-like program, e.g. this one, and the command would look more or less like this one (depending on the actual dd implementation you use):

    dd if=evilmaidusb.img of=\\?\Device\HarddiskX\Partition0 bs=1M

where HarddiskX should be replaced with the actual device that represents your stick.

After preparing the Evil Maid USB stick, you're ready to test it against some TrueCrypt-encrypted laptop (more technically: a laptop that uses TrueCrypt system disk encryption). Just boot the laptop from the stick, confirm you want to run the tool (press "E") and the TrueCrypt loader on your laptop should be infected. Now, Evil Maid will be logging the passphrases provided during boot time. To retrieve the recorded passphrase just boot again from the Evil Maid USB -- it should detect that the target is already infected and display the sniffed password. The current implementation of Evil Maid always stores the last passphrase entered, assuming this is the correct one, in case the user entered the passphrase incorrectly at earlier attempts.
NOTE: It's probably illegal to use Evil Maid to obtain passwords from other people without their consent. You should always obtain permission from other people before testing Evil Maid against their laptops!

CAUTION: The provided USB image and source code should be considered proof-of-concept only. Use this code at your own risk, and never run it against a production system. Invisible Things Lab cannot be held responsible for any potential damages this code or its derivatives might cause.

How the Evil Maid USB works

The provided implementation is extremely simple. It first reads the first 63 sectors of the primary disk (/dev/sda) and checks (looking at the first sector) if the code there looks like a valid TrueCrypt loader. If it does, the rest of the code is unpacked (using gzip) and hooked. Evil Maid hooks the TC function that asks the user for the passphrase, so that the hook records whatever passphrase is provided to this function. We also take care of adjusting some fields in the MBR, like the boot loader size and its checksum. After the hooking is done, the loader is packed again and written back to the disk. You can get the source code for the Evil Maid infector here.

Possible Workarounds

So, how should we protect against such Evil Maid attacks? There are a few approaches...

1. Protect your laptop when you leave it alone

Several months ago I had a discussion with one of the TrueCrypt developers about possible means of preventing the Evil Maid Attack, perhaps using TPM (see below). Our dialog went like this (reproduced here with permission from the TrueCrypt developer):

TrueCrypt Developer: We generally disregard "janitor" attacks since they inherently make the machine untrusted. We never consider the feasibility of hardware attacks; we simply have to assume the worst. After an attacker has "worked" with your hardware, you have to stop using it for sensitive data.
It is impossible for TPM to prevent hardware attacks (for example, using hardware key loggers, which are readily available to average Joe users in computer shops, etc.)

Joanna Rutkowska: And how can you determine that the attacker has or has not "worked" with your hardware? Do you carry your laptop with you all the time?

TrueCrypt Developer: Given the scope of our product, how the user ensures physical security is not our problem. Anyway, to answer your question (as a side note), you could use e.g. a proper safety case with a proper lock (or, when you cannot have it with you, store it in a good strongbox).

Joanna Rutkowska: If I could arrange for a proper lock or an impenetrable strongbox, then why in the world should I need encryption?

TrueCrypt Developer: Your question was: "And how can you determine that the attacker has or has not worked with your hardware?" My answer was a good safety case or strongbox with a good lock. If you use it, then you will notice that the attacker has accessed your notebook inside (as the case or strongbox will be damaged and it cannot be replaced because you had the correct key with you). If the safety case or strongbox can be opened without getting damaged & unusable, then it's not a good safety case or strongbox. ;-)

That's a fair point, but this means that for the security of our data we must rely on the infeasibility of opening our strongbox lock in a "clean" way, i.e. without visibly damaging it. Plus it means we need to carry a good strongbox with us on every trip we take. I think we need a better solution...

Note that the TrueCrypt authors do mention the possibility of physical attacks in the documentation:

If an attacker can physically access the computer hardware and you use it after the attacker has physically accessed it, then TrueCrypt may become unable to secure data on the computer.
This is because the attacker may modify the hardware or attach a malicious hardware component to it (such as a hardware keystroke logger) that will capture the password or encryption key (e.g. when you mount a TrueCrypt volume) or otherwise compromise the security of the computer.

However, they do not explicitly warn users of the possibility of something as simple and cheap as the Evil Maid Attack. Sure, they write "or otherwise compromise the security of the computer", which does indeed cover e.g. the Evil Maid Attack, but my bet is that very few users would realize what it really means. The examples of physical attacks given in the documentation, e.g. modifying the hardware or attaching malicious hardware, are something that most users would disregard as too expensive an attack to be afraid of. But note that our Evil Maid attack is an example of a "physical" attack that doesn't require any hardware modification and is extremely cheap.

Of course it is a valid point that if we allow the possibility of a physical attack, then the attacker can e.g. install a hardware keylogger. But doing that is really not so easy, as we discuss in the next paragraph. On the other hand, spending two minutes to boot the machine from an Evil Maid USB stick is just trivial and is very cheap (the price of the USB stick, plus the tip for the maid).

2. The Trusted Computing Approach

As explained a few months ago on this blog, a reasonably good solution against the Evil Maid attack seems to be to take advantage of either the static or the dynamic root of trust offered by TPM. The first approach (SRTM) is what has been implemented in Vista Bitlocker. However Bitlocker doesn't try to authenticate to the user (e.g. via displaying a custom picture shot by the user, with the picture decrypted using a key unsealed from a TPM), so it's still possible to create a similar attack against Bitlocker, but with a somewhat different user experience.
Namely, the Evil Maid for Bitlocker would have to display a fake Bitlocker prompt (that could be identical to the real Bitlocker prompt), but after obtaining a correct password from the user Evil Maid would not be able to pass execution to the real Bitlocker code, as the SRTM chain would be broken. Instead, Evil Maid would have to pretend that the password was wrong, uninstall itself, and then reboot the platform. Thus, a Bitlocker user who is confident that he or she entered the correct password, but whose OS didn't boot correctly, should destroy the laptop.

The dynamic root of trust approach (DRTM) is possible thanks to Intel TXT technology, but currently there is no full disk encryption software that would make use of it. One can try to implement it using Intel's tboot and some Linux disk encryption, e.g. LUKS.

Please also note that even if we assume somebody "cracked" the TPM chip (e.g. using an electron microscope, or an NSA backdoor), that doesn't mean this person can automatically get access to the encrypted disk contents. This is not the case, as the TPM is used only for ensuring trusted boot. After cracking the TPM, the attacker would still have to mount an Evil Maid attack in order to obtain the passphrase or key. Without TPM this attack is always possible.

Are those trusted computing-based approaches 100% foolproof? Of course not. As signalled in the previous paragraph, if an attacker was able to mount a hardware-based keylogger into your laptop (which is non-trivial, but possible), then the attacker would be able to capture your passphrase regardless of the trusted boot. A user can prevent such an attack by using two-factor authentication (RSA challenge-response implemented in a USB token) or e.g. one-time passwords, so that there is no benefit for the attacker in capturing the keystrokes. But the attacker might go to the extreme and e.g.
replace the DRAM, or even the CPU, with malicious DRAM or CPU that would sniff and store the decryption key for later access. We're talking here about attacks that very few entities can probably afford (think NSA), but nevertheless they are theoretically possible. (Note that an attack that inserts a malicious PCI device to try to sniff the key using DMA can be prevented using TXT+VT-d technology).

However, just because the NSA can theoretically replace your CPU with a malicious one doesn't mean TPM-based solutions are useless. For the great majority of other people who do not happen to be on the Terrorist Top 10, these represent a reasonable solution that could prevent Evil Maid attacks and, when combined with proper two-factor authentication, also simple hardware based attacks, e.g. keyloggers, cameras, remote keystroke sniffing using lasers, etc. I really cannot think of a more reasonable solution here.

3. The Poor Man's Solution

Personally I would love to see TrueCrypt implementing TPM-based trusted boot for its loader, but, well, what can I do? Keep bothering TrueCrypt developers with Evil Maid attacks and hope they will eventually consider implementing TPM support...

So, in the meantime we have come up with a temporary poor man's solution that we use at our lab. We call it Disk Hasher. It's a bootable Linux-based USB stick that can be configured in quite a flexible way to calculate hashes of selected disk sectors and partitions. The correct hashes are also stored on the stick (of course everything is encrypted with a custom laptop-specific passphrase). We use this stick to verify the unencrypted portions of our laptops (typically the first 63 sectors of sda, and also the whole /boot partition in the case of Linux-based laptops where we use LUKS/dm-crypt).

Of course there are many problems with such a solution. E.g. somebody who can get access to my Disk Hasher USB (e.g.
when I'm in a swimming pool) can infect it in such a way that it would report correct hashes, even though the disk of my laptop would be "evilmaided"...

Another problem with the Disk Hasher solution is that it only looks at the disk, but cannot validate e.g. the BIOS. So if the attacker found a way to bypass the BIOS reflashing protection on my laptop, then he or she could install a rootkit there that would sniff my passphrase or the decryption key (in case I used one-time passwords).

Nevertheless, our Disk Hasher stick seems like a reasonable solution and we use it often internally at ITL to validate our laptops. In fact this is the most we can do, if we want to use TrueCrypt, PGP WDE, or LUKS/dm-crypt.

FAQ

Q: Is this Evil Maid Attack some l33t new h4ck?
Nope, the concept behind the Evil Maid Attack is neither new, nor l33t in any way.

Q: So, why did you write it?
Because we believe it demonstrates an important problem, and we would like more attention to be paid in the industry to solving it.

Q: I'm using two-factor authentication, am I protected against EM?
While two-factor authentication or one-time passwords are generally a good idea (e.g. they can prevent various keylogger attacks), they alone do not provide protection from Evil Maid-like attacks, because the attacker might modify his or her sniffer to look for the final decryption key (that would be calculated after the 2-factor authentication completes).

Q: How is Evil Maid different from Stoned-Bootkit?
The Stoned Bootkit, released a few months ago by an individual describing himself as "Software Dev. Guru in Vienna", is also claimed to be capable of "bypassing TrueCrypt", which we take to mean a capability to sniff TC's passphrases or keys.
Still, the biggest difference between Stoned Bootkit and Evil Maid USB is that in case of our attack you don?t need to start the victim's OS in order to install Evil Maid, all you need to do is to boot from a USB stick, wait about 1 minute for the minimal Linux to start, and then press ?E?, wait some 2 more seconds, and you?re done. With the Stoned Bootkit, according to the author?s description, you need to get admin access to the target OS in order to install it, so you either need to know the Windows admin password first, or use some exploit to get the installer executing on the target OS. Alternatively, you can install it from a bootable Windows CD, but this, according to the author, works only against unencrypted volumes, so no use in case of TrueCrypt compromise. Q: I've disabled boot from USB in BIOS and my BIOS is password protected, am I protected against EM? No. Taking out your HDD, hooking it up to a USB enclosure case and later installing it back to your laptop increases the attack time by some 5-15 minutes at most. A maid has to carry her own laptop to do this though. Q: What about using a HDD with built-in hardware-based encryption? We haven?t tested such encryption systems, so we don?t know. There are many open questions here: how is the passphrase obtained from the user? Using software stored on the disk or in the BIOS? If on the disk, is this portion of disk made read-only? If so, does it mean it is non-updatable? Even if it is truly read-only, if the attacker can reflash the BIOS , then he or she can install a passphrase sniffer there in the BIOS. Of course that would make the attack non-trivial and much more expensive than the original Evil Maid USB we presented here. Q: Which TrueCrypt versions are supported by the current Evil Maid USB? We have tested our Evil Maid USB against TrueCrypt versions 6.0a - 6.2a (the latest version currently available). Of course, if the ?shape? 
of the TrueCrypt loader changed dramatically in the future, then Evil Maid USB would require updating.

Q: Why did you choose TrueCrypt and not some other product?
Because we believe TrueCrypt is a great product, we use it often in our lab, and we would love to see it getting some better protection against such attacks.

Q: Why is there no TPM support in TrueCrypt?
The TrueCrypt Foundation published an official generalized response to TPM-related feature requests here.

Acknowledgments

Thanks to the ennead en truecrypt.org for all the polemics we had which allowed me to better gather my thoughts on the topic. The same thanks to Alex and Rafal, for all the polemics I have had with them (it's customary for ITL to spend a lot of time finding bugs in each other's reasoning).

From suender en ctbc.com.br Tue Oct 27 17:03:18 2009
From: suender en ctbc.com.br (suender en ctbc.com.br)
Date: Tue, 27 Oct 2009 16:03:18 -0300
Subject: [LACNIC/Seguridad] AUTOMATIC: Suender Batista Oliveira is out of the office (returns 03/11/2009)
Message-ID:

I will be out of the office until 03/11/2009

My friends,

I am away from 16/10 to 03/11/2009 on vacation. During this period my substitutes will be:

Security and SOC - Leonel Naves Paparotto (leoneln en ctbc.com.br)
Telecom IT Infrastructure - Fabrício de Sousa Pereira (fabricios en ctbc.com.br)
Management Systems - Pedro Victor Lourenço Fragola (pedrov en ctbc.com.br)
Matters related to service-layer management and escalations - Francisco Borges Buzatto (franciscob en ctbc.com.br)

NOTE: The platforms area is now part of CDS, so for any need please contact Rodrigo Borges de Almeida (rodrigoba en ctbc.com.br).
Note: this is an automatic reply to your message "[LACNIC/Seguridad] Fwd: Evil Maid goes after TrueCrypt!" sent on 10/27/09 12:35:09 PM. This is the only notification you will receive while this person is away.

From alexandra en lacnic.net Wed Oct 28 14:51:31 2009
From: alexandra en lacnic.net (Alexandra Dans)
Date: Wed, 28 Oct 2009 14:51:31 -0200
Subject: [LACNIC/Seguridad] 15 days until the close of the call for Security projects
Message-ID: <4AE87693.2040306@lacnic.net>

The AMPARO project (Strengthening Regional Capability for Security Incident Response in Latin America and the Caribbean) would like to remind you that 15 days remain before the close of the call for research projects on Security topics. For more information, visit: http://www.proyectoamparo.net/es/convocatoria-proyectos

--
Alexandra Dans
Institutional Cooperation Coordinator / Cooperation officer
LACNIC
Phone: +598 2 6042222 ext. 4131
Fax: +598 2 6042222 ext. 4112
Address: Rambla Rep. de México 6125 - 6127 C.P. 11400, Montevideo - Uruguay
website: www.lacnic.net; www.programafrida.net

From alexandra en lacnic.net Wed Oct 28 16:02:48 2009
From: alexandra en lacnic.net (Alexandra Dans)
Date: Wed, 28 Oct 2009 16:02:48 -0200
Subject: [LACNIC/Seguridad] 15 days left for e-Security research projects
Message-ID: <4AE88748.2020809@lacnic.net>

The call for e-Security research projects launched by the AMPARO project (Strengthening Regional Capability for Security Incident Response in Latin America and the Caribbean) will close in 15 days, on November 15th 2009. For more information, please visit: http://www.proyectoamparo.net/en/call-projects