Security through obscurity

Protecting your identity online using anonymity

It seems like every week the newspapers are filled with horror stories of people’s identities being stolen, of millions of credit card numbers being stolen, of lives being ruined. People have been buying and selling goods and services literally since the dawn of humankind; so what has changed to cause this sudden massive increase in fraud? How are the purchasing habits of people today creating such opportunities for identity theft? What can we learn from the past to protect ourselves?

Identity Theft

Identity theft is when another person can take unauthorized actions that you become liable for. In modern societies, your identity consists of the documentation that uniquely identifies you. The scope of identity theft can vary from the ability to make unauthorized charges on your credit card, the ability to apply for unemployment, the ability to apply for new credit cards or loans, to the ability to apply for death benefits. The key issue is that making purchases today requires identifying yourself as part of the transaction. The act of identification allows for your information to be stolen and used for unauthorized purchases.

Money

So what is money anyway? It appears that money spontaneously arises in barter economies as society converges on a few key goods that meet the three requirements of money. Any object or token that can act as a store of value, a medium of exchange, and a unit of account may be used by a society as money. In addition to the three requirements, it is desirable that the object or token being used as money be difficult to counterfeit, be easily divisible, be easily transportable, be fungible, and be scarce.

So money is any object or token that people are willing to use to transact an exchange of goods and services. It is the people’s trust in the object or token, and not some government’s mandate, that determines its value. It all comes down to trust, and money rests on one of two forms of it. Fiat money, created by government entities for use under threat of force, typically has minimal inherent value. The value of the object or token in relation to the goods and services being transferred is determined by the faith people have in the government to act in a rational and ethical manner. Since money must be scarce to have value, the ability of a government to print more money than the nation's buying power or Gross Domestic Product (GDP) can support can, and often does, lead to inflation. Since inflation devalues the object or token representing money, fiat money typically fails the requirement that it be a store of value, which can be seen in the poor savings rate of the average American. Why own cash (savings) if its value diminishes over time?

If fiat money depends on a rational government for its ability to act as a store of value, then the only other alternative is commodity money. Commodity money is where the object or token of exchange has its own inherent value. Its value varies in relation to its perceived value versus the perceived value of the object being exchanged. Traditionally, gold and silver have met the three requirements of an object to be used as money and have long been seen as a hedge against the vagaries of governments.

Anonymity

Being unknown. Being anonymous means keeping your identity hidden or protected. A strict definition of anonymity means that the parties to each transaction remain unknown to the point that it is impossible to know whether two parties have had multiple transactions. An anonymous individual who walks into a store and buys a pack of gum is only anonymous if there is no way to know whether the individual has ever been in that store before. While strict anonymity is preferable for some transactions, to protect the individuals involved, most transactions favor pseudonymity, the use of a pseudonym. The use of a pseudonym allows an individual or an entire group to hide their real identity behind a single pseudonym. Pseudonymity allows for the creation of social networks that protect the true identity of individuals while still allowing the pseudonym to gain trust through its interactions with others.

The purchase

Now that the basic principles behind identity theft and money have been explored, how does this relate to secure purchasing on the internet? The traditional business transaction since the dawn of humankind has been two individuals coming together in a buy-sell arrangement and completing the transaction using a mutually trusted medium of exchange, e.g., a person purchases a pack of gum from another person using money. The value of the gum in relation to the money is based on the trust the parties have in the money, not in each other. The purchase price is the relation of the worth of the gum to the perceived worth of the money. At no time does the identity of either party matter, because the transaction is based on the perceived worth of the items being exchanged.

The flaw in Internet purchases that leads to identity theft is the fact that money isn’t used. Let’s repeat that. Money isn’t used to purchase products today – credit cards or debit cards are. Credit cards are a promise to pay later using money. Since the seller is only left with a promise of payment, who the buyer is matters. Can they pay? Who are they? Can they be found? Do they have a history of non-payment?

Solutions

Now that the root cause of identity theft has been highlighted, what are the solutions? Either a solution that allows for the creation of a pseudonym to limit identity exposure or a true electronic cash system allowing for anonymous transactions should be used.

A pseudonymous system would be one where the underlying transaction still requires the promise of payment, but the trust issue is shifted from the buyer to a trusted third party. An example would be either a prepaid anonymous debit card or a single-use credit card number. Either allows for some degree of protection.

A prepaid anonymous debit card becomes a bearer instrument where both parties' trust is shifted and limited. The buyer limits exposure to theft and fraud by determining how much money to entrust to the prepaid card, and the seller's trust in the buyer is shifted to trust in the institution providing the card.

A single-use credit card number leverages an existing promise arrangement with a third-party institution into a single transaction. The buyer requests a single-use card number tied to an existing credit account for the purchase price of the goods from the seller. The card number is only good for a single transaction up to the requested amount. The buyer then provides the seller with all the information required plus the single-use number. This allows the buyer to limit exposure to a predetermined amount. If the card number is stolen in transit, the loss is limited to a single, one-time loss of the requested amount.

While both of these systems, which are in use today, provide limited protection from identity theft by minimizing loss from existing credit lines, they don’t protect from the other forms of identity theft. Once enough personal information is disclosed, it is possible for third parties to acquire new lines of credit in your name. The only solution is to limit credit card transactions to trusted businesses.

A true electronic money system is one that meets the three requirements of money. Either the electronic object or token being used as money has a perceived inherent value, such as commodity money, or it acts as fiat money where the object or token is backed by a trusted entity. E-gold is an example of a commodity money system where the electronic tokens are backed by a commodity good: gold. The Octopus card is an example of a fiat money system. Both systems work and allow anonymous transactions because the transaction is based on the exchange of items of perceived equal worth.

"It is well enough that people of the nation do not understand our banking and monetary system, for if they did, I believe there would be a revolution before tomorrow morning."
- Henry Ford

Microsoft Encrypted File System - Digital Forensic Analysis

Overview

Microsoft has provided its customers with the ability to protect their sensitive files using its Encrypting File System (EFS). EFS allows for the transparent encryption and decryption of sensitive files and is billed as a solution to protect documents in the event of the physical compromise of a computer. This article will show that it is possible to forensically recover documents protected with EFS without resorting to breaking its encryption.

What is EFS?

EFS is an additional technology added to Microsoft’s New Technology File System (NTFS) beginning with Microsoft Windows 2000. It allows for the transparent encryption and decryption of protected files with minimal additional effort required by the end user.

Purpose

The purported purpose of EFS is to protect files from unauthorized access beyond the protection provided by the standard NTFS file permissions. This means that EFS should protect the document from unauthorized access even in the event that the system is compromised or stolen. The basic line of thinking is that even if you cannot stop unauthorized individuals from gaining access to the file itself, EFS will still protect the contents of the file.

How EFS works

EFS uses a hybrid of both symmetric and asymmetric encryption algorithms. A detailed look at the internals of EFS can be found here.

It is important to note, as the conclusion highlights, that in order to access the encrypted files, each user’s public/private key pair is stored on the local computer in the user's profile directory.

What is digital forensic analysis?

Digital forensic analysis, also known as computer forensic analysis, is the process of examining digital media for evidence. Digital media can consist of:

  • computer hard drives,
  • cell phones,
  • CD-ROMs,
  • floppy disks,
  • USB thumb drives, etc.

Computers only do what they are told, and the traces of their activity are left on the computer’s storage areas: cause and effect, actions and evidence. So, analysis of digital media provides evidence of an individual's actions and, when combined with evidence gathered in a larger investigation, can show if and how someone lied, cheated or planned out an action. Those who try to hide their actions using encryption only end up showing they felt they had something to hide.

Test plan

So how effective is EFS at keeping protected files away from prying eyes? This test will only focus on how effective EFS is at hiding information. There will not be any attempt to break EFS, just to work around it. All encryption can be broken; it’s just a matter of time.

The test plan will consist of:

  1. Create an unencrypted document that we will then encrypt.
  2. Create a document that should be immediately encrypted.
  3. Analyze the hard drive and find the encrypted files.

Create evidence

To make sure that no stray files can cloud the results, the test will install all software on a fresh computer.

Test computer

The test computer is a 10GB VMware virtual machine. Microsoft Windows XP and Microsoft Office 2003 are the only software that will be installed.

Folder creation

A single user account named "qwerty" will be created and used. The first step is to create a folder named EFS in My Documents.

Next, create two sub folders “encrypted” and “unencrypted”.

Enable EFS on the “encrypted” folder.

File creation

First, create a new word document in the “unencrypted” folder.

Then, add some text to the document.

Repeat the file creation steps in the "encrypted" folder.

Digital forensic analysis

Now that the evidence has been created, analysis of the hard drive can begin. The first evidence discovered is the alternate data stream $EFS attached to the “encrypted” folder. Note that the bottom of the screenshot shows the content of the alternate data stream. It contains the symmetric key used to encrypt the files, itself encrypted with the default user account’s (“qwerty@victim”) public key. This can be taken and “cracked” offline.

Next the “unencrypted” folder is reviewed. Note the “~$encrypted document1.doc” file. This is the temporary file that Microsoft Word creates when a document is edited. The content of the file is visible at the bottom of the screenshot.

Looking at the “encrypted” folder shows the existence of two alternate data streams, each belonging to a Word document. Note the difference at the bottom of the screenshot, where the encrypted document contents are visible but unreadable.

The problem for EFS arises when documents move between encrypted and unencrypted areas of a hard drive. The screenshot below shows the result of a file move. When a file is moved, the data at the original location is deleted but not overwritten, allowing recovery of the unencrypted version. Not shown is the fact that portions of protected documents end up in the pagefile in unencrypted form.

When EFS first encrypts a document, it copies the unencrypted contents to a file called "efs0.tmp" in the current folder. The data is then encrypted, written back to the original file, and the temp file is deleted. This exposes the last edited file in each folder in a potentially recoverable state, as the screenshot below shows.

Findings

Temporary file issue

Temporary files are deleted but not overwritten, allowing clear-text versions of encrypted documents to be found and recovered.

File names

All the file names of documents are left unencrypted. This is by design; however, it allows attackers to focus their attention on files whose names advertise what an attacker wants, such as “2005 banking information.doc”.

Key recovery

While beyond the scope of this test, the fact that the encryption keys are on the system allows the keys to be stolen and broken.

The user problem

Notice that no additional steps were required for a user to use encryption other than selecting a folder to encrypt. Any access by the user allows for the transparent decryption of the files. This reduces the security of EFS to the user’s password.
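As an added, defender-side example that is not part of the original article, the following Python audit looks for the residue the findings above describe: unencrypted Word temp files and efs0.tmp leftovers, plaintext files sitting beside encrypted ones, and encrypted files whose names advertise their contents. The core check runs on a constructed listing so it works anywhere; scan_tree reads the real EFS attribute bit on a live Windows tree. SENSITIVE_WORDS and the sample paths are assumptions.

```python
import os
import re
import stat

# Residue named in the findings above: Word's "~$name.doc" temp files and the
# "efs0.tmp" scratch file EFS writes while it encrypts a document.
WORD_TEMP_RE = re.compile(r"^~\$.+\.docx?$", re.IGNORECASE)
EFS_TEMP_NAME = "efs0.tmp"
# Hypothetical word list: filenames that advertise their contents.
SENSITIVE_WORDS = ("bank", "password", "tax", "salary")


def audit(entries):
    """entries: iterable of (path, is_encrypted). Returns [(code, path), ...]
    with code in {plaintext-temp, mixed-folder, revealing-name}."""
    entries = [(p.replace("\\", "/"), bool(e)) for p, e in entries]
    enc_dirs = {os.path.dirname(p) for p, e in entries if e}
    findings = []
    for path, enc in entries:
        name = os.path.basename(path)
        if not enc and (WORD_TEMP_RE.match(name) or name.lower() == EFS_TEMP_NAME):
            findings.append(("plaintext-temp", path))   # clear-text residue
        elif not enc and os.path.dirname(path) in enc_dirs:
            findings.append(("mixed-folder", path))     # plaintext beside ciphertext
        if enc and any(w in name.lower() for w in SENSITIVE_WORDS):
            findings.append(("revealing-name", path))   # file name is never encrypted
    return findings


def scan_tree(root):
    """Windows only: read the real EFS attribute bit from a live NTFS tree."""
    entries = []
    for d, _, files in os.walk(root):
        for f in files:
            full = os.path.join(d, f)
            attrs = os.stat(full).st_file_attributes
            entries.append((full, bool(attrs & stat.FILE_ATTRIBUTE_ENCRYPTED)))
    return audit(entries)


# Constructed listing that mirrors the test folders described above.
SAMPLE = [
    (r"C:\EFS\unencrypted\document1.doc", False),
    (r"C:\EFS\unencrypted\~$encrypted document1.doc", False),
    (r"C:\EFS\encrypted\2005 banking information.doc", True),
    (r"C:\EFS\encrypted\efs0.tmp", False),
    (r"C:\EFS\encrypted\notes.doc", False),
]
```

Calling audit(SAMPLE) reports the Word temp file and efs0.tmp as plaintext-temp, notes.doc as mixed-folder, and the banking document as revealing-name; on a live system, scan_tree(r"C:\EFS") produces the same report from real attributes.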

Conclusion

It is unfortunate that current security follows a sliding scale from hard to use but secure to easy to use but insecure. Microsoft designed EFS to be easy for the average user to use. In so doing, it fails to meet the purpose of encryption: protecting documents from physical access to the computer or digital media. The fact that encryption is inconsistently applied to user data, and the fact that deleted files are not viewable by the end user, allow unencrypted data to remain on the system. The encryption keys are also stored locally, putting the encrypted data at risk. The final failing for Microsoft is not recognizing that over 90% of users will disclose their passwords when asked. Social engineering is still the biggest vulnerability to your data, because there is no patch for human stupidity.