Defeating the Rule of Possession
By Seth Ross
Under maritime law, "possession is nine-tenths of the law"
is a long-standing rule that has evolved over centuries. Its practical
effect is that objects found in the open seas (abandoned
ships, for example) belong to the finder. Over time, the rule
has been extended under Common Law to ownership issues on solid
land. This is a rule of force rather than of law, per se, and it also
has a bearing on information security. For practical purposes, the
rule can be restated as: possession is 100% of information
security, meaning that the party in physical possession
of an information asset controls its security, regardless of who
actually owns the asset. This dictate has profound implications
for computer security.
As more and more of the value of modern economic systems is expressed
in and controlled by computer data, bad actors -- including thieves,
spies, and corrupt insiders -- have increasing incentives to gain
possession of computers, even temporarily, in order to steal data.
Every computer on the planet is subject to the risk of data thievery,
even those protected by substantive physical security and network
security countermeasures. This is largely due to the weak system
security posture of most modern operating systems, which are designed
for functionality and access. Very few system security countermeasures
can prevent someone who controls a computer from accessing its data.
Recent operating systems from Microsoft, for example, contain a
relatively robust series of countermeasures, including multi-user
authentication architectures, which are designed to prevent unauthorized
access to computer operating systems. Despite Microsoft's significant
investment, these countermeasures are largely reliant on user honesty
and good will and fail utterly if the machine is in the hands of
a bad actor. Given a Windows PC configured for system security,
an attacker or thief can steal the data by ripping out a hard disk
and mounting it on a different system, by booting into another operating
system and mounting the disk, or by using one of the many forensic
tools on the market to capture an image of the disk for offline
analysis.
A thief may have no technical skills whatsoever. An attacker with
a budget of US$100 can purchase one of the many password recovery
tools offered for sale on the Internet. These tools use a variety
of techniques to recover the administrator password. These methods
include brute-force attacks, which try every possible password combination,
and dictionary attacks, which run every common word and then its
variants against the authentication system. The fact that these
can be used legitimately by lawful owners who have forgotten a privileged
password or by attackers to steal data illustrates the Rule of Possession:
you own the machines that you possess.
Gaining Possession
There are two major ways that attackers can gain possession of
a system: they can steal it outright, or they can gain surreptitious
access.
Computer Thievery
Every computer owner faces the risk of theft, from the largest
organizations down to the humble single user. Several important
trends in computing are escalating the risk. Computers are getting
smaller and thus easier to steal. Laptop and notebook computers
are getting more powerful in each successive generation, prompting
many to deploy them as replacements for desktop machines. Millions
of laptops are sent into the field each day, outside established
security perimeters, where they become accessible to thieves.
No one knows how many laptop computers are stolen each year. Laptop
theft is not tracked as a separate crime category by law enforcement
agencies, and even if it were, the numbers would be artificially
low: many victims -- especially those with reputations to protect
-- do not report the loss of laptops. One insurance company estimates
that there were 620,000 laptop theft claims in the US in 2002: this
figure is a crude proxy for the total number of losses including
uninsured assets. Over the last six years, respondents to a computer
crime survey have reported more than $50 million in losses due to
laptop theft. The average reported loss over this six-year period
was more than $50,000 per stolen computer.
Although the scope of the problem is difficult to quantify, the
news media do discover and report on a significant number of high
profile losses each year. The UK Ministry of Defence and the US
State Department each have had hundreds of laptop computers go unaccounted
for. Laptops have been lost by intelligence officers in train stations
and pubs. Laptops go missing in airports, taxis, conference rooms,
and hotels. One Chief Executive Officer's laptop was stolen
off a podium after a press conference. Nor are laptops the only
target: thieves dressed as maintenance workers were recently able
to steal server systems out of the data center of an Australian
airport.
These kinds of thefts fall into two broad categories. In many cases,
laptop theft is a crime of opportunity: the criminal is looking
to steal a computer for its hardware resale value. In other cases,
the criminal is not interested in just any computer: a specific
computer with valuable data is the target. From the point of view
of the victim, the second kind of theft can be considerably more
damaging. Not only is the hardware asset lost, but the data it stores
can be compromised as well. There are variations of these kinds
of thefts: in some cases, criminals might be looking for a specific
piece of hardware for resale or, more opportunistically, for any
data that might be resold on the black market. As a general rule,
however, the attacker is after either the asset or the data.
Surreptitious Access
Stealing a computer in order to steal its data can be an unnecessarily
risky activity, from the point of view of the attacker. First, there
is a chance that the thief will be caught in the act. Second, the
thief has to assume that the victim will notice. It's possible
that the victim will respond by contacting law enforcement or by
deploying another resource such as a private investigator. Finally,
it's possible that the victim will be able to make a connection
between a stolen asset and subsequent misuse of the asset's
data.
Given the risk of discovery, many data thieves prefer to surreptitiously
access the target machine. This is particularly true in situations
(like espionage), where being caught can have serious consequences
(a diplomatic incident or even capital punishment), but it's
also true when the stakes are lower (an employee is attacking another
employee's machine and doesn't want to get fired).
There are many methods for gaining surreptitious access to a computer
in order to assert the Rule of Possession. An insider can wait until
a co-worker goes to lunch and then run a forensic attack on the
co-worker's machine. Law enforcement can get a warrant to break
into a target's home and either acquire data or plant surveillance
devices. Spy agencies target hotels where foreign visitors stay
and gain access while the victim is out for dinner or a swim. They
may also hire prostitutes to exhaust the victim and steal the data
during the victim's post-coital slumber.
As the above scenarios illustrate, sometimes the thief has the
backing of a major national government. Other times, the thief is
a major national government. Governments assert control at border
crossings and international airport terminals, where any object
can be briefly taken and inspected for security reasons.
Post 9/11 airport security measures provide an airtight pretext
for imaging foreign machines of interest behind closed doors as
part of the normal course of customs operations.
Surreptitious data theft is not always full of intrigue. One of
the most tried and true methods for acquiring data from competitors
is to attack their garbage. In the US, owners lose proprietary rights
to discarded items: anyone is free to check the trash for old hard
drives and other data devices. "Dumpster diving" is an
easy, low-cost, and usually legal way to steal data without the
victim's knowledge. The used equipment after-market presents
additional opportunities for acquiring data. A recent MIT study
found confidential data on most of a random selection of used hard
drives bought on eBay and through other resale sources. Sloppy disposal
techniques are a boon for data thieves.
The Risks of Losing Control
Given the declining cost of powerful laptop computers, many large
organizations are prepared to write off the loss of hardware assets
in the field as a cost of doing business. The theft of data, on
the other hand, can have devastating impacts. The harm might include
loss of proprietary company information to competitors, the loss
of national secrets to the enemy, or -- for a consumer -- the loss
of important identity information that can be resold to identity
thieves. In some cases, the loss of data could have devastating
secondary consequences: critical engineering data or information
relating to security measures, for example, could fall into the
hands of terrorists bent on the total destruction of some other
asset.
Even in the absence of direct harm, computer theft can have negative
legal implications for organizations that are mandated to protect
information about their customers. In many countries, consumers
are protected by data protection and computer privacy laws. In the
US, for example: the Health Insurance Portability and Accountability
Act (HIPAA) mandates standards-based data protection by all health
care organizations; the Gramm-Leach-Bliley Act (GLB Act) requires
financial institutions to develop and implement information security
programs that will prevent unauthorized access to certain types
of personal information; and California's Database Security
Breach Information Act (SB 1386) requires notification to consumers
if sensitive data has been breached.
Defeating the Rule of Possession
Computer owners can deploy computer theft countermeasures that
are designed to address prevention, deterrence, recovery, or risk
mitigation.
Anti-Theft Devices
A wide variety of anti-theft devices address computer theft prevention
and deterrence as well as stolen asset recovery. One of the best
ways to protect a laptop is to lash it to a stationary object using
a cable lock system like the Notebook Guardian from PC Guardian
Anti-Theft (http://www.pcguardiananti-theft.com). Most laptops have
a security slot in the side or in the back of the case. A locking
head fits into the slot, and a cable assembly prevents a thief from
taking the laptop. These kinds of solutions have some limitations.
They only work when the laptop is at a desk, on a conference table,
or in some other stationary position. Additionally, some of the
cheaper cable locks on the market can be defeated by a screwdriver
or pliers. Even the best will succumb to a wire cutter.
Other anti-theft systems address deterrence, most notably, alarm
systems that can detect when a stationary laptop is moved by an
unauthorized party. Some systems address recovery, so that when
a stolen laptop is connected to the Internet, it "calls home"
to its owner.
Most of these products can prevent or deter an opportunistic attacker,
who will likely move on to the next prospect, but utterly fail against
a determined thief with a specific target in mind. Thus, the laptop
owner who faces an active threat model (that is, a competitor
or enemy with specific targets in mind) must operate on the
assumption that the anti-theft devices offer minimal protection
against a determined attack. Assuming the machine is lost, additional
countermeasures must mitigate the risks.
Data Encryption
Given that it is not practical to prevent a determined attacker
from stealing a laptop, data encryption provides motivated owners
with a formidable line of defense that prevents data theft and mitigates
the potential harm of a loss event. At the most basic level, encryption
can be used to scramble data so that only an authorized party with
the correct key can descramble it. With appropriate encryption controls
in place, the data on a stolen, lost, or surreptitiously accessed
device has no value for the attacker. By deploying encryption, the
owner of an asset creates an exception to the Rule of Possession.
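The mechanism this paragraph describes, as an added illustration that is not the page's or PC Guardian's own code: a password-protected container in which the key is derived from the passphrase with a deliberately slow key derivation function (so each guess in the dictionary and brute-force attacks mentioned earlier costs real work), and the data is both encrypted and authenticated, so a party holding only the stored bytes learns nothing from them and cannot pass off modified data as genuine. The construction (PBKDF2-HMAC-SHA256 for keys, an HMAC-SHA256 counter-mode keystream, encrypt-then-MAC), the function names and the sample data are all assumptions of this example, chosen so it runs with the Python standard library alone.

```python
import hashlib
import hmac
import os
import struct

# Illustrative password-based encryption (added example; not the scheme
# used by any product named on the page). Standard library only:
# PBKDF2-HMAC-SHA256 derives keys, HMAC-SHA256 in counter mode serves as
# the keystream generator, and an HMAC-SHA256 tag authenticates the result.

KDF_ITERATIONS = 100_000   # work factor: makes each password guess costly
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(password: str, salt: bytes) -> tuple:
    """Derive independent encryption and MAC keys from a password and salt."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Produce `length` keystream bytes as HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(password: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt(password: str, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt.

    Raises ValueError if the password is wrong or the blob was modified.
    """
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong password or modified data")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> dict:
    """What a party that possesses only the encrypted bytes can and cannot do."""
    secret = b"Q3 acquisition target list (constructed sample data)"
    passphrase = "correct horse battery staple"   # constructed sample passphrase
    blob = encrypt(passphrase, secret)
    result = {
        "plaintext_visible_in_blob": secret in blob,
        "roundtrip_ok": decrypt(passphrase, blob) == secret,
    }
    try:
        decrypt("password123", blob)
        result["wrong_password_rejected"] = False
    except ValueError:
        result["wrong_password_rejected"] = True
    # Flip one bit in the last ciphertext byte; the tag must catch it.
    idx = len(blob) - TAG_LEN - 1
    tampered = blob[:idx] + bytes([blob[idx] ^ 0x01]) + blob[idx + 1:]
    try:
        decrypt(passphrase, tampered)
        result["tampering_detected"] = False
    except ValueError:
        result["tampering_detected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The design choice that matters for the Rule of Possession is that nothing stored on the device (salt, nonce, ciphertext, tag) lets the holder recover the data without the passphrase, and the KDF iteration count is the only knob that slows a password-guessing tool; a production system would use a vetted AEAD (for example AES-GCM from a maintained library) rather than the hand-built keystream used here for portability.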
There are many encryption solutions available to computer owners,
but most of them do not provide enough assurance that a thief cannot
acquire data. Encryption solutions can be grouped into two buckets:
file/folder/virtual disk encryption solutions, which protect the
data stored in selected files, folders, or virtual disks, and full
disk encryption, which provides protection for all the data on a
system including the operating system and applications. While many
PC applications offer built-in file encryption, almost all of these
can be trivially broken by off-the-shelf recovery tools.
There are numerous benefits to the full-disk approach, as opposed
to mere file encryption. Manual file-by-file encryption is laborious
and error prone. It's all too easy for a user to leave sensitive
information unprotected. Even if the user is exceptionally careful,
Windows application data gets stored in numerous locations, including
temporary directories and swap files. Full-disk encryption addresses
the sloppiness of both users and applications: all data is encrypted,
regardless of user work habits and application file storage routines.
Once installed, the operations of a full-disk solution can be completely
transparent to both the user and applications.
The transparency of full disk encryption solutions is an important
advantage. The history of cryptography is replete with narratives
about users getting things wrong. In 1883, Flemish linguist Auguste
Kerckhoffs published a groundbreaking article on military cryptography
that established the principle that cryptosystems must be easy to
use. Kerckhoffs observed the breakdowns of French cryptographic
systems in the field during the Franco-Prussian War. He noted that
an appropriate encryption system "must be easy to use and must
neither require stress of mind nor the knowledge of a long series
of rules."
Matt Blaze cited the many benefits of full-disk or filesystem encryption
solutions -- including transparency for the user -- in a groundbreaking
1993 paper on his Cryptographic File System. Around that time, PC
Guardian was approached by Compaq Computer Corp. to develop an access
control product for a new line of laptop computers. The resulting
product led to the creation of Encryption Plus® Hard Disk (EP
Hard Disk). Since that time, EP Hard Disk has undergone continuous
and aggressive development. Now available in release version 7.1.0,
EP Hard Disk illustrates how computer owners can close the gap between
ownership and possession, breaking the rules that give attackers
access to valuable information assets.
ABOUT THE AUTHOR
Seth Ross was the Chief Security Officer at PC Guardian Technologies.