INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Evil Maid Attacks - Remediation for the Cheap
Published: 2022-11-16
Last Updated: 2022-11-16 18:15:23 UTC
by Johannes Ullrich (Version: 1)
[This is a guest diary submitted by Gebhard. For feedback, you can connect with Gebhard via our DShield slack]
Preliminary note
In this diary, we are assuming PC-like devices with state-of-the-art disk encryption (full disk encryption, FDE) and a "normal" desktop OS (Linux, Windows, ...).
What is the evil maid attack?
The so-called evil maid attack is an attack against hardware devices utilizing hard- and/or software. It is carried out when the hardware is left unattended, e.g., in a hotel room when you're out for breakfast. The attacker manipulates the device in a malicious way, e.g.:
- if the device is running: cool down and take out RAM to copy it (e.g., to find sensitive information)
- manipulate the mainboard / BIOS (e.g., to add a backdoor)
- manipulate the content of the unencrypted bootloader (e.g., to add a backdoor)
The last attack may work even with Secure Boot enabled, either because of 0-day vulnerabilities in the signed boot code or because of known vulnerabilities in signed boot code that is still accepted, since the revocation lists in the BIOS are outdated.
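One cheap way to notice the bootloader manipulation described above is to hash every file on the unencrypted boot partition while the machine is trusted and re-check against that baseline later. The following is an added example, not code from the diary; the boot tree it scans is a constructed stand-in for an EFI system partition, and the file names in it are assumptions.

```python
"""Baseline-and-verify check for an unencrypted boot partition (added example)."""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline, current):
    """Diff two hash maps; any non-empty list means the boot files were touched."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def build_sample_boot():
    """Constructed stand-in for an EFI system partition (assumed names, not real boot files)."""
    root = tempfile.mkdtemp(prefix="esp-")
    os.makedirs(os.path.join(root, "EFI", "BOOT"))
    sample = {"EFI/BOOT/BOOTX64.EFI": b"shim-v1", "EFI/BOOT/grubx64.efi": b"grub-v1",
              "grub.cfg": b"set default=0\n"}
    for rel, data in sample.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


def demo():
    """Take a baseline, simulate an unattended modification, and report the difference."""
    root = build_sample_boot()
    baseline = hash_tree(root)                      # recorded while the device is trusted
    with open(os.path.join(root, "grub.cfg"), "ab") as fh:
        fh.write(b"# tampered\n")                    # simulated change to the boot config
    with open(os.path.join(root, "EFI", "BOOT", "extra.efi"), "wb") as fh:
        fh.write(b"x")                               # simulated dropped-in binary
    return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

Because a check run from the possibly manipulated OS can itself be subverted, keep the baseline (and ideally the checking tool) on removable media you carry with you rather than on the device.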
Your possible options
There are several ways to minimize the risk of an unnoticed, successful evil maid attack. Which road you go depends on your personal threat model (and your budget, of course).
Take the risk
If evil maid attacks do not matter in your situation, e.g., because you're using a disposable device that is already assumed to be compromised, then you can simply take the risk.
Read the entire diary entry at: https://isc.sans.edu/diary/Evil+Maid+Attacks+Remediation+for+the+Cheap/29256/
Packet Tuesday: Network Traffic Analysis for the Whole Family
Published: 2022-11-15
Last Updated: 2022-11-15 17:17:06 UTC
by Johannes Ullrich (Version: 1)
A short while ago, I floated the idea of a weekly video series with short lessons about packets, protocols, and networks. Today, we are kicking off "Packet Tuesday". Packet Tuesday, as the name implies, will release a new video each Tuesday. We will discuss packets in detail. See the first two videos below. For future videos, please subscribe to the YouTube channel. I will also use PacketTuesday.com for videos and related materials. There is usually a PCAP file to go with each video.
Packet Tuesday Website: https://packettuesday.com
YouTube Playlist: https://www.youtube.com/playlist?list=PLs4eo9Tja8biVteSW4a3GHY8qi0t1lFLL
Read the entire diary entry at: https://isc.sans.edu/diary/Packet+Tuesday+Network+Traffic+Analysis+for+the+Whole+Family/29252/