Archive for August, 2009

The Dirty SQL Tricks

Posted: August 24, 2009 in kd-team archive, papers
Tags: , , ,

Another old paper :)



Web Request Maker

Posted: August 24, 2009 in kd-team archive, tools

Another old tool :)


Process Memory Dumper

Posted: August 24, 2009 in kd-team archive, tools
Tags: , , ,

Another old tool :)


Copy File Time

Posted: August 24, 2009 in kd-team archive, tools
Tags: , ,

Another old tool.


This time it’s actually an afternoon thought. So let’s say you will be traveling from one country to another and you have stored your truecrypt container on a remote site. There is a chance someone might steel it and try to brute force it. Usually if you are paranoid enough a brute force on a truecrypt container is well…useless. Because you are THAT paranoid you actually also want to make sure that a brute force on your container really is futile. So how about corrupting the container in a controlled way? Check out the file format specifications:

A good option would be to change the 4bytes of the encrypted TRUE string to some random bytes. Make sure u have a backup of the original bytes(preferably memorized). This should prevent the successful decryption of the container even if someone has the correct password.

It’s security by obscurity but hey…you can never have enough layers of security. Another interesting idea is to modify the truecrypt source/binary on your hard disk to use the string FOUR instead of TRUE for the whole decryption verification. So unless they also steel your modified version of the truecrypt binary they will not be able to open it.

Just to make sure…the above ideas are only an ADDITIONAL security layer and it CAN be broken if detected by an adversary. I just thought it would be fun to have an additional layer of security on my truecrypt containers.

So you have just finished installing the hidden operating system offered by TrueCrypt. You are however stuck with the following problem…you need frequent access to the hidden operating system…which means that you won’t be using the decoy system that much. According to the guidelines offered by TrueCrypt this means that your plausible deniability is a little bit less plausible. How about fixing this? What if you could “work” at the same time in both operating systems?

So there I was thinking I could write a blog posting with screenshots and a extended howto. Unfortunatly I am not able to perform the idea on my computer and I got no spare computer left. So I’m just going to put it out there and maybe someone feels like implementing it and letting me know how well it works.

The whole thing is rather simple, it actually fits in a sentence:

Run your decoy OS inside your hidden OS with the help of virtualization techniques.

Like stated before the claim is simple. It’s a shame I got no spare computer around atm to test it out. In theorie it should work fine. Only thing that worries me is the possible evidence that a virtualization application might leave on the booted decoy system, I’m thinking there is none…but I haven’t been able to test this.

So just to be clear this is NOT an idea to go against the TrueCrypt Security Precautions, it’s just another method to be able to spend more time in a hidden operating system without having to worry that it could be compromised because of forensics on your decoy os. This way all the timestamps and the temp files will be kept up to date in your decoy os while you are working in your hidden os.

To take it one step further…you could even write a few scripts to startup your email, mark them as read at varieng intervals and surf around on the web. If they ask you why you have script to automate things inside your decoy os, you can just answer with a simple answer: I’m lazy.

If I get a spare computer anytime soon I’ll be sure to let you know how this method works out.