4

Do any measures exist to protect against the kind of attack depicted in this XKCD, and does this kind of attack have a name?


Basically I'm referring to a criminal threatening violence against a person if they do not give them the key.

I had worked at a company that (IMHO) had many nonsense security policies (especially when it came to physical locks) and wondered: we lock things up but often leave the keys close to where the lock is. For example we would lock the laptop to the desk and shut the desk drawer if we left our desk, but would leave the keys in an unlocked drawer or personal belongings at the desk. Would it really be safer to carry keys and security badges on your person?

The only concept of a counter measure I've seen is how TrueCrypt has hidden volumes.

Celeritas
  • 2
    Maybe implementing a "distress code" feature would help in such a critical situation. This "distress code" would enable a sandbox environment with a dummy or restricted environment. Just a thought. – Krishna Pandey Sep 07 '16 at 09:09
  • 1
    There have been [famous examples](https://en.wikipedia.org/wiki/Northern_Bank_robbery) – paj28 Sep 07 '16 at 11:26
  • 1
    What kind of organisation are you thinking of? Most companies instruct staff to comply with threats, but [these guys](https://i.ytimg.com/vi/n2KgRePE88w/hqdefault.jpg) wouldn't – paj28 Sep 07 '16 at 11:33
  • @paj28 it is a fairly generic question I admit. I would guess if the company is large and serious enough they would hire security guards. But what about start up companies or even home users? – Celeritas Sep 07 '16 at 20:00

3 Answers

8

Some common terms for this are "rubber hose cryptography" or sometimes "monkey wrench cryptography". I have also heard it being referred to as "the one side channel to rule them all", but that is hardly an established name.

What this boils down to is the realisation that in the end all security relies on physical security. If the place where you store the key is not secure, the data protected by the key is not secure. If the place where you store your key is your memory (or your back pocket), what we are talking about here is your physical security.

There is no silver bullet for this one. A clever trick like hidden volumes is not useless, but I can imagine that a violent, determined, and competent attacker would make you talk about them.

You can split the key or store the parts in different locations. Or you can leverage an existing institution by putting the key in a safe deposit (that requires you to show ID) at a bank. Both of these are very impractical if you need the key for daily use, and both can of course be broken. In fact, the last one might even just escalate the situation when the attacker is forced to take more drastic actions to compel you to get the key from the bank.

Other solutions include setting up a dead man's switch (where the data is automatically deleted unless you check in each day) or having a fake key that when used deletes the data. These could prevent the attacker from getting to the data, but obviously at the cost of the data being deleted.

And would you really like to deal with the guy with the monkey wrench after he finds out you duped him? If you are worried about a violent attacker, you need to have a hard think about whether the integrity of your data is really more important to you than your knee caps or your life. In a lot of cases, the best solution is to give up and give the guy with the monkey wrench what he wants. After that, you can call the police. Unless the attacker is the police, of course...

So why don't the bad guys always attack with a rubber hose instead of with Metasploit? Using violence is expensive:

  • The victim will know that you attacked, and stole the data.
  • You need physical proximity to the victim, and the attack cannot be automated.
  • A lot of people think you can still go to heaven even if you abuse SQLi vulnerabilities, but waterboarding will land you in hell.
  • It is risky. What if the victim fights back? What if you get caught? I have never heard of anyone getting shot while doing packet injection.
  • The police are way more likely to try to track you down if you commit violent crimes. And they are way more likely to succeed - covering your traces in the real world is hard. You cannot hide behind a proxy server in Nigeria.

So unless your day job is being James Bond, perhaps you should not worry too much.

Anders
  • I guess what I'm thinking is, is it really worth it to have physical security in the first place if the guy with the monkey wrench will always win anyways? I know it sounds strange. – Celeritas Sep 07 '16 at 10:12
  • Not sure I follow you? More physical security will make life harder for the guy with the monkey wrench, just like more non-physical security will make life harder for the guy with the metasploit. – Anders Sep 07 '16 at 10:36
  • 4
    @Celeritas Just because there is a slim possibility that an attacker might show up who is unscrupulous and determined enough to use torture to reach their goal does not mean you need to leave the door open to the far larger group of attackers who won't. – Philipp Sep 07 '16 at 18:14
  • @Philipp I guess the thing I find peculiar is that beating someone up to comply 1) doesn't take any knowledge or special skills 2) doesn't take many resources or cost money 3) probably will work considering there are few defenses or counter measures. I guess the thing is, if an attacker tries this "rubber hose" method, then his identity will be known to the victim unlike other scenarios such as picking a lock or cracking a combo etc. and this is a big deterrent because if his identity is known he will be caught. – Celeritas Sep 08 '16 at 09:22
  • @Celeritas If you're trying to work with "real life" security, rather than just cryptography, intel is a huge part of the problem. You want to know when your employees are being put under duress, and you want to convince them that you will help them if they get into such a situation. Then, the employee comes to you. If the employee has the information in their head, the attacker may get it, but if the attacker has to come to your building, he/she is on your turf now. – Cort Ammon Sep 08 '16 at 20:30
3

There is not much you can do when the attacker can get an authorized person to cooperate with them, be it through threats of violence, bribery, blackmail or deception. However, there are a few things which help to at least reduce the possible damage:

  • Hand out access privileges on a per-need basis. Do not give anyone more access than they need to do their job.
  • Have particularly sensitive operations require at least two authorized people to cooperate (four-eyes principle). That way the attacker needs to corrupt at least two people simultaneously.
  • Log any sensitive actions so they can be traced back to who performed them. Make everyone aware that these logs are monitored regularly. That way people take a larger risk by cooperating with an attacker.
  • Be a good boss. Provide a good working environment, create an atmosphere of mutual trust (yes, I am aware that this goes against the previous points) and pay fairly. People are far less likely to betray you when they like working for you.
Philipp
0

No. You can be unable to tell the key, but you are able to do for an attacker what he wants, for example remember the data encrypted, reengineer the trade secret device based on your knowledge without access to blueprints, or go to the secured area and take what the attacker requests and bring it to him.

KOLANICH