Transfer of data via handshake
on 20.07.2006 09:54:21 by IanMayo
Hi all, need an "experts-eye" on a situation at work.
I work in an environment whereby machines are approved to store
information at varying levels of classification.
To investigate a potential security problem, the hard disk of a machine
at security level "2" was connected directly to a machine at security
level "3" in order to establish if information at level "3" had
inadvertently been stored on that machine. Windows search was used to
establish all files modified since the date of the suspected transfer,
and this indicated that no files had been transferred.
Our security advisors now say that since the disk at level "2" had been
connected to a machine at level "3", it must now be treated as level
"3", since:
"electronic handshaking will have taken place so they can talk to each
other and that data concerning those handshakes may contain blocks of
data at level 3"
I don't really believe this. Yes, I understand handshaking may happen,
but question whether user-data gets passed in the process, and also
question whether this information is written to the disk platter
itself.
I'd really appreciate anybody's opinion on whether the above transfer
mechanism actually exists.
Cheers,
Ian Mayo
Re: Transfer of data via handshake
on 20.07.2006 10:15:25 by Volker Birk
IanMayo@gmail.com wrote:
> To investigate a potential security problem, the hard disk of a machine
> at security level "2" was connected directly to a machine at security
> level "3" in order to establish if information at level "3" had
> inadvertently been stored on that machine. Windows search was used to
> establish all files modified since the date of the suspected transfer,
> and this indicated that no files had been transferred.
> Our security advisors now say that since the disk at level "2" had been
> connected to a machine at level "3", it must now be treated as level
> "3"
If I understand your level concept correctly, then your security
advisors are right.
I don't know what this "handshaking" means, but I do know what
"compromising" means.
Yours,
VB.
--
I would estimate that about 87% of all spontaneous estimates are
complete rubbish.
Ralph Angenendt in debate@ccc.de
Re: Transfer of data via handshake
on 20.07.2006 10:40:19 by IanMayo
Volker Birk wrote:
> IanMayo@gmail.com wrote:
> > "3"
>
> If I understand your level concept correctly, then your security
> advisors are right.
>
> I don't know what this "handshaking" means, but I do know what
> "compromising" means.
>
> Yours,
> VB.
> --
thanks for that Volker. I understood that devices conducted
handshakes, but I could see why data would be written to a disk
platter.
"Compromise" does infer that data has been written to the attached
device. I guess that's the root of my question: what process could
have written data to the attached device. It's a little like the
"emperor's new clothes" whereby something that may have been expressed
off-hand becomes an unquestionable fact.
I'd appreciate any light you can throw on how/why data could have been
written to the target device.
cheers,
Ian.
Re: Transfer of data via handshake
on 20.07.2006 11:49:39 by Flash Gordon
IanMayo@gmail.com wrote:
> Hi all, need an "experts-eye" on a situation at work.
>
> I work in an environment whereby machines are approved to store
> information at varying levels of classification.
>
> To investigate a potential security problem, the hard disk of a machine
> at security level "2" was connected directly to a machine at security
> level "3" in order to establish if information at level "3" had
> inadvertently been stored on that machine. Windows search was used to
> establish all files modified since the date of the suspected transfer,
> and this indicated that no files had been transferred.
What if a file had been transferred and then deleted, in which case
Windows search would not find it but the data could still be on the
disk? I would also be concerned if I was the security officer that you
suspected there was a route whereby such a transfer could have occurred.
> Our security advisors now say that since the disk at level "2" had been
> connected to a machine at level "3", it must now be treated as level
> "3", since:
>
> "electronic handshaking will have taken place so they can talk to each
> other and that data concerning those handshakes may contain blocks of
> data at level 3"
>
> I don't really believe this. Yes, I understand handshaking may happen,
> but question whether user-data gets passed in the process, and also
> question whether this information is written to the disk platter
> itself.
>
> I'd really appreciate anybody's opinion on whether the above transfer
> mechanism actually exists.
Can you prove that it did not? Depending on the level of security you
are trying to achieve (and any external security standard you have to
meet) the rules could easily err on the side of precaution. I've
certainly come across such rules.
--
Flash Gordon, living in interesting times.
Web site - http://home.flash-gordon.me.uk/
comp.lang.c posting guidelines and intro:
http://clc-wiki.net/wiki/Intro_to_clc
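The point about deleted files in the post above, as an added example that is not part of the original thread: a constructed, simplified FAT-style image in Python where a file-level search finds nothing after a delete while a sector-level scan still finds the content. The layout, file names and marker string are assumptions made up for the illustration.

```python
import struct

SECTOR = 512
ENTRY = struct.Struct("<11s13xII")   # 32 bytes: 8.3 name, padding, start sector, size
DELETED = 0xE5                       # FAT flags a deleted entry in its first name byte

def build_image() -> bytearray:
    """Constructed sample: sector 0 is the directory, sectors 1+ hold file data."""
    img = bytearray(SECTOR * 4)
    files = [(b"NOTES   TXT", 1, b"level 2 meeting notes"),
             (b"REPORT  DOC", 2, b"MARKING: LEVEL-3 // constructed sample text")]
    for i, (name, sector, data) in enumerate(files):
        ENTRY.pack_into(img, i * ENTRY.size, name, sector, len(data))
        img[sector * SECTOR:sector * SECTOR + len(data)] = data
    return img

def delete_file(img: bytearray, index: int) -> None:
    """An ordinary delete: flag the directory entry, leave the data sectors as they are."""
    img[index * ENTRY.size] = DELETED

def list_files(img: bytearray) -> dict:
    """File-level view (what a search tool walks): live directory entries only."""
    found = {}
    for off in range(0, SECTOR, ENTRY.size):
        if img[off] in (0x00, DELETED):      # unused or deleted entry
            continue
        name, sector, size = ENTRY.unpack_from(img, off)
        found[name.decode()] = bytes(img[sector * SECTOR:sector * SECTOR + size])
    return found

def search_files(img: bytearray, needle: bytes) -> list:
    """Search the contents of files that the directory still lists."""
    return [name for name, data in list_files(img).items() if needle in data]

def scan_raw(img: bytearray, needle: bytes) -> list:
    """Sector-level view: every byte of the medium, allocated or not."""
    hits, pos = [], img.find(needle)
    while pos != -1:
        hits.append(pos // SECTOR)
        pos = img.find(needle, pos + 1)
    return hits

if __name__ == "__main__":
    img = build_image()
    delete_file(img, 1)
    print("file-level search:", search_files(img, b"LEVEL-3"))
    print("raw sector scan:  ", scan_raw(img, b"LEVEL-3"))
```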
Re: Transfer of data via handshake
on 20.07.2006 12:20:41 by Volker Birk
IanMayo@gmail.com wrote:
> "Compromise" does infer that data has been written to the attached
> device. I guess that's the root of my question: what process could
> have written data to the attached device. It's a little like the
> "emperor's new clothes" whereby something that may have been expressed
> off-hand becomes an unquestionable fact.
No, it isn't. Try to see security as a non-deterministic model.
To be secure against an unwanted event means that you're sure that
this event may not happen (or at least that you're sure that this event
is so unlikely to happen that it will not happen in practice).
Layered security usually means that you specify increasing security
requirements (aka being secure against extra unwanted events or against
extra attacks) when going from layer to layer.
So if you have a layered approach, then all items in a layer below are
treated as being compromised when you have the view of a layer above,
because you're not secure against every unwanted event there.
And that means the hard disk can be treated as being secure in
layer 3 in your example, but has to be treated as being compromised in
layer 2 from now on, if layer 2 is above layer 3 (and I did understand
correctly ;-)
> I'd appreciate any light you can throw on how/why data could have been
> written to the target device.
This does not depend on technical solutions. It is so by principle.
Yours,
VB.
--
I would estimate that about 87% of all spontaneous estimates are
complete rubbish.
Ralph Angenendt in debate@ccc.de
Re: Transfer of data via handshake
on 20.07.2006 14:59:06 by adykes
In article <1153384819.496595.292060@i3g2000cwc.googlegroups.com>,
wrote:
>Volker Birk wrote:
>> IanMayo@gmail.com wrote:
>> > "3"
>>
>> If I understand your level concept correctly, then your security
>> advisors are right.
>>
>> I don't know what this "handshaking" means, but I do know what
>> "compromising" means.
>>
>> Yours,
>> VB.
>> --
>
>thanks for that Volker. I understood that devices conducted
>handshakes, but I could see why data would be written to a disk
>platter.
>
>"Compromise" does infer that data has been written to the attached
>device. I guess that's the root of my question: what process could
>have written data to the attached device. It's a little like the
>"emperor's new clothes" whereby something that may have been expressed
>off-hand becomes an unquestionable fact.
>
>I'd appreciate any light you can throw on how/why data could have been
>written to the target device.
The point of view of your security officer is that it's impossible to
prove that no data was written by the level 3 machine and his job is
to eliminate any possibility. He's right, and he's probably in
charge.
All it would take is some obscure program, like a keystroke logger on
the level 3 machine to dump the data to your disk in a way invisible
to Windows commands. That's trivial.
A buddy of mine took a job in a Top Secret facility back in the day
when scientific calculators cost several hundred bucks. (HP 35).
The day he showed up on the job, the security officer said that if the
calculator was carried into the secure area it would never be allowed
out because it was impossible to show that it wasn't storing secret
information.
--
a d y k e s @ p a n i x . c o m
Don't blame me. I voted for Gore. A Proud signature since 2001