A couple of days ago a researcher released a tool, msramdmp, which is available here, and details how to grab data from RAM.
Today, Kelly Jackson Higgins details, on our sister site, DarkReading, in this story, about additional tools coming to the fore that make it possible for attackers to use Firewire drives to commandeer locked Windows systems.
From the story:
"That Firewire port is, as designed, literally there to let you plug things into your laptop memory banks," says Thomas Ptacek, principal with Matasano Security. "When you think of Firewire, you really should just think of a cable coming directly out of your system's DRAM banks. That's basically all Firewire is."
Ptacek says this tool raises the bar in physical hacking. "People think about physical hacking as something you have to do with a screwdriver and 20 minutes, under cover of darkness. Attacks like Adam's can be done in the time it takes you to pick up a sheet of paper off the office printer," he says.
In the story, Ptacek advises users that the best defense is to disable their Firewire ports. That may be good advice for enterprises with lots of sensitive data on notebooks. It's probably not practical for anyone doing video editing, or managing large graphic files. And while it's not a perfect solution, it's better than nothing. So it's probably a good time for larger enterprises to evaluate whether or not external ports should be disabled, especially for execs and others carrying sensitive information.
The best defense, obviously, is not to lose sight of notebooks. It's also probably time to start calling full disk encryption vendors and ask how they're mitigating the risk to these attacks.
But I wouldn't expect much, as Thomas Claburn reminds us, in this story, of one of Microsoft's 10 Immutable Laws of Security:
"If a bad guy has unrestricted physical access to your computer, it's not your computer anymore."