Security Basics mailing list archives
RE: Encryption on Laptops?
From: Bart.Lansing () kohls com
Date: Fri, 19 Mar 2004 12:44:26 -0600
On Wed, 2004-03-17 at 23:48, Simon and Sara Zuckerbraun wrote:
> Honestly, protecting data on a laptop is very, very hard to accomplish. Once an adversary gains physical control of a machine, there's not much that can stop him from also gaining access to the data. I wish there were some simple answers I could give you, but there just aren't. It's a tough subject.
>
> If you enable EFS on Windows XP, this provides you with 128-bit encryption. This type of encryption is strong enough so that it can not be defeated directly using any technology currently known to man.

And by saying the above, managed to lose a certain amount of credibility. While it is improbable that the required resources to break this encryption scheme is unlikely, it is not impossible:

* This is not to say that a DES-encrypted message cannot be "broken." Early in 1997, RSA, owners of another encryption approach, offered a $10,000 reward for breaking a DES message. A cooperative effort on the Internet of over 14,000 computer users trying out various keys finally deciphered the message, discovering the key after running through only 18 quadrillion of the 72 quadrillion possible keys! Few messages sent today with DES encryption are likely to be subject to this kind of code-breaking effort. (http://www.aces.att.com/glossary/des.htm) *

Given forward leaps in technology, it is certainly the case that the number of machines and the time required has and will continue to drop. Even with EFS's use of DESX, it is possible to break.

However, even easier...by far, is the use of products like Winternals Software's ERD Commander, which allow the admin password to be easily changed...bypassing EFS altogether...since, once admined, the EFS scheme is rendered moot. I simply change the user account passwords on the box in question, log in as the user, and voila, I have the files. Don't want to pay for ERD Commander? Well heck, download "ntpasswd", boot from it, and watch a Linux distro magically mount NTFS for you and admin to your heart's content. (http://www.sans.org/rr/papers/66/211.pdf)

Yes, if you take the time and effort to use appropriate syskey policies you can close this gaping hole as well...but while possible, it's not practical at all in a large user base. Even if you use a win 2000 domain to keep the SAM database and recovery key isolated...you're not going to travel very well...and then...why was it you had a laptop?

EFS is a good thing...it's just not the Holy Grail.

Bart Lansing
Manager, Desktop Services
Kohl's IT