Security Basics mailing list archives
Re: How to Test HDD Encryption
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Wed, 14 Nov 2007 17:13:56 +0100
On 2007-11-14 jfvanmeter () comcast net wrote:
> I recently completed a pen test for a client and discovered a new directory traversal in a web-enabled application. The target for the test was FDE enabled; once the target was booted and the OS mounted, I could exploit the directory traversal to read any file on the system. After I informed my client of the problem, they asked me to do additional testing. I found that if I encrypted the file and ran the directory traversal, I could no longer read the file. So until the vendor patched their software, a mitigating step to lower the risk was to encrypt the files the client felt were the greatest risk if someone was to run the exploit.
First, hosts that are world-accessible should not hold sensitive data in the first place. Second, services running on world-accessible hosts should be running under their own user account. Third, a directory traversal will expose only those files that are accessible by the user running the exploited service. If encrypting the files mitigated the problem, then the user running the service apparently didn't need access to those files. Thus revoking read access for that user would have mitigated the problem just as well, without the additional overhead of file-level encryption.
> I believe you need both, FDE to protect the data at rest, and file encryption to protect the data when it is active.
I still fail to see an advantage of file-level encryption.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
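A least-privilege audit that makes Ansgar's point concrete, added here as an example and not part of the thread: given the uid the web service runs as, list the files under a document tree that a directory traversal in that service could read, so read access for that account can be revoked instead of encrypting the files. The sample tree, the service uid (the current owner's uid plus one, i.e. a different non-root account) and the file modes are constructed assumptions.

```python
import os
import shutil
import stat
import tempfile

def _allowed(uid, gids, st, usr, grp, oth):
    """POSIX class selection: root reads all; else owner, group, or other bits apply."""
    if uid == 0:
        return True
    if uid == st.st_uid:
        return bool(st.st_mode & usr)
    if st.st_gid in gids:
        return bool(st.st_mode & grp)
    return bool(st.st_mode & oth)

def can_read(uid, gids, st):
    return _allowed(uid, gids, st, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)

def can_search(uid, gids, st):
    return _allowed(uid, gids, st, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)

def readable_files(root, uid, gids):
    """Sorted relative paths under `root` that account `uid` (with groups `gids`) can read.
    Unsearchable directories are pruned; symlinks skipped; `root` assumed searchable."""
    found = []
    for cur, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if can_search(uid, gids, os.lstat(os.path.join(cur, d)))]
        for f in files:
            st = os.lstat(os.path.join(cur, f))
            if stat.S_ISREG(st.st_mode) and can_read(uid, gids, st):
                found.append(os.path.relpath(os.path.join(cur, f), root).replace(os.sep, "/"))
    return sorted(found)

def audit_sample():
    """Constructed tree; the web service is assumed to run as another, non-root uid."""
    root = tempfile.mkdtemp()
    try:
        layout = {"index.html": 0o644, "config/app.conf": 0o644,
                  "config/db.conf": 0o600, "private/keys.pem": 0o644}
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.chmod(path, mode)
        os.chmod(os.path.join(root, "config"), 0o755)
        os.chmod(os.path.join(root, "private"), 0o700)  # blocks everything beneath it
        return readable_files(root, os.getuid() + 1, set())
    finally:
        shutil.rmtree(root)
```

Only `index.html` and `config/app.conf` come back: `db.conf` is owner-only and `private/` is unsearchable, so neither needed encryption, only the mode bits they already have.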