Re: [Full-disclosure] Firewire Attack on Windows Vista

["Stefan Kanthak" <stefan.kanthak () nexgo de>]

Larry Seltzer wrote:

> > > WRT the DMA access over FireWire it's but a bad response since it
> doesn't get the point!
> > > 1. Drive encryption won't help against reading the memory.
> > > 2. The typical user authentication won't help, we're at hardware level
> > >   here, and no OS needs to be involved.
> > > 3. The computer is up (and running; see above), no hibernate or sleep
> > >   is involved here.
>
> So on a freshly-booted system with drive encryption you can read
> whatever you want on the disk? 

No. As another poster already wrote: there's no(t yet a) disk involved.

The attacker just reads the memory and can then try to find cached
credentials or cryptographic keys (as described in the paper by Ed Felten
et al).

But let's take it further: Windows uses TCP/IP over IEEE 1394 in
standard setup, so after getting the cached credentials of an
Administrator from memory an attacker can successfully (I assume a
standard setup where the Windows firewall allows accesses from the own
subnet) mount \\target\C$ or \\target\ADMIN$ and thus read the files
on the disk. If only drive encryption is used, the files are decrypted
by the target.

> > > 4. Group policies can be circumvented, even by a limited user.
> <http://blogs.technet.com/markrussinovich/archive/2005/12/12/circumventi
> ng-group-policy-as-a-limited-user.aspx> 
>
> What he says is that some group policies, not including system-wide
> security settings, maybe circumvented, even by a limited user.

Right. The point is that group policies can/might help, but are not
"fool proof".

Stefan Kanthak