Security Basics mailing list archives
RE: Re[2]: Encryption on Laptops?
From: "Simon and Sara Zuckerbraun" <szucker () rcn com>
Date: Sun, 28 Mar 2004 01:04:32 -0600
Hello Bart, Alexander. As I've said, EFS is not broken. As I've been looking into this matter, it appears to me that the type of attack that Bart described is indeed possible - but only on Windows 2000 (not XP), and then only when attacking the data of a local user (not a domain user). See the following article for detailed information: http://support.microsoft.com/default.aspx?kbid=309408 dealing with how Windows uses Protected Storage to safeguard critically sensitive user data such as private keys. As MS states in this article: "Microsoft recommends that you use one of the following methods for Windows 2000 stand-alone computers that contain sensitive data that may be physically compromised: "Upgrade to Windows XP "Use SYSKEY mode 2 or 3 on the Windows 2000-based laptop By "stand-alone" they are referring to machines used without being joined to a domain (and I would suppose that the same is true for all *local* accounts, even if they are on a machine that happens to be joined to a domain). And I am skeptical that SYSKEY could provide serious protection on a laptop, given the way laptops are generally used - if the laptop is stolen while it's in suspended mode or hibernated mode, the SYSKEY is right there in RAM or in the hibernation file. Now, brute-forcing the user's password - this is something that can be anywhere from trivial to extraordinarily difficult, depending upon the strength of the password that the user has chosen. While we're on the topic, there's an article at http://support.microsoft.com/default.aspx?kbid=299656 that has some important info on strengthening the way Windows 2000/XP/2003 stores passwords. I don't see any reason to conclude that EFS is inherently a weak solution. EFS has nothing to be ashamed of when compared with alternative products. Its strength is highly dependent on having proper procedures in place, as we've been discussing. But you could say the same for virtually any security product. Defending data on a laptop is still a tall order. Simon -----Original Message----- From: Bart.Lansing () kohls com [mailto:Bart.Lansing () kohls com] Sent: Friday, March 26, 2004 12:37 PM To: security-basics () securityfocus com Subject: Re: Re[2]: Encryption on Laptops? Alexander, I do indeed stand (well, sit..I was never much for keyboarding while standing) corrected...we do need to take the time to brute the user'spassword once we own the box. Still, trivial for anyone who really wants the files :) Bart Lansing Manager, Desktop Services Kohl's IT Alexander Lukyanenko <sashman () ua fm> wrote on 03/25/2004 03:49:59 PM:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello Bart et al, ... BLkc> I simply change the BLkc> user account passwords on the box in question, log in as BLkc> the user, and voila, I have the BLkc> files. Nonsense! The idea of EFS is that the encryption keys (`certificates') are itself encrypted with user's passwords. If you don't know the password, you won't get to the files, and if you'll forcibly change the user's password, you'll kill the certificate and render the encrypted files unreadable. But, the system can still be "opened". You can boot with ERD/ntpasswd, change admin's password, boot Windows as usual, login, run pwdump/lc4, get the password hashes and then brute-force them using lc4 or John The Ripper (don't sure about the later being able to deal with NTLM2 hashes). Then you login as the user in question with his/her password and voila, you have the files. It ain't as easy and fast (you need to bruteforce a password), as just changing a user's password, but still possible. Cheers, * * * * * * * * * * * * * * * * Alexander V. Lukyanenko * * ma1lt0: sashman ua fm * * ICQ# : 86195208 * * Phone : +380 44 458 07 23 * * OpenPGP key ID: 75EC057C * * NIC : SASH4-UANIC * * * * * * * * * * * * * * * * -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (MingW32) iD8DBQFAY1QMlz+8e3XsBXwRAsctAJ48/oMjTcreWlX6VoGXOAnVvp5lbACfYrQj OCP2z+qFgAVUtiKMZ4AErb0= =TGm2 -----END PGP SIGNATURE-----
CONFIDENTIALITY NOTICE: This is a transmission from Kohl's Department Stores, Inc. and may contain information which is confidential and proprietary. If you are not the addressee, any disclosure, copying or distribution or use of the contents of this message is expressly prohibited. If you have received this transmission in error, please destroy it and notify us immediately at 262-703-7000. CAUTION: Internet and e-mail communications are Kohl's property and Kohl's reserves the right to retrieve and read any message created, sent and received. Kohl's reserves the right to monitor messages by authorized Kohl's Associates at any time without any further consent. --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- Re: Encryption on Laptops?, (continued)
- Re: Encryption on Laptops? David E Mazza (Mar 17)
- RE: Encryption on Laptops? Aditya, ALD [Aditya Lalit Deshmukh] (Mar 19)
- Re: Encryption on Laptops? Magi Networks (Mar 17)
- Re: Encryption on Laptops? David E Mazza (Mar 17)
- Re: Encryption on Laptops? micron (Mar 17)
- RE: Encryption on Laptops? Simon and Sara Zuckerbraun (Mar 18)
- RE: Encryption on Laptops? Aaron (Mar 18)
- RE: Encryption on Laptops? Simon and Sara Zuckerbraun (Mar 19)
- RE: Encryption on Laptops? Bart . Lansing (Mar 22)
- Re[2]: Encryption on Laptops? Alexander Lukyanenko (Mar 26)
- Re: Re[2]: Encryption on Laptops? Bart . Lansing (Mar 26)
- RE: Re[2]: Encryption on Laptops? Simon and Sara Zuckerbraun (Mar 29)
- RE: Encryption on Laptops? Aaron (Mar 18)