RE: Re[2]: Encryption on Laptops?

["Simon and Sara Zuckerbraun" <szucker () rcn com>]

Hello Bart, Alexander.

As I've said, EFS is not broken.

As I've been looking into this matter, it appears to me that the type of
attack that Bart described is indeed possible - but only on Windows 2000
(not XP), and then only when attacking the data of a local user (not a
domain user). See the following article for detailed information:

http://support.microsoft.com/default.aspx?kbid=309408

dealing with how Windows uses Protected Storage to safeguard critically
sensitive user data such as private keys.

As MS states in this article:

"Microsoft recommends that you use one of the following methods for Windows
2000 stand-alone computers that contain sensitive data that may be
physically compromised: 
"Upgrade to Windows XP
"Use SYSKEY mode 2 or 3 on the Windows 2000-based laptop

By "stand-alone" they are referring to machines used without being joined to
a domain (and I would suppose that the same is true for all *local*
accounts, even if they are on a machine that happens to be joined to a
domain).

And I am skeptical that SYSKEY could provide serious protection on a laptop,
given the way laptops are generally used - if the laptop is stolen while
it's in suspended mode or hibernated mode, the SYSKEY is right there in RAM
or in the hibernation file.

Now, brute-forcing the user's password - this is something that can be
anywhere from trivial to extraordinarily difficult, depending upon the
strength of the password that the user has chosen. While we're on the topic,
there's an article at http://support.microsoft.com/default.aspx?kbid=299656
that has some important info on strengthening the way Windows 2000/XP/2003
stores passwords.

I don't see any reason to conclude that EFS is inherently a weak solution.
EFS has nothing to be ashamed of when compared with alternative products.
Its strength is highly dependent on having proper procedures in place, as
we've been discussing. But you could say the same for virtually any security
product.

Defending data on a laptop is still a tall order.

Simon


-----Original Message-----
From: Bart.Lansing () kohls com [mailto:Bart.Lansing () kohls com] 
Sent: Friday, March 26, 2004 12:37 PM
To: security-basics () securityfocus com
Subject: Re: Re[2]: Encryption on Laptops?






Alexander,

I do indeed stand (well, sit..I was never much for keyboarding while
standing) corrected...we do need to take the time to brute the
user'spassword once we own the box.  Still, trivial for anyone who really
wants the files :)

Bart Lansing
Manager, Desktop Services
Kohl's IT


Alexander Lukyanenko <sashman () ua fm> wrote on 03/25/2004 03:49:59 PM:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello Bart et al,
> ...
> BLkc>    I simply change the
> BLkc>  user account passwords on the box in question, log in as
> BLkc> the user, and voila, I have the
> BLkc>  files.
> Nonsense! The idea of EFS is that the encryption keys
> (`certificates') are itself
> encrypted with user's passwords. If you don't know the password,
> you won't get to the files, and if you'll forcibly change the user's
> password, you'll kill the certificate and render the encrypted files
> unreadable.
> But, the system can still be "opened".
> You can boot with ERD/ntpasswd, change admin's password, boot
> Windows as usual, login, run pwdump/lc4, get the password hashes and then
> brute-force them using lc4 or John The Ripper (don't sure about the
> later being able to deal with NTLM2 hashes). Then you login as the
> user in question with his/her password and voila, you have the files.
> It ain't as easy and fast (you need to bruteforce a password), as just
> changing a user's password, but still possible.
>
> Cheers,
> * * * * * * * * * * * * * * *
> * Alexander V. Lukyanenko   *
> * ma1lt0: sashman ua fm     *
> * ICQ#  : 86195208          *
> * Phone : +380 44 458 07 23 *
> * OpenPGP key ID: 75EC057C  *
> * NIC   : SASH4-UANIC       *
> * * * * * * * * * * * * * * *
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (MingW32)
>
> iD8DBQFAY1QMlz+8e3XsBXwRAsctAJ48/oMjTcreWlX6VoGXOAnVvp5lbACfYrQj
> OCP2z+qFgAVUtiKMZ4AErb0=
> =TGm2
> -----END PGP SIGNATURE-----


CONFIDENTIALITY NOTICE: 
This is a transmission from Kohl's Department Stores, Inc.
and may contain information which is confidential and proprietary.
If you are not the addressee, any disclosure, copying or distribution or use
of the contents of this message is expressly prohibited.
If you have received this transmission in error, please destroy it and
notify us immediately at 262-703-7000.

CAUTION:
Internet and e-mail communications are Kohl's property and Kohl's reserves
the right to retrieve and read any message created, sent and received.
Kohl's reserves the right to monitor messages by authorized Kohl's
Associates at any time
without any further consent.

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the
skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------