Re: TrueCrypt and Windows Hibernate feature

["Bradley, Stephen W. Mr." <bradlesw () MUOHIO EDU>]

Must be one heck of a tool if it can decrypt anything powered off.

Sent from my iPad

Stephen Bradley
bradlesw () muohio edu

On Dec 10, 2010, at 7:26 PM, "Alexander Kurt Keller" <alkeller () SFSU EDU> wrote:

> If the attacker has access to the OS file system, powered on or not, remotely or local, then it is game over. 
>
> Moreover this attack is not viable if your OS drive is encrypted and powered down as there would be no way to obtain 
> a copy of the hiberfil.sys file.  That said, I can see how this would be concerning to folks who are NOT performing 
> OS disk encryption and using BitLocker or TrueCrypt for external/virtual volumes.
>
> Press release is here:
> http://www.lostpassword.com/pdf/pr-101209.pdf
>
> I understand the proposed attack vector against an external/virtual volume that has been encrypted. But I can't wrap 
> my head around this paragraph from the release:
>
> "The latest enhancements to Passware Kit make instant decryption for powered-off computers possible by analyzing a 
> single hibernation file....If a computer with a mounted TrueCrypt or BitLocker To Go hard disk has hibernated at 
> least once, Passware Kit will instantly decrypt the hard disk even if the computer is no longer running."
>
> Are they just saying you could mount the unencrypted OS drive on another computer, grab the hiberfil.sys file and 
> parse that to obtain the Bitlocker/Truecrypt password for the encrypted external/virtual volume?
>
> Best,
> alex
>
>
>
> Alex Keller
> Systems Administrator
> Academic Technology, San Francisco State University
> Office: Burk Hall 153 Phone: (415)338-6117 Email: alkeller () sfsu edu
>
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Smith, 
> Bob
> Sent: Friday, December 10, 2010 3:06 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] TrueCrypt and Windows Hibernate feature
>
> Wondering if anyone had seen this article and what impact, if any, it will have on your use of TrueCrypt?
>  
> http://www.securityweek.com/microsoft-windows-sleep-feature-poses-security-risk?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek%29
>  
> We just implemented the campus-wide use of TrueCrypt, but for select folder/volume encryption and not for full disk 
> encryption and are interested in how anyone else is responding to the claims contained in the article.
>  
> Happy Holidays!
>  
> Bob Smith
> AVP IITS & Information Security Officer
> Longwood University
> 201 High Street
> Farmville, Virginia 23901
> www.longwood.edu/infosec
>  
>  
>  
>  
>  
>