RE: Password "security" - was "Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords"

From: Dufresne, Pierre (PIERRE.DUFRESNE@MESS.GOUV.QC.CA)
Date: Fri Oct 14 2005 - 19:07:47 EDT


Hi Chris,

I also agree that BIOS are usually trivial to get rid of. We also have
multiple brands/models which all have different ways to set this kind of
password. With SYSKEY, the method would be standard across all our models
of laptops. And since the user needs to provide another password in both
cases, it might as well be a SYSKEY password.

Resetting passwords in the SAM will not help you when SYSKEY is in mode 2
because it will ask for the syskey password before getting to the logon
screen.

I don't want to believe that it is game over if an attacker gets physical
access to one of my laptops. EFS with XP SP2 uses AES as the encryption
algorithm, which I believe is pretty strong. I am not an expert, but I think
that if you protect the passwords/keys/credentials with something like
SYSKEY, you will give the attacker a much harder time.

If anyone has any idea on how to defeat the combination I suggested, please
let me know.
Thanks
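
The settings Pierre's argument rests on (SYSKEY mode, LM hash storage, number of cached domain logons) can be audited from the registry. The script below is an added example, not code from the thread; it reads the documented SecureBoot, NoLMHash and CachedLogonsCount values, and the warning thresholds are this example's own assumptions. Run it as Administrator on the laptop being checked.

```powershell
# Added example (not from the list thread): audit the settings the
# SYSKEY-plus-cached-credentials reasoning depends on.
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValue($path, $name) {
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$name
}

# SecureBoot holds the SYSKEY mode: 1 = system key stored on disk (default),
# 2 = password required at boot, 3 = system key on removable media.
$mode = Get-RegValue $lsa 'SecureBoot'
switch ($mode) {
    1 { $modeText = 'mode 1: system key stored locally (offline SAM/LSA recovery still possible)' }
    2 { $modeText = 'mode 2: password required at boot (key not on disk)' }
    3 { $modeText = 'mode 3: system key on removable media' }
    default { $modeText = "unknown value '$mode'" }
}
Write-Output "SYSKEY              : $modeText"

# NoLMHash = 1 stops Windows from storing the weak LM hash next to the NT hash.
$noLm = Get-RegValue $lsa 'NoLMHash'
if ($noLm -eq 1) { $lmText = 'disabled (good)' } else { $lmText = 'ENABLED - LM hashes are stored' }
Write-Output "LM hash storage     : $lmText"

# CachedLogonsCount (REG_SZ) is the number of domain logons cached for offline
# use; these are the entries protected by the NL$KM secret in the LSA.
$cached = Get-RegValue $winlogon 'CachedLogonsCount'
Write-Output "Cached domain logons: $cached"

# Assumed policy for this example: cached logons with the system key on disk
# are only as safe as the physical disk, so flag that combination.
if ($cached -ne '0' -and $mode -eq 1) {
    Write-Output 'WARNING: cached logons present and the system key is stored on disk.'
}
```
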

-----Original Message-----
From: Chris Clymer [mailto:cclymer@gmail.com]
Sent: 13 octobre 2005 00:38
To: "lists AT dawes DOT za DOT net"@smtp.enginuiti.com;
pen-test@securityfocus.com
Subject: Re: Password "security" - was "Passwords with Lan Manager (LM) under
Windows" and "Whitespace in passwords"


Rogan Dawes wrote:
> [The original poster seemed to be concerned about the laptop being stolen]
>
>>> As I said, by using SYSKEY with a password-on-boot, I was hoping to
>>> protect the cache entries stored on the laptops. Without the SYSKEY
>>> password, the machine won't boot, so an attacker could not dump the
>>> cache (CacheDump) or get access to the LSA (LSADump2). I also assume
>>> that booting with another OS would not give the attacker access to the
>>> EFS files because AES is pretty strong, the cache entries are encrypted
>>> with a secret (NL$KM) which is stored in the LSA and the LSA is not
>>> accessible because the system key is password protected by a password
>>> which is not stored locally anymore. I don't assume my reasoning is
>>> foolproof, I just want to make sure deploying SYSKEY with a
>>> password-on-boot will render our laptops harder to penetrate.
>>
>>
>
> Have you thought about implementing a BIOS password on the hard drive?
>
> Granted, there is no mechanism for locking out passwords, but I don't
> think that there are too many BIOS's that would allow you to automate a
> brute force attack . . . .
>
> As far as I know, there is no method to override the hard drive password
> once it is set . . . (although maybe reformatting the whole disk might
> have some effect)
>
> Regards,
>
> Rogan
>

BIOS passwords are trivial to get rid of for an attacker with physical
access to the machine. You just need to clear the CMOS. Every board has
its own method; there may be a jumper to set, or you yank the battery.
Google is sure to reveal the right method for any model of laptop.

As far as EFS... I believe it is tied into the standard Windows
authentication. I seem to recall (from these lists?) that it just uses
the user's login password from the SAMS file to encrypt. If you can
boot another OS (after getting around the BIOS password) you can get to
the SAMS, which means game over. I did read a few things about putting
your EFS key onto a floppy or other removable media. I'm not sure if
this takes care of these other vectors in XP or not. It was clear that
in Win2k the administrator user always maintains the ability to read EFS
files... and as mentioned, reading and changing the SAMS from a live disk
is trivial.

It is best to assume that if an attacker gets physical access in any
situation, it's game over. Does that sensitive data need to be on a
laptop where it's out of your control and often in harm's way? Why not
keep it on a company server and only allow access through a secure VPN?

I'm working on a paper about a much different way of preventing these
kinds of attacks. Mine is mostly aimed at recovering a stolen laptop,
but it uses a lot of misdirection which could be useful for hiding sensitive
data. The method is to prompt the user with a standard login screen,
and have a bad password fail into booting a "fake" install which runs in
emulation. As far as the attacker is concerned, they are inside a
standard Windows install, and hopefully look around a bit at interesting
things we have left lying around. Underneath this emulated Windows is
another OS, such as Linux, which is running various scripts to log the
attacker's keystrokes, his activities, and to dial home with as much
information as possible should he connect to the internet.
--
Chris Clymer - Chris@ChrisClymer.com
PGP: E546 19B6 D1EC 47A7 CAA0 8623 C807 398C CD27 15B8





This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:03 EDT