RE: Password "security" - was"Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords"

From: Miguel Dilaj (Miguel.Dilaj@nccgroup.com)
Date: Fri Oct 14 2005 - 04:07:54 EDT


Hi all,

My comments in line.

Chris wrote:
> BIOS passwords are trivial to get rid of for an attacker with physical
> access to the machine. Just need to clear the CMOS. Every board has
> its own method, there can be a jumper to be set, or yanking the battery.
> Google is sure to reveal the right method for any model of laptop.

Yes. But that applies only to the BIOS POP (Power On Password).
The other password you can set up in most modern laptops is the HDP (Hard
Disk Password) and, believe me, it's not trivial to get rid of this one.
Before anyone suggests taking the disk out and putting it into another
machine, please Google a bit on how badly locked the disk is ;-)
To remove this password there ARE a few options (see one of my previous
posts), but none is trivial.

> As far as EFS...I believe it is tied into the standard windows
> authentication. I seem to recall (from these lists?) that it just uses
> the user's login password from the SAMS file to encrypt. If you can
> boot another OS (after getting around the BIOS password) you can get
> to the SAMS, which means game over. I did read a few things about
> putting your EFS key onto a floppy or other removable media. I'm not
> sure if this takes care of these other vectors in XP or not. It was
> clear that in win2k the administrator user always maintains the
> ability to read efs files...and as mentioned, reading and changing
> the SAMS from a live disk is trivial.

For a start: the whole SYSKEY idea (the basis for EFS encryption) has
changed a lot from Win2K to WinXP. The changes were for the good; Microsoft
(which I don't like, but I have to be fair with them) worked on
implementing a lot of suggestions to enhance security based on flaws in
Win2K.
SYSKEY can be attacked for as long as the keys are somewhere near, but
if they are stored on a floppy (and the floppy is not in the same bag as
the laptop), or, WHAT IS MUCH BETTER, you have to enter the SYSKEY
passphrase every time you boot, then it's pretty secure.
That said, the SAM is SYSKEY'ed, and of course if the passphrase only
resides in your memory (the thing in between your ears) it's not easy to
decrypt it (theories of bruteforcing it, anyone? ;-)
The same criteria probably apply to Advanced EFS Password Recovery (or
whatever the tool from Elcomsoft is called) mentioned by Marco a couple of
days ago: it probably works great only if the key is somewhere, and
perhaps if your passphrase is a nice dictionary word like "dog". I haven't
tried it, but feel free to experiment.

Regarding vectors, feel free to investigate further on the sticky key
attack (i.e., pressing SHIFT 5 times) at the SYSKEY passphrase prompt.
Read my previous post(s).

Getting the disk booted into another OS will allow you to browse it, of
course, but SYSKEY encrypted files will be awfully mangled.

> It is best to assume that if an attacker gets physical access in any
> situation, its game over. Does that sensitive data need to be on a
> laptop where its out of your control and often in harms way? Why not
> keep it on a company server and only allow access through a secure VPN?

Not quite.
If the laptop has both BIOS POP and HDP set, then boots into a patched
XP with a passphrase prompt for SYSKEY, and all sensitive information is
EFS encrypted, I consider it secure enough to be stolen... Of course, as
a pentester I'll be DELIGHTED if someone proves me wrong ;-)))
HIGHLY sensitive information (why do you have it on a laptop in the
first place?) can be stored in PGP disks if you are a bit paranoid; I
agree with you on keeping it on a server (but probably it won't be
possible 100% of the time, for business reasons).

> I'm working on a paper about a much different way of preventing these
> kinds of attacks. Mine is mostly aimed at recovering a stolen laptop,
> but it uses a lot of misdirection which could be useful hiding
> sensitive data. The method is to prompt the user with a standard login
> screen, and have a bad password fail into booting a "fake" install
> which runs in emulation. As far as the attacker is concerned, they are
> inside a standard windows install, and hopefully look around a bit at
> interesting things we have left lying around.
> Underneath this emulated windows is another OS, such as linux, which
> is running various scripts to log the attacker's keystrokes, his
> activities, and to dial home with as much information as possible
> should it be connected to the internet.

Cool. I'd be interested in reading it.
Just remember that security by obscurity (only) is no security, so your
idea will be good ON TOP of security ;-)

Cheers,

Miguel
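The post above speculates about brute-forcing a SYSKEY passphrase and notes that a recovery tool will only do well when the passphrase is a dictionary word like "dog". The script below, added here as an illustration and not part of Miguel's post or any Elcomsoft tool, shows the difference in concrete terms: it runs a small dictionary attack with common mangling rules against a target boot key and counts how many guesses it takes. It ASSUMES that passphrase-mode SYSKEY derives its 128-bit boot key as MD5(passphrase), the derivation described by SAM-dumping tools such as bkhive; the word list, the mangling rules and the target keys are constructed for the demo. Nothing here touches a real SAM or registry hive.

```python
"""Dictionary attack against a passphrase-derived boot key (added example).

Assumption: SYSKEY in passphrase mode derives the 128-bit boot key as
MD5(passphrase). Everything else (word list, mangling rules, targets) is
constructed for the demonstration and is not taken from the thread.
"""
import hashlib
from typing import Iterable, Iterator, Optional, Tuple


def boot_key_from_passphrase(passphrase: str) -> bytes:
    """Assumed derivation: 16-byte boot key = MD5 over the passphrase bytes."""
    return hashlib.md5(passphrase.encode("utf-8")).digest()


# Constructed word list: what a cracker's "common passwords" file looks like.
WORDLIST = ["password", "dog", "cat", "letmein", "laptop", "secret", "admin"]

# Constructed mangling suffixes: the cheap rules every cracker tries first.
SUFFIXES = ("1", "123", "!", "2005")


def candidates(words: Iterable[str]) -> Iterator[str]:
    """Yield each word as-is, capitalised, upper-cased, then with suffixes.

    Per word this yields 3 + 2 * len(SUFFIXES) = 11 candidates.
    """
    for w in words:
        yield w
        yield w.capitalize()
        yield w.upper()
        for suffix in SUFFIXES:
            yield w + suffix
            yield w.capitalize() + suffix


def dictionary_attack(target_key: bytes,
                      words: Iterable[str]) -> Tuple[Optional[str], int]:
    """Return (recovered passphrase or None, number of guesses made)."""
    guesses = 0
    for cand in candidates(words):
        guesses += 1
        if boot_key_from_passphrase(cand) == target_key:
            return cand, guesses
    return None, guesses


def random_keyspace(alphabet_size: int, length: int) -> int:
    """Guesses needed, worst case, for a random passphrase of this shape."""
    return alphabet_size ** length


if __name__ == "__main__":
    # A dictionary word falls in a handful of guesses ...
    for secret in ("dog", "Dog2005"):
        found, n = dictionary_attack(boot_key_from_passphrase(secret), WORDLIST)
        print(f"{secret!r}: recovered {found!r} after {n} guesses")
    # ... a random passphrase survives the whole list.
    found, n = dictionary_attack(boot_key_from_passphrase("x7#Qp9!vL2kR"),
                                 WORDLIST)
    print(f"random passphrase: recovered {found!r} after {n} guesses")
    print("worst case for 12 printable-ASCII chars:",
          random_keyspace(95, 12), "guesses")
```

The point is not the MD5 call but the ratio: the whole constructed list plus mangling is under a hundred guesses, while a 12-character random passphrase needs on the order of 10^23 in the worst case. Whatever the exact derivation inside SYSKEY, a passphrase that is a dictionary word (mangled or not) is what makes a "recovery" tool work.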




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:03 EDT