RE: Laptop Security - Microsoft EFS

From: Burton M. Strauss III (bstrauss3@attbi.com)
Date: 09/06/02


From: "Burton M. Strauss III" <bstrauss3@attbi.com>
To: <security-basics@securityfocus.com>
Date: Fri, 6 Sep 2002 10:11:55 -0500

I think you're right but wrong...

Ultimately, the data has to be decrypted to be used, and at that time it's
vulnerable. It may require admin access to the box, or custom hardware, but
at SOME POINT in the chain it has to be decrypted. It's classic - don't
crack the encryption, stick a sniffer in there AFTER it's decrypted.

EFS has the added security of a second factor, namely the key (or recovery
keys) that have to be provided once you have physical access! So it's
CERTAINLY better than just a raw file system.

With EFS the key(s) are unique to the drive. If the key (or recovery key)
is compromised, well, you don't need anything else beyond physical access
(mount the hd in a box you control, and use the key). Recovery agents don't
change this, they just give more keys that have to be secured and thus form
an additional point of attack -- one that may not make evident the ultimate
target.

Without the key(s), you need a trojan to steal it. To install a
key-trapping trojan, you need admin access to the box, so you've already
compromised one of the factors.

Ultimately we're back to the ultimate vulnerability in ANY scheme - where
having (logical|physical) access to a non-tamper-(proof|resistant|evident)
system is the problem.

-----Burton

-----Original Message-----
From: Jason Coombs [mailto:jasonc@science.org]
Sent: Wednesday, September 04, 2002 2:07 PM
To: Bryan Allerdice; security-basics@securityfocus.com
Subject: RE: Laptop Security - Microsoft EFS

One of the things I was dissatisfied with when reviewing EFS was that it
only works for encrypting user data. Although programs installed by the user
for the user can also be encrypted, conceivably, it isn't possible to use
EFS to encrypt system files. So EFS prevents user data from being copied in
cleartext during a mount attack, but the easiest way for an attacker to gain
access to the contents of the encrypted files is to install a Trojan on the
drive during the mount attack and then put the drive back where the attacker
found it. When the user logs in, the Trojan will have access to the EFS key
if it's online, and can immediately access the plaintext of each encrypted
file. If the EFS key is not online, the Trojan has to wait for it to become
available -- which happens when the user accesses any encrypted file ...
thus giving the Trojan complete access to every file. The EFS key isn't
stored temporarily in process memory, it's cached for use during the entire
session (until the user logs out) by any code that tries to access encrypted
files.

Somebody tell me if my analysis was wrong.

Sincerely,

Jason Coombs
jasonc@science.org

-----Original Message-----
From: Bryan Allerdice [mailto:bryan@professionalhacker.com]
Sent: Tuesday, September 03, 2002 6:53 AM
To: security-basics@securityfocus.com
Subject: RE: Laptop Security - Microsoft EFS

One potential weakness to watch out for concerns Recovery Agents.

When you use EFS (Encrypting File System), you can assign Recovery Agents
who can also decrypt the respective person's info. This is useful in a work
environment where an employee is allowed to encrypt their files, but when
they get fired and their replacement needs to continue working on their
projects, that info needs to be decrypted.

If the private key for the recovery agent sits on the very computer you are
trying to protect, then you may as well not encrypt anything, because it's
that key which an attacker would love to get their hands on. Recovery Agent
private keys should be exported to removable media and kept separate (and
safely secured) away from the computer.

BRYAN ALLERDICE

> -----Original Message-----
> From: larrylou@hushmail.com [mailto:larrylou@hushmail.com]
> Sent: Friday, August 30, 2002 11:22 AM
> To: security-basics@securityfocus.com
> Subject: Laptop Security - Microsoft EFS
>
> Hi everyone,
> I am researching data protection for my company laptop users. I
> have tested Guardian PC, the encryption time is long and very
> pricy. Has anyone heard if there is a way to perform a mount
> attack on MS EFS?
>
> Thanks,
>
> LL
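The thread's point about Recovery Agent private keys sitting on the protected machine can be checked directly. The following is an added example, not part of the original messages: a PowerShell audit that lists EFS-related certificates in the local stores and shows whether each private key is still present. The function name `Get-EfsKeyExposure` is hypothetical; the two OIDs are the standard Microsoft EKU values for EFS and EFS File Recovery.

```powershell
# Added example (not from the thread): report EFS certificates and whether
# their private keys are stored on this machine.
function Get-EfsKeyExposure {
    param(
        # Certificates to inspect; defaults to the personal stores visible
        # to the account running the check.
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificate =
            @(Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue)
    )

    $efsOid      = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System (user key)
    $recoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery (recovery agent key)

    foreach ($cert in $Certificate) {
        # Collect the Enhanced Key Usage OIDs carried by this certificate.
        $ekus = foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
            }
        }

        $isRecovery = $ekus -contains $recoveryOid
        $isEfs      = $ekus -contains $efsOid
        if (-not ($isRecovery -or $isEfs)) { continue }

        [pscustomobject]@{
            Role          = if ($isRecovery) { 'RecoveryAgent' } else { 'EfsUser' }
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            # True means the private key is on this machine's disk and would
            # travel with the drive if it were mounted elsewhere.
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
}

# Recovery agent keys that were never moved off the box are the finding that matters.
Get-EfsKeyExposure |
    Where-Object { $_.Role -eq 'RecoveryAgent' -and $_.HasPrivateKey } |
    Format-Table -AutoSize
```

`Cert:\CurrentUser\My` only covers the account running the script, so the check has to be run in the profile of each account designated as a recovery agent.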


