RE: Encryption on Laptops?

Bart.Lansing_at_kohls.com
Date: 03/19/04

To: security-basics@securityfocus.com
Date: Fri, 19 Mar 2004 12:44:26 -0600


    On Wed, 2004-03-17 at 23:48, Simon and Sara Zuckerbraun wrote:

    > Honestly, protecting data on a laptop is very, very hard to accomplish. Once
    > an adversary gains physical control of a machine, there's not much that can
    > stop him from also gaining access to the data. I wish there were some simple
    > answers I could give you, but there just aren't. It's a tough subject.
    >
    > If you enable EFS on Windows XP, this provides you with 128-bit encryption.
    > This type of encryption is strong enough so that it can not be defeated
    > directly using any technology currently known to man.

    And by saying the above, you managed to lose a certain amount of credibility.
    While it is improbable that the resources required to break this encryption
    scheme would be brought to bear, it is not impossible:

    * This is not to say that a DES-encrypted message cannot be "broken." Early
      in 1997, RSA, owners of another encryption approach, offered a $10,000
      reward for breaking a DES message. A cooperative effort on the Internet of
      over 14,000 computer users trying out various keys finally deciphered the
      message, discovering the key after running through only 18 quadrillion of
      the 72 quadrillion possible keys! Few messages sent today with DES
      encryption are likely to be subject to this kind of code-breaking effort.
      (http://www.aces.att.com/glossary/des.htm)

    * Given forward leaps in technology, it is certainly the case that the number
      of machines and the time required has dropped and will continue to drop.
      Even with EFS's use of DESX, it is possible to break.

    However, even easier...by far, is the use of products like Winternals Software's
    ERD Commander, which allow the admin password to be easily changed...bypassing
    EFS altogether...since, once admined, the EFS scheme is rendered moot. I simply
    change the user account passwords on the box in question, log in as the user,
    and voila, I have the files. Don't want to pay for ERD Commander? Well heck,
    download "ntpasswd", boot from it, and watch a linux distro magically mount
    NTFS for you and admin to your heart's content.
    (http://www.sans.org/rr/papers/66/211.pdf). Yes, if you take the time and
    effort to use appropriate syskey policies you can close this gaping hole as
    well...but while possible, it's not practical at all in a large user base.
    Even if you use a Win 2000 domain to keep the SAM database and recovery key
    isolated...you're not going to travel very well...and then...why was it you
    had a laptop?

    EFS is a good thing...it's just not the Holy Grail.


    Bart Lansing
    Manager, Desktop Services
    Kohl's IT
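A toy model of the key-hierarchy argument in the post above, added here as an illustration (it is not code from the thread and not EFS's actual design): the question a defender should ask is whether the key that unwraps a file key can be reached by someone who can rewrite the SAM offline. The three designs, the fixed salt, the HMAC-based toy key wrap and the `boot_key` handling are all assumptions of this example.

```python
import hashlib
import hmac
import os


def kdf(secret: bytes, salt: bytes) -> bytes:
    """Derive a 32-byte key from a secret (a logon password or a boot key)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 10_000, 32)


def xor_wrap(key: bytes, blob: bytes) -> bytes:
    """Toy 32-byte key wrap: XOR with an HMAC-derived keystream. Symmetric, so
    the same call unwraps. Stands in for a real key-wrap; not secure as-is."""
    stream = hmac.new(key, b"toy-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob, stream))


def make_user(password: bytes, design: str, boot_key: bytes = b""):
    """Build one user's on-disk state. Returns (disk, fek) so a caller can check
    what an offline reset recovers. design is one of (all assumed designs):
      "password-only": master key exists only as KDF(password); not on disk.
      "lsa-clear":     master key also stored on disk, readable by any admin.
      "lsa-syskey":    master key stored on disk, wrapped by KDF(boot_key),
                       where boot_key is typed at boot or read from a floppy."""
    salt = b"constructed-salt"  # constructed value; real systems use random salts
    fek = os.urandom(32)  # per-file key (FEK), itself random
    master = kdf(password, salt)
    disk = {"salt": salt, "wrapped_fek": xor_wrap(master, fek), "design": design}
    if design == "lsa-clear":
        disk["lsa_master"] = master
    elif design == "lsa-syskey":
        disk["lsa_master"] = xor_wrap(kdf(boot_key, salt), master)
    return disk, fek


def offline_reset_and_recover(disk: dict, boot_key=None):
    """The path the post describes, modelled from the defender's side: the SAM
    password is overwritten with one the admin chooses and the admin logs in.
    Returns whatever FEK the admin can unwrap (None if nothing is reachable)."""
    if disk["design"] == "password-only":
        # A new password derives a different master key; the old one is gone.
        return xor_wrap(kdf(b"password-set-by-admin", disk["salt"]), disk["wrapped_fek"])
    master = disk["lsa_master"]
    if disk["design"] == "lsa-syskey":
        if boot_key is None:
            return None  # wrapped by a key that is not on the disk at all
        master = xor_wrap(kdf(boot_key, disk["salt"]), master)
    return xor_wrap(master, disk["wrapped_fek"])
```

Only the "lsa-clear" layout hands the file key to whoever rewrote the SAM; the other two make the reset useless without the old password or the boot key, which is the property a laptop deployment needs to verify.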
