Re: Former Install Encryption Cracking
From: D. Cross [MS] (vaq130@hotmail.com)
Date: 05/30/02
- In reply to: x y: "Re: Former Install Encryption Cracking"
From: "D. Cross [MS]" <vaq130@hotmail.com> Date: Thu, 30 May 2002 06:40:14 -0700
Note that the attacks you describe do not apply to Windows XP, they do not
apply to machines joined to a domain and they do not apply to machines that
have SYSKEY mode 2 or 3 applied.
http://www.microsoft.com/windowsxp/pro/techinfo/administration/recovery/default.asp
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"x y" <jamescagney90210@yahoo.com> wrote in message news:OJpw4vrBCHA.2656@tkmsftngp05...
> "Laura A. Robinson" <usefirstinitiallastname@technologist.com> wrote in
> message news:MPG.175c3609227e2bc4989def@msnews.microsoft.com...
> > > Five days? As long as Windows was not reinstalled, it should have taken
> > > them 15 minutes. [Maybe they should have posted here asking how to do it.]
> > >
> > Okay, how do you decrypt an EFS-encrypted partition in 15 minutes?
> >
> > Laura
>
> I hate to say it out loud in public, but I think this is sort of common
> knowledge. As long as you have physical access to the computer and Windows
> is intact, and the computer was not in an Active Directory domain, then you
> use any one of the six or twelve documented ways to either brute-force crack
> or completely reset either the admin password or the user's password, both
> of which can perform EFS recovery on the files. Unfortunately, this means
> that many home users and non-AD laptops are vulnerable, including probably
> the suspect that the FBI took four days to hack. Plus, EFS cannot encrypt
> every file and folder on the computer, so that there is sure to be sensitive
> data somewhere on the computer, and maybe even unencrypted copies of the
> encrypted data in, for example, a temp folder. There is an excellent
> article at www.sans.org on EFS vulnerabilities and how to try to close them.
>
> To be fair to the FBI, I suppose it could take 4 days to properly image the
> hard drive so as to keep an unchanged copy of the data that would hold up in
> court, and perhaps they felt brute-force cracking the password was a better
> way to get the data from the drive without changing the evidence. Or, maybe
> they have a brute-force cracker that works against EFS encryption keys. I
> would think it's only a matter of time before such things are written, so
> that the correct answer to "I can't read my EFS files" is no longer "They're
> gone forever," but "go to l0pht.com." If the US allows an encryption
> technology to be exported to other countries, I suspect it's because the
> spooks are confident they have machines that can crack it quickly when it is
> used by foreign powers.