Full Disk / Bitlocker Security Hackable

May
26
2010

Team:

Thanks to those folks who wrote in and thanked me for waving the banner around this issue.

Also, thanks to those folks who asked some clarifying questions. Okay, here are my summarized thoughts (basically, answers to your questions):

1. Sure, it would be great if copy machines could JOIN the Windows domain. Then, heck yeah, you could possibly use some GP trickery to make them more secure. BUT, that wasn’t what I was implying. :-)

2. I supplied some GP-based security tips yesterday. One that encrypted the page file, and another one which totally removed it at shutdown. I also said that the best (bestest?) way to get protected is via full disk encryption. So, I totally stand by that.. Full disk encryption is arguably, the best (fastest / intermediate) way to get “pretty darn secure.” I would however, also suggest that I would only perform the “remove page file at shutdown” for machines where there is no other possible solution for security.

Heck, let’s break this “are we secure?” problem down .. way way down, just for fun here.

 

Question :Okay… Does NTFS provide “security” ?
Answer: Sorry. No. So, in short, if I steal your laptop, and it’s got no full disk encryption, then I can boot it from a USB stick, CD-ROM, or just rip the hard drive out and mount it in my non-Windows (ie: Linux machine) and.. bingo.. I have your files.

Question: Does applying either / both of those policy settings I suggested yesterday really make you more “secure”?
Answer: It’s better than NOTHING for desktops that HAVE to be out in the open, and for whatever reason can not get full disk encryption. And even then, it only protects the page file, which may or may not contain interesting stuff. To be super clear, I would suggest against enabling the “remove page at logoff” for servers at all costs, because rebooting your servers (or workstations with large page files) could take a loooong time.

Question: Does EFS (encrypting file system) provide “security” ?
Answer:  While I haven’t personally attempted to “bypass” EFS, I’ve seen several writeups of how to bypass it. Indeed, this one tool (found by quick Internet search) claims to immediately make child’s play of EFS. (Again, untested.. http://tinyurl.com/2buburp)
PS: I swear I didn’t do anything special to get that TinyURL.. that was auto-assigned to me.

Question: Does full disk encryption provide “security” ?
Answer: It’s an excellent start. Again, it’s the best thing we can do for the majority of attacks. But there are still vulnerabilities.  

Question: Okay.. what vulnerabilities am I still exposed to?
Answer: Three parts

() This one I knew about (which was discovered at Princeton University):
This vulnerability is based on the idea that you can “copy” the memory of a PC. Very interesting.
http://www.youtube.com/watch?v=JDaicPIgn9U

() This one I didn’t. This uses Firewire to slurp out the computer’s memory via DMA:
http://tinyurl.com/2pea3y
Thanks to Darren Mar-Elia, fellow GP MVP for this lead.

() A little internet searching came up with this commercial tool to bust Bitlocker / Truecrypt:
http://www.lostpassword.com/kit-forensic.htm
This actually seems to be similar to the Princeton attack; and requires memory to be “captured.” Or, you can try a lengthy “brute force” attack if the machine was fully shutdown.

Also, I think  reasonable reading as well, is the Microsoft response to the Princeton attack, and you can find that here:

http://windowsteamblog.com/windows/b/windowssecurity/archive/2009/12/07/windows-bitlocker-claims.aspx

In short, I am in agreement with Microsoft’s summary of the assessment:

“This sort of targeted attack poses a relatively low risk to folks who use BitLocker in the real world.”

Agreed.

If you’re concerned about attack #1 and #3, then make sure your computers settings are configured (using GP, of course!) to make the computer fully shut down (hibernate) on idle. Then require the Bitlocker password pin or USB key at startup. Yes, this is kind of a pain in the neck. But it is the way to prevent that attack.

If you’re concerned about attack #2, then use GP (again!) to disable built-in Firewire ports unless absolutely necessary.

To be superduper, crazy clear.. there is no “magic bullet” for security. Here’s some reading to get into the concept of “defense in depth.”

http://www.amazon.com/Protect-Your-Windows-Network-Perimeter/dp/0321336437

The book isn’t “super technical” in a “click here, do this” kind of way. But it did “get it into my thick skull” that I need to be doing everything I can, at multiple layers to thwart the bad guys and protect my network and keep my company safe.

So.. hopefully this article helps you out.

Here are some I can help you get more secure.

1) I do cover how to do both hardware lockout and power configuration (among many, many security items that I cover) in my GP class (coming soon to Washington, DC — July 19th! www.GPanswers.com/training !) A handful of seats left.

and

2) This whole “defense in depth” idea is why I designed PolicyPak. Group Policy does a great job configuring some of the in-the-box operating system items. But what about the rest of the operating system and add-on applications? Hope to see you today or next week online (www.PolicyPak.com/demo)

and

3) Of course, you can get a book. :-) www.GPanswers.com/book

That’s it. Talk with you soon!

 

Copyright © GPanswers.com. All rights reserved. GPanswers.com is a service of PolicyPak Software