Re: Bitlocker without PIN

[Susan Bradley]

How many laptops are sold with firewire ports?

Wouldn't one mitigation technique for a prudent CTO/CIO would be to spec 
all laptops without that?

On 2/24/2011 1:25 PM, Thor (Hammer of God) wrote:
I assume he's talking about after you have logged on and the computer is locked and you 
retrieve it from "live" memory a.k.a the memory freezing attack.  I would 
actually like to see that work IRL.  If it were that easy, you wouldn't need recovery 
agents :)

t

-----Original Message-----
From: listbou...@securityfocus.com [mailto:listbou...@securityfocus.com] On 
Behalf Of John Lightfoot
Sent: Thursday, February 24, 2011 12:37 PM
To: 'Per Thorsheim'; 'focus-ms'
Subject: RE: Bitlocker without PIN

I agree that transparent Bitlocker is a great security tool.

Per, could you provide more details where you say:

"Using Passware Forensic Toolkit you can extract the bitlocker key using live memory 
dumping through Firewire (either by using an existing Firewire port, or by inserting an 
pcmcia/expresscard firewire card). No need to logon to Windows there..."

My understanding of the way Bitlocker works is that when you enable full-disk 
encryption, Bitlocker creates a small, unencrypted partition that contains the 
Windows login module.  Once you've entered your credentials and they've been 
validated, the login module uses them to access the TPM for the key to decrypt 
the rest of the hard drive.  I do not believe the encryption key is resident in 
memory until after the login credentials are verified, so I don't think the 
firewire hack or other memory scanning techniques would allow you to retrieve 
the key prior to authentication.

-----Original Message-----
From: listbou...@securityfocus.com [mailto:listbou...@securityfocus.com] On 
Behalf Of Thor (Hammer of God)
Sent: Thursday, February 24, 2011 12:07 PM
To: Per Thorsheim; focus-ms
Subject: RE: Bitlocker without PIN

I don't agree with blanket statements like "is not a good idea in terms of 
security."

I'm willing to wager that insofar as "real world" application of security is 
concerned, that most people on this list are not designing solutions around what keys can 
be extracted from live memory via firewire.  Sure, it's cool, and l337, and provides for 
jazz-hand presentation content, but it is not the use-case that we are solving for.  If 
it is, then additional mechanisms should be employed.

Security is about risk mitigation - as such, transparent TPM-based Bitlocker 
can be an absolutely fantastic security control.  It can be seamlessly rolled 
out, controlled by group policy, and data can be protected by way of recover 
agents.  It provides disk encryption without requiring the user to remember 
PINs, etc.  Sure, PINs are better as I stated in my last email, but they 
require more administration.  This solves for the 90th percentile (if not more) 
of the cases I've seen where the asset is lost or stolen.

I have to reply like this because it would be a real shame if people saw the "not good for 
security" post and figured "ah, screw it then" and moved on.   We should solve for 
reasonable use cases appropriately in cost effective ways that reduce administration where 
possible.  Sure, they can extract keys from live memory via firewire - - and I can extract PINs 
from live people with a box cutter.  I think you see where I'm going with this...

 From a security standpoint, transparent bitlocker is a fantastic feature.  
PINs are better.  Everything should be put in proper perspective.

t

-----Original Message-----
From: listbou...@securityfocus.com [mailto:listbou...@securityfocus.com] On 
Behalf Of Per Thorsheim
Sent: Thursday, February 24, 2011 1:35 AM
To: focus-ms
Subject: RE: Bitlocker without PIN

"Transparent" Bitlocker with TPM and direct boot to Windows Logon is not a good 
idea in terms of security.

At the Passwords^10 conference in Dec 2010, Passware revealed their newest 
versio of their forensic toolkit. You probably want to see that:
ftp://ftp.ii.uib.no/pub/passwords10/

Using Passware Forensic Toolkit you can extract the bitlocker key using live 
memory dumping through Firewire (either by using an existing Firewire port, or 
by inserting an pcmcia/expresscard firewire card). No need to logon to Windows 
there...

Depending on your configuration, the hibernation file may be unencrypted. This 
can then be extracted from the disk and analyzed to get the bitlocker 
decryption key as well.

Lessons learned:
1. Superglue for your Firewire and pcmcia/expresscard ports 2. Do not allow 
hibernation mode OR encrypt the hibernation file as well 3. Always use Pre-Boot 
Authentication (PBA) in some form (pin, password,
smartcard..)

--
Best regards,
Per Thorsheim
securitynirvana.blogspot.com




On Wed, 2011-02-23 at 21:45 +0000, Alexander Kurt Keller wrote:
Speaking as an individual and not representing my institution. If you can 
handle the support overhead I would require the PIN or physical key in addition 
to the transparent TPM key for added protection.

Re: What happens if he boots with a linux live CD/USB? Can he decrypt the 
drive? The key is stored in the TPM. Does linux have access to the TPM?

No. This is not a viable attack, these links explain in a nutshell how TPM 
works:
http://windows.microsoft.com/en-US/windows-vista/BitLocker-Drive-Encry
ption-Overview
http://geekswithblogs.net/sdorman/archive/2006/07/04/84045.aspx

There are a number of viable attacks (and plenty more theoretical attacks) 
against all types of full drive encryption, including BitLocker, but it is not 
as trivial as using a Linux bootdisk.

Re: We are just not sure if the extra security worths having the users to type 
2 passwords to boot a laptop.

If the attacker can gain physical access to the computer, and it uses TPM and 
boots straight to Windows, then they could attack the computer at the network 
layer and at the console, or via one of the more advanced hardware attacks 
(chip cooling, hibernation file excavation, etc.). Requiring a PIN at boot adds 
an extra layer of protection before the OS starts.

It comes down to a risk analysis of your environment and what you are trying to 
protect. For my laptop I use TrueCrypt (which by design requires a PIN) because 
it is a transient computer at risk for theft and contains information that 
could be leveraged in an attack against our infrastructure. Furthermore I use 
KeePass to encrypt all passwords, and AxCrypt for all sensitive documents, 
which offers a second layer of protection should the computer be compromised 
while it is booted.

It should be pointed out that BitLocker/TrueCrypt/EFS/etc. will do little or 
nothing to stop an attack inbound from the network or malicious code that has 
been allowed to execute on the running OS.

Best,
alex


Alex Keller
Systems Administrator
Academic Technology, San Francisco State University
Office: Burk Hall 153 Phone: (415)338-6117 Email: alkel...@sfsu.edu

-----Original Message-----
From: listbou...@securityfocus.com
[mailto:listbou...@securityfocus.com] On Behalf Of Shang Tsung
Sent: Thursday, February 17, 2011 3:07 AM
To: focus-ms@securityfocus.com
Subject: Bitlocker without PIN

Hello all,

We are on the process of setting up Bitlocker on our laptops for OS encryption 
and we are wandering if we should set up a PIN or not. If we do not, the 
attacker can get to Windows login screen, but this is where he will stop.

What happens if he boots with a linux live CD/USB? Can he decrypt the drive? 
The key is stored in the TPM. Does linux have access to the TPM?

We are just not sure if the extra security worths having the users to type 2 
passwords to boot a laptop.

ST