...a lot more than you might think include Firewire ports - the word "commodity" comes to mind. Even my Lenovo netbook has one and pretty much any desktop/workstation includes at least one Firewire port (they're very popular with digital musicians / producers, etc.).

The biggest problem with most M-L orgs is that they tend to standardize their hardware before anyone has done any threat modeling (assuming that happens at all). You'd have to issue a pretty big PO before most computer mfrs would be willing to tweak the hardware options that much.

Jim

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Susan Bradley
Sent: Thursday, February 24, 2011 2:19 PM
To: [email protected]
Subject: Re: Bitlocker without PIN

How many laptops are sold with firewire ports? Wouldn't one mitigation technique for a prudent CTO/CIO be to spec all laptops without that?

On 2/24/2011 1:25 PM, Thor (Hammer of God) wrote:
> I assume he's talking about after you have logged on and the computer is locked and you retrieve it from "live" memory a.k.a. the memory freezing attack. I would actually like to see that work IRL. If it were that easy, you wouldn't need recovery agents :)
>
> t
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of John Lightfoot
> Sent: Thursday, February 24, 2011 12:37 PM
> To: 'Per Thorsheim'; 'focus-ms'
> Subject: RE: Bitlocker without PIN
>
> I agree that transparent Bitlocker is a great security tool.
>
> Per, could you provide more details where you say:
>
> "Using Passware Forensic Toolkit you can extract the bitlocker key using live memory dumping through Firewire (either by using an existing Firewire port, or by inserting a pcmcia/expresscard firewire card). No need to logon to Windows there..."
>
> My understanding of the way Bitlocker works is that when you enable full-disk encryption, Bitlocker creates a small, unencrypted partition that contains the Windows login module. Once you've entered your credentials and they've been validated, the login module uses them to access the TPM for the key to decrypt the rest of the hard drive. I do not believe the encryption key is resident in memory until after the login credentials are verified, so I don't think the firewire hack or other memory scanning techniques would allow you to retrieve the key prior to authentication.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Thor (Hammer of God)
> Sent: Thursday, February 24, 2011 12:07 PM
> To: Per Thorsheim; focus-ms
> Subject: RE: Bitlocker without PIN
>
> I don't agree with blanket statements like "is not a good idea in terms of security."
>
> I'm willing to wager that insofar as "real world" application of security is concerned, that most people on this list are not designing solutions around what keys can be extracted from live memory via firewire. Sure, it's cool, and l337, and provides for jazz-hand presentation content, but it is not the use-case that we are solving for. If it is, then additional mechanisms should be employed.
>
> Security is about risk mitigation - as such, transparent TPM-based Bitlocker can be an absolutely fantastic security control. It can be seamlessly rolled out, controlled by group policy, and data can be protected by way of recovery agents. It provides disk encryption without requiring the user to remember PINs, etc. Sure, PINs are better as I stated in my last email, but they require more administration. This solves for the 90th percentile (if not more) of the cases I've seen where the asset is lost or stolen.
>
> I have to reply like this because it would be a real shame if people saw the "not good for security" post and figured "ah, screw it then" and moved on. We should solve for reasonable use cases appropriately in cost effective ways that reduce administration where possible. Sure, they can extract keys from live memory via firewire - and I can extract PINs from live people with a box cutter. I think you see where I'm going with this...
>
> From a security standpoint, transparent bitlocker is a fantastic feature. PINs are better. Everything should be put in proper perspective.
>
> t
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Per Thorsheim
> Sent: Thursday, February 24, 2011 1:35 AM
> To: focus-ms
> Subject: RE: Bitlocker without PIN
>
> "Transparent" Bitlocker with TPM and direct boot to Windows Logon is not a good idea in terms of security.
>
> At the Passwords^10 conference in Dec 2010, Passware revealed their newest version of their forensic toolkit. You probably want to see that:
> ftp://ftp.ii.uib.no/pub/passwords10/
>
> Using Passware Forensic Toolkit you can extract the bitlocker key using live memory dumping through Firewire (either by using an existing Firewire port, or by inserting a pcmcia/expresscard firewire card). No need to logon to Windows there...
>
> Depending on your configuration, the hibernation file may be unencrypted. This can then be extracted from the disk and analyzed to get the bitlocker decryption key as well.
>
> Lessons learned:
> 1. Superglue for your Firewire and pcmcia/expresscard ports
> 2. Do not allow hibernation mode OR encrypt the hibernation file as well
> 3. Always use Pre-Boot Authentication (PBA) in some form (pin, password, smartcard..)
>
> --
> Best regards,
> Per Thorsheim
> securitynirvana.blogspot.com
>
> On Wed, 2011-02-23 at 21:45 +0000, Alexander Kurt Keller wrote:
>> Speaking as an individual and not representing my institution. If you can handle the support overhead I would require the PIN or physical key in addition to the transparent TPM key for added protection.
>>
>> Re: What happens if he boots with a linux live CD/USB? Can he decrypt the drive? The key is stored in the TPM. Does linux have access to the TPM?
>>
>> No. This is not a viable attack, these links explain in a nutshell how TPM works:
>> http://windows.microsoft.com/en-US/windows-vista/BitLocker-Drive-Encryption-Overview
>> http://geekswithblogs.net/sdorman/archive/2006/07/04/84045.aspx
>>
>> There are a number of viable attacks (and plenty more theoretical attacks) against all types of full drive encryption, including BitLocker, but it is not as trivial as using a Linux bootdisk.
>>
>> Re: We are just not sure if the extra security is worth having the users type 2 passwords to boot a laptop.
>>
>> If the attacker can gain physical access to the computer, and it uses TPM and boots straight to Windows, then they could attack the computer at the network layer and at the console, or via one of the more advanced hardware attacks (chip cooling, hibernation file excavation, etc.). Requiring a PIN at boot adds an extra layer of protection before the OS starts.
>>
>> It comes down to a risk analysis of your environment and what you are trying to protect. For my laptop I use TrueCrypt (which by design requires a PIN) because it is a transient computer at risk for theft and contains information that could be leveraged in an attack against our infrastructure. Furthermore I use KeePass to encrypt all passwords, and AxCrypt for all sensitive documents, which offers a second layer of protection should the computer be compromised while it is booted.
>>
>> It should be pointed out that BitLocker/TrueCrypt/EFS/etc. will do little or nothing to stop an attack inbound from the network or malicious code that has been allowed to execute on the running OS.
>>
>> Best,
>> alex
>>
>> Alex Keller
>> Systems Administrator
>> Academic Technology, San Francisco State University
>> Office: Burk Hall 153 Phone: (415)338-6117 Email: [email protected]
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of Shang Tsung
>> Sent: Thursday, February 17, 2011 3:07 AM
>> To: [email protected]
>> Subject: Bitlocker without PIN
>>
>> Hello all,
>>
>> We are in the process of setting up Bitlocker on our laptops for OS encryption and we are wondering if we should set up a PIN or not. If we do not, the attacker can get to the Windows login screen, but this is where he will stop.
>>
>> What happens if he boots with a linux live CD/USB? Can he decrypt the drive? The key is stored in the TPM. Does linux have access to the TPM?
>>
>> We are just not sure if the extra security is worth having the users type 2 passwords to boot a laptop.
>>
>> ST
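A read-only PowerShell audit of the three "lessons learned" Per lists in the quoted thread (pre-boot authentication, hibernation, live Firewire/PCMCIA controllers), added here as an example and not posted by anyone in the thread. It assumes Windows 8 / Server 2012 or later with the BitLocker PowerShell module and an elevated prompt; the registry value and WMI classes it reads are from my own knowledge of Windows, not from the thread.

```powershell
# Added example (not from the thread): reports, and never changes, the state of
# the three mitigations discussed above on the local host.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Pre-boot authentication. A TPM-only protector boots straight to the logon
#    screen, which is the "transparent" configuration the thread argues about.
#    Protector type names are the BitLocker module's own enum values.
$os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
$pba   = $types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' }
if ($os.ProtectionStatus -ne 'On') {
    $findings.Add("BitLocker protection on $($os.MountPoint) is $($os.ProtectionStatus)")
} elseif (-not $pba) {
    $findings.Add("OS volume protectors [$($types -join ', ')] include no TPM+PIN or startup key")
}

# 2. Hibernation. Lesson 2 says disable it or make sure hiberfil.sys is
#    encrypted. HibernateEnabled is the value powercfg /hibernate toggles
#    (assumed from Windows documentation, not from the thread).
$power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
if ($power -and $power.HibernateEnabled -eq 1) {
    $findings.Add("Hibernation is enabled; hiberfil.sys is only as protected as $env:SystemDrive is")
}

# 3. DMA-capable ports. Lesson 1 is about Firewire and PCMCIA/ExpressCard; the
#    WMI controller classes list them, and ConfigManagerErrorCode 22 means the
#    device is disabled in Device Manager. Anything else is a live controller.
foreach ($class in 'Win32_1394Controller', 'Win32_PCMCIAController') {
    foreach ($ctl in @(Get-CimInstance -ClassName $class -ErrorAction SilentlyContinue)) {
        if ($ctl.ConfigManagerErrorCode -ne 22) {
            $findings.Add("$class '$($ctl.Name)' is present and enabled")
        }
    }
}

if ($findings.Count -eq 0) {
    'No findings: pre-boot auth enforced, hibernation off, no live 1394/PCMCIA controller.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it from an elevated prompt on a pilot machine before rolling BitLocker policy out; a host that lists a live 1394 controller and a TPM-only protector is exactly the case Per's message describes.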
