One option would be to debug via a FW port. Another option would be to trick the user into installing this software, or trick the user into somehow giving away access to the machine (aka these APTs we keep hearing about) and layering this on top.
Cheers
Ken

-----Original Message-----
From: David Lum [mailto:david....@nwea.org]
Sent: Saturday, 22 December 2012 7:39 AM
To: NT System Admin Issues
Subject: RE: Disk encryption killer: Anyone see this?

So I'm hearing we shouldn't be concerned about a PGP-encrypted laptop *unless* its hibernation file is unencrypted (read, no full disk encryption)? A fully encrypted disk that has a screen saver password is going to be pretty secure?

"You'll thus need to get a memory dump from a running PC (locked or unlocked) with encrypted volumes mounted, via a standard forensic product or via a FireWire attack.."
>> OK, how easy is it to get a memory dump from a running PC?

"Alternatively, decryption keys can also be derived from hibernation files if a target PC is turned off"
>> If the hiberfil.sys is encrypted, how do they get to it?

Dave

-----Original Message-----
From: Steve Kradel [mailto:skra...@zetetic.net]
Sent: Friday, December 21, 2012 10:59 AM
To: NT System Admin Issues
Subject: Re: Disk encryption killer: Anyone see this?

I don't find this alarming at all: it requires access to the key data, and is useful if you have a memory dump or a cleartext hibernation file (hiberfil.sys is going to be *encrypted* on a hibernating machine with whole-disk encryption). This tool appears to be a good time-saver, given a memory dump, because it knows where to look for the keys and how to extract them, but it does not attack any inherent cryptographic weakness or key management problems in PGP, TC, etc.

--Steve

On Fri, Dec 21, 2012 at 1:34 PM, Matthew W. Ross <mr...@ephrataschools.org> wrote:
> I'm no security expert.
>
> But I do assume that if the physical machine is compromised, then the data it
> holds is as good as compromised as well, no matter what level of encryption
> you have.
>
> --Matt Ross
> Ephrata School District
>
> ----- Original Message -----
> From: Ziots, Edward [mailto:ezi...@lifespan.org]
> To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
> Sent: Fri, 21 Dec 2012 09:57:51 -0800
> Subject: RE: Disk encryption killer: Anyone see this?
>
>> I would say off the record no, if you used popular encryption
>> software and a repeatable process, but when you lose physical
>> security of an asset, given a reasonable amount of time and effort
>> the encryption will be cracked and data will be obtained.
>>
>> Z
>>
>> Edward E. Ziots, CISSP, Security +, Network +
>> Security Engineer
>> Lifespan Organization
>> ezi...@lifespan.org
>>
>> From: Chinnery, Paul [mailto:pa...@mmcwm.com]
>> Sent: Friday, December 21, 2012 12:37 PM
>> To: NT System Admin Issues
>> Subject: RE: Disk encryption killer: Anyone see this?
>>
>> Oh, great. I wonder what view CMS will take if a laptop is
>> stolen/lost and it's encrypted. Will they still say it's a HIPAA violation?
>>
>> From: David Lum [mailto:david....@nwea.org]
>> Sent: Friday, December 21, 2012 12:29 PM
>> To: NT System Admin Issues
>> Subject: Disk encryption killer: Anyone see this?
>>
>> Comments anyone? Looks like bad news...
>>
>> http://thenextweb.com/insider/2012/12/20/this-299-tool-is-reportedly-capable-of-cracking-bitlocker-pgp-and-truecrypt-disks-in-real-time/
>>
>> David Lum
>> Sr. Systems Engineer // NWEA™
>> Office 503.548.5229 // Cell (voice/text) 503.267.9764
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to listmana...@lyris.sunbeltsoftware.com
>> with the body: unsubscribe ntsysadmin
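A defender-side audit of the two exposure paths the thread turns on: a hibernation file written outside full-disk encryption, and a FireWire (DMA) path into RAM while the console is locked. This is an added example, not code from the thread or from any product it names; it assumes a Windows 8 or later host that uses BitLocker as its full-disk encryption (the PGP and TrueCrypt setups discussed above would need their own status query), and Windows 10 1703 or later for the DMA-under-lock policy value.

```powershell
# Added example: report whether this host is exposed to the key-recovery
# paths discussed in the thread. Run from an elevated PowerShell prompt.
$findings = @()

# 1. Hibernation: is hiberfil.sys being written at all?
$power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
$hibernateOn = ($null -ne $power) -and ($power.HibernateEnabled -eq 1)

# 2. Is the system volume (where hiberfil.sys lives) fully encrypted with protection on?
#    Assumes the BitLocker module is present; other FDE products need a different query.
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
$fdeOn = ($osVolume.VolumeStatus -eq 'FullyEncrypted') -and ($osVolume.ProtectionStatus -eq 'On')

if ($hibernateOn -and -not $fdeOn) {
    $findings += "hiberfil.sys is written to an unprotected system volume: keys of mounted volumes may be recoverable from it."
}
if (-not $hibernateOn) {
    "Hibernation is disabled; no hiberfil.sys is written."
}

# 3. DMA while locked: the BitLocker policy 'Disable new DMA devices when this
#    computer is locked' sets DisableExternalDMAUnderLock=1 under the FVE policy key.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not ($fve -and $fve.DisableExternalDMAUnderLock -eq 1)) {
    $findings += "New DMA devices are not blocked while the console is locked."
}

# 4. Is there an IEEE 1394 (FireWire) host controller at all? Setup class '1394'.
$fw = Get-CimInstance -ClassName Win32_PnPEntity | Where-Object { $_.PNPClass -eq '1394' }
if ($fw) {
    $findings += "IEEE 1394 controller present: $($fw.Name -join ', '). Consider disabling it if unused."
}

if ($findings.Count -eq 0) { "No findings." } else { $findings }
```

The script only reports; remediation (turning hibernation off, enabling the DMA policy, disabling unused 1394 controllers) is a separate change-controlled step.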