Focus on Microsoft
RE: Bitlocker without PIN Feb 24 2011 09:33PM
Per Thorsheim (putilutt online no)
Ah, forgive me for not doing the proper risk analysis here.

If you look at other (earlier) FDE products (at least those I've used at
work), they were all configured to do Pre-Boot Authentication. Why?
Probably because the vendors considered it a good idea.

As soon as Windows reaches the logon screen it will probably also have
an IP address, start talking on the network, and may have several ports
open. Give it some time, and you'll probably have remote exploits
available as well, that may give you access to the OS without knowing
any logon credentials.

IF one can successfully get access to the OS on the computer, you have
probably got access to most, if not all the data stored there. (Unless
someone is using additional file encryption, like MS Office document
password protection (AES in 2007-2010). Rather unlikely of course, at
least when they have FDE.) What else can you get? Well, user credentials
and password hashes. Forgot to lower your "number of logon credentials to
cache" in Windows? Rather good chance of obtaining elevated domain
privileges through the credentials left behind by those who installed
your computer in the first place.

Board of directors, Executive team, legal department, HR or financial
department are travelling. A lot. At least many of them.

Cost of a toolkit to "attack" Bitlocker in direct-boot-to-Windows-Logon:
a couple of hundred USD. Compared to the value of the information you
might get access to? Most certainly worth the money and time - I'll
leave the "possibility of getting caught and spending time" analysis to
the bad guys.

But of course: all the above will most likely happen through a targeted
attack. YOU are not the target, your employer probably is. And you are
absolutely correct: http://xkcd.com/538/ will probably do the targeted
attack even faster and with better results.

As for the occasional theft, snooping or "lost my computer" cases,
Bitlocker will most certainly provide much better security no matter how
you configure it, compared to no FDE at all.

The current Wikipedia article on Bitlocker
(http://en.wikipedia.org/wiki/Bitlocker) lists 3 authentication
mechanisms: transparent (TPM), user authentication and USB key mode. In
addition there are 5 permutations to these modes:
- TPM only
- TPM + pin
- TPM + pin + USB key
- TPM + USB key
- USB key

PIN? Probably 1234 or 1111 anyway.
USB key? Cumbersome, easily lost/stolen, extra piece of hardware that
may fail, maybe left in the computer permanently (which is strictly not
a hardware problem...)

So you can't really get 100% security (it doesn't exist), and you HAVE
to evaluate the risk, with a lot of factors affecting your decision:
- Risk of random/targeted attacks
- Information value of the information stored on computers
- Additional value/risk of data stored (logon credentials etc)
- Number of laptops (often out travelling) or just desktops inhouse
- Risk of users getting annoyed over security, and take risk/policy/law
into their own hands

So again; sorry about the wrong choice of words - I was probably
thinking too much about executives with laptops actually containing
valuable data.

Best regards,
Per Thorsheim
securitynirvana.blogspot.com

On Thu, 2011-02-24 at 17:07 +0000, Thor (Hammer of God) wrote:
> I don't agree with blanket statements like "is not a good idea in terms of security."
>
> I'm willing to wager that insofar as "real world" application of security is concerned, that most people on this list are not designing solutions around what keys can be extracted from live memory via firewire. Sure, it's cool, and l337, and provides for jazz-hand presentation content, but it is not the use-case that we are solving for. If it is, then additional mechanisms should be employed.
>
> Security is about risk mitigation - as such, transparent TPM-based Bitlocker can be an absolutely fantastic security control. It can be seamlessly rolled out, controlled by group policy, and data can be protected by way of recover agents. It provides disk encryption without requiring the user to remember PINs, etc. Sure, PINs are better as I stated in my last email, but they require more administration. This solves for the 90th percentile (if not more) of the cases I've seen where the asset is lost or stolen.
>
> I have to reply like this because it would be a real shame if people saw the "not good for security" post and figured "ah, screw it then" and moved on. We should solve for reasonable use cases appropriately in cost effective ways that reduce administration where possible. Sure, they can extract keys from live memory via firewire - - and I can extract PINs from live people with a box cutter. I think you see where I'm going with this...
>
> From a security standpoint, transparent bitlocker is a fantastic feature. PINs are better. Everything should be put in proper perspective.
>
> t
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Per Thorsheim
> Sent: Thursday, February 24, 2011 1:35 AM
> To: focus-ms
> Subject: RE: Bitlocker without PIN
>
> "Transparent" Bitlocker with TPM and direct boot to Windows Logon is not a good idea in terms of security.
>
> At the Passwords^10 conference in Dec 2010, Passware revealed the newest version of their forensic toolkit. You probably want to see that:
> ftp://ftp.ii.uib.no/pub/passwords10/
>
> Using Passware Forensic Toolkit you can extract the bitlocker key using live memory dumping through Firewire (either by using an existing Firewire port, or by inserting a pcmcia/expresscard firewire card). No need to logon to Windows there...
>
> Depending on your configuration, the hibernation file may be unencrypted. This can then be extracted from the disk and analyzed to get the bitlocker decryption key as well.
>
> Lessons learned:
> 1. Superglue for your Firewire and pcmcia/expresscard ports
> 2. Do not allow hibernation mode OR encrypt the hibernation file as well
> 3. Always use Pre-Boot Authentication (PBA) in some form (pin, password, smartcard..)
>
> --
> Best regards,
> Per Thorsheim
> securitynirvana.blogspot.com
>
>
>
>
> On Wed, 2011-02-23 at 21:45 +0000, Alexander Kurt Keller wrote:
> > Speaking as an individual and not representing my institution. If you can handle the support overhead I would require the PIN or physical key in addition to the transparent TPM key for added protection.
> >
> > Re: What happens if he boots with a linux live CD/USB? Can he decrypt the drive? The key is stored in the TPM. Does linux have access to the TPM?
> >
> > No. This is not a viable attack, these links explain in a nutshell how TPM works:
> > http://windows.microsoft.com/en-US/windows-vista/BitLocker-Drive-Encryption-Overview
> > http://geekswithblogs.net/sdorman/archive/2006/07/04/84045.aspx
> >
> > There are a number of viable attacks (and plenty more theoretical attacks) against all types of full drive encryption, including BitLocker, but it is not as trivial as using a Linux bootdisk.
> >
> > Re: We are just not sure if the extra security worths having the users to type 2 passwords to boot a laptop.
> >
> > If the attacker can gain physical access to the computer, and it uses TPM and boots straight to Windows, then they could attack the computer at the network layer and at the console, or via one of the more advanced hardware attacks (chip cooling, hibernation file excavation, etc.). Requiring a PIN at boot adds an extra layer of protection before the OS starts.
> >
> > It comes down to a risk analysis of your environment and what you are trying to protect. For my laptop I use TrueCrypt (which by design requires a PIN) because it is a transient computer at risk for theft and contains information that could be leveraged in an attack against our infrastructure. Furthermore I use KeePass to encrypt all passwords, and AxCrypt for all sensitive documents, which offers a second layer of protection should the computer be compromised while it is booted.
> >
> > It should be pointed out that BitLocker/TrueCrypt/EFS/etc. will do little or nothing to stop an attack inbound from the network or malicious code that has been allowed to execute on the running OS.
> >
> > Best,
> > alex
> >
> >
> > Alex Keller
> > Systems Administrator
> > Academic Technology, San Francisco State University
> > Office: Burk Hall 153 Phone: (415)338-6117 Email: alkeller (at) sfsu (dot) edu [email concealed]
> >
> > -----Original Message-----
> > From: listbounce (at) securityfocus (dot) com [email concealed]
> > [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Shang Tsung
> > Sent: Thursday, February 17, 2011 3:07 AM
> > To: focus-ms (at) securityfocus (dot) com [email concealed]
> > Subject: Bitlocker without PIN
> >
> > Hello all,
> >
> > We are in the process of setting up Bitlocker on our laptops for OS encryption and we are wondering if we should set up a PIN or not. If we do not, the attacker can get to the Windows login screen, but this is where he will stop.
> >
> > What happens if he boots with a linux live CD/USB? Can he decrypt the drive? The key is stored in the TPM. Does linux have access to the TPM?
> >
> > We are just not sure if the extra security is worth having the users type 2 passwords to boot a laptop.
> >
> > ST

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEABECAAYFAk1mzq8ACgkQsXl+Y9DQrvbIuACgpjKOd+Gu8+pRBNbJVprXCloe
uXkAmgLq711tf4c9c+5TNaAidfLGQdEJ
=J0EZ
-----END PGP SIGNATURE-----
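The three configuration points argued over in this thread (TPM-only versus a pre-boot PIN or startup key, hibernation, and the number of cached domain logons) can all be checked from the machine itself. The script below is an added example, not code from any of the thread's participants; it assumes the BitLocker PowerShell module that ships with Windows 8 / Server 2012 and later (on the Windows 7 systems of 2011 the equivalent status came from `manage-bde -status`), an elevated prompt, and the Winlogon and Power registry locations named in the comments.

```powershell
# Added example: audit the BitLocker posture points raised in the thread.
# Assumes the BitLocker module (Get-BitLockerVolume, Windows 8+) and an
# elevated PowerShell session. Returns a list of findings; an empty list
# means every check passed.
function Test-BitLockerPosture {
    $findings = @()

    # 1. Protector mode on the OS volume. A TPM-only protector unseals the
    #    volume before anyone authenticates, which is the "transparent"
    #    mode debated above; TpmPin / TpmStartupKey / TpmPinStartupKey /
    #    ExternalKey / Password all require something at boot.
    $osVolume = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    if (-not $osVolume) {
        $findings += 'No BitLocker-managed operating system volume found.'
    } else {
        $mp    = $osVolume.MountPoint
        $types = @($osVolume.KeyProtector | Select-Object -ExpandProperty KeyProtectorType)

        if ($osVolume.ProtectionStatus -ne 'On') {
            $findings += "OS volume ${mp}: protection status is $($osVolume.ProtectionStatus), not On."
        }

        $preBootTypes = 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'ExternalKey', 'Password'
        $hasPreBoot   = @($types | Where-Object { $_ -in $preBootTypes }).Count -gt 0
        if (-not $hasPreBoot) {
            $findings += "OS volume ${mp}: protectors are [$($types -join ', ')]; no pre-boot authentication configured."
        }

        # The recovery agent / recovery password the thread mentions is what
        # lets the help desk unlock a volume when the PIN is forgotten.
        if ('RecoveryPassword' -notin $types) {
            $findings += "OS volume ${mp}: no RecoveryPassword protector; recovery would not be possible."
        }
    }

    # 2. Hibernation (lesson 2 in the quoted post). HibernateEnabled under
    #    the Power key is 1 when hibernation is on; absent means default.
    $powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $power    = Get-ItemProperty -Path $powerKey -ErrorAction SilentlyContinue
    if ($null -ne $power -and $power.HibernateEnabled -eq 1) {
        $findings += 'Hibernation is enabled; review whether the hibernation file is acceptable in your threat model.'
    }

    # 3. Cached domain logons. CachedLogonsCount is a REG_SZ under Winlogon
    #    and defaults to "10" when the value is missing.
    $winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $winlogon    = Get-ItemProperty -Path $winlogonKey -ErrorAction SilentlyContinue
    $cached      = 10
    if ($null -ne $winlogon -and $null -ne $winlogon.CachedLogonsCount) {
        $cached = [int]$winlogon.CachedLogonsCount
    }
    # Threshold is an assumption for this example; pick one that matches
    # how many distinct users realistically need offline logon.
    $maxCachedLogons = 1
    if ($cached -gt $maxCachedLogons) {
        $findings += "CachedLogonsCount is $cached (default 10); more than $maxCachedLogons cached domain logon(s) are kept on disk."
    }

    return $findings
}

$results = Test-BitLockerPosture
if ($results.Count -eq 0) {
    Write-Output 'All BitLocker posture checks passed.'
} else {
    $results | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The script only reads state and reports; changing the protector mode is done with `Add-BitLockerKeyProtector` (or `manage-bde -protectors -add`) and is best driven by the group policy the thread mentions, so that the PIN requirement and the recovery-password escrow are rolled out together rather than per machine.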
