
Truecrypt...can it be defeated by a pro?

Smallguy Member Posts: 597
Recently something happened in my workplace which I suspect will mean that our security belts will have to be tightened for executive employees who travel frequently.

Unfortunately, no matter what we've tried, certain people will always store documents they should not locally... and with no backing to enforce a policy stating no one should have local data, the policy is pretty useless.

I've used gpg4win, but with my limited knowledge of it, it seems you have to encrypt files as you go and specify what is encrypted... it won't, as an example, encrypt an entire drive and anything added to that drive afterwards.

I dug around and found TrueCrypt is popular for entire HD encryption, but how secure is it should someone get physical access to a laptop? With a proper passphrase of say 20+ characters (a mix of upper/lower case, special characters, numbers etc.) and a solid algorithm... are there features of Windows XP that make it possible for a pro to still realistically get the passphrase? i.e. Windows by default having that password cached somewhere, or it being in RAM... or stored in the registry in plain text.

Comments

  • veritas_libertas Member Posts: 5,746
    Smallguy wrote: »
    Recently something happened in my workplace which I suspect will mean that our security belts will have to be tightened for executive employees who travel frequently.

    Unfortunately, no matter what we've tried, certain people will always store documents they should not locally... and with no backing to enforce a policy stating no one should have local data, the policy is pretty useless.

    I've used gpg4win, but with my limited knowledge of it, it seems you have to encrypt files as you go and specify what is encrypted... it won't, as an example, encrypt an entire drive and anything added to that drive afterwards.

    I dug around and found TrueCrypt is popular for entire HD encryption, but how secure is it should someone get physical access to a laptop? With a proper passphrase of say 20+ characters (a mix of upper/lower case, special characters, numbers etc.) and a solid algorithm... are there features of Windows XP that make it possible for a pro to still realistically get the passphrase? i.e. Windows by default having that password cached somewhere, or it being in RAM... or stored in the registry in plain text.

    It uses AES-256 encryption and is very secure. We are using the same concept where I work. Note that you will need to emphasize backing up their files to your local server. If the drive gets messed up they will most likely lose a lot/everything. Whole-drive encryption definitely helps secure things, but it can be a pain in the butt. Here are two podcasts on TrueCrypt:

    From GRC | Security Now!

    http://media.grc.com/sn/sn-041.mp3
    http://media.grc.com/sn/sn-133.mp3
  • Smallguy Member Posts: 597
    I'm aware that AES 256-bit is very secure.

    I guess my concern is that with physical access they are able to get passwords out of the NTLM hash or LM hash (pretty sure those are the hashes I'm thinking about), or hack the SAM hive and reset the local password with a disk like Hiren's.

    Basically, do any of the inherent security flaws in Windows negate the abilities of AES-256?
  • kalebksp Member Posts: 1,033
    TrueCrypt doesn't have any interaction with Windows authentication; it implements its own pre-boot authentication. The only conceivable way to break into TrueCrypt (other than brute force or guessing the password) would be the cold boot attack, which all encryption methods I'm aware of are susceptible to.

    I would not recommend TrueCrypt in a business environment; if a user forgets their password, that data is gone for good. But if that's acceptable to you, go for it. My work uses GuardianEdge to encrypt hard drives; it works well enough but comes with a pretty good performance hit.
  • JDMurray Admin Posts: 13,034
    A big problem with full-disk encryption is that a disk error (bad block) can render the disk undecipherable.

    In Soviet Russia, TrueCrypt Encrypts You! | TechExams.net Blogs
  • veritas_libertas Member Posts: 5,746
    JDMurray wrote: »
    A big problem with full-disk encryption is that a disk error (bad block) can render the disk undecipherable.

    In Soviet Russia, TrueCrypt Encrypts You! | TechExams.net Blogs

    Unfortunately, for where I work it seems like an almost weekly problem, though I think it's specific to the software we use. It doesn't render it completely useless, but it messes with something in the MBR, I think.
  • Smallguy Member Posts: 597
    What about BitLocker, built in to Windows 7 and Vista? I know it is possible to use the cold boot attack on it.

    But other than that, are there any known security risks?

    Has it been confirmed that TPM can be hacked? I know I read 2 brothers claimed to have hacked it, but I did not see that it was ever confirmed.

    What about recovering data off the drive should the drive ever get a bad sector, like the TrueCrypt blog above?

    GuardianEdge seems to have all the features though.
  • veritas_libertas Member Posts: 5,746
    Smallguy wrote: »
    What about BitLocker, built in to Windows 7 and Vista? I know it is possible to use the cold boot attack on it.

    But other than that, are there any known security risks?

    Has it been confirmed that TPM can be hacked? I know I read 2 brothers claimed to have hacked it, but I did not see that it was ever confirmed.

    What about recovering data off the drive should the drive ever get a bad sector, like the TrueCrypt blog above?

    GuardianEdge seems to have all the features though.

    Is cost an issue for you? If not, then get something like GuardianEdge or Check Point Full Disk Encryption. Remember, the less you pay the worse the support. I am not sure about BitLocker.

    The reason I suggest these is that you are going to need some sort of central management. The last thing you want is an angry VP who can't get access to his laptop because he changed the password yesterday and cannot remember his password. Trust me on that one, I have been there. Not the VP, but almost as bad, an HR person.
  • JDMurray Admin Posts: 13,034
    Smallguy wrote: »
    Has it been confirmed that TPM can be hacked? I know I read 2 brothers claimed to have hacked it, but I did not see that it was ever confirmed.
    Nothing seems to have come from these guys attacking TPM directly: Cracking the TPM chip – is it possible?

    But they figured out a possible kernel-level rootkit man-in-the-middle attack that can bypass DRM and get data after it has been decrypted using TPM, and without being detected: BitLocker, TPM Won't Defend All PCs Against VBootkit 2.0

    The problem is that physical access to the machine is needed to install this rootkit. If the machine has both TPM and disk encryption then it is protected. However, most machines today lack either or both of these safeguards.
  • Hyper-Me Banned Posts: 2,059
    Remember, with BitLocker you can use GPOs to force the storage of BitLocker recovery data in Active Directory, if your domain controllers are Windows Server 2003 SP2 or better.

    I don't think TrueCrypt or any other non-enterprise offering is going to do this for you.
  • tiersten Member Posts: 4,505
    You have to consider how valuable this data is and how determined the person is who wants to gain access to it. You mentioned a cold boot attack as well which would imply that they're very determined to gain access to this data.

    There isn't anything inherent in a stock Windows install that will compromise the security of a properly written and tested encryption package.

    If they gain physical access to the laptop then it's game over, as they can install some sort of keylogger device inside and then return the laptop anyway. The rubber hose attack also works if they're sufficiently determined to gain access.

    If the data is important enough to warrant these extra measures beyond basic file/disk encryption then it is important enough that this data never gets stored on laptops in the first place. It will have to be drummed in via training.
  • veritas_libertas Member Posts: 5,746
    Hyper-Me wrote: »
    Remember, with BitLocker you can use GPOs to force the storage of BitLocker recovery data in Active Directory, if your domain controllers are Windows Server 2003 SP2 or better.

    I don't think TrueCrypt or any other non-enterprise offering is going to do this for you.

    I didn't know that, thanks for the info Hyper-Me.
  • wd40 Member Posts: 1,017
    We use SafeBoot.

    McAfee - about - McAfee, Inc. acquires SafeBoot

    The most important thing before using any of these applications is to make sure that the user understands and signs documents that state that if anything goes wrong, all the data stored locally will be gone.
  • dynamik Banned Posts: 12,312
    kalebksp wrote: »
    TrueCrypt doesn't have any interaction with Windows authentication; it implements its own pre-boot authentication. The only conceivable way to break into TrueCrypt (other than brute force or guessing the password) would be the cold boot attack, which all encryption methods I'm aware of are susceptible to.

    I would not recommend TrueCrypt in a business environment; if a user forgets their password, that data is gone for good. But if that's acceptable to you, go for it. My work uses GuardianEdge to encrypt hard drives; it works well enough but comes with a pretty good performance hit.

    Great post.

    We actually use TrueCrypt, but we're a group of security engineers. It's a great product, but there are better enterprise-class solutions for "regular users" ;)

    +1 for Tiersten's rubber hose attack. That's a classic!
  • tiersten Member Posts: 4,505
    dynamik wrote: »
    +1 for Tiersten's rubber hose attack. That's a classic!
    Or a $5 Wrench.
  • miller811 Member Posts: 897
    Our company recently started using the product also...
    Partitioned the Windows drive into OS and then user data...
    Company image easily replaced if password is lost; user data is the user's responsibility.
    I don't claim to be an expert, but I sure would like to become one someday.

    Quest for 11K pages read in 2011
    Page Count total to date - 1283
  • dynamik Banned Posts: 12,312
    miller811 wrote: »
    Our company recently started using the product also...
    Partitioned the Windows drive into OS and then user data...
    Company image easily replaced if password is lost; user data is the user's responsibility.

    Are you referring to TrueCrypt or something else? With TrueCrypt, you just burn an .iso that contains recovery information. I assume other products provide something similar.
  • dales Member Posts: 225
    Probably a bit random, but we were sent a security alert about TrueCrypt the other day. Basically there's a virus going round that can change the bootloader for TrueCrypt and keylog the response.

    Still a good product though, I think. We also had PGP in the other day to install the disk encryption server; turns out that their sales bods said yep, it works with eDirectory, when in fact it doesn't. So we gotta look at other products now, and PGP were banished from our office with their tails between their legs!
    Kind Regards
    Dale Scriven

    Twitter:dscriven
    Blog: vhorizon.co.uk
  • JDMurray Admin Posts: 13,034
    dales wrote: »
    Probably a bit random, but we were sent a security alert about TrueCrypt the other day. Basically there's a virus going round that can change the bootloader for TrueCrypt and keylog the response.
    Do you have the specific link to a security alert that describes this malware?

    Because TrueCrypt's whole-disk encryption puts its bootloader into the MBR, it might be possible to replace it with a Trojan bootloader that writes the plain-text password someplace easily retrievable in memory. I assume TrueCrypt has defenses to detect this situation. I hadn't heard that this attack was found in malware.
  • dales Member Posts: 225
    It was just in a security email we regularly get; I think it was called EvilMbr.

    Troj/EvilMbr-A Trojan - Sophos security analysis
  • Hyper-Me Banned Posts: 2,059
    dynamik wrote: »
    Are you referring to TrueCrypt or something else? With TrueCrypt, you just burn an .iso that contains recovery information. I assume other products provide something similar.

    I wonder how many people keep the ISO on the computer, or burnt to a disc that's kept with the computer.
  • Zartanasaurus Member Posts: 2,008
    Is TrueCrypt better or worse than PGP?

    It's sort of implied that the govt didn't have the tools necessary to decrypt a hard drive in the Boucher case.

    Secret Service Agent Matthew Fasvlo, who has experience and training in computer forensics, testified that it is nearly impossible to access these encrypted files without knowing the password. There are no “back doors” or secret entrances to access the files. The only way to get access without the password is to use an automated system which repeatedly guesses passwords. According to the government, the process to unlock drive Z could take years, based on efforts to unlock similarly encrypted files in another case. Despite its best efforts, to date the government has been unable to learn the password to access drive Z.
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5​ 42.8%
  • Hyper-Me Banned Posts: 2,059
    Is there whole-disk encryption with PGP? I thought it was used for encrypting individual files, generally to send to someone else and prevent them from being usable if intercepted.
  • miller811 Member Posts: 897
    dynamik wrote: »
    Are you referring to TrueCrypt or something else? With TrueCrypt, you just burn an .iso that contains recovery information. I assume other products provide something similar.

    TrueCrypt, company-supplied laptop.
    OS on C:\
    All user data on D:\

    Powers up: hard drive not found... hidden TrueCrypt password to boot up, then once Windows loads, need to enter a password to access the D: drive with user data.
  • kalebksp Member Posts: 1,033
    Hyper-Me wrote: »
    I wonder how many people keep the ISO on the computer, or burnt to a disc that's kept with the computer.

    It wouldn't matter if they kept it with the computer; the disk has a copy of the boot loader and the encrypted master key. You still need the password for it to be any use.
  • Hyper-Me Banned Posts: 2,059
    So what if someone forgets the password entirely?
  • kalebksp Member Posts: 1,033
    Hyper-Me wrote: »
    So what if someone forgets the password entirely?

    Then someone is screwed.
  • dynamik Banned Posts: 12,312
    Hyper-Me wrote: »
    So what if someone forgets the password entirely?

    He meant that you'd need the password to get to the .iso that's stored on the drive (in your hypothetical situation). If someone could already do that, the machine would already be compromised and having the .iso wouldn't provide any benefit. There's no security risk associated with storing the .iso on the drive that's encrypted.

    If you're dumb enough to carry it with you, then you probably have more significant issues to worry about than full-disk encryption.
  • kalebksp Member Posts: 1,033
    dynamik wrote: »
    He meant that you'd need the password to get to the .iso that's stored on the drive (in your hypothetical situation). If someone could already do that, the machine would already be compromised and having the .iso wouldn't provide any benefit. There's no security risk associated with storing the .iso on the drive that's encrypted.

    If you're dumb enough to carry it with you, then you probably have more significant issues to worry about than full-disk encryption.

    There's no security risk carrying the CD around with you either. All the CD has on it is essentially a backup of the MBR; the same information could be retrieved with access to the laptop. It does not allow the drive to be decrypted without a password.

    From the TrueCrypt Documentation:
    Note that even if you lose your TrueCrypt Rescue Disk and an attacker finds it, he or she will not be able to decrypt the system partition or drive without the correct password.
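The property kalebksp describes here (and in the earlier post on pre-boot authentication) is that the disk, and therefore the Rescue Disk copy of its header, holds only the volume's master key *wrapped* under a key derived from the password, so possessing the header is worthless without the password. The following is an added illustration of that design and is not TrueCrypt's own code or header format: TrueCrypt wraps its header with AES/Serpent/Twofish in XTS mode and checks a CRC, whereas this toy uses a PBKDF2-derived header key, an HMAC-SHA256 counter-mode keystream as a stand-in cipher, and an HMAC tag as the integrity check. All function names, the iteration count and the sample passphrases are constructed for the example. It also goes one step past the thread's point by showing why a password change (which only re-wraps the master key) means an old Rescue Disk still answers only to the old password.

```python
"""Toy password-wrapped volume header (added example, not TrueCrypt's format).

Layout on "disk": salt || tag || enc(master_key). The master key that would
encrypt the data never appears in the clear; only the password-derived header
key can unwrap it. A Rescue Disk is simply a copy of this header.
"""
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 16
TAG_LEN = 32
ITERATIONS = 100_000          # constructed value; real tools tune this to be slow


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for a real block cipher mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_header_key(password: str, salt: bytes) -> bytes:
    """Slow password-to-key derivation: this is the work an offline guesser repeats per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


def create_header(password: str, master_key: bytes) -> bytes:
    """Wrap the master key under the password; returns the bytes stored on disk."""
    salt = os.urandom(SALT_LEN)
    hk = derive_header_key(password, salt)
    enc = _xor(master_key, _keystream(hk, salt, len(master_key)))
    tag = hmac.new(hk, salt + enc, hashlib.sha256).digest()   # integrity check (TrueCrypt uses a CRC)
    return salt + tag + enc


def open_header(password: str, header: bytes) -> Optional[bytes]:
    """Return the master key, or None if the password is wrong or the header is damaged."""
    salt = header[:SALT_LEN]
    tag = header[SALT_LEN:SALT_LEN + TAG_LEN]
    enc = header[SALT_LEN + TAG_LEN:]
    hk = derive_header_key(password, salt)
    expected = hmac.new(hk, salt + enc, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # constant-time comparison; verify before using
        return None
    return _xor(enc, _keystream(hk, salt, len(enc)))


def change_password(old: str, new: str, header: bytes) -> Optional[bytes]:
    """Re-wrap the same master key under a new password; the encrypted data itself is untouched."""
    mk = open_header(old, header)
    return None if mk is None else create_header(new, mk)


def demo() -> dict:
    """Walk through the thread's scenarios; every value is a plain bool for checking."""
    master_key = os.urandom(32)                    # constructed; would encrypt the volume
    pw = "correct horse battery staple"            # constructed sample passphrase
    header = create_header(pw, master_key)
    rescue_copy = bytes(header)                    # what the Rescue Disk holds
    # Simulated bad block: the on-disk tag region is overwritten with garbage.
    damaged = header[:SALT_LEN] + os.urandom(TAG_LEN) + header[SALT_LEN + TAG_LEN:]
    new_header = change_password(pw, "new passphrase", header)
    return {
        "right_password_opens": open_header(pw, header) == master_key,
        "wrong_password_opens": open_header("wrong", header) is not None,
        "rescue_copy_without_password": open_header("", rescue_copy) is not None,
        "damaged_header_opens": open_header(pw, damaged) is not None,
        "rescue_copy_restores": open_header(pw, rescue_copy) == master_key,
        "new_header_opens_with_new": open_header("new passphrase", new_header) == master_key,
        "rescue_copy_with_new_password": open_header("new passphrase", rescue_copy) is not None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {ok}")
```

The two results worth dwelling on for this thread: the Rescue Disk copy is useless with an empty or wrong password but does recover the key when the on-disk header is damaged, and after a password change the old copy still opens only with the old password, so any "rescue" media must be refreshed whenever the passphrase changes.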
  • dynamik Banned Posts: 12,312
    I stand corrected. That doesn't seem like much of a "rescue" though, especially if this is being used by less tech-savvy end users. I have my password backed up in a secure location, but that's not going to help my company retrieve anything off my machine if I get hit by a bus.
  • tiersten Member Posts: 4,505
    dynamik wrote: »
    I have my password backed up in a secure location, but that's not going to help my company retrieve anything off my machine if I get hit by a bus.
    Tattoo on ass?