Truecrypt...can it be defeated by a pro?
Recently something happened in my workplace which I suspect will mean that our security belts will have to be tightened for executive employees who travel frequently.
Unfortunately, no matter what we've tried, certain people will always store documents they should not locally... and with no backing to enforce a policy stating no one should have local data, the policy is pretty useless.
I've used gpg4win, but with my limited knowledge of it, it seems you have to encrypt files as you go and specify what is encrypted... it won't, as an example, encrypt an entire drive and anything added to that drive afterwards.
I dug around and found TrueCrypt is popular for entire HD encryption, but how secure is it should someone get physical access to a laptop? With a proper passphrase of, say, 20+ characters (a mix of upper and lower case, special characters, numbers, etc.) and a solid algorithm... are there features of Windows XP that make it possible for a pro to still realistically get the passphrase? i.e. Windows by default having that password cached somewhere, or it being in RAM, or stored in the registry in plain text?
Comments
veritas_libertas:
> Recently something happened in my workplace which I suspect will mean that our security belts will have to be tightened for executive employees who travel frequently.
> Unfortunately, no matter what we've tried, certain people will always store documents they should not locally... and with no backing to enforce a policy stating no one should have local data, the policy is pretty useless.
> I've used gpg4win, but with my limited knowledge of it, it seems you have to encrypt files as you go and specify what is encrypted... it won't, as an example, encrypt an entire drive and anything added to that drive afterwards.
> I dug around and found TrueCrypt is popular for entire HD encryption, but how secure is it should someone get physical access to a laptop? With a proper passphrase of, say, 20+ characters (a mix of upper and lower case, special characters, numbers, etc.) and a solid algorithm... are there features of Windows XP that make it possible for a pro to still realistically get the passphrase? i.e. Windows by default having that password cached somewhere, or it being in RAM, or stored in the registry in plain text?
It uses AES-256 encryption and is very secure. We are using the same concept where I work. Note that you will need to emphasize backing up their files to your local server. If the drive gets messed up, they will most likely lose a lot/everything. Whole-drive encryption definitely helps secure things, but it can be a pain in the butt. Here are two podcasts on TrueCrypt:
From GRC | Security Now!
http://media.grc.com/sn/sn-041.mp3
http://media.grc.com/sn/sn-133.mp3
Smallguy:
I'm aware that AES 256-bit is very secure.
I guess my concern is, with physical access, are they able to get passwords out of the NTLM hash or LM hash (pretty sure those are the hashes I'm thinking about), or hack the SAM hive and reset the local password with a disk like Hiren's?
Basically, do any of the inherent security flaws in Windows negate the abilities of AES-256?
kalebksp:
TrueCrypt doesn't have any interaction with Windows authentication; it implements its own pre-boot authentication. The only conceivable way to break into TrueCrypt (other than brute force or guessing the password) would be the cold boot attack, which all encryption methods I'm aware of are susceptible to.
I would not recommend TrueCrypt in a business environment; if a user forgets their password, that data is gone for good. But if that's acceptable to you, go for it. My work uses GuardianEdge to encrypt hard drives; it works well enough but comes with a pretty good performance hit.
JDMurray:
A big problem with full-disk encryption is that a disk error (bad block) can render the disk undecipherable.
In Soviet Russia, TrueCrypt Encrypts You! | TechExams.net Blogs
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
veritas_libertas:
> A big problem with full-disk encryption is that a disk error (bad block) can render the disk undecipherable.
> In Soviet Russia, TrueCrypt Encrypts You! | TechExams.net Blogs
Unfortunately, for where I work it seems like an almost weekly problem, though I think it's specific to the software we use. It doesn't render it completely useless, but it messes with something in the MBR, I think.
Smallguy:
What about BitLocker, built in to Windows 7 and Vista.... I know it is possible to use the cold boot attack on it.
But other than that, are there any known security risks?
Has it been confirmed that TPM can be hacked... I know I read two brothers claimed to have hacked it, but I did not see it was ever confirmed?
What about recovering data off the drive should the drive ever get a bad sector, like the TrueCrypt blog above?
GuardianEdge seems to have all the features though.
veritas_libertas:
> What about BitLocker, built in to Windows 7 and Vista.... I know it is possible to use the cold boot attack on it.
> But other than that, are there any known security risks?
> Has it been confirmed that TPM can be hacked... I know I read two brothers claimed to have hacked it, but I did not see it was ever confirmed?
> What about recovering data off the drive should the drive ever get a bad sector, like the TrueCrypt blog above?
> GuardianEdge seems to have all the features though.
Is cost an issue for you? If not, then get something like GuardianEdge or Check Point Full Disk Encryption. Remember, the less you pay the worse the support. I am not sure about BitLocker.
The reason I suggest these is that you are going to need some sort of central management. The last thing you want is an angry VP who can't get access to his laptop because he changed the password yesterday and cannot remember it. Trust me on that one, I have been there. Not the VP, but almost as bad, an HR person.
JDMurray:
> Has it been confirmed that TPM can be hacked... I know I read two brothers claimed to have hacked it, but I did not see it was ever confirmed?
But they figured out a possible kernel-level rootkit man-in-the-middle attack that can bypass DRM and get data after it has been decrypted using TPM, and without being detected: BitLocker, TPM Won't Defend All PCs Against VBootkit 2.0
The problem is that physical access to the machine is needed to install this rootkit. If the machine has both TPM and disk encryption then it is protected. However, most machines today lack either or both of these safeguards.
Hyper-Me:
Remember, with BitLocker you can use GPOs to force the storage of BitLocker recovery data in Active Directory, if your domain controllers are Windows Server 2003 SP2 or better.
I don't think TrueCrypt or any other non-enterprise offering is going to do this for you.
tiersten:
You have to consider how valuable this data is and how determined the person is who wants to gain access to it. You mentioned a cold boot attack as well, which would imply that they're very determined to gain access to this data.
There isn't anything inherent in a stock Windows install that will compromise the security of a properly written and tested encryption package.
If they gain physical access to the laptop then it's game over, as they can install some sort of keylogger device inside and then return the laptop anyway. The rubber hose attack also works if they're sufficiently determined to gain access.
If the data is important enough to warrant these extra measures beyond basic file/disk encryption, then it is important enough that this data never gets stored on laptops in the first place. It will have to be drummed in via training.
veritas_libertas:
> Remember, with BitLocker you can use GPOs to force the storage of BitLocker recovery data in Active Directory, if your domain controllers are Windows Server 2003 SP2 or better.
> I don't think TrueCrypt or any other non-enterprise offering is going to do this for you.
I didn't know that, thanks for the info Hyper-Me.
wd40:
We use SafeBoot.
McAfee - about - McAfee, Inc. acquires SafeBoot
The most important thing before using any of these applications is to make sure that the user understands and signs documents that state that if anything goes wrong, all the data stored locally will be gone.
dynamik:
> TrueCrypt doesn't have any interaction with Windows authentication; it implements its own pre-boot authentication. The only conceivable way to break into TrueCrypt (other than brute force or guessing the password) would be the cold boot attack, which all encryption methods I'm aware of are susceptible to.
> I would not recommend TrueCrypt in a business environment; if a user forgets their password, that data is gone for good. But if that's acceptable to you, go for it. My work uses GuardianEdge to encrypt hard drives; it works well enough but comes with a pretty good performance hit.
Great post.
We actually use TrueCrypt, but we're a group of security engineers. It's a great product, but there are better enterprise-class solutions for "regular users".
+1 for tiersten's rubber hose attack. That's a classic!
miller811:
Our company recently started using the product also...
Partitioned the Windows drive into OS and then user data...
Company image easily replaced if password is lost; user data is the user's responsibility.
I don't claim to be an expert, but I sure would like to become one someday.
Quest for 11K pages read in 2011
Page count total to date - 1283
dynamik:
> Our company recently started using the product also...
> Partitioned the Windows drive into OS and then user data...
> Company image easily replaced if password is lost; user data is the user's responsibility.
Are you referring to TrueCrypt or something else? With TrueCrypt, you just burn an .iso that contains recovery information. I assume other products provide something similar.
dales:
Probably a bit random, but we were sent a security alert about TrueCrypt the other day. Basically there's a virus going round that can change the bootloader for TrueCrypt and keylog the response.
Still a good product though, I think. We also had PGP in the other day to install the disk encryption server; turns out that their sales bods said yep, it works with eDirectory, when in fact it doesn't. So we gotta look at other products now, and PGP were banished from our office with their tails between their legs!
Kind Regards
Dale Scriven
Twitter: dscriven
Blog: vhorizon.co.uk
JDMurray:
> Probably a bit random, but we were sent a security alert about TrueCrypt the other day. Basically there's a virus going round that can change the bootloader for TrueCrypt and keylog the response.
Because TrueCrypt's whole-disk encryption puts its bootloader into the MBR, it might be possible to replace it with a Trojan bootloader that writes the plain-text password someplace easily retrievable in memory. I assume TrueCrypt has defenses to detect this situation. I hadn't heard that this attack was found in malware.
dales:
It was just in a security email we regularly get; I think it was called EvilMbr.
Troj/EvilMbr-A Trojan - Sophos security analysis
Hyper-Me:
> Are you referring to TrueCrypt or something else? With TrueCrypt, you just burn an .iso that contains recovery information. I assume other products provide something similar.
I wonder how many people keep the ISO on the computer, or burnt to a disc that's kept with the computer.
Zartanasaurus:
Is TrueCrypt better or worse than PGP?
It's sort of implied that the government didn't have the tools necessary to decrypt a hard drive in the Boucher case.
> Secret Service Agent Matthew Fasvlo, who has experience and training in computer forensics, testified that it is nearly impossible to access these encrypted files without knowing the password. There are no "back doors" or secret entrances to access the files. The only way to get access without the password is to use an automated system which repeatedly guesses passwords. According to the government, the process to unlock drive Z could take years, based on efforts to unlock similarly encrypted files in another case. Despite its best efforts, to date the government has been unable to learn the password to access drive Z.
Currently reading:
IPSec VPN Design 44%
Mastering VMware vSphere 5 42.8%
Hyper-Me:
Is there whole-disk encryption with PGP? I thought it was used for encrypting individual files, generally to send to someone else and prevent them from being usable if intercepted.
miller811:
> Are you referring to TrueCrypt or something else? With TrueCrypt, you just burn an .iso that contains recovery information. I assume other products provide something similar.
TrueCrypt, company-supplied laptop.
OS on C:\
All user data on \
Powers up, hard drive not found.... hidden TrueCrypt password to boot up, then once Windows loads, need to enter password to access the D: drive with user data.
kalebksp:
> I wonder how many people keep the ISO on the computer, or burnt to a disc that's kept with the computer.
It wouldn't matter if they kept it with the computer; the disk has a copy of the boot loader and the encrypted master key. You still need the password for it to be of any use.
dynamik:
> So what if someone forgets the password entirely?
He meant that you'd need the password to get to the .iso that's stored on the drive (in your hypothetical situation). If someone could already do that, the machine would already be compromised and having the .iso wouldn't provide any benefit. There's no security risk associated with storing the .iso on the drive that's encrypted.
If you're dumb enough to carry it with you, then you probably have more significant issues to worry about than full-disk encryption.
kalebksp:
> He meant that you'd need the password to get to the .iso that's stored on the drive (in your hypothetical situation). If someone could already do that, the machine would already be compromised and having the .iso wouldn't provide any benefit. There's no security risk associated with storing the .iso on the drive that's encrypted.
> If you're dumb enough to carry it with you, then you probably have more significant issues to worry about than full-disk encryption.
There's no security risk carrying the CD around with you either. All the CD has on it is essentially a backup of the MBR; the same information could be retrieved with access to the laptop. It does not allow the drive to be decrypted without a password.
From the TrueCrypt documentation:
> Note that even if you lose your TrueCrypt Rescue Disk and an attacker finds it, he or she will not be able to decrypt the system partition or drive without the correct password.
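Two posts in this thread touch the same point: JDMurray's worry that a Trojan bootloader could replace the one TrueCrypt puts in the MBR, and kalebksp's note that the rescue disk is essentially a backup of the MBR. The check that follows from that, as an added example (not TrueCrypt's own code and not its rescue-disk format): keep a known-good 512-byte MBR image and compare it with what is on disk now, flagging boot code that changed while the partition table did not. The function names, the constructed sample images and the device path in read_mbr are assumptions.

```python
import hashlib

MBR_SIZE = 512
BOOT_CODE = slice(0, 446)      # bootloader code (where a pre-boot loader such as TrueCrypt's lives)
PART_TABLE = slice(446, 510)   # four 16-byte partition entries
SIGNATURE = slice(510, 512)    # must be 0x55 0xAA


def build_mbr(boot_code: bytes, partition_table: bytes) -> bytes:
    """Assemble a 512-byte MBR image from its parts (helper for the constructed samples)."""
    if len(partition_table) != 64:
        raise ValueError("partition table must be 64 bytes")
    return boot_code.ljust(446, b"\x00")[:446] + partition_table + b"\x55\xAA"


def read_mbr(device_path: str) -> bytes:
    r"""Read the first sector of a raw device (e.g. r'\\.\PhysicalDrive0' on Windows,
    administrator rights required); not used in the offline sample run below."""
    with open(device_path, "rb") as f:
        return f.read(MBR_SIZE)


def check_mbr(reference: bytes, current: bytes) -> dict:
    """Compare the MBR currently on disk with the known-good copy saved earlier.
    Boot code changed while the partition table is intact is the pattern a replaced
    bootloader leaves; a legitimate repartition would change the table as well."""
    if len(reference) != MBR_SIZE or len(current) != MBR_SIZE:
        raise ValueError("MBR images must be exactly 512 bytes")
    diffs = [i for i in range(MBR_SIZE) if reference[i] != current[i]]
    report = {
        "signature_ok": current[SIGNATURE] == b"\x55\xAA",
        "boot_code_changed": reference[BOOT_CODE] != current[BOOT_CODE],
        "partition_table_changed": reference[PART_TABLE] != current[PART_TABLE],
        "changed_bytes": len(diffs),
        "first_diff_offset": diffs[0] if diffs else None,   # where to start looking in a hex dump
        "reference_sha256": hashlib.sha256(reference).hexdigest(),
        "current_sha256": hashlib.sha256(current).hexdigest(),
    }
    report["suspicious"] = report["boot_code_changed"] and not report["partition_table_changed"]
    return report


# Constructed sample data: a reference image as it would be saved to rescue media, and a copy
# in which eight bytes of boot code were overwritten while the partition table stayed intact.
PARTITION_TABLE = b"\x80\x01\x01\x00\x07\xfe\xff\xff\x3f\x00\x00\x00\x00\x00\x10\x00" + b"\x00" * 48
REFERENCE_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 200, PARTITION_TABLE)
_tampered = bytearray(REFERENCE_MBR)
_tampered[32:40] = b"\xe8\x00\x01\x00\x00\x00\x00\x00"   # constructed patch inside the boot code
TAMPERED_MBR = bytes(_tampered)

if __name__ == "__main__":
    for key, value in check_mbr(REFERENCE_MBR, TAMPERED_MBR).items():
        print(f"{key}: {value}")
```

Run it before the first boot after a laptop has been out of your hands and compare against the copy you saved when the disk was encrypted; a match proves nothing about firmware or hardware keyloggers, only that the first sector is unchanged.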
dynamik:
I stand corrected. That doesn't seem like much of a "rescue" though, especially if this is being used by less tech-savvy end users. I have my password backed up in a secure location, but that's not going to help my company retrieve anything off my machine if I get hit by a bus.
tiersten:
> I have my password backed up in a secure location, but that's not going to help my company retrieve anything off my machine if I get hit by a bus.