  1. Senior Member
    Join Date
    Sep 2005
    Posts
    598

    Certifications
    A+ Network+ MCP, MCSA
    #1

    Truecrypt...can it be defeated by a pro?

    Recently something happened in my work place which I suspect will mean that our security belts will have to be tightened for executive employees who travel frequently.

    Unfortunately no matter what we've tried certain people will always store documents they should not locally... and with no backing to enforce a policy stating no one should have local data the policy is pretty useless.

    I've used gpg4win but with my limited knowledge of it it seems you have to encrypt files as you go and specify what is encrypted... it won't, as an example, encrypt an entire drive and anything added to that drive afterwards.

    I dug around and found TrueCrypt is popular for entire HD encryption but how secure is it should someone get physical access to a laptop? With a proper pass phrase of say 20+ characters, mix of upper, lower, special characters, numbers etc. and a solid algorithm... are there features of Windows XP that make it possible for a pro to still realistically get the pass phrase... i.e. Windows by default having that password cached somewhere or it is in the RAM... or stored in the registry in plain text
  3. Audentis Fortuna Iuvat veritas_libertas's Avatar
    Join Date
    Feb 2009
    Posts
    5,654

    Certifications
    eCPPT, GPEN, GWAPT, GCIH, CISSP, CCNA (expired), MCTS
    #2
    Quote Originally Posted by Smallguy View Post
    Recently something happened in my work place which I suspect will mean that our security belts will have to be tightened for executive employees who travel frequently.

    Unfortunately no matter what we've tried certain people will always store documents they should not locally... and with no backing to enforce a policy stating no one should have local data the policy is pretty useless.

    I've used gpg4win but with my limited knowledge of it it seems you have to encrypt files as you go and specify what is encrypted... it won't, as an example, encrypt an entire drive and anything added to that drive afterwards.

    I dug around and found TrueCrypt is popular for entire HD encryption but how secure is it should someone get physical access to a laptop? With a proper pass phrase of say 20+ characters, mix of upper, lower, special characters, numbers etc. and a solid algorithm... are there features of Windows XP that make it possible for a pro to still realistically get the pass phrase... i.e. Windows by default having that password cached somewhere or it is in the RAM... or stored in the registry in plain text
    It uses AES-256 encryption and is very secure. We are using the same concept where I work. Note that you will need to emphasize backing up their files to your local server. If the drive gets messed up they will most likely lose a lot/everything. Whole drive encryption definitely helps secure things but it can be a pain in the butt. Here are two podcasts on TrueCrypt:


    From GRC|Security Now!

    http://media.grc.com/sn/sn-041.mp3
    http://media.grc.com/sn/sn-133.mp3
    Last edited by veritas_libertas; 11-20-2009 at 05:29 PM.
    Currently working on: Resting

  4. Senior Member
    Join Date
    Sep 2005
    Posts
    598

    Certifications
    A+ Network+ MCP, MCSA
    #3
    I'm aware that AES 256 bit is very secure

    I guess my concern is with physical access are they able to get passwords out of the NTLM hash or LM hash (pretty sure those are the hashes I'm thinking about) or hack the SAM hive and reset the local password with a disk like Hiren's

    basically do any of the inherent security flaws in Windows negate the abilities of 256-AES

  5. Senior Member
    Join Date
    Oct 2005
    Posts
    1,030

    Certifications
    CCNP (R&S/Voice), CCDP, CCIP, VCP, NCDA, MCSE, CCNA Security
    #4
    TrueCrypt doesn't have any interaction with Windows authentication, it implements its own pre-boot authentication. The only conceivable way to break into TrueCrypt (other than brute force or guessing the password) would be the cold boot attack, which all encryption methods I'm aware of are susceptible to.

    I would not recommend TrueCrypt in a business environment, if a user forgets their password that data is gone for good. But if that's acceptable to you, go for it. My work uses GuardianEdge to encrypt hard drives, it works well enough but comes with a pretty good performance hit.
    Last edited by kalebksp; 11-20-2009 at 05:54 PM.

  6. Certification Invigilator Forum Admin JDMurray's Avatar
    Join Date
    Jul 2003
    Location
    Surf City USA
    Posts
    10,616
    Blog Entries
    50

    Certifications
    GSEC, EnCE, CISSP, SSCP, CEH (ANSI), CASP, CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec
    #5
    A big problem with full-disk encryption is that a disk error (bad block) can render the disk undecipherable.

    In Soviet Russia, TrueCrypt Encrypts You! | TechExams.net Blogs
    Moderator of the InfoSec, CWNP, IT Jobs, Virtualization, Java, and Microsoft Developers forums at www.techexams.net
    --
    Blog: www.techexams.net/blogs/jdmurray
    LinkedIn: www.linkedin.com/in/jamesdmurray
    Twitter: www.twitter.com/jdmurray

  7. Audentis Fortuna Iuvat veritas_libertas's Avatar
    Join Date
    Feb 2009
    Posts
    5,654

    Certifications
    eCPPT, GPEN, GWAPT, GCIH, CISSP, CCNA (expired), MCTS
    #6
    Quote Originally Posted by JDMurray View Post
    A big problem with full-disk encryption is that a disk error (bad block) can render the disk undecipherable.

    In Soviet Russia, TrueCrypt Encrypts You! | TechExams.net Blogs
    Unfortunately for where I work it seems like an almost weekly problem, though I think it's specific to the software we use. It doesn't render it completely useless but it messes with something in the MBR I think.
    Currently working on: Resting

  8. Senior Member
    Join Date
    Sep 2005
    Posts
    598

    Certifications
    A+ Network+ MCP, MCSA
    #7
    What about BitLocker built in to Windows 7 and Vista.... I know it is possible to use the cold boot attack on it.

    But other than that are there any known security risks?

    Has it been confirmed that TPM can be hacked... I know I read 2 brothers claimed to have hacked it but I did not see it was ever confirmed?

    What about recovering data off the drive should the drive ever get a bad sector like the TrueCrypt blog above

    GuardianEdge seems to have all the features though

  9. Audentis Fortuna Iuvat veritas_libertas's Avatar
    Join Date
    Feb 2009
    Posts
    5,654

    Certifications
    eCPPT, GPEN, GWAPT, GCIH, CISSP, CCNA (expired), MCTS
    #8
    Quote Originally Posted by Smallguy View Post
    What about BitLocker built in to Windows 7 and Vista.... I know it is possible to use the cold boot attack on it.

    But other than that are there any known security risks?

    Has it been confirmed that TPM can be hacked... I know I read 2 brothers claimed to have hacked it but I did not see it was ever confirmed?

    What about recovering data off the drive should the drive ever get a bad sector like the TrueCrypt blog above

    GuardianEdge seems to have all the features though
    Is cost an issue for you? If not then get something like GuardianEdge or Check Point Full Disk Encryption. Remember the less you pay the worse the support. I am not sure about Bitlocker.

    The reason I suggest these is that you are going to need some sort of central management. The last thing you want is an angry VP who can't get access to his laptop because he changed the password yesterday and cannot remember his password. Trust me on that one, I have been there. Not the VP, but almost as bad, an HR person.
    Last edited by veritas_libertas; 11-20-2009 at 07:59 PM.
    Currently working on: Resting

  10. Certification Invigilator Forum Admin JDMurray's Avatar
    Join Date
    Jul 2003
    Location
    Surf City USA
    Posts
    10,616
    Blog Entries
    50

    Certifications
    GSEC, EnCE, CISSP, SSCP, CEH (ANSI), CASP, CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec
    #9
    Quote Originally Posted by Smallguy View Post
    has it been confirmed that TPM can be hacked... I know I read 2 brothers claimed to have hacked it but I did not see it was ever confirmed ?
    Nothing seems to have come from these guys attacking TPM directly: Cracking the TPM chip – is it possible?

    But they figured out a possible kernel-level rootkit man-in-the-middle attack that can bypass DRM and get data after it has been decrypted using TPM, and without being detected: BitLocker, TPM Won't Defend All PCs Against VBootkit 2.0

    The problem is that physical access to the machine is needed to install this rootkit. If the machine has both TPM and disk encryption then it is protected. However, most machines today lack either or both of these safeguards.
    Moderator of the InfoSec, CWNP, IT Jobs, Virtualization, Java, and Microsoft Developers forums at www.techexams.net
    --
    Blog: www.techexams.net/blogs/jdmurray
    LinkedIn: www.linkedin.com/in/jamesdmurray
    Twitter: www.twitter.com/jdmurray

  11. Senior Member
    Join Date
    Jul 2009
    Posts
    2,056

    Certifications
    Beer+
    #10
    Remember with BitLocker you can use GPOs to force the storage of BitLocker recovery data in Active Directory, if your domain controllers are Windows Server 2003 SP2 or better.

    I don't think TrueCrypt or any other non-enterprise offering is going to do this for you.

  12. was here.
    Join Date
    Apr 2008
    Posts
    4,504
    #11
    You have to consider how valuable this data is and how determined the person is who wants to gain access to it. You mentioned a cold boot attack as well which would imply that they're very determined to gain access to this data.

    There isn't anything inherent in a stock Windows install that will compromise the security of a properly written and tested encryption package.

    If they gain physical access to the laptop then it's game over as they can install some sort of keylogger device inside and then return the laptop anyway. The rubber hose attack also works if they're sufficiently determined to gain access.

    If the data is important enough to warrant these extra measures beyond basic file/disk encryption then it is important enough that this data never gets stored on laptops in the first place. It will have to be drummed in via training.

  13. Audentis Fortuna Iuvat veritas_libertas's Avatar
    Join Date
    Feb 2009
    Posts
    5,654

    Certifications
    eCPPT, GPEN, GWAPT, GCIH, CISSP, CCNA (expired), MCTS
    #12
    Quote Originally Posted by Hyper-Me View Post
    Remember with BitLocker you can use GPOs to force the storage of BitLocker recovery data in Active Directory, if your domain controllers are Windows Server 2003 SP2 or better.

    I don't think TrueCrypt or any other non-enterprise offering is going to do this for you.
    I didn't know that, thanks for the info Hyper-Me.
    Currently working on: Resting

  14. Senior Member wd40's Avatar
    Join Date
    May 2007
    Location
    Bahrain
    Posts
    911

    Certifications
    CISA, eJPT, CompTIA x 6, MCP, MCTS
    #13
    we use safeboot

    McAfee - about - McAfee, Inc. acquires SafeBoot

    The most important thing before using any of these applications is to make sure that the user understands and signs documents that state that if anything goes wrong all the data stored locally will be gone.

  15. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #14
    Quote Originally Posted by kalebksp View Post
    TrueCrypt doesn't have any interaction with Windows authentication, it implements its own pre-boot authentication. The only conceivable way to break into TrueCrypt (other than brute force or guessing the password) would be the cold boot attack, which all encryption methods I'm aware of are susceptible to.

    I would not recommend TrueCrypt in a business environment, if a user forgets their password that data is gone for good. But if that's acceptable to you, go for it. My work uses GuardianEdge to encrypt hard drives, it works well enough but comes with a pretty good performance hit.
    Great post.

    We actually use TrueCrypt, but we're a group of security engineers. It's a great product, but there are better enterprise-class solutions for "regular users"

    +1 for Tiersten's rubber hose attack. That's a classic!

  16. was here.
    Join Date
    Apr 2008
    Posts
    4,504
    #15
    Quote Originally Posted by dynamik View Post
    +1 for Tiersten's rubber hose attack. That's a classic!
    Or a $5 Wrench.

  17. Senior Member miller811's Avatar
    Join Date
    Oct 2007
    Location
    Nashville
    Posts
    896

    Certifications
    CCNP, CCDP, MCSA, Security +. Network +, A+
    #16
    Our company recently started using the product also...
    Partitioned the Windows drive, to OS and then user data...
    Company image easily replaced if password is lost, user data is user's responsibility.

  18. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #17
    Quote Originally Posted by miller811 View Post
    Our company recently started using the product also...
    Partitioned the Windows drive, to OS and then user data...
    Company image easily replaced if password is lost, user data is user's responsibility.
    Are you referring to TrueCrypt or something else? With TrueCrypt, you just burn an .iso that contains recovery information. I assume other products provide something similar.

  19. Its all smoke and mirrors dales's Avatar
    Join Date
    Jan 2008
    Posts
    223

    Certifications
    vExpert 2014+2015, VCP5-DT,VCP3+5, CCE-V, CCE-AD, CCP-AD ,CCEE, CCAA XenApp, CCA Netscaler,Xenapp 6.5,Xendesktop 5 & Xenserver 6,MCSA, MCDST, MCP, A+
    #18
    Probably a bit random but we were sent a security alert about TrueCrypt the other day. Basically there's a virus going round that can change the bootloader for TrueCrypt and keylog the response.

    Still a good product though I think. We also had PGP in the other day to install the disk encryption server, turns out that their sales bods said yep it works with eDirectory when in fact it doesn't. So we gotta look at other products now and PGP were banished from our office with their tails between their legs!
    Kind Regards
    Dale Scriven

    Twitter:dscriven
    Blog: vhorizon.co.uk

  20. Certification Invigilator Forum Admin JDMurray's Avatar
    Join Date
    Jul 2003
    Location
    Surf City USA
    Posts
    10,616
    Blog Entries
    50

    Certifications
    GSEC, EnCE, CISSP, SSCP, CEH (ANSI), CASP, CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec
    #19
    Quote Originally Posted by dales View Post
    Probably a bit random but we were sent a security alert about TrueCrypt the other day. Basically there's a virus going round that can change the bootloader for TrueCrypt and keylog the response.
    Do you have the specific link to a security alert that describes this malware?

    Because TrueCrypt's whole-disk encryption puts its bootloader into the MBR, it might be possible to replace it with a Trojan bootloader that writes the plain-text password someplace easily retrievable in memory. I assume TrueCrypt has defenses to detect this situation. I hadn't heard that this attack was found in malware.
    Moderator of the InfoSec, CWNP, IT Jobs, Virtualization, Java, and Microsoft Developers forums at www.techexams.net
    --
    Blog: www.techexams.net/blogs/jdmurray
    LinkedIn: www.linkedin.com/in/jamesdmurray
    Twitter: www.twitter.com/jdmurray

  21. Its all smoke and mirrors dales's Avatar
    Join Date
    Jan 2008
    Posts
    223

    Certifications
    vExpert 2014+2015, VCP5-DT,VCP3+5, CCE-V, CCE-AD, CCP-AD ,CCEE, CCAA XenApp, CCA Netscaler,Xenapp 6.5,Xendesktop 5 & Xenserver 6,MCSA, MCDST, MCP, A+
    #20
    It was just in a security email we regularly get, I think it was called evilmbr.

    Troj/EvilMbr-A Trojan - Sophos security analysis
    Kind Regards
    Dale Scriven

    Twitter:dscriven
    Blog: vhorizon.co.uk
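
Added example (not written by any poster in this thread and not TrueCrypt's own code): a defender-side check for the bootloader replacement discussed in posts #19 and #20, which baselines sector 0 of the disk and reports what changed later. The function names and the sample sector are constructed for illustration; the baseline is assumed to be stored off the laptop and the check run from trusted boot media, and it must be re-taken after any legitimate bootloader reinstall.

```python
import hashlib

SECTOR = 512
BOOT_CODE = slice(0, 440)     # loader code that runs before any OS or password prompt
PART_TABLE = slice(446, 510)  # four 16-byte partition entries
MAGIC = slice(510, 512)       # must be 55 AA for the sector to be bootable
# Bytes 440-445 (Windows disk signature) are skipped: they can change legitimately.


def fingerprint(sector0: bytes) -> dict:
    """Hash the regions of sector 0 that should stay fixed between boots."""
    if len(sector0) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector0)}")
    return {
        "boot_code": hashlib.sha256(sector0[BOOT_CODE]).hexdigest(),
        "part_table": hashlib.sha256(sector0[PART_TABLE]).hexdigest(),
        "magic_ok": sector0[MAGIC] == b"\x55\xaa",
    }


def compare(baseline: dict, current: dict) -> list:
    """Return human-readable findings; an empty list means no change detected."""
    findings = []
    if not current["magic_ok"]:
        findings.append("boot signature 55AA missing")
    if current["boot_code"] != baseline["boot_code"]:
        findings.append("boot code changed")
    if current["part_table"] != baseline["part_table"]:
        findings.append("partition table changed")
    return findings


def read_sector0(path: str) -> bytes:
    """Read sector 0 from a raw device or disk image (needs read access)."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def sample_mbr(code_fill: int, disk_sig: bytes = b"\x11\x22\x33\x44") -> bytes:
    """Constructed 512-byte sector: filler code, one partition entry, 55 AA."""
    entry = (bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0])
             + (63).to_bytes(4, "little") + (1000).to_bytes(4, "little"))
    table = entry + bytes(48)
    return bytes([code_fill]) * 440 + disk_sig + bytes(2) + table + b"\x55\xaa"


if __name__ == "__main__":
    baseline = fingerprint(sample_mbr(0x90))   # taken when the laptop is provisioned
    replaced = fingerprint(sample_mbr(0xCC))   # same disk, different loader bytes
    print("unchanged:", compare(baseline, fingerprint(sample_mbr(0x90))))
    print("replaced loader:", compare(baseline, replaced))
```
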

  22. Senior Member
    Join Date
    Jul 2009
    Posts
    2,056

    Certifications
    Beer+
    #21
    Quote Originally Posted by dynamik View Post
    Are you referring to TrueCrypt or something else? With TrueCrypt, you just burn an .iso that contains recovery information. I assume other products provide something similar.
    I wonder how many people keep the ISO on the computer, or burnt to a disc that's kept with the computer.

  23. He Hate Me Zartanasaurus's Avatar
    Join Date
    Sep 2009
    Posts
    1,978

    Certifications
    CCIE:R&S
    #22
    Is TrueCrypt better or worse than PGP?

    It's sort of implied that the govt didn't have the tools necessary to decrypt a hard drive in the Boucher case.

    Secret Service Agent Matthew Fasvlo, who has experience and training in computer forensics, testified that it is nearly impossible to access these encrypted files without knowing the password. There are no “back doors” or secret entrances to access the files. The only way to get access without the password is to use an automated system which repeatedly guesses passwords. According to the government, the process to unlock drive Z could take years, based on efforts to unlock similarly encrypted files in another case. Despite its best efforts, to date the government has been unable to learn the password to access drive Z.

  24. Senior Member
    Join Date
    Jul 2009
    Posts
    2,056

    Certifications
    Beer+
    #23
    Is there whole-disk encryption with PGP? I thought it was used for encrypting individual files, generally to send to someone else and prevent them from being useable if intercepted.

  25. Senior Member miller811's Avatar
    Join Date
    Oct 2007
    Location
    Nashville
    Posts
    896

    Certifications
    CCNP, CCDP, MCSA, Security +. Network +, A+
    #24
    Quote Originally Posted by dynamik View Post
    Are you referring to TrueCrypt or something else? With TrueCrypt, you just burn an .iso that contains recovery information. I assume other products provide something similar.
    TrueCrypt, company supplied laptop.
    OS on C:\
    all user data on D:\

    powers up hard drive not found.... hidden Truecrypt password to boot up, then once windows loads, need to enter password to access d: drive with user data

  26. Senior Member
    Join Date
    Oct 2005
    Posts
    1,030

    Certifications
    CCNP (R&S/Voice), CCDP, CCIP, VCP, NCDA, MCSE, CCNA Security
    #25
    Quote Originally Posted by Hyper-Me View Post
    I wonder how many people keep the ISO on the computer, or burnt to a disc that's kept with the computer.
    It wouldn't matter if they kept it with the computer, the disk has a copy of the boot loader and the encrypted master key. You still need the password for it to be any use.