Attacking and Defending Full Disk Encryption

One of your company's laptops was just stolen.  You know that there was sensitive information on the machine.  You also know that full disk encryption was deployed.  Is your data safe?  Can you prove it?

Many organizations are flocking to full disk encryption as a solution to their data security requirements.  Unfortunately, many of these installations view the deployment of full disk encryption as a panacea for any and all security concerns for their laptop fleets.  All too often, these systems are neither properly configured nor adequately tested.

In this talk, Tom will analyze the challenges associated with both attacking and defending systems protected with full disk encryption.  Many of the examples provided will draw from Tom's personal experience, including a case where a fully encrypted and powered down system was able to be fully compromised as part of a penetration test.

  • Questions for the audience: How many of you use laptops? FDE on company machines (laptops/desktops)? FDE on personal laptops? FDE on desktops? Servers? (Would expect less.)
  • Adds another layer of complexity for investigators; can often foil attempts.
  • "Dead" analysis: drive image, searching for deleted and hidden files; evidence must never change. New technologies are making this more challenging: full disk encryption/hardware encryption, solid state drives.
  • Memory analysis is becoming increasingly important. Capturing this evidence often requires modifying evidence (capture tools need to access/write to memory). Some evidence may only exist in memory.
  • Checkbox: trust but verify. Simulate an actual attack (zero-knowledge attacks). Identify shortcomings before they become problems.
  • Checkbox: trust but verify. Simulate an actual attack (zero-knowledge attacks). Identify shortcomings before they become problems. If the system was stolen, can you say with confidence that the data is safe?
  • XKCD comic: a million-dollar supercomputer cluster to break the encryption, or a $5 wrench to convince someone to give up their password.
  • Example of an actual forensic penetration test for a client (next slide). Setting the scene: a company laptop is stolen, full disk encryption employed. Is your data safe? How do you know?
  • Setting the scene: a company laptop is stolen, full disk encryption employed. Is your data safe? How do you know?
  • Zero-knowledge attack: identical to a real attack. Authenticated testing: allows for testing specific scenarios.
  • Laptop was fully encrypted; administrator confident no information could be retrieved or leaked.
  • Full disk images, physical and digital. Write blocker used; system never booted using the original disk (critical step!): the scratch disk could be restored, leaving no evidence of the attack. Initial reconnaissance: laptop, standard interfaces, Symantec Endpoint Encryption solution.
  • Grace period: a window of time where the system was allowed to boot normally; a passphrase was required after the timeout. Images/repeated imaging allowed us to work indefinitely. System booted to Windows during the grace period, so there was no need to attack the encryption directly; memory analysis techniques instead.
  • Downgrade system memory. Leverage DMA to dump memory (FireWire). Exploit operating system structure in memory (Inception tool). Result: full admin access.
  • We didn't need to break the encryption; we leveraged configuration oversights (the key may still be in memory). Convenience vs. security resulted in total failure. Zero knowledge both ways: the company would not be able to determine that information was stolen.
  • As seen in the pentest, if there is even a small window where pre-boot authentication is not necessary, encryption can be completely worked around.
  • On most laptops, this can be done in the BIOS. Not just FireWire: ExpressCard and PCMCIA also provide this functionality. Consider usability: are these really needed? Often not.
  • Standby allows a machine to be taken/stolen with the operating system in memory, which can allow encryption to be bypassed. Hibernation often loads the running state of the machine into memory without any authentication. If hibernation is required, consider an ATA drive password combined with a power-on password. If you have to pick one, ATA is the better option.
  • Different methods for handling lockouts: master password, challenge/response, etc. Helpdesk social engineering.
  • A locked laptop, unattended, could still be compromised using these techniques. Some laptops (e.g., Toughbooks) have the option to have the hard drive removed when leaving the machine.
  • Forensic penetration test for encryption verification
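The defensive points in the notes above (disable DMA-capable ports such as FireWire, ExpressCard and PCMCIA; avoid standby and hibernation on encrypted laptops) can be checked on a fleet before a laptop goes missing. The following PowerShell audit is an added example and is not code from the talk or from any encryption vendor; it assumes a Windows 10 or later machine with PowerShell 5.1+, English `powercfg /a` output, and that the "Disable new DMA devices when this computer is locked" policy is stored at `HKLM\SOFTWARE\Policies\Microsoft\FVE\DisableExternalDMAUnderLock` (an assumption to verify against your OS documentation). All function names are the example's own.

```powershell
# Added example, not from the original slides: audit a Windows laptop for the
# FDE bypass exposures the speaker notes list. Run in an elevated shell.

function Get-DmaCapablePorts {
    # FireWire/1394, PCMCIA/CardBus, ExpressCard and Thunderbolt controllers give
    # whatever is plugged in direct memory access; the notes recommend disabling
    # them in firmware when they are not really needed.
    Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Class -in @('1394', 'PCMCIA') -or
            $_.FriendlyName -match '1394|FireWire|CardBus|ExpressCard|Thunderbolt'
        } |
        Select-Object FriendlyName, Class, Status
}

function Get-SleepStateExposure {
    # powercfg /a prints the sleep states this machine supports. Standby (S3)
    # keeps the running OS (and keys) in RAM; hibernate writes it to disk and
    # restores it, which the notes flag as a way around pre-boot authentication.
    $out = (& powercfg.exe /a) -join "`n"
    # Only look at the "available" half of the report, not the "not available" list.
    $available = ($out -split 'The following sleep states are not available')[0]
    [pscustomobject]@{
        StandbyAvailable   = [bool]($available -match 'Standby \(S3\)')
        HibernateAvailable = [bool]($available -match 'Hibernate')
    }
}

function Get-DmaUnderLockPolicy {
    # Assumption: the "Disable new DMA devices when this computer is locked"
    # policy lives at this key/value. Returns 'enabled', 'disabled' or 'not configured'.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $v = Get-ItemProperty -Path $key -Name DisableExternalDMAUnderLock -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'not configured' }
    if ($v.DisableExternalDMAUnderLock -eq 1) { 'enabled' } else { 'disabled' }
}

function Invoke-FdeExposureAudit {
    # Collect the findings as plain strings so the output can be fed to a ticket
    # or fleet inventory. An empty result means none of the checks fired.
    $findings = @()

    $ports = @(Get-DmaCapablePorts)
    if ($ports.Count -gt 0) {
        $findings += 'DMA-capable ports present: ' + (($ports | ForEach-Object FriendlyName) -join '; ')
    }

    $sleep = Get-SleepStateExposure
    if ($sleep.StandbyAvailable)   { $findings += 'Standby (S3) available: OS and keys stay in RAM while stolen' }
    if ($sleep.HibernateAvailable) { $findings += 'Hibernate available: running state is restored on resume' }

    if ((Get-DmaUnderLockPolicy) -ne 'enabled') {
        $findings += 'DMA-under-lock policy not enforced (assumed registry location; verify)'
    }

    if ($findings.Count -eq 0) { 'No exposure found in the checks above' } else { $findings }
}

Invoke-FdeExposureAudit
```

The script reports rather than remediates: disabling the ports is a firmware setting on most laptops, and whether standby and hibernation can be turned off is a usability decision, which is the trade-off the notes describe. Run it as part of the "trust but verify" step so the result can be compared with what the encryption console claims.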