One of your company's laptops was just stolen. You know that there was sensitive information on the machine. You also know that full disk encryption was deployed. Is your data safe? Can you prove it?
Many organizations are flocking to full disk encryption as a solution to their data security requirements. Unfortunately, many of them treat the deployment of full disk encryption as a panacea for any and all security concerns about their laptop fleets. All too often, these systems are neither properly configured nor adequately tested.
In this talk, Tom will analyze the challenges associated with both attacking and defending systems protected with full disk encryption. Many of the examples will draw from Tom's personal experience, including a case where a fully encrypted and powered-down system was fully compromised as part of a penetration test.
Editor's Notes
Questions for the audience: How many of you use laptops? FDE on company machines (laptops/desktops)? FDE on personal laptops? FDE on desktops? Servers? (would expect fewer hands)
FDE adds another layer of complexity for forensic investigators and can often foil their attempts at analysis.
"Dead" analysis: image the drive, search for deleted and hidden files; the evidence must never change. New technologies are making this more challenging: full disk encryption / hardware encryption, solid state drives.
Memory analysis is becoming increasingly important. Capturing this evidence often requires modifying evidence, since capture tools need to access and write to memory. Some evidence may only exist in memory.
Why test? -Checkbox compliance: trust but verify -Simulate an actual attack: zero-knowledge attacks -Identify shortcomings before they become problems. If a system was stolen, can you say with confidence that the data is safe?
-XKCD comic: a million-dollar supercomputer cluster to break the encryption, or a $5 wrench to convince someone to give up their password.
Example of an actual forensic penetration test for a client. Next slide ---
Setting the scene: a company laptop is stolen, and full disk encryption is employed. Is your data safe? How do you know?
Zero-knowledge attack - identical to a real attack. Authenticated testing - allows specific scenarios to be tested.
The laptop was fully encrypted; the administrator was confident no information could be retrieved or leaked.
Full disk images - physical and digital. A write blocker was used and the system was never booted from the original disk (critical step!) - the scratch disk could be restored, leaving no evidence of the attack. Initial reconnaissance: laptop, standard interfaces, Symantec Endpoint Encryption solution.
Grace period - a window of time during which the system was allowed to boot normally; the passphrase was only required after a timeout. Imaging, and re-imaging as needed, allowed us to work indefinitely. The system booted into Windows during the grace period, so there was no need to attack the encryption directly: memory analysis techniques applied.
-Downgrade system memory -Leverage DMA to dump memory - FireWire -Exploit operating system structures in memory (Inception tool) -Result: full admin access
We didn't need to break the encryption - we leveraged configuration oversights; the key may still be in memory. -Convenience vs. security, resulting in total failure. -Zero knowledge - both ways: the company would not be able to determine that information had been stolen.
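The "key may still be in memory" point is what makes memory analysis decisive once a machine has booted past the pre-boot prompt: the FDE driver must hold the disk key, and usually its expanded AES key schedule, in RAM to do its job. The following Python is an added example, not code from Tom's talk, from Inception, or from any Symantec product. It locates AES-128 keys in a memory image by looking for a 16-byte block that is immediately followed by its own expanded key schedule, the approach used by the cold-boot-attack key finders. The memory image, the decoy and the offsets are constructed here for the demonstration; the key is the FIPS-197 example key.

```python
import random


def _rotl8(x, n):
    """Rotate an 8-bit value left by n bits."""
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """Generate the AES S-box: multiplicative inverse in GF(2^8), then the affine map.
    p walks the field as 3^k and q as 3^-k, so p * q == 1 on every iteration."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1                                             # q /= 3 (q *= 0xF6)
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse; the affine map alone gives 0x63
    return sbox


SBOX = _build_sbox()


def _schedule_words(first_four):
    """Yield words w[4] .. w[43] of an AES-128 key schedule, given w[0] .. w[3]
    (the raw key) as four 4-byte values."""
    words = list(first_four)
    rcon = 0x01
    for i in range(4, 44):
        t = words[i - 1]
        if i % 4 == 0:  # once per round: RotWord, SubWord, XOR the round constant
            t = bytes(SBOX[b] for b in t[1:] + t[:1])
            t = bytes([t[0] ^ rcon]) + t[1:]
            rcon = ((rcon << 1) ^ (0x1B if rcon & 0x80 else 0)) & 0xFF
        nxt = bytes(a ^ b for a, b in zip(words[i - 4], t))
        words.append(nxt)
        yield nxt


def expand_key_128(key):
    """Return the full 176-byte key schedule that an AES-128 implementation keeps
    in RAM next to (or instead of) the 16-byte key."""
    first = [key[i:i + 4] for i in range(0, 16, 4)]
    return bytes(key) + b"".join(_schedule_words(first))


def _schedule_follows(dump, off):
    """True if dump[off:off+16] is followed by exactly its own expanded schedule.
    Stops at the first mismatching word, so almost every offset is rejected after
    computing a single word."""
    first = [dump[off + i:off + i + 4] for i in range(0, 16, 4)]
    pos = off + 16
    for word in _schedule_words(first):
        if dump[pos:pos + 4] != word:
            return False
        pos += 4
    return True


def find_aes128_keys(dump):
    """Scan a memory image (bytes) and return (offset, key) for every AES-128 key
    schedule found. Random data, or a bare key with no schedule behind it, is not
    reported."""
    return [(off, dump[off:off + 16])
            for off in range(len(dump) - 176 + 1)
            if _schedule_follows(dump, off)]


def build_sample_dump():
    """Constructed stand-in for a RAM capture (not a real dump): random filler, a
    decoy copy of the key with no schedule behind it, then the real schedule."""
    rng = random.Random(1234)
    filler = bytes(rng.randrange(256) for _ in range(4096))
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 example key
    dump = filler[:1000] + key + filler[1000:2500] + expand_key_128(key) + filler[2500:]
    return dump, key  # the schedule starts at offset 1000 + 16 + 1500 = 2516


if __name__ == "__main__":
    dump, key = build_sample_dump()
    for off, found in find_aes128_keys(dump):
        print(f"AES-128 key schedule at offset {off}: key {found.hex()}")
```

A DMA dump of a running system is byte-exact, so the exact-match check above is what applies to the scenario in the talk; cold-boot captures additionally suffer bit decay, and production key finders tolerate a few mismatched schedule bytes and are written in C to cover gigabytes of RAM at speed. The same schedule-recurrence test extends to AES-192 and AES-256 by changing the key length and word count.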
As seen in the pentest, if there's even a small window where pre-boot authentication is not required, the encryption can be completely worked around.
On most laptops, disabling FireWire can be done in the BIOS. Not just FireWire: ExpressCard and PCMCIA also provide DMA access. Consider usability - are these really needed? Often not.
Standby allows a machine to be taken/stolen with the operating system still in memory, which can allow the encryption to be bypassed. Hibernation often loads the running state of the machine back into memory without any authentication. If hibernation is required, consider an ATA drive password combined with a power-on password. If you have to pick one, the ATA password is the better option.
Different methods for handling lockouts - master password, challenge/response, etc. - each of which is exposed to helpdesk social engineering.
A locked, unattended laptop could still be compromised using these techniques. Some laptops (e.g., Toughbooks) have the option to remove the hard drive when leaving the machine.
Forensic penetration test for encryption verification