Not past the screensaver as such, but many/most/all machines with firewire ports are vulnerable. http://www.forensicswiki.org/wiki/Tools:Memory_Imaging
So, turn off firewire in the BIOS, I guess.

On Fri, Dec 21, 2012 at 1:01 PM, David Lum <[email protected]> wrote:
> Simple to get past the screensaver password then?
>
> -----Original Message-----
> From: Ziots, Edward [mailto:[email protected]]
> Sent: Friday, December 21, 2012 12:59 PM
> To: NT System Admin Issues
> Subject: RE: Disk encryption killer: Anyone see this?
>
> It's not hard to get a memory dump from a PC that is running, and you have the
> tools and the appropriate skillset. If the box is open and running, then have
> a field day...
>
> Z
>
> Edward E. Ziots, CISSP, Security +, Network +
> Security Engineer
> Lifespan Organization
> [email protected]
>
> -----Original Message-----
> From: David Lum [mailto:[email protected]]
> Sent: Friday, December 21, 2012 3:39 PM
> To: NT System Admin Issues
> Subject: RE: Disk encryption killer: Anyone see this?
>
> So I'm hearing we shouldn't be concerned about a PGP-encrypted laptop
> *unless* its hibernation file is unencrypted (read, no full disk
> encryption)? A fully encrypted disk that has a screen saver password is going
> to be pretty secure?
>
> "You'll thus need to get a memory dump from a running PC (locked or
> unlocked) with encrypted volumes mounted, via a standard forensic product or
> via a FireWire attack.." >>> Ok how easy is it to get a memory dump from a
> running PC?
>
> "Alternatively, decryption keys can also be derived from hibernation files if
> a target PC is turned off" >>> If the hiberfil.sys is encrypted, how do they
> get to it?
>
> Dave
>
> -----Original Message-----
> From: Steve Kradel [mailto:[email protected]]
> Sent: Friday, December 21, 2012 10:59 AM
> To: NT System Admin Issues
> Subject: Re: Disk encryption killer: Anyone see this?
>
> I don't find this alarming at all: it requires access to the key data, and is
> useful if you have a memory dump or a cleartext hibernation file
> (hiberfil.sys is going to be *encrypted* on a hibernating machine with
> whole-disk encryption). This tool appears to be a good time-saver, given a
> memory dump, because it knows where to look in for the keys and how to
> extract them, but it does not attack any inherent cryptographic weakness or
> key management problems in PGP, TC, etc.
>
> --Steve
>
> On Fri, Dec 21, 2012 at 1:34 PM, Matthew W. Ross <[email protected]>
> wrote:
>> I'm no security expert.
>>
>> But I do assume that if the physical machine is compromised, then the
>> data it holds is as good as compromised as well, no matter what level of
>> encryption you have.
>>
>> --Matt Ross
>> Ephrata School District
>>
>> ----- Original Message -----
>> From: Ziots, Edward [mailto:[email protected]]
>> To: NT System Admin Issues [mailto:[email protected]]
>> Sent: Fri, 21 Dec 2012 09:57:51 -0800
>> Subject: RE: Disk encryption killer: Anyone see this?
>>
>>> I would say off the record no, if you used popular encryption
>>> software and a repeatable process, but when you lose physical
>>> security of an asset, given a reasonable amount of time and effort
>>> the encryption will be cracked and data will be obtained.
>>>
>>> Z
>>>
>>> Edward E. Ziots, CISSP, Security +, Network +
>>> Security Engineer
>>> Lifespan Organization
>>> [email protected]
>>>
>>> From: Chinnery, Paul [mailto:[email protected]]
>>> Sent: Friday, December 21, 2012 12:37 PM
>>> To: NT System Admin Issues
>>> Subject: RE: Disk encryption killer: Anyone see this?
>>>
>>> Oh, great. I wonder what view CMS will take if a laptop is
>>> stolen\lost and it's encrypted. Will they still say it's a HIPAA
>>> violation?
>>>
>>> From: David Lum [mailto:[email protected]]
>>> Sent: Friday, December 21, 2012 12:29 PM
>>> To: NT System Admin Issues
>>> Subject: Disk encryption killer: Anyone see this?
>>>
>>> Comments anyone? Looks like bad news...
>>>
>>> http://thenextweb.com/insider/2012/12/20/this-299-tool-is-reportedly-capable-of-cracking-bitlocker-pgp-and-truecrypt-disks-in-real-time/
>>>
>>> David Lum
>>> Sr. Systems Engineer // NWEATM
>>> Office 503.548.5229 // Cell (voice/text) 503.267.9764
>>>
>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>
>>> ---
>>> To manage subscriptions click here:
>>> http://lyris.sunbelt-software.com/read/my_forums/
>>> or send an email to [email protected]
>>> with the body: unsubscribe ntsysadmin
