On Fri, Apr 24, 2009 at 5:30 PM, Mike Gill <[email protected]> wrote:

> If the computer boots to a Truecrypt boot loader, and waits for a valid
> password to be supplied so that the disk can be decrypted and Windows may at
> that point come into the picture and begin loading; you're saying this
> defeats all that? It's not a decryption tool.
Ah. No, it won't defeat an encryption tool like that. If you need to provide a password to decrypt the disk, it won't bypass that. I was thinking of disk decryption with a hardware gadget and was assuming that was present. Bad assumption on my part.

This scenario sounds plausible though:

1. Attacker preps system by inserting his bootable debugger; leaves vicinity.
2. User comes in, boots system, enters decrypt key, leaves vicinity with system running at an OS password prompt (maybe screen lock).
3. Attacker comes back, bypasses logon/screen lock with debugger.

It is, of course, a best practice to never leave the system unattended while the decrypt is active. But many take the stance that "Once booted, the system is safe from hard disk analysis; the only way they can read the hard disk directly is to shut it down and remove it; that will clear the decrypt key."

Whether the scenario I describe above is really a use of this new attack, or just a failure to follow best practices for disk encryption, is left to the reader. :)

-- Ben
