mOses,

What I found with Checkpoint/Pointsec FDE is that it does not work regardless of whether WIL is enabled or not. I had originally thought it did work when WIL (auto pre-boot login - urg) was enabled, but it acts differently once the system is encrypted. Checkpoint FDE is reboot tolerant during its encryption process, so it worked fine up until it reached 100%.

My thought is that the tool may need to read the disk to determine what it is going to load into memory, Win XP, 7 or Linux (I don't know enough about how it works to know for sure). Once it is encrypted it's a non-starter. Does LUKS encrypt the whole drive with a pre-boot auth, or does it leave enough behind unencrypted for Kon-Boot to determine what to load?

D

> -----Original Message-----
> From: mOses <[email protected]>
> Date: Wed, 08 Jul 2009 23:17:32
> To: PaulDotCom Security Weekly Mailing List <[email protected]>
> Subject: Re: [Pauldotcom] Kon-Boot on a USB
>
> Well I can tell you that it will work against Active Directory accounts. HOWEVER, when you read the documentation and in your testing, what you'll find is that since the credentials entered do not match the Active Directory network credentials, you don't have access to network resources. It would seem to me that what this does is patch the system in memory in order to tell the local system service (or winlogon) that your username did match what was in the LSASS process (or something to that).
>
> Now what I was trying to prove was that it will work when WIL (Windows integrated login; meaning no actual password prompt in the FDE/WDE in Pointsec is required).
>
> Now secondly, and more interestingly, I tested this on an encrypted Debian system by entering the decryption password (which is different than root) and it worked! (kon-usr was able to login!)
>
> So basically COLD-BOOT attack against LUKS + Kon-Boot on Ubuntu/Debian will work.... scary.
>
> M
>
> On Jul 8, 2009, at 10:27 PM, PJ Velasco wrote:
>
> > I use PGP Desktop 9.10 full disk encryption on a Windows XP SP3 laptop and it did not work because I got the PGP prompt to unlock the disk after the initial KonBoot splash screen. I entered my PGP password to continue the boot process, but I had to enter my actual Windows credentials at the Windows login screen to successfully log in, so no go even if someone knows the PGP password. I also have an Ubuntu 9.10 laptop running disk encryption and the result was just like the PGP result. I successfully got it to work on a Debian system (VMware guest), but not my Fedora Core system (again VMware guest). Very sweet tool. I showed all the guys at work and they loved it. Tomorrow we are going to see if it will work with an Active Directory account. I have only tested with local accounts.
> >
> > On Wed, Jul 8, 2009 at 9:16 PM, mOses <[email protected]> wrote:
> >> Just wanted to put my 2 cents on testing for everyone on the list interested.
> >>
> >> Kon-Boot on a Windows XP SP3 box w/ TrueCrypt WDE (FDE) did not work. Gave me an error about the BIOS being too big and that it wanted me to change the motherboard(?)
> >>
> >> Kon-Boot on a Windows Vista Business running PointSec for PC (server/client edition) with Windows Integrated Login (which I don't enjoy having) did not work either. Dies right before the OS loads.
> >>
> >> Irongeek USB Boot did not work at all on that box; it hung at a place before that (loading the Pointsec system).
> >>
> >> Anyone else try with Bitlocker or another type of FDE/WDE like PGP enterprise?
> >>
> >> I think the author can fix these issues, or if he opens the source someone else may do it, although it was all written in TASM32 so probably only those who remember what TSR programs were can do it :)
> >>
> >> _______________________________________________
> >> Pauldotcom mailing list
> >> [email protected]
> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >> Main Web Site: http://pauldotcom.com
