Re: [VulnDiscuss] EFS vs. Elcomsoft

daveimmunitysec.com
Date: Tue Jun 17 2003 - 10:58:23 CDT


Well, I naively assumed that the user's password was also a factor. If
that was the case, it would at least require the Elcomsoft program to
crack a password to get at my sensitive files. From what Microsoft says in
the link below - it IS the case, but only for a machine that is part of a
domain or has gone through the floppy fun.

Couldn't they at least encrypt the recovery key to the Administrator
password in the non-domain case? This way would seem to me to be "failing
open".

"EFS was designed to thwart an attack in which an attacker who has
physical control of a Windows 2000 machine would boot the stolen machine
using an operating system that doesn't respect the Windows 2000 access
controls, then copy the files. EFS blocks this attack by encrypting
user-specified files. If an attacker stole these encrypted files, he would
need to conduct a separate brute-force cryptographic attack against each
file in order to read its contents. (Unless you aren't part of a domain
and haven't gone through some weird magic with a floppy, in which case he
can just decrypt them right away.)" :>

Dave Aitel
Immunity, Inc.

>
> Isn't this a well known issue? EFS is only secure if the computer is part
> of a domain or the user uses one of the stronger syskey modes: password
> prompt or key on floppy. A cryptosystem that has all the keys sitting
> there for an adversary to deobfuscate can never be secure.
>
> Elcomsoft info:
> http://www.elcomsoft.com/AEFSDR/readme.txt
>
> Microsoft info:
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/efs.asp
>
> -Chris
>
> On Tue, 17 Jun 2003 daveimmunitysec.com wrote:
>
>> So I think it's interesting that no one has made special note that
>> Elcomsoft totally smashed through Microsoft's encrypted file system, and
>> now sells an application that allows people to easily unencrypt files
>> from disk images. I know a lot of CxO's that think encrypting their
>> company's documents with EFS is making them more secure, but it turns out
>> apparently the key is stored in the registry. Elcomsoft did a talk on it
>> for BlackHat Europe, but nothing has been posted to anywhere that stressed
>> that for 99 bucks, every CxO's documents on an imaged disk are all cleartext.
>>
>> Dave Aitel
>> Immunity, Inc.
>>
>
>