Recently in FDE Category
After reading about a firewire memory attack against Windows (it also affects other operating systems), I figured it wouldn't take long before someone demonstrated its use against full disk encryption. After all, why bother booting to USB or freezing the RAM if you can just hook up a firewire connection and access the memory.
Today, I saw a Dark Reading article where a group/vendor has penetrated a Pointsec-encrypted computer through the use of the firewire technique.
This simple attack takes advantage of the FireWire protocol and its ability to directly access and modify the RAM of a target machine with a FireWire port installed. Using a simple and readily available forensics software tool, it is possible to connect a FireWire cable to a computer, and within seconds bypass the Windows authentication and log in as a local administrator.
It is important to note that pre-boot authentication was not enabled on this computer. If it had been, the attack would not have succeeded. I can't imagine deploying FDE without pre-boot authentication. This article could have described an attack against any FDE vendor not using pre-boot authentication.
I've disabled the firewire port on my laptop. I haven't looked at what it would take to disable the firewire port in an enterprise. Perhaps it's time for more spelunking in devcon. Or maybe Google will have an easy answer. I wonder how many "port control" products include firewire.
At the beginning of the year, Guardian Edge transitioned support to an interactive voice response (IVR) system. Since then it seems impossible to call and speak to a live person.
I don't generally like to call any support phone number. Most matters should be resolvable by checking the manual, reading the knowledge base, or opening a ticket via email or web form. When I do have to call support it's because I really need an answer now, and don't mind waiting on hold for a bit to get it.
The old Guardian Edge support fit that model perfectly. I could call, and normally get someone right away.
The new Guardian Edge support model is geared toward never speaking to anyone. If you call, a voice response system asks if the number you are calling from is the one associated with your account. Next, even though they've already identified you by phone number, the IVR asks for your support ID number. After that you can leave voice mail describing your case. In each case I've had since this change, the support technician replies by email in 4-6 hours. God help you if that answer doesn't resolve the issue, because the case will get lost after that.
We paid for phone support. This doesn't seem like phone support to me. I have tried to address these concerns with Guardian Edge. The person heading the project corrected a routing problem with my support ticket. They did not address what I feel is a loss of service.
This sort of thing happens a lot with expanding companies. They have more callers and don't have the trained bodies to handle the calls. I still find it very disappointing.
Guardian Edge Encryption Anywhere Hard Disk is a Full Disk Encryption product that, in the words of their website, offers a "unique integration with Microsoft Active Directory for Group Policy Object based policy management".
Some policies can only be set at installation, but other settings can be configured through Group Policy. They provide Group Policy Administrative Templates (ADM files) that are imported into Group Policy and deployed to the users. Guardian Edge recommends that access to these Group Policy snap-ins be restricted (which can be done in Group Policy). This prevents a local administrator from importing the ADM file into their local Group Policy and modifying settings themselves.
By opening the ADM files in a text editor, it is apparent what registry keys are modified by each policy. I haven't tested this out since enabling the Group Policy snap-in restriction, but I am reasonably sure that no Group Policy snap-in restriction will prevent me from directly creating these registry keys. Malicious code, or a user trying to escape perceived encryption slowness could then bypass the normal administration methods and decrypt the hard drive.
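One way to check the concern above on a host where the template is already applied, as an added PowerShell example (not Guardian Edge's own tooling): it parses the vendor's ADM file for the KEYNAME/VALUENAME pairs and then reports which identities hold write rights on each HKLM key, so you can decide whether an ACL or audit policy is needed. The ADM path is an assumption; user-class (HKCU) keys are listed but not ACL-checked.

```powershell
# Added example, not Guardian Edge's code: read an ADM template, list the
# registry values its policies write, and show who can change those keys.
# Assumption: $AdmPath is the vendor's .adm file; no key names are hard-coded.
param([Parameter(Mandatory = $true)][string]$AdmPath)

# ADM syntax: CLASS picks the hive, KEYNAME sets the key for the policies that
# follow, VALUENAME names the value. This keeps only the most recent KEYNAME,
# which matches the usual CATEGORY/POLICY layout of these templates.
$class = 'MACHINE'
$key = $null
$settings = @()
foreach ($line in Get-Content -Path $AdmPath) {
    switch -Regex ($line.Trim()) {
        '^CLASS\s+(MACHINE|USER)' { $class = $Matches[1] }
        '^KEYNAME\s+"([^"]+)"'    { $key = $Matches[1] }
        '^VALUENAME\s+"([^"]+)"'  {
            $settings += [pscustomobject]@{ Class = $class; Key = $key; Value = $Matches[1] }
        }
    }
}
Write-Output "Registry values written by $AdmPath"
$settings | Format-Table -AutoSize

# Any Allow ACE carrying one of these rights lets that identity change the
# policy outside Group Policy; compare the output with who you expect to see.
$writeMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, FullControl'
$machineKeys = $settings | Where-Object { $_.Class -eq 'MACHINE' } |
    Select-Object -ExpandProperty Key | Sort-Object -Unique
foreach ($k in $machineKeys) {
    $path = "HKLM:\$k"
    if (-not (Test-Path -Path $path)) {
        Write-Output "$path : not present (policy not yet applied on this host)"
        continue
    }
    foreach ($ace in (Get-Acl -Path $path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            ([int]($ace.RegistryRights -band $writeMask)) -ne 0) {
            Write-Output ("{0}: {1} may write ({2})" -f $path, $ace.IdentityReference, $ace.RegistryRights)
        }
    }
}
```

Run it from an elevated prompt so Get-Acl can read every key; a line naming BUILTIN\Users or a broad group is the case the post worries about.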
Disabling security products is often step 1 for malware when it finds a new computer to infect. Why not decrypt the drive too? That sort of thing wouldn't help an attacker motivated by money, but there are still plenty motivated by mischief making.
I approached Guardian Edge support to ask them if this was indeed a viable attack. Is it desirable to place an ACL on this registry key? Could an ACL even be placed on the registry keys used by a policy? They responded:
"We totally depend on the Windows/Active Directory Security models. As of today, Microsoft has provided fixes for all the publicly known security holes for those models."
Do you really want your Full Disk Encryption totally dependent on Windows for security?
The bottom line is that Guardian Edge's Full Disk Encryption does what it's designed for. A stolen computer will be protected by the pre-boot logon as long as the user has shut the machine down.
These are my notes from the vendor panel at the SANS Secure Storage and Encryption Summit.
Guardian Edge
If we haven't had enough statements of the problem, I like the way they put it.
Data is disappearing out of the organization and you don't know it.
81 percent of companies report the loss of one or more laptops containing sensitive data in the past 12 months. Would we even know what was on the laptop?
53% believe that their companies would be unable to determine what sensitive or confidential info resided on a USB memory stick if it were lost.
PGP
- The PGP piece on the BlackBerry is there by default. You just need to license it. It actually will connect to your PGP Universal server. That sounds kind of neat.
Seagate
Seagate admits that it's a hard drive solution only. You need to do something else for your thumb drive, email, etc.
FIPS 140 in progress for the Seagate (I assume that is FIPS 140-2. I don't think they do 140-1 anymore).
They also have the DoD evaluating for the secure wipe. Seagate just removes the encryption key.
The PGP guy made an analogy to when 3-D graphics cards came out. Something about it not putting software rendering out of business; it works together.
Q - Why would we need this (any of the vendors) when BitLocker comes out?
A - better management tools
- mature product
- OS support. BitLocker is obviously Vista-only, and reportedly only in the more expensive versions of Vista.
- No requirement for TPM. BitLocker is better with TPM.
Again, these are my notes from the SANS Secure Storage and Encryption Conference. In Session 1.3, four companies discussed their experiences deploying encryption.
JP Morgan Chase - Guardian Edge EPHD
48k laptops deployed.
They found problems due to standardization issues and multiple support teams.
Key Challenges
- If your goal is to encrypt data on laptops specifically you need to be able to find the laptops and know how many you have.
- multiple support organizations
- New login for users
I didn't quite understand the login issue. Are the users now faced with a dual login where they authenticate to the encryption software and then again to Active Directory?
Reports! Produce reports showing install rates. Highlight the departments doing well.
Your biggest problem will be the guy who likes to screw around with hacker tools even though it's not part of his job.
You need to be able to validate that encryption has occurred and continues to occur.
Backups are crucial.
They found that if you boot to safe mode and run defrag you will kill your master boot record. I wonder what that says about booting to safe mode to fix spyware issues. HMMMM.
People think this will slow down their PC. They won't do it on their own. (I would say that the users who have customers demanding it will do it.)
Q - How do you deal with the engineer/hacker wannabe who thinks they know better?
A - Log agent with central aggregator.
Northrop Grumman - also using Guardian Edge
High level buy-in is key
They had lots of pushback initially, but the installs turned out to be not that big of an issue.
You don't want your customer coming back to you and saying your encryption isn't good enough. That is why they did full disk AES 256.
They spent a lot of time with legal on export control issues. We all know about the axis of evil countries where you can't export software. But what about less known laws where bringing an encrypted laptop in can cause problems? They have a list of 20 countries that they can't go to with their computer. Corporate Security and the Travel office coordinate so people going to these countries don't have sensitive info and use a vanilla PC without encryption.
Communication is key in the deployment. The initial encryption time can be an issue.
Northwest Mutual - Safeboot, Credent Mobile Guardian
Q - How did you verify that the solution is installed?
A - They used Altiris to look for specific EXEs.
Q - How did you handle multi-user PCs?
A - I didn't quite get this. It sounded like you have to assign each user the rights to log on.
Use full disk encryption - you don't want to leave the decision in the user's hands.
Users would reboot on their way out for the day. As a result unattended SMS installs did not work. They had to change user behavior.
FDIC - Credent Mobile Guardian
Credent does GINA Chaining
In your project you need to give users the confidence that you aren't going to disrupt them.
Don't go for the big bang. Test in small groups and deploy.
Lessons Learned -
- Confirm the product's ability to encrypt data regardless of location type and structure. Fill in the gaps where necessary. (My comment: it can be a real issue when the project scope is defined one way and people start asking about other features.)
- Don't deploy too many things at once. Everything will get blamed on the encryption.