Posts tagged ‘Bitlocker’

Hibernate and FDE

Earlier this week, I read this article reporting on Passware’s presentation at Password^20. It reported that if you are using BitLocker or TrueCrypt and you’ve ever used hibernate, then Passware Kit Forensic is able to recover the encryption key from the Hibernate file. The recommendation was “NEVER EVER EVER EVER allow hibernation for any computer.”

I found this hard to believe. So I watched the presentation. The Q and A made it clear that if the disk is truly fully encrypted, that is including the hibernate files, and the system is off.

I’m not as familiar with BitLocker or TrueCrypt as I am with the product I use at work. Apparently people using TrueCrypt or BitLocker often only encrypt data volumes. Certainly that leaves you more vulnerable. The product I use actually encrypts the full drive, and provides pre-boot authentication at all times. So I think the advice to never use hibernate isn’t correct if you truly have full disk encryption.

GuardianEdge Windows 7 Looking Back

Like a lot of companies we are trying to go to Windows 7 sooner rather than later. We skipped Vista and XP is starting to seem a bit old. One of the things holding us back is GuardianEdge’s Full Disk Encryption product. Here’s our timeline.

In October 2009 I asked GuardianEdge about Windows 7 support and Windows 7 64 bit support. They said both would be available in version 9.5 due out in December 2009.

When GuardianEdge Hard Disk Encryption 9.5 was released (January or February), I found that there was no support for preboot authentication. Without preboot authentication, I think the encryption is pretty worthless. Support tells me 9.5.1 will include preboot authentication and be available in April 2010.

9.5.1 is released and I find it doesn’t work on my Toshiba Portege with windows 7 32 bit installed. I decide this may be a one-off. I’m the only one using the Toshiba so I try it out on a few Dell E6500 computers with Windows XP and Windows 7. This failed miserably. It turns out this was a known issue with Dell E6500 and GuardianEdge was working on a patch.

GEHD 9.5.1 patch 1 came out. While it fixed the assorted problems with the E6500, I now see in the release notes:

There are known issues with GuardianEdge Hard Disk on various configurations of the following Dell computer models
■ Dell E4310
■ Dell E6410
■ Dell E6510
■ Dell E5410, and
■ Dell E5510

Unfortunately the E6410 and the E6510 are two of the three systems listed on our standard configuration page. The third E4300, I suspect would really be the E4310.

GuardianEdge says this will be fixed in September 2010.

I wouldn’t be surprised if this led to looking at other solutions and revisiting BitLocker. I wrote about BitLocker in March. These pretzels are making me thirsty.

iPhone (in)security in the enterprise – Followup

Back in November I wrote a summary of several concerns we have about the iPhone in the enterprise.
Four months later let’s take a look and see what’s changed.
One of the other guys at work took that list of concerns to our AT&T rep, who then took them to an unnamed, untitled Apple contact. Next they ran the questions by the magic 8 ball. The responses are below.
Problem 1: Encryption and PIN bypasses reported at iPhoneinsecurity.com
Apple’s Response:
We take iPhone security very seriously and have made consistent improvements in all areas. For example, in the most recent iPhone 3.1.3 update we made the changes detailed in the following KB – http://support.apple.com/kb/HT4013 One to highlight is CVE-ID: CVE-2010-0038 related to recovery mode. This is a big improvement to thwart those who are using tools to modify the iPhone software.
That doesn’t really answer the question though. Is the encryption bypass which Zdziarski is only talking to law enforcement about fixed or not? Due to the lack of public disclosure there is no way to know. Zdziarski does mention using recovery mode so it is possible that the attack is patched. But I don’t give the benefit of the doubt to non-disclosers.
I suppose some would argue that the evil maid attack allows bypass of Full Disk Encryption on computers so I shouldn’t have my data there either. Of course using a smart card or bitlocker with TPM I could protect myself from this attack.
The evil maid attack requires an attacker to have physical access to the device. Then I log in. Then the maid returns to harvest the results. The iPhone encryption bypass can occur when you leave the iPhone unattended for a few minutes. I don’t think that is comparable.
2. iphoneinsecurity shows a password bypass in addition to the encryption bypass.
Apple’s response indicates that the enterprise passcode policy is completely different than the consumer four digit PIN and thus not vulnerable. I’m not sure I’m buying that.
3. Lack of Centralized Config Management
Apple’s Response indicates that it’s possible to force the iPhone to have the enterprise configuration in order to be able to connect to the enterprise. I’m not sure exactly how that is supposed to be done.
Further Apple claims that the iPhone is more secure than the Blackberry because it’s Unix. It’s also more secure because you can only run one application at a time and every app is approved by Apple. lolz.
4. Patching
With the BES we can deploy them as forced updates over the air.
Apple’s Response:
We (Apple) don’t view them as patches, but as major, free OS upgrades and updates..a typical OS update for us is 200-300 meg ( very unwieldy to do OTA) and is packed with useful new features , security upgrades, OS enhancements, etc…
“we dont view them as patches”. Sorry, I didn’t read the rest. Laughing too hard.
5. iTunes
Apple responded that it’s best practice to not supply full iTunes to everyone. Apparently there is some way to skinny down iTunes so it’s basically a sync software.
6. App Store
This issue goes back to is this a business device or not. Are the users going to have the device on their Apple account and take the applications with them or what?
Apple’s response was basically, yes the user takes the app with them when they leave the company even though the company bought the app.
7. Jailbroken phones may be less secure.
Apple’s response is don’t let jailbroken phones connect to the network. No word on how to do that. Authentication alone doesn’t do that. Is ActiveSync going to check for that? I think not.
8. Repeaters. This is more an AT&T issue. If we buy X iPhones, can we get repeaters for free?

BitLocker vs Third Party FDE

Like many organizations, we skipped Vista. So with Windows 7 we are facing the question “is Windows 7 good enough” or do we still need to pay for a third-party full disk encryption (FDE) product.

This question was asked back in 2006 at the SANS Desktop Encryption Summit. The FDE vendors felt their product was better because:
1. Better Management tools
2. Mature product
3. Multiple OS support
4. No requirement for TPM.

BitLocker is no longer a first gen product. Let’s look at today’s reasons for purchasing or continuing to use a third-party FDE product.
BitLocker Minimum Requirements
“BitLocker stores its own encryption and decryption key in a hardware device that is separate from your hard disk, so you must have either a computer with a Trusted Platform Module (TPM) or a removable USB memory device.”
USB memory devices would tend to be stored in the laptop bag, so that isn’t a secure solution.
TPMs are an additional thing to manage. Perhaps it’s not as difficult as I envision. When I did a WAVE eval, I had to go into the BIOS to enable the TPM and set a master TPM password. That doesn’t scale.
“The computer must have been configured with an additional separate active partition to be used as a system partition.”
This extra step now happens automatically, so I don’t think that is a big deal.
“The BIOS must be compatible with TPM and/or support usb devices during computer startup”
It may be necessary to upgrade the BIOS. While probably not an issue on the newer computers we would be using, this could be an issue on upgrades in place.
None of these prerequisite requirements is particularly burdensome. However it leaves out one key minimum requirement: Vista or Windows 7 Enterprise. Our XP systems would still be on the current FDE product requiring two management methods.

OTHER BitLocker Considerations

1. Provable Encryption
With the current FDE product, if a computer is lost I would be able to tell that it was actually encrypted when it was last seen on $date $time. Can BitLocker say the same? I don’t know.
Many states have an encryption safe harbor. Meaning if the lost system was provably encrypted, breach notification provisions do not apply.
2. Usability
The current FDE product syncs the domain password to the pre-boot environment. The user does not need to know a second password. The normal password requirements apply.
With BitLocker the PIN is just that. An enhanced PIN can be required but it is possible that some system BIOS will not support alphanumeric entry in the pre-boot environment. Does this PIN ever expire? It doesn’t seem like it.
3. Recoverability
The standard recovery method is to use a recovery password. This is a 48 digit number backed up to Active Directory. Enjoy typing that in when the user forgets their password.
This method is not FIPS compliant and must be disabled. Instead there are two other options.
A recovery key is a 256 bit key that is saved to a flash drive. This method must be done by the end-user and they need to store the key securely. Obviously that isn’t enterprise ready.
The third option is a data recovery agent. A public key is distributed to all BitLocker protected devices. Someone with the matching private key (e.g. me) would need to be physically present at the computer. Apparently even then the OS drive must be installed on another computer running Windows 7 as a data drive.
So basically no recovery options work for us.
4. Standby
BitLocker protection is in effect only when the computer is turned off or in hibernation.
Our current FDE product protects in standby, hibernation or when the computer is off.
Update: This is no longer true. Pre-boot authentication in standby is a false sense of security.
5. Enterprise Manageability
While BitLocker has caught up with third-party encryption products in its ability to encrypt USB drives there are still other areas where FDE vendors shine. Many FDE vendors can also encrypt phones and manage hardware-based encryption products. It’s a lot more convenient to manage these devices through one vendor.
From my limited reading it seems that there are still a number of items that argue for the continued use of a non-Microsoft FDE product.

iPhone (in)security in the enterprise

Just when you thought you’d successfully killed it off, it’s back. The email from management who is getting pressure from the C levels asking why the iPhone isn’t supported. It comes in on schedule every two months.
“iPhone version 3.1 has solved all the security problems, right?”
Um, no.
“There is now a Wolfram Alpha app for the iPhone. This would really help our business development”
Are you serious?
Who can blame them. Apple and their willing co-conspirators in the tech media have been repeating the mantra. “iPhone 3GS is secure for the enterprise.” Secure or not, companies are adopting the iPhone, even to the point of allowing personal devices. Let’s summarize what we know and what we don’t know about the
Problem 1: Encryption
It is of critical importance to protect data privacy through encryption. iphoneinsecurity.com, a site dedicated to iphone forensics has posted video demonstrating the bypass of the iPhone 3GS encryption.
I suppose some would argue that the evil maid attack allows bypass of Full Disk Encryption on computers so I shouldn’t have my data there either. Of course using a smart card or bitlocker with TPM I could protect myself from this attack.
Problem 2: passcode bypass
The passcode on an iPhone is bypassable.
Problem 3: Lack of Central Config Management
Enterprises are used to controlling phone configuration centrally, for example through a Blackberry Enterprise Server. iPhone configuration is sort of voluntary. TrustDigital would say they solve that issue. I need to talk with them (again) because I think they can enforce a configuration at the time the iPhone connects to the server, but I don’t think they have a permanent enforcement agent. Could be wrong.
Problem 4: patching
While patches can be pushed from the BES, iPhone users need to install each patch individually through iTunes
Problem 5: iTunes
Speaking of iTunes, that isn’t exactly a corporate type product. What if we don’t want that on our computers? RIM has worked to make Blackberry work without installing any desktop software in a BES environment.
Problem 6: App Store
Whose account is used in iTunes? Do they use their personal account? In that case the end user really owns any applications purchased by the corporation on that account. When the employee terminates they would essentially walk out with the applications the company owns. If a corporate account is created then the opposite problem occurs.
Problem 7: Jailbroken phones
Jailbroken phones are susceptible to security problems. Besides the ikee worm, they allow unapproved applications to be run, bypassing Apple’s whitelisting security model. How can an enterprise prevent jailbroken phones from being used?
Problem 8: Repeaters
Like a lot of company headquarters, ours is like an unintentional Faraday cage. We’ve had to put up repeaters for Verizon and Nextel. Are we supposed to pony up and install AT&T repeaters?
While the iPhone remains exceedingly popular, it still has Apple’s consumer mindset at the core. (sorry, bad pun) At least at our company I don’t see it making headway until the encryption issue is solved. Then I’ll talk with TrustDigital again about their management solution.
update
The day I posted this I got emailed an announcement of Good Technology’s support for the iPhone. Good uses their own application and would keep the corporate email encrypted in that. However any other corporate data that made its way on to there wouldn’t be protected. In an era of cutbacks its hard to provide support for both Good and Blackberry.
Commenters have pointed out that the iPhone still does not support S/MIME or PGP. I had thought to check on that but it didn’t make the article. S/MIME support is mandatory for my company.

Bitlocker podcast with Paul Cook

Today I listened to a recording, posted at MyITForum, of Paul Cooke, Director in the Windows Client division specializing in security, discussing BitLocker Drive Encryption and how it has been extended in Windows Vista SP1.
It’s been a while since I’d read anything on BitLocker. Since GuardianEdge did a number on my laptop I am interested to see if it’s worth continuing with GE if we ever upgrade to Vista.
SP1 enhancements:
- Can now require TPM, PIN and USB all together.
- Can now encrypt data volumes instead of only the OS/primary volume.
TPM 1.2 is required (if you use the TPM option). That sounds like quite a hassle, making sure the TPM chip is enabled on the computers that are coming in.
Recovery involves a 48 digit PIN. That sounds like a real joy to read off to the end user. What rights does the helpdesk need to access that number anyway? With our current product while you are reading off numbers to the user, there is a check digit returned to verify correct entry.
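Both the Recoverability section of the BitLocker vs Third Party FDE post and the note above complain about reading a 48-digit recovery password to a user with no check digit. As an added example (not from the post or from Microsoft), here is a helpdesk-side checker that uses the documented structure of the password: eight groups of six digits, each group a multiple of 11 and less than 720896 (so group ÷ 11 is a 16-bit value). A mod-11 check catches every single-digit error and every adjacent transposition inside a group before anyone types the number at the pre-boot prompt. The sample password it builds is constructed and unlocks nothing; PowerShell 3 or later is assumed.

```powershell
function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)][string]$Password)

    # Accept "123456-234567-..." as printed by manage-bde, or the bare digits.
    $digits = $Password -replace '[^0-9]', ''
    if ($digits.Length -ne 48) {
        return [pscustomobject]@{ Valid = $false; Reason = "expected 48 digits, got $($digits.Length)" }
    }
    for ($i = 0; $i -lt 8; $i++) {
        $group = $digits.Substring($i * 6, 6)
        $value = [int]$group
        if ($value % 11 -ne 0) {
            # Any single wrong digit or swapped adjacent pair breaks divisibility by 11.
            return [pscustomobject]@{ Valid = $false; Reason = "group $($i + 1) ($group) is not a multiple of 11: likely a typo" }
        }
        if ($value -ge 720896) {
            # group / 11 must fit in 16 bits (65535 * 11 = 720885).
            return [pscustomobject]@{ Valid = $false; Reason = "group $($i + 1) ($group) is out of range" }
        }
    }
    return [pscustomobject]@{ Valid = $true; Reason = 'well-formed' }
}

function New-SampleRecoveryPassword {
    # Constructed sample with the right shape only; it is NOT a real recovery password.
    $rng = New-Object System.Random 42      # fixed seed so the sample is reproducible
    $groups = 1..8 | ForEach-Object { '{0:D6}' -f ($rng.Next(0, 65536) * 11) }
    return ($groups -join '-')
}

$good = New-SampleRecoveryPassword
# Simulate a helpdesk typo: change the second digit of group 2 (string index 8).
$d   = [int][string]$good[8]
$bad = $good.Substring(0, 8) + (($d + 1) % 10) + $good.Substring(9)

"$good -> $((Test-BitLockerRecoveryPassword $good).Reason)"   # well-formed
"$bad -> $((Test-BitLockerRecoveryPassword $bad).Reason)"     # group 2 ... not a multiple of 11
```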

Managing Emotions Under Pressure – part 2

This is part 2 of a series of posts reflecting on a Fred Pryor class titled Managing Your Emotions Under Pressure.
There is more pressure than ever in the workplace. There is just a lot of information to absorb and a lot of tasks to perform. Most of my readers will understand that. They use RSS feeds to sip from the firehose of information that is the Internet. Many of my readers will like me be in Information Security. We’ve got to stay one step ahead of a motivated attacker and protect the business even when the users don’t want to be protected.
Pressure can lead to overreacting emotionally. Overreacting emotionally can have great negative effect on the career.
We’re supposed to be always learning and building our skills. Skills aren’t just picking up another certification, or studying up on the benefits/drawbacks of bitlocker when compared to GuardianEdge. Skills include managing your emotions.
Doing so isn’t easy. Stephen Covey says it takes 6 times to learn and 21 times for it to become a habit. Making changes could be a lifelong effort.

SANS Session 2.1

The first session of the second day at the SANS Secure Storage and Encryption Summit was presented by Jason Fossen. Jason teaches the Securing Windows Track at many SANS conferences. Today he is speaking on Vista Bitlocker as well as EFS.
I missed the first 5 or 10 minutes thanks to DC area traffic. I’m kind of angry about that, but what are you going to do. It took me 15 minutes longer on Thursday than on Wednesday to get there.
With EFS you can encrypt anything not in the Windows folder and without the system bit set.
The ultimate strength of the encryption is in the password complexity.
EFS is NTFS only.
The problem you get into is that you are relying on the users to select folders for encryption and put sensitive data in those folders. Also EFS is for folders only. You would need a separate solution for email and for all your electronic toys.
With BitLocker and EFS in Vista you’d have to have a compelling case for purchasing the third party whole disk encryption programs (assuming you’re a Windows shop who is upgrading to Vista anyway). The main argument for third party is the USB fobs and phones.
Doesn’t EFS have horrendous vulnerabilities?
-By default the local admin in windows 2000 was the recovery agent. This was listed in the help file. There were ways to deal with that. After the uproar, that was no longer the default in XP but in many minds the damage was done.
- You should always encrypt at the folder level to avoid an issue.
- Swapfile and hibernate are issues that should be considered
What about commercial EFS crackers?
They require the password to work.
Bitlocker – system must be partitioned in 2 volumes, boot and OS. Only OS volume can be encrypted in Vista. In Longhorn (server) any non-boot volume can be encrypted.
Bitlocker provides verification of the integrity of the boot-up files which can help prevent rootkits and other malware. Note you need TPM for this feature.
Bitlocker provides sector level encryption of the entire hard drive.
Steps to enable TPM
1. Verify your Bios supports TPM 1.2 (make sure you have latest BIOS)
2. Enable TPM in BIOS
3. Turn on TPM in Windows (tpm.msc)
4. Initialize the TPM with an owner password.
There are options that involve still using a USB token containing a key in combination with the TPM to provide multi-factor authentication. It seems to me the USB is likely to be left in the laptop bag so why bother. It’s nice to have that level of security available where necessary.
There is a script manage-bde.wsf to manage TPM and BitLocker from the command line.
Takes about 1 minute per GB when enabling BitLocker. You can reboot! You are able to work while it’s performing its initial encryption.
**Gotcha** if you don’t disable BitLocker during a BIOS update it will freak out. So you can temporarily disable it while updating the BIOS or boot files.
So what if the TPM is pooched, how do you get your data? There is a 48 digit recovery password. This is stored in the computer account in Active Directory. You should require in Group Policy that this recovery password be stored before BitLocker can be enabled.
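The BIOS-update gotcha and the recovery-password point above go together: suspending protectors for a firmware flash is safe only if you already have a recovery password escrowed, because a changed TPM measurement after the update is exactly when you need it. The wrapper below is an added example (not the session’s or Microsoft’s code). It assumes Windows 7’s manage-bde.exe and an elevated prompt; on Vista the same switches go through `cscript manage-bde.wsf`. The drive letter is a parameter and the firmware update step itself is a placeholder prompt.

```powershell
# Suspend BitLocker around a firmware update, refusing to do so without an escrowed
# recovery password, and verify that protection is back on afterwards.
param([string]$Drive = 'C:')

function Get-BdeStatus {
    # manage-bde -status prints "Label:   value" lines for the volume; pick the ones we need.
    $out = manage-bde -status $Drive 2>&1 | Out-String
    $status = @{}
    foreach ($line in ($out -split "`r?`n")) {
        if ($line -match '^\s*(Conversion Status|Encryption Method|Protection Status|Lock Status):\s+(.+)$') {
            $status[$matches[1]] = $matches[2].Trim()
        }
    }
    return $status
}

function Test-RecoveryPasswordProtector {
    # A "Numerical Password" protector is the 48-digit recovery password; without one,
    # a TPM measurement change after the flash would lock us out of the volume.
    $out = manage-bde -protectors -get $Drive 2>&1 | Out-String
    return ($out -match 'Numerical Password')
}

$before = Get-BdeStatus
"Before: $($before['Protection Status']); $($before['Encryption Method']); $($before['Conversion Status'])"

if ($before['Protection Status'] -notmatch 'Protection On') {
    Write-Warning "$Drive is not protected by BitLocker; nothing to suspend."
    return
}
if (-not (Test-RecoveryPasswordProtector)) {
    throw "No recovery password protector on $Drive. Add one (manage-bde -protectors -add $Drive -RecoveryPassword), back it up to AD, then retry."
}

# Suspend protection: the volume key is left on disk in the clear until we re-enable,
# so keep this window as short as possible and never ship the machine in this state.
manage-bde -protectors -disable $Drive | Out-Null
$mid = Get-BdeStatus
if ($mid['Protection Status'] -notmatch 'Protection Off') { throw "Failed to suspend protection on $Drive" }

# Placeholder for the vendor-specific BIOS/firmware update step.
Read-Host 'Run the firmware update now, then press Enter to resume BitLocker'

manage-bde -protectors -enable $Drive | Out-Null
$after = Get-BdeStatus
if ($after['Protection Status'] -notmatch 'Protection On') {
    throw "Protection did not resume on $Drive; investigate before returning it to the user."
}
"After: $($after['Protection Status'])"
```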
Best Practices:
- Make sure your new hardware supports tpm 1.2.
- It may save time to have the hardware vendor partition with two partitions.
- Enforce a strong passphrase policy
use 128 bit AES. 512 bit is overkill for most.
Bitlocker doesn’t replace EFS it enhances it.
Q – Can bitlocker use third party certs?
A- no, it does not use certs per se
Q – is a schema mod required for bitlocker
A – yes not only that, You must be running Windows 2003 SP1 domain controllers with a Schema mod.
Q- Forensics?
A- Well, if you left the door open for forensics, the bad guy could look at the file too. With all these whole disk encryption products, you pretty much need to decrypt the disk to use EnCase.
Q- Can malware disable bitlocker? You mentioned a script to enable/disable
A- If you’re running as admin and malware gets installed, sure. But then you’ve got a bad enough problem already if malware is running as admin. Why are you running as admin?
ALLOWING USERS TO SELECT FOLDERS FOR ENCRYPTION IS A DISASTER!!!

SANS Session 1.5 Encryption Tools

These are my notes from the vendor panel at the SANS Secure Storage and Encryption Summit.
Guardian Edge
If we haven’t had enough statement of the problem, I like the way they put it.
Data is disappearing out of the organization and you don’t know it.
81 percent of companies report the loss of one or more laptops containing sensitive data in the past 12 months. Would we even know what was on the laptop?
53 % believe that their companies would be unable to determine what sensitive or confidential info resided on a usb memory stick if it were lost.
PGP
- The PGP piece on the blackberry is there by default. You just need to license it. It actually will connect to your PGP Universal server. That sounds kind of neat.
Seagate
Seagate admits that it’s a hard drive solution only. You need to do something else for your thumb drive, and email, etc.
FIPS 140 in progress for the Seagate (I assume that is FIPS 140-2. I don’t think they do 140-1 anymore).
They also have the DoD evaluating for the secure wipe. Seagate just removes the encryption key.
The PGP guy made an analogy to when 3-D graphics cards came out. Something about it not putting software rendering out of business, it works together.
Q- Why would we need this (any of the vendors) when bitlocker comes out.
A – better management tools
- mature product
- OS support, bitlocker is obviously vista only and reportedly the more expensive versions of vista.
- No requirement for TPM. bitlocker is better with TPM.

Bitlocker cryptographic algorithm published

The Microsoft System Integrity Team Blog has posted a link to the Bitlocker Cryptographic algorithm.
The amazing thing is that the paper is from Microsoft, on Microsoft’s site, yet it’s in PDF. I’m kind of used to Microsoft documentation being placed in a signed self-extracting archive. In the article they discuss why existing ciphers were not satisfactory. They are using AES in CBC mode, but using a dedicated diffuser for security against manipulation attacks.
In the crypto world, an algorithm needs to be widely examined before it is trusted for use. In this paper, Microsoft explains why they have combined a widely tested AES-CBC with a new component, the Elephant diffuser. They feel that this gives the best of both worlds, the tested security of AES-CBC, and the additional security properties of the diffuser.
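To make the “manipulation attacks” concrete, here is an added illustration (not from the paper or from BitLocker’s code) of the CBC property the diffuser exists to counter: with plain AES-CBC and no integrity check, flipping one bit of ciphertext block i flips exactly the same bit in plaintext block i+1 and only garbles block i, so a targeted edit to encrypted data is possible without the key. A sector-wide diffuser spreads any ciphertext change across the whole decrypted sector instead. The example uses the .NET AES class with a constructed key, IV and 32-byte “sector”; none of those values are real.

```powershell
function Invoke-AesCbc {
    param([byte[]]$Key, [byte[]]$IV, [byte[]]$Data, [switch]$Decrypt)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::None   # disk sectors are whole blocks
    $aes.Key = $Key
    $aes.IV  = $IV
    $xf = if ($Decrypt) { $aes.CreateDecryptor() } else { $aes.CreateEncryptor() }
    try     { return ,$xf.TransformFinalBlock($Data, 0, $Data.Length) }
    finally { $xf.Dispose(); $aes.Dispose() }
}

function Show-CbcMalleability {
    # Constructed placeholder key/IV and a 32-byte sector made of two 16-byte AES blocks.
    $key    = [byte[]](1..16)
    $iv     = [byte[]](0..15)
    $sector = [System.Text.Encoding]::ASCII.GetBytes('SECTOR-000000000BALANCE=00001000')

    $ct = Invoke-AesCbc -Key $key -IV $iv -Data $sector

    # Modify ciphertext block 0 only, at block offset 11: that position lines up with the
    # last '0' before the '1' in block 1 ("BALANCE=0000|1000"). No key is involved.
    $tampered = [byte[]]$ct.Clone()
    $tampered[11] = $tampered[11] -bxor 0x01

    $pt = Invoke-AesCbc -Key $key -IV $iv -Data $tampered -Decrypt

    # CBC decryption: P[1] = D(C[1]) XOR C[0], so the one-bit change passes straight into P[1];
    # P[0] = D(C[0]') XOR IV is unrelated to the original and comes out as noise.
    [pscustomobject]@{
        OriginalBlock1 = [System.Text.Encoding]::ASCII.GetString($sector, 16, 16)   # BALANCE=00001000
        TamperedBlock1 = [System.Text.Encoding]::ASCII.GetString($pt, 16, 16)       # BALANCE=00011000
        Block0Garbled  = ([BitConverter]::ToString($pt, 0, 16) -ne [BitConverter]::ToString($sector, 0, 16))
    }
}

Show-CbcMalleability | Format-List
```

With the diffuser in front of AES-CBC the same one-bit change would scramble the entire sector, which is the “poor man’s authentication” the paper is after when there is no spare space on disk for a MAC.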