Many people have contacted my team and I over the last few days about the recent announcement by ElcomSoft, that they offer a tool to decrypt Bitlocker, PGP and Truecrypt volumes.
This $299 tool is advertised as getting you access to this encrypted data quickly and easily…
Now, this may sound exciting, but as they say, there’s always a catch – you need a memory dump from the machine from when it was authenticated to use this tool – yes, no recovery if you find a cold machine. You have to get access to it while it’s on and the user has logged in, then, after they switch it off, you can recover the data..
NOTE – Production-ready version 5.63 (as far as I am aware) is now available on CTOGoneWild
This version is a real departure from the 5.2 and before series, as I got rid of the dependence on IE for the UI – it was becoming a real pain, with IE trying to display first run screens, telling me it was not installed etc. Generally the IE object was unreliable to say the least.
Instead, I used a whole bunch of HTAs – This is nicer architecturally as each stands alone and can be modified as you see fit, so you can change the UI without changing the logic of the script, plus they run independently so if they crash and burn, again, no problems for the script.
Other than that, there were some more changes to make the “Run On Logon” code asynchronous, so it does not stall the user experience when provisioning them. You can find a full list of changes at the top of the autodomain.vbs script.
Finally, if you enjoy this tool and it saves you a whole bunch of time and effort, you might want to send me something from my Amazon Gift List? Thanks!
You can read more about the current version on my previous blog on this topic.
I finally got around to posting ToastCache to my CTOGoneWild site. This is a simple script which uses a couple of tricks, and a kludge to force the EEM v5 Name index to rebuild on demand.
The EEM Name Index is one of the most useful performance enhancements you can enable within the product – certainly any database running more than 2000 machines needs it turned on to give reasonable performance. The Index speeds up Name>ID resolution. Without it, the server has to crawl the entire database searching for an object which matches the name it’s looking for – This means that logging on slows down for new users (they are placed at the end of the db), and also creating new things takes more time (as the DB has to be trawled end-to-end looking to see if the name is already in use).
The index resolves both of these, and more scenarios by maintaining a “bucket list” of hashed names>IDs. Read more…
This post originally placed on my McAfee Blog - http://blogs.mcafee.com/corporate/cto/improving-security-on-solid-state-drives
Well, One week into the Intel/McAfee relationship and I am pleased to say it’s already bearing fruit. Over the last few days I’ve been reaching out to all my Intel peers, making the connections with people which were simply impossible while the deal was going through all the evaluations.
This week, Jaikumar Vijayan at Computerworld posted an interesting article about new Chinese rules designed to control the import of non-domestic encryption products.
Many people have infered that these new rules will mean products imported into China will be somehow compromised, or unsafe, because their details will have been released to the Chinese Government.
Nothing could be further from the truth.. Read more…
Following on from my post “10 Things You Don’t Want To Know About Bitlocker”, “TPM Undressed” and “Firewire Attacks Revisited” it recently came to my attention that Passware, Inc. A feisty California company has released a version of their forensic software which will decrypt Bitlocker and TrueCrypt protected hard disks via the classic Firewire vulnerabilities.
A full write-up can be found on the Passware site, but simply, given a machine that’s running, but has encrypted drives (for example one using Bitlocker in TPM-only mode, or a machine which is suspended, not hibernated). As to how to do it, well they have implemented the exploit in a very neat and usable way:
Last month Joanna Rutkowska posted a very interesting article showing a practical “Evil Maid” attack against the open-source TrueCrypt FDE product. The attack is reasonably simple, subvert the pre-boot authentication engine of the full-disk encryption product in question to add a password-sniffing routine, then wait for the unsuspecting user to authenticate to their machine and then retrieve the credentials at a later stage.
Evil Maid is simply hooking the pre-boot code of TrueCrypt and adding a routine to store the users password. Because the TrueCrypt code is quite simple, it’s a relatively easy thing to do, but the attack is theoretically valid regardless of this fact, just the effort to make the hook code increases with the sophistication of the pre-boot environment. Read more…