Re: Bootkit bypasses TrueCrypt hard disk encryption



nobody@xxxxxxxxxxxxxxx wrote in news:7e5c49F2en58fU1@xxxxxxxxxxxxxxxxxx:

> nemo_outis wrote:
>
> > http://www.h-online.com/security/Bootkit-bypasses-hard-disk-encryption--/news/113884
> >
> > Truecrypt (like others of the breed) protects data *at rest* (i.e.,
> > when encrypted data is not-mounted/not-in-use);
>
> In case a Truecrypt encrypted laptop (powered off) gets stolen: if I
> understand the article right, someone could install "Stoned" into the
> MBR, boot the laptop and get access to the data stored on the
> hard disk. Is that correct?

No, it is not correct. If someone steals a powered-off laptop there is
*nothing* he can do to access Truecrypt data (by installing "stoned" or
otherwise).


"Stoned injects itself into the Master Boot Record (MBR), a record
which remains unencrypted even if the hard disk itself is fully
encrypted. During startup, the BIOS first calls the bootkit, which in
turn starts the TrueCrypt boot loader."

The only thing "stoned" does is set itself to execute first all
*subsequent* times the computer is powered on. If on one of those
subsequent power-ups the *true owner* enters his Truecrypt password then
"stoned" can harvest the password (or, better still, the key in memory).
The "bad guy" would then have to access the machine a second time to pick
up the password (or conceivably an improved "stoned" could send it by
internet if the laptop is connected).

In short, the "bad guy" must have surreptitious direct physical access to
the computer to install "stoned" prior to the password being typed
(including admin rights, not that that's a big deal) and possibly
afterwards as well. But if he could do that, he could have installed a
hardware keylogger, a video camera, a microphone, a BIOS kludge, or have
compromised the security of the computer in numerous other ways.
Physical security (continuous control & custody) is the bedrock of
security - if you don't have that, all bets are off.

Regards,

PS For what it's worth it is a trivial matter to protect against
"stoned." Make a "known-good" copy of the MBR/track 0 and restore it
before using the computer (thus overwriting any MBR/track 0 that may have
"stoned" on it). A bootable USB stick or CD is handy for this. It would
take only a minute or so each time you boot up (effectively you boot up
twice). There are a zillion utilities to do this (including some that
come as part of the "restoration" package for various encryption
programs). One example (just an example - I'm not pushing it
particularly) is MBRtool:

http://www.diydatarecovery.nl/mbrtool.htm

However, it would be better practice to make sure your computer cannot be
surreptitiously accessed.

PPS Incidentally, one trick I use to check my computer for surreptitious
access is to look at the SMART data for the hard drive (there are a
number of programs that can monitor SMART data). Amongst other things
SMART shows the number of times the drive has been spun up. If you
record what that count is just before ending a session you can check it
again the next time you fire up. It should only have increased by 1 - if
more, someone else has fired up your computer in the interim. This
method won't thwart TLAs, but it will work up to moderately serious
adversaries (local law enforcement, company sysadmins, etc.).
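The two checks suggested in the PS and PPS, written up as an added example (not code from the poster or from any of the tools mentioned): compare the MBR boot code against a known-good copy and confirm the SMART power-cycle count grew by exactly one since the last session. It assumes the MBR bytes and the `smartctl -A` text are captured separately (e.g. from a USB-booted rescue system, as the post recommends) and passed in; the sample inputs are constructed, not from a real drive.

```python
"""Offline boot-integrity checks: MBR boot-code digest and SMART spin-up delta."""
import hashlib
import re

MBR_SIZE = 512
BOOT_CODE_SIZE = 446  # bytes before the partition table: the part a bootkit overwrites


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the executable part of the MBR only. The partition table
    (bytes 446..509) is excluded because repartitioning changes it legitimately."""
    if len(mbr) < MBR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a valid 0x55AA signature")
    return hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()


def mbr_boot_code_matches(mbr: bytes, known_good_digest: str) -> bool:
    """True when the boot code is byte-for-byte the copy you recorded earlier."""
    return boot_code_digest(mbr) == known_good_digest


# Matches the Power_Cycle_Count row of `smartctl -A`; the raw value is the last field.
_POWER_CYCLE_RE = re.compile(r"^\s*12\s+Power_Cycle_Count\s+.*\s(\d+)\s*$", re.M)


def parse_power_cycle_count(smartctl_output: str) -> int:
    """Extract the raw Power_Cycle_Count value from smartctl attribute output."""
    m = _POWER_CYCLE_RE.search(smartctl_output)
    if not m:
        raise ValueError("Power_Cycle_Count attribute not found")
    return int(m.group(1))


def unexpected_power_cycles(recorded: int, current: int) -> int:
    """Spin-ups beyond the single one expected for this boot.
    0 means nothing happened in between; >0 means the drive was powered on by someone else."""
    return current - recorded - 1


# Constructed sample inputs (not captured from real hardware).
SAMPLE_SMARTCTL = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   098   098   000    Old_age   Always       -       1234
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       317
"""
SAMPLE_MBR = b"\xeb\x3c" + b"\x90" * 444 + b"\x00" * 64 + b"\x55\xaa"

if __name__ == "__main__":
    known_good = boot_code_digest(SAMPLE_MBR)          # record this on first, trusted boot
    print("MBR boot code intact:", mbr_boot_code_matches(SAMPLE_MBR, known_good))
    print("extra spin-ups:", unexpected_power_cycles(316, parse_power_cycle_count(SAMPLE_SMARTCTL)))
```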
