Re: Bootkit bypasses TrueCrypt hard disk encryption



nobody@xxxxxxxxxxxxxxx wrote in news:7e5c49F2en58fU1@xxxxxxxxxxxxxxxxxx:

nemo_outis wrote:

http://www.h-online.com/security/Bootkit-bypasses-hard-disk-encryption--/news/113884

Truecrypt (like others of the breed) protects data *at rest* (i.e.,
when encrypted data is not-mounted/not-in-use);

In case a TrueCrypt-encrypted laptop (powered off) gets stolen: if I
understand the article right, someone could install "Stoned" into the
MBR, boot the laptop and get access to the data stored on the
hard disk. Is that correct?

No, it is not correct. If someone steals a powered-off laptop there is *nothing* he can do to access Truecrypt data (by installing "stoned" or otherwise).

"Stoned injects itself into the Master Boot Record (MBR), a record
which remains unencrypted even if the hard disk itself is fully
encrypted. During startup, the BIOS first calls the bootkit, which in
turn starts the TrueCrypt boot loader."

The only thing "stoned" does is set itself to execute first all *subsequent* times the computer is powered on. If on one of those subsequent power-ups the *true owner* enters his Truecrypt password then "stoned" can harvest the password (or, better still, the key in memory). The "bad guy" would then have to access the machine a second time to pick up the password (or conceivably an improved "stoned" could send it by internet if the laptop is connected).

In short, the "bad guy" must have surreptitious direct physical access to the computer to install "stoned" prior to the password being typed (including admin rights, not that that's a big deal) and possibly afterwards as well. But if he could do that, he could have installed a hardware keylogger, a video camera, a microphone, a BIOS kludge, or have compromised the security of the computer in numerous other ways. Physical security (continuous control & custody) is the bedrock of security - if you don't have that, all bets are off.

Regards,

PS For what it's worth, it is a trivial matter to protect against "stoned". Make a "known-good" copy of the MBR/track 0 and restore it before using the computer (thus overwriting any MBR/track 0 that may have "stoned" on it). A bootable USB stick or CD is handy for this. It would take only a minute or so each time you boot up (effectively you boot up twice). There are a zillion utilities to do this (including some that come as part of the "restoration" package for various encryption programs). One example (just an example - I'm not pushing it particularly) is MBRtool:

http://www.diydatarecovery.nl/mbrtool.htm

However, it would be better practice to make sure your computer cannot be surreptitiously accessed.

PPS Incidentally, one trick I use to check my computer for surreptitious access is to look at the SMART data for the hard drive (there are a number of programs that can monitor SMART data). Amongst other things SMART shows the number of times the drive has been spun up. If you record what that count is just before ending a session you can check it again the next time you fire up. It should only have increased by 1 - if more, someone else has fired up your computer in the interim. This method won't thwart TLAs, but it will work up to moderately serious adversaries (local law enforcement, company sysadmins, etc.).

Nice bit of information. mbrtool seems to be free also.

This seems to be a SMART data tool:
http://sourceforge.net/projects/smartmontools/
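The two pre-boot checks from the PS and PPS above (verify/restore track 0 from a known-good copy, and compare the drive's SMART power-cycle count with the one recorded at the end of the previous session), written up as a script meant to run from a trusted live USB/CD before the encrypted system is booted. This is an added example, not code from the post, from MBRtool or from smartmontools. It assumes 512-byte sectors, that "track 0" means the first 63 sectors (the MBR plus the gap before the first partition, where MBR bootkits keep the rest of their code), and that the SMART reading is a saved `smartctl -A` table in its usual 10-column layout, in which attribute 12 is Power_Cycle_Count. Attribute 4, Start_Stop_Count, also rises on idle spin-downs, so it is the wrong counter for spotting an extra power-up. The disk image and smartctl excerpts in the demo are constructed so the script runs offline.

```shell
#!/bin/sh
# Pre-boot integrity check (added example; assumptions listed in the text above).
# Run from trusted live media, against the real disk (e.g. /dev/sda) or an image.

TRACK0_SECTORS=63   # assumption: MBR + pre-partition gap, 512-byte sectors

# Compare track 0 of disk/image $1 with the known-good copy $2.
# Returns 0 if identical; 1 if it differed and was overwritten from $2.
track0_verify_or_restore() {
    disk=$1
    good=$2
    tmp=$(mktemp)
    dd if="$disk" of="$tmp" bs=512 count="$TRACK0_SECTORS" 2>/dev/null
    if cmp -s "$tmp" "$good"; then
        rm -f "$tmp"
        return 0
    fi
    # Something rewrote the MBR/track 0 since the good copy was taken.
    # conv=notrunc writes in place and leaves the rest of the disk alone.
    dd if="$good" of="$disk" bs=512 count="$TRACK0_SECTORS" conv=notrunc 2>/dev/null
    rm -f "$tmp"
    return 1
}

# Print the RAW_VALUE (10th column) of SMART attribute ID $2 from a saved
# `smartctl -A` output file $1. Prints nothing if the attribute is absent.
smart_raw_value() {
    awk -v id="$2" '$1 == id { print $10 }' "$1"
}

# End of session: record the current Power_Cycle_Count (ID 12) in $2.
record_power_cycles() {
    smart_raw_value "$1" 12 > "$2"
}

# Start of session: the count should have risen by exactly 1 (our own
# power-up). Returns 0 if so; 1 if it rose by more (someone else powered
# the machine up in between) or if the counter could not be read.
power_cycle_check() {
    now=$(smart_raw_value "$1" 12)
    last=$(cat "$2")
    [ -n "$now" ] && [ -n "$last" ] && [ "$now" -eq $((last + 1)) ]
}

# Demo on constructed data so the script runs without a real disk.
demo() {
    d=$(mktemp -d)
    dd if=/dev/urandom of="$d/disk.img" bs=512 count=2048 2>/dev/null
    dd if="$d/disk.img" of="$d/track0.good" bs=512 count="$TRACK0_SECTORS" 2>/dev/null

    # Simulate a bootkit overwriting the first bytes of the MBR boot code.
    printf 'STONED' | dd of="$d/disk.img" bs=1 conv=notrunc 2>/dev/null
    if track0_verify_or_restore "$d/disk.img" "$d/track0.good"; then
        echo "track 0: unchanged"
    else
        echo "track 0: MODIFIED, restored from known-good copy"
    fi

    # Constructed smartctl -A excerpt for yesterday; today's reading is +2.
    cat > "$d/smart.yesterday" <<'EOF'
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   100   100   000    Old_age   Always       -       1532
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       1201
EOF
    sed 's/1201$/1203/' "$d/smart.yesterday" > "$d/smart.today"
    record_power_cycles "$d/smart.yesterday" "$d/cycles.baseline"
    if power_cycle_check "$d/smart.today" "$d/cycles.baseline"; then
        echo "power cycles: +1, as expected"
    else
        echo "power cycles: extra power-up(s) since last session"
    fi
    rm -rf "$d"
}

demo
```

On a real machine the calls would be `track0_verify_or_restore /dev/sda /media/usb/track0.good` and `smartctl -A /dev/sda > /tmp/smart.now; power_cycle_check /tmp/smart.now /media/usb/cycles.baseline`, with `record_power_cycles` run just before shutting down. The known-good track 0 copy must be taken once from a trusted state and kept on the removable medium, never on the disk it protects.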
