Protecting the Operating System

Protecting the Operating System
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 General Computer Security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
Protecting the Operating System Ricardo 09-23-2006
Posted by Ricardo on September 23, 2006, 2:15 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Hello,
I have just come to the conclusion that the only way to protect the machine
with free physical access to anauthorized personnel is... to encrypt it.
Unfortunately it seems that this can be done only the lonely by DriveCrypt
software which costs a lot. It's wonderful stuff indeed allowing to encrypt
the drive with authentication feature at the pre-boot level! The encryption
seems excellent AES-256 algotithm. It's only drawback (except for the price)
is that it doesn't see Linux partitions (not to mention that it doesn't run
on Linux)which makes them liable to potential attack. It looks like for now
only Windows operationg system may be securely locked unless you run Linux
as a VMware guest system on the DriveCrypted Windows host. I wonder what are
your experiences with respect to securing the stand alone box with
uncontrolled physical access, like at the University (my case).
P.S. Have just noticed free stuff called CompuSec PC Security Suite which
seems both Windows and Linux compatible though as compared to DriveCrypt it
uses weaker encrypting algorithm AES-128 and looks like is much slower. I
cannot wait to hear your comments.
Kindest regards,
--
Ricardo



Posted by Sebastian Gottschalk on September 23, 2006, 4:56 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Ricardo wrote:

> Hello, I have just come to the conclusion that the only way to protect
> the machine with free physical access to anauthorized personnel is... to
> encrypt it.

No. Encryption of all storage media only protects cold filesystems. In
runtime, one could hook the motherboards connection lines to gain full
access to the RAM, CPU or whatever you like.

> Unfortunately it seems that this can be done only the lonely by
> DriveCrypt software which costs a lot.

Bullshit. There are numerous products available, f.e. SafeBoot Solo and
PGP Desktop Security Professional, as well as many non-serious and broken
ones.

> It's wonderful stuff indeed allowing to encrypt the drive with
> authentication feature at the pre-boot level!

And it's utterly useless that you can't put the initial boot code on any
secondary media to boot from. An attacker would simply modify the
bootloader to, beside the normal functionality, store the password
somewhere.

> The encryption seems excellent AES-256 algotithm. It's only drawback
> (except for the price) is that it doesn't see Linux partitions (not to
> mention that it doesn't run on Linux)which makes them liable to
> potential attack.

It's most obvious and not the only drawback that's it's pure snakeoil,
horribly broken and horribly insecure. Not to mention that it's closed
source.

> I wonder what are your experiences with respect to securing the stand
> alone box with uncontrolled physical access, like at the University (my
> case).

What about installing a physical lock on the PC case?

> P.S. Have just noticed free stuff called CompuSec PC Security
> Suite which seems both Windows and Linux compatible though as compared
> to DriveCrypt it uses weaker encrypting algorithm AES-128 and looks like
> is much slower.

To me, it looks like it's broken as the bootloader crashes on my test
machine. In contrast, DriveCrypt wasn't even worth being looked at.

Posted by Saqib Ali on September 24, 2006, 6:28 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Ricardo,

There are a dozen or so full/whole disc encryption solutions available
with pre-boot authentication option. See the URL below for list:

http://www.full-disc-encryption.com/Full_Disc_Encryption.html

I use CompuSec. It is free and has support for Linux. It has pre-boot
authentication and has a builting credential manager. One thing that is
missing support for Trusted Platform Module (TPM). TPM can make the key
recovery possible and simplify single sign on.

You might also want to take a look at hardware based Full Disc
Encryption. There are few vendors that provide that. The above URL
lists a few. Hardware based FDE works regardless of the OS you are
using.

If you are using a notebook Ce-Infosys has PCMCIA card or Seagate
Technology will soon have FDE HDD for notebooks:
http://www.seagate.com/docs/pdf/marketing/po_momentus_5400_fde_bb.pdf

Also check out the Wikipedia article about Full Disc Encryption:
http://en.wikipedia.org/wiki/FDE
It talks about "Full disk encryption vs. file or directory encryption"

P.S. If you have any feedback about DriveCrypt, please do send it to
me. I am looking to buy that product as well.


Ricardo wrote:
> Hello,
> I have just come to the conclusion that the only way to protect the machine
> with free physical access to anauthorized personnel is... to encrypt it.
> Unfortunately it seems that this can be done only the lonely by DriveCrypt
> software which costs a lot. It's wonderful stuff indeed allowing to encrypt
> the drive with authentication feature at the pre-boot level! The encryption
> seems excellent AES-256 algotithm. It's only drawback (except for the price)
> is that it doesn't see Linux partitions (not to mention that it doesn't run
> on Linux)which makes them liable to potential attack. It looks like for now
> only Windows operationg system may be securely locked unless you run Linux
> as a VMware guest system on the DriveCrypted Windows host. I wonder what are
> your experiences with respect to securing the stand alone box with
> uncontrolled physical access, like at the University (my case).
> P.S. Have just noticed free stuff called CompuSec PC Security Suite which
> seems both Windows and Linux compatible though as compared to DriveCrypt it
> uses weaker encrypting algorithm AES-128 and looks like is much slower. I
> cannot wait to hear your comments.
> Kindest regards,
> --
> Ricardo


Posted by Sebastian Gottschalk on September 24, 2006, 10:24 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Saqib Ali wrote:

> There are a dozen or so full/whole disc encryption solutions available
> with pre-boot authentication option. See the URL below for list:
>
> http://www.full-disc-encryption.com/Full_Disc_Encryption.html
>
> I use CompuSec. It is free and has support for Linux.

Well, FDE has never been an issue on Linux. Just put your boot partition
on an external media and mount the existing partitions with a crypto-loop.


> It has pre-boot authentication and has a builting credential manager. One
> thing that is missing support for Trusted Platform Module (TPM). TPM can
> make the key recovery possible and simplify single sign on.

Yeah, it makes key recovery possible for every sufficient powerful
attacker which could conventionally break the hardware, which seems to be
quite easy. A well-known anti-feature.

> You might also want to take a look at hardware based Full Disc
> Encryption. There are few vendors that provide that. The above URL lists
> a few. Hardware based FDE works regardless of the OS you are using.

And most implementations are shit. Slow 3DES with ECB mode and no MAC.

> P.S. If you have any feedback about DriveCrypt, please do send it to me.
> I am looking to buy that product as well.

"1344 bit military strong encryption" matches very well with the crypto
snake-oil FAQ.

Posted by Saqib Ali on September 25, 2006, 11:49 am
If you were  Registered and logged in, you could reply and use other advanced thread options
> "1344 bit military strong encryption" matches very well with the crypto
> snake-oil FAQ.

hehe. i m in total agreement with that. when will crypto vendors learn
that proprietary algorithms are NOT a selling point?



--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------


Similar ThreadsPosted
Password protecting? May 12, 2005, 10:37 pm
Protecting Folder November 7, 2008, 8:52 pm
Question from a newbie -- protecting files July 20, 2005, 3:01 pm
Protecting the Network with Homogeneous servers July 24, 2006, 5:02 am
Passphraselessly protecting dictionary relations May 10, 2007, 4:13 am
Please help with buying a UPS for my system October 14, 2005, 2:01 pm
Vulnerabilities Management System June 11, 2004, 4:50 am
NTFS - System files... January 4, 2005, 2:21 pm
Bad System Architecture, Accountability June 14, 2005, 8:14 am
Advice pls on what is happening on my system December 9, 2005, 5:14 am

The site map in XML format XML site map

Contact Us | Privacy Policy