lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <86F17B5164304AF4B535C7BA977FB1B1@localhost>
Date: Mon, 10 Mar 2008 15:12:31 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <full-disclosure@...ts.grok.org.uk>
Cc: "Larry Seltzer" <Larry@...ryseltzer.com>,
	<bugtraq@...urityfocus.com>
Subject: Re: [Full-disclosure] Firewire Attack on Windows Vista

Larry Seltzer wrote:

>>>WRT the DMA access over FireWire it's but a bad response since it
>doesn't get the point!
>>>1. Drive encryption won't help against reading the memory.
>>>2. The typical user authentication won't help, we're at hardware level
>>>   here, and no OS needs to be involved.
>>>3. The computer is up (and running; see above), no hibernate or sleep
>>>   is involved here.
>
> So on a freshly-booted system with drive encryption you can read
> whatever you want on the disk? 

No. As another poster already wrote: there's no(t yet a) disk involved.

The attacker just reads the memory and can then try to find cached
credentials or cryptographic keys (as described in the paper by Ed Felten
et al).

But let's take it further: Windows uses TCP/IP over IEEE 1394 in
standard setup, so after getting the cached credentials of an
Administrator from memory an attacker can successfully (I assume a
standard setup where the Windows firewall allows accesses from the own
subnet) mount \\target\C$ or \\target\ADMIN$ and thus read the files
on the disk. If only drive encryption is used, the files are decrypted
by the target.

>>>4. Group policies can be circumvented, even by a limited user.
>>>
><http://blogs.technet.com/markrussinovich/archive/2005/12/12/circumventi
>ng-group-policy-as-a-limited-user.aspx> 
>
>What he says is that some group policies, not including system-wide
>security settings, maybe circumvented, even by a limited user.

Right. The point is that group policies can/might help, but are not
"fool proof".

Stefan Kanthak

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ