[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <85B0B893C775469987222CBF5A31A860@localhost>
Date: Sun, 9 Mar 2008 17:27:26 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <full-disclosure@...ts.grok.org.uk>
Cc: bugtraq@...urityfocus.com
Subject: Re: Firewire Attack on Windows Vista
Larry Seltzer wrote:
> I actually do have a response fom Microsoft on the broader issue, but it
> doesn't address these issues or even concded that there's necessarily
> anything they can do about it. They instead speak of the same
> precautions for physical access that they spoke of a couple weeks ago
> with respect to the "frozen notebook memory" attack - use drive
> encryption, use 2-factor authentication, use hibernate instead of sleep,
> use group policy to enforce them. I don't think it's a bad response
> under the circumstances.
WRT the DMA access over FireWire it's but a bad response since it doesn't
get the point!
1. Drive encryption won't help against reading the memory.
2. The typical user authentication won't help, we're at hardware level
here, and no OS needs to be involved.
3. The computer is up (and running; see above), no hibernate or sleep
is involved here.
4. Group policies can be circumvented, even by a limited user.
<http://blogs.technet.com/markrussinovich/archive/2005/12/12/circumventing-group-policy-as-a-limited-user.aspx>
Stefan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists