Message-Id: <20130714205426.2407D600AC@smtp.hushmail.com>
Date: Sun, 14 Jul 2013 21:54:25 +0100
From: whizzbang@...h.ai
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Abusing Windows 7 Recovery Process‏

Genius!

"Both McAfee RootKit Detective
(http://vil.nai.com/vil/stinger/rkstinger.aspx) and SysInternals
RootKitRevealer
(http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx), as
well as others, provide tools to do exactly this kind of detection,
and of course, with a reputable AV/Malware product on your machine in
the first place, the only way Stoned Bootkit is going to get a hold on
your computer is if someone physically puts it there."

We *were* talking about physical access, were we not? That being the
point of the whole thread. If anyone with any skills gets hold of
your machine then you'll be giving them your passphrase the next time
you think you're logging in, to use along with their image of said
drive. By the time your given AV kicks in it'll be way too late. Maybe
once the OS starts, everything has been rewritten as it once was? I
guess if there's no remote access to be had from the box (to regain
the stolen passphrase remotely) the attacker might have to gain
physical access twice, but when they've already done it once then
that's probably no great trick, eh. Or maybe your box now contains a
little extra hardware that's shitting out your keystrokes elsewhere
over various wireless technologies? The point is, physical access is
pretty much always game over, AFAIK.

When I said 'with a bootkit' I meant consider the technique, not go
google 'bootkit'. Sorry if I came across as flippant. Good luck with
McAfee protecting you against this type of thing :)
Oh wait, and the best bit from McAfee's page regarding this:

"The adage, If you let your computer out of your sight, it’s no
longer your computer, rings true with this exploit."
On 14 July 2013 at 2:38 PM, "Alex" wrote:

> McAfee KB 66153
>
> On 14 July 2013 06:40:57, whizzbang@...h.ai wrote:
>
>>> You didn't tell us how you cracked the full disc encryption. (There
>>> are ways around controls, but that is why we have multiple security
>>> layers.)
>>
>> With a bootkit, of course. (That is why we have multiple tools.)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/