Drive Encryption Useless Against Some Online Attacks

Tuesday, January 11, 2011

Dan Dieterle


When securing your system, drive encryption is heavily recommended, and it works very well. But just how well will it protect you from online attacks?

Well, truth be told, in some situations it may not help you at all.

I wanted to see how well drive encryption would protect a Windows XP SP3 machine from a common online, Java-based attack.

So I installed the latest version of TrueCrypt (a popular open-source encryption program) on a test system. I encrypted the whole drive just to be safe:

[screenshot]

I then rebooted to verify that the system would not boot without the TrueCrypt password:

[screenshot]

But let's take this one step further. One layer of encryption is good, but I have a very important file that I do not want read by others, and I definitely do not want someone else to be able to copy it to a different system.

I encrypted the "Super Secret" folder and the goldmine file "Secret.txt" on the victim's machine with Windows' built-in Encrypting File System (EFS):

[screenshot]

All right, green means encrypted, so we are good to go. The whole drive is protected by one layer of encryption (TrueCrypt), and the target file itself is protected by a second, per-user layer (EFS).

To see how well the encryption would stand up to an online attack, I used a Linux system running BackTrack 4's Social-Engineer Toolkit (SET) and set up a simulated malicious Java applet attack.

On the target machine, once I clicked on the malicious Java applet and allowed it to run, I received a remote shell to the victim machine. Issuing a directory listing from that remote shell on the attacker's machine returned this:

[screenshot]

A full directory listing of the victim's encrypted root drive. Well, that is not good. The "Super Secret" directory shows up in the list; I wonder if I can access it:

[screenshot]

Absolutely. Not only could I read the directory and its contents remotely, I was able to view the contents of the encrypted file itself. Still, that is not quite a fair test yet.

I could read it, but would I be able to copy that double encrypted file to a different computer?

[screenshot]

Okay, it copied without error. But since the file is encrypted, surely there is no way I should be able to read it on a different machine…

[screenshot]

This is a screenshot of the file in the Kate text editor on my (Ubuntu-based) Linux attacking machine. After copying the "secret" text file to the remote attacking machine, it opened with no issues and was completely readable. The secret message, now in the clear on a remote machine, reads:

Super Secret Insider Tip: Sell all stocks and buy Tacos.

“Buy Tacos”, that’s a good tip, and it didn’t even come from Wikileaks. Well maybe it will be in the next release.

Okay, how was this possible? Full-drive encryption does exactly one job: it protects data at rest. When the machine is off, or the volume is not mounted, the disk is unreadable without the TrueCrypt password. EFS adds a second, per-user layer: the file's key is wrapped with the logged-in user's EFS certificate, so another user on the local machine or across the LAN gets "Access is denied" instead of the text.

But this online attack dropped the attacker into the currently logged-in user's session. The TrueCrypt volume was already mounted, so every process on the machine already saw plaintext, and the remote shell was running under my user's token, so EFS unwrapped the file key for it exactly as it would for Notepad. Neither layer can tell a remote attacker from the local user; from the file system's point of view they are the same thing. Copying the file out through that shell reads it via the same transparent decryption, which is why what landed on the attacker's machine was plaintext.
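The following PowerShell session reproduces the EFS half of this on a current Windows box. It is an added example and not code from the original post: it assumes PowerShell 2.0 or later on an NTFS volume where EFS is available (XP Professional SP3 and later Pro/Enterprise editions), and the paths, the sample text and the Test-EfsEncrypted helper are this example's own choices. It encrypts a file the way Explorer's "Encrypt contents" checkbox does, reads it back from the same session, and then makes the byte-for-byte copy that an attacker's "download" command makes, to show that the copy carries no protection.

```powershell
# Added example, not from the original post. Demonstrates why a shell running in
# the logged-in user's session reads EFS-protected files as plaintext.
# Assumes PowerShell 2.0+ on an NTFS volume with EFS available; the paths and
# the Test-EfsEncrypted helper are this example's own choices.

$secretDir  = Join-Path $env:USERPROFILE 'Super Secret'
$secretFile = Join-Path $secretDir 'Secret.txt'
$dropDir    = Join-Path $env:TEMP 'exfil-demo'   # an ordinary, unencrypted folder

New-Item -ItemType Directory -Force -Path $secretDir, $dropDir | Out-Null
Set-Content -LiteralPath $secretFile -Value 'Super Secret Insider Tip: Sell all stocks and buy Tacos.'

# Same as Properties > Advanced > "Encrypt contents to secure data" in Explorer:
# mark the folder, then encrypt the file with the current user's EFS certificate.
cipher.exe /e $secretDir | Out-Null
[System.IO.File]::Encrypt($secretFile)

function Test-EfsEncrypted([string]$Path) {
    # The Encrypted attribute is what Explorer renders as a green file name.
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

"Encrypted on disk: $(Test-EfsEncrypted $secretFile)"        # True

# Transparent decryption: NTFS unwraps the file's key with this user's private
# key for any process that holds this user's token. A reverse shell spawned by a
# Java applet you clicked "Run" on holds exactly that token, so it reads the same
# bytes this line does.
"Read in-session:   $(Get-Content -LiteralPath $secretFile)"

# What an attacker's "download" does: read through the file system (plaintext)
# and write the bytes somewhere else. The copy is not EFS-encrypted, and once it
# leaves the machine neither EFS nor the mounted TrueCrypt volume apply at all.
$plainCopy = Join-Path $dropDir 'Secret.txt'
[System.IO.File]::WriteAllBytes($plainCopy, [System.IO.File]::ReadAllBytes($secretFile))
"Copy encrypted:    $(Test-EfsEncrypted $plainCopy)"         # False
"Copy contents:     $(Get-Content -LiteralPath $plainCopy)"

# Contrast: the same read under a different local account fails with
# "Access is denied", because that account's certificate is not among the keys
# EFS stored with the file. Run interactively (it prompts for that password):
#   runas /user:OtherUser "cmd /c type `"$secretFile`""
```

The point of the last two steps is the one the article makes: the Encrypted attribute, and the green file name behind it, never leave the NTFS volume. Anything that reads the file through the file system with the owner's token gets plaintext, and a plaintext copy written anywhere else is just a text file.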

* Side note: if your encrypted laptop is stolen while it is powered on, even with the screen locked, it can be vulnerable to a cold boot attack, because the volume's master key has to stay in RAM for as long as the volume is mounted. Locking the screen does not unmount the volume or purge the key.

What do you do to defend yourself against this type of online attack? Do not surf the web from the system that holds the secrets. Use a virtual machine, or a different machine altogether. If you must browse from the encrypted machine, do not let anything from the web execute on it: whatever you allow to run inherits your session, and with it transparent access to every file you can read.

Java applets, online "free" virus scanners, many "free" games, and the bogus "you need to install this missing video codec" prompt are all things to avoid.

Encryption works very well at what it does, which is protecting data at rest. It cannot protect a live, logged-in session from code you allow to run in it.

Cross-posted from Cyber Arms

Tags: Encryption, Java, malware, Attack, Backtrack, TrueCrypt
Robert Gezelter: Dan,

Thank you for taking the time to write this article. Drive encryption software truly only protects against "cold" machines being separated from their owners. When the machine is running, indeed a program operating above the level of the encrypter can of course access all devices, physical and container file.

I have long practiced and recommended the use of virtual machines for browsing as a safety measure. I refer to them as "disposable virtual machines". Like the ubiquitous disposable gloves used in medical settings, the presumption is that they are a barrier, and are to be discarded after use as a precaution.

I have also used this same technique with situations involving client VPNs, to avoid VPN kit fratricide with similar software.

I presented this technique at last year's Trenton Computer Festival, and published an entry about it in my blog in an entry entitled "Disposable Virtual Machines: Deliberately Expendable". The blog entry (and the presentation slides) can be accessed at http://www.rlgsc.com/blog/ruminations/disposable-virtual-machines.html.

Once again, thank you for reminding people of the limitations of drive encryption.
(2011-01-12 10:33 UTC)
Shiv Ram: You could encrypt information using a remote device such as your cellphone and use that to unlock the encrypted info on your drive. We have done this with passwords.
(2011-01-12 20:10 UTC)
Dan Dieterle: @Robert - Thank you for the information, I will check that out!
(2011-01-13 18:53 UTC)
Dan Dieterle: @Gurudatt - Very interesting point. Would you need to use the cellphone to decrypt the file each time you access it? How would that work?

It would seem that if you just had to unlock it once at boot up, it would still be vulnerable to this technique.

Thanks!
(2011-01-13 18:55 UTC)
Shiv Ram: The solution we have developed is an online app that encrypts and decrypts passwords and data.

The owner has to sign in to an account using a passphrase from their cellphone, and the password would be unlocked for the website that uses such a feature. It is another way of doing two-factor authentication using a device you own.

With regards to files, if the file is stored online, then the same process will apply. An online file decrypt function will decrypt the file only if the user unlocks the key used to encrypt the file using their cellphone sign in.

However, if the file is stored locally on a device, an app will have to be created that connects online, checks if the key used to encrypt the file is unlocked, and then goes on to decrypt the device.

To make life easier, the user can register devices that do not require him or her to use the cellphone to unlock the key, and thus open the file from any one of the registered devices.
(2011-01-14 17:55 UTC)