
CG2 - Attacking and Defending Full Disk Encryption - Tom Kopchak

BSides Las Vegas · 52:42 · 132 views · Published 2017-01
About this talk
CG2 - Attacking and Defending Full Disk Encryption - Tom Kopchak Common Ground BSidesLV 2013 - Tuscany Hotel - July 31, 2013

Well, it's good to see everyone here. Good morning. How's everyone doing? Everyone enjoying the conference so far? That's good. I know it hasn't been too much. I'm from the East side, Eastern time, so it's weird that this is still morning; I'm used to this being called afternoon. But seeing emails from my co-workers at 6 a.m., like, well, everyone got up early. Time zones are like that, I guess. But just to get an idea, how many of you are kind of from the Las Vegas area? Wow, we are in Las Vegas; that's not what I'm used to seeing. Suburb Val? So how many of you are more from the West Coast side of

things? Can a central US? Solid East side, West Coast. Well, it's good to see such a diverse crowd, and hopefully the conference will go well for everyone, and thank you very much for coming and listening to this presentation today. Today I'm going to talk to you about a topic that I think is really cool and very relevant. All too often we're seeing companies deploying full disk encryption, and people using it on their personal machines too, but a lot of the problem I see with implementations of disk encryption is that we see encryption as this magical black box that just solves all our problems. It's encrypted, we're good, you don't have to

worry about anything. But the plain fact is full disk encryption, like any other security technology, can be and is vulnerable to different forms of attacks, and there are things that we can do better than just enabling it and setting it and forgetting it, so to speak, to better protect it. I'm going to cover both sides of the coin: the ways that you can attack a full disk encrypted system, and also ways that you can better defend these systems to protect that information and ultimately protect your company's data, your company's intellectual property. So without further ado, just a little bit about myself. I'm a security engineer at Hurricane Labs, which is a Cleveland-

based security company. We're an MSP that does everything from Check Point, Splunk, vuln management, network monitoring, the full nine yards. So I get to get my hands into a whole bunch of different things, monitor systems across the world across our customers, and it's been a great experience. Prior to joining Hurricane Labs I was a student at the Rochester Institute of Technology; I studied computing security and information assurance for my master's, kind of focused on forensics and data storage for some of my research in that area, as well as being a graduate assistant. For undergrad I studied applied system administration, so I have the security and kind of the networking

side of the coin. What really got me into security was the CCDC competition. Do we have people who participated in that before? It's good to see a couple. My shirt right now, yeah, I can't quite see that, but yeah, that's because it's like five years old, so it's dark green on black. Hey, you know, colors work like that; that's why we're security people, not our PES. But that kind of really set me into the mindset of what it's like to defend systems and what it's really like to get attacked constantly, and the way I kind of see it is it's my job now, and my life

is CCDC every day, almost. So there are good and bad things with that, but it's definitely never a dull day, for sure. Just to kind of get a feel for the audience and get everyone thinking about this topic: how many of you currently (this is my fake "show everyone's awake" question) work for a company or personally use a laptop? Hey, good, you guys are awake. How many of you, as part of your company's deployment, either require full disk encryption or have it deployed on at least a set of systems? It's probably why you're here. Good. How many of you, is it mandatory on every laptop system in your

organization? Still a pretty good size, I would say probably about two-thirds. How many of you do that on your personal machines as well? Pretty good. I expected that to be a little bit less than the company mandate, just because it's different, and it was a slightly different set of the crowd, but still about two-thirds, which is good to see. How many of you, or in your organization, require this on other machines like desktops? I don't expect to see as many. Okay, but there are some people who do that on their desktops. What about servers? Is there anyone who's making servers have full disk encryption? One person, or two people,

three people. What are the reasons for doing servers? That's just something that

isn't... Drive disposal, being able to decommission, you're moving boxes from one geographic point to another.

There. How do you deal with reboots? Something like... then decrypted... or it's built into the controllers, the N device, so it's automatic from that perspective, so it's an automatic decryption, but it's kind of seamless to the user. We'll kind of talk about some aspects of that too, I think, as part of this presentation; I kind of think about elements of that as well. But just to kind of get everyone on the same page, I know with the audience that we have here you're all at least familiar with full disk encryption in some way, shape, or form, so this will be kind of a review and just get everyone up to the same speed. But some of the

challenges that are introduced: management. It's a new step, it's a new technology that has to be dealt with. It's no longer the case of we just give someone a laptop that has an operating system on it; you have to have this encryption layer that's added in. So how do we manage getting that onto all our systems? How do we manage dealing with the user aspect? You have to have some way to decrypt the information for it to be useful. And how do you deal with updating the encryption, say someone needs a key reset, or if your whole organization needs their encryption reset, or if you have a master

password of some sort that gets reset, how do you deal with this? It's something new, it's an extra step, and as security we don't always like to have extra steps, although sometimes we do. The other aspect: performance implications. This was more of an issue when full disk encryption first started to be deployed, where people would really do drastic things in order to try to deal with the fact that their computer is acting slower because it has this encryption layer; the CPU is working harder, the drive, some of the technologies, solid state drives for example, they can't do the same data duplication management that they would do

if it was full disk encrypted or if it wasn't. So there are performance implications, less and less now, just because computers have gotten faster and CPUs are better at dealing with this. Another one: data recovery. Encryption is really annoying sometimes when you're trying to get data. Beforehand you could just toss a drive into a machine, copy everything you wanted off of it, and you'd be good, which is bad if, you know, whoever takes the drive is a bad guy, but if you're a good guy and you really need that data back and you have encryption to deal with, that's not really the best thing all the time. Kind of to go hand in

hand with the data recovery are your forensics. Traditional forensics are going to be looking at the dead analysis of a disk, so pretty much you get a drive as a forensics investigator, you'd make a clone of the disk, and you'd be able to work on it; your MD5 sum at the beginning will match the MD5 sum at the end, you can recover deleted files, and everything works great. You throw encryption in the process and then it's not so nice anymore; you have to try to work around the encryption or decrypt the drive or anything like that, just because it's an additional layer. And I'm kind of going into the forensics a

little more because I'm going to touch on this in the attacking side of things, because data recovery, forensics, and encryption all kind of go together. Just to touch on another aspect: as forensics has evolved, memory is becoming a bigger and bigger aspect of trying to manage a forensics investigation, whereas this was a difficult shift for a forensics investigator and for forensics investigators in general, just because the mentality from the beginning was, once you have data you do not modify it in any way, shape, or form. That being said, with memory you have the issue of, in order to capture memory, you have to load something into the memory to capture the

memory, often, and you're coming to the point of, yes, we are manipulating data, and how do we get around this? The plain fact is the information that's in memory is often valuable enough that it's worth manipulating that data in order to capture that information, because quite frankly some evidence only does exist in memory, and in the case of encryption there's the possibility of encryption keys and all that stuff being in memory, and when an operating system is running there is decryption that's happening as the operating system is executed. So that's kind of how forensics touches onto this, and obviously I'm going to go into more detail as we go on. One of the things that we constantly

talk about in this industry is the whole idea of verification. The problem I see all too often, especially with the management side, is you'll see security as just a checkbox: okay guys, for this audit, for PCI compliance, for HIPAA compliance, we need to have full disk encryption, that's what your auditor says. You deploy full disk encryption, you get a checkbox, you have full disk encryption, you pass. Unfortunately, a lot of the time we don't do that, and that brings up the important concept of trust but verify, and I know I've heard this once already today and you'll probably hear it throughout the conference. The whole idea of trust but verify, to make sure

that what you're deploying does what it says it does, and also to try to attack something and try to see where the vulnerabilities exist in whatever you're testing. There are two ways that this can be done in the case of disk forensics, or even in forensic penetration testing. First you'd have a zero-knowledge attack, where let's just say a laptop was stolen; you know nothing about the organization, the thing could even be powered off, it's just there, no passwords, nothing like that, and you just try to see what you can do knowing nothing about the machine at all. That would be a zero-knowledge attack. You can also do a more authenticated

approach where you can simulate certain scenarios, say for example the machine was powered on and running: how does that throw into the equation? But the whole idea is you want to be able to do this like any other test that you would do on any other system. We have penetration tests for a reason: you want to find problems in your environment before the bad guys find them. Same thing for something like full disk encryption: identify the shortcomings before they become problems. That being said, pretty much everyone here has some way, shape, or form in which they're deploying full disk encryption. Let's just say that there's a laptop in your organization that was

stolen, and it could be yours right now. How many of you can say with confidence that that data is not able to be recovered? So we had almost everyone deploying encryption, and only two people are able to say that. Next question: how can you say that? Tried it myself, and I think I'm pretty good. I think you're pretty good. How many here can say that they think they're pretty good? I really expected more. So we all say we all suck, you know, we go home. There's no room for improvement? There always is room for improvement, absolutely, but you know, since he thinks he's pretty good, he deserves a shirt, right? Yeah, I do. So that being said, yeah, which really,

really, most of us can't say without a shadow of a doubt, or at least have some independent verification, that yes, our encryption deployment is vetted and it's safe. So quite frankly, from what I'm getting from the audience here, we've deployed encryption, we think it solves a problem, but we don't know for sure. Is that kind of the general consensus that I'm getting from this room? I see some nods and I see some nos, so I guess we'll just keep barging forward and we'll see how this goes. And this is the part that everyone who does any kind of talking at a security conference wants to talk about: the hacking into

things, the breaking stuff. It's the sexy part of security, quite frankly. But attacking full disk encryption: the plain fact is breaking encryption is hard. Unless of course someone's coming up with their own encryption, and in a lot of cases that's not really encryption at all, they're just doing some kind of encoding or not, but pretty much everyone is using some form of AES, and that's not just something that someone's going to say, okay, I'm going to break this tomorrow. It exists for a reason; it's not easy to break encryption. So in that case, a lot of times as a security researcher, as an attacker, as a pen tester, you're looking for the weakest link. I like to

think of the XKCD comic on trying to break into an encrypted system. They present the idea of, okay, this is encrypted, let's spend millions of dollars on the supercomputer to crack the encryption, and they're like, okay, but it's this form of encryption, we're not going to be able to do it anyway, but we still have this cluster so we can just try to crack it anyway. What really happens, the other side of the comic on the right side, you spend $5 on a wrench and torture the person till they give up their password, which is a problem that we as an industry face. The technology is very good a lot of the time, but the people

using it, or some other aspect of it, something very simple, something Stone Age so to speak, you don't need a wrench, you can just pick up a rock off the ground and accomplish the same thing. Zero budget, and you don't even have to worry about approval and all that kind of stuff. So something like that, it's really simple, anyone can do it, and what you spent all this time and money and effort on can be rendered absolutely worthless, and it's a problem that we face. But I don't want to look at this from the perspective of we're going to try to prevent users from giving up information when they're tortured, because that's not really a problem that

we're here to solve. But the whole idea of, as someone who's trying to break into something, we've got to think outside the box a lot of the time, and full disk encryption is no exception. So I want to jump a little to story time here. This is kind of an example of an actual forensics penetration test that I did for one of our customers, and it kind of goes into the details of what can be done, and obviously the reason why I'm talking about this is not because I wasn't able to get in. So to set the scene for this: there was an encrypted laptop that was stolen, and you can say

this was left, you know, wherever, completely powered off, no information about the company, nothing besides here's the laptop, there's some data on it, we know it's encrypted. One would think that that's safe. Show of hands? Yeah, you guys, that should be fine. Question? Yes. Which encryption? Are we assuming that it's going to be full disk, not partial encryption? We're assuming absolutely full disk. In this case it was a Symantec solution, so it's your standard enterprise system; it's basically what you'd kind of expect from a full disk encryption solution, decrypted boot, or it's supposed to be decrypted boot, and I'll get more into the details. Yes, initially it looked that way. Okay.

TPM on or off? No TPM in this case, but passphrase decryption. Decryption passphrase, it wasn't a pass... it was not a password. I had no idea what that was and I did not need it. But generally when you think of that scenario, we're not dealing with something that's powered on that we can dump the RAM from and get the encryption key and all that kind of stuff. This is a powered-off system; it seems like the case for something that should not be able to get broken into, and quite frankly, when I thought about this the first time I was presented with it, how am I going to do that? You have, you know, the FBI,

someone comes across the border with a laptop, the agents at the border see incriminating data on the screen, the person powers off the laptop. This is an actual court case. They aren't able to decrypt it; they're throwing all the power of the NSA and the FBI at this thing to try to break the darn thing, and they can't get in. How the heck am I supposed to be able to get into this thing? Got to get the wrench, yeah. Unfortunately, when this machine was stolen I didn't know who I stole it from, so I couldn't torture them, which, you know, I try to be a nice guy, but sometimes, you know, you've got to.

Yeah, usually most company laptops have the username on a label on it somewhere. Yeah, for some reason when they stole it, it blew away; I've got to talk to our project manager about that. The help desk, that is an option, but it was not deployed in this case, and quite frankly there was no information on there to indicate what company this was from, so I'd be calling every help desk, from which I'd probably get some decryption keys or some resets, but it wouldn't help too much in what... it's a

Yeah, I like the way you think, but okay. So the way we're going to kind of look at this is from a forensics penetration perspective, and I know I mentioned the zero-knowledge versus authenticated testing. Initially I planned to look at this from a zero-knowledge perspective: no information about the machine whatsoever, it's just there, and try to do what I can based on that information. Authenticated testing was going to be the next step for this, where I wanted to try to simulate different scenarios, say if someone left the machine, they went to the restroom, and someone tried to get the RAM, the information out of memory. I didn't actually have to do that,

but in some cases, if you're trying to do a forensic penetration test for encryption verification, you want to look at it from both scenarios. So the real test on this fully encrypted machine: the person who gave this to us for this test, they were completely confident that there wasn't going to be anything we'd find, and I really was skeptical too, and for most people here there is reason to believe that this should be fine. The things that I noticed about this: got the machine, it was powered off. First thing, anything you do in a case of a forensics investigation or forensics pen test, immediately you image the disk; you don't try to turn it on, don't try to

investigate anything. You make a full disk image, you have your evidence drive that you never touch again, and then you have a working scratch disk that you can use to make duplicates of and work off of. So that was kind of the start of the process, and then once I had a working copy I started kind of seeing what was involved. So we had our standard Dell laptop; you had your standard interfaces on it, USB, parallel, FireWire, nothing special, just your standard, it was a D520 laptop. The other thing to mention about when I did the clone: I used a write blocker, so there wasn't any chance of manipulating the original

source disk at all, which is kind of cool, because let's say for example this machine was stolen; you could put the drive back in, the company would have no idea what happened to it, and if they looked at it or even hired someone to look at it, they wouldn't see anything that would indicate the machine was... I fired up the machine, you got your Symantec login screen basically prompting for pre-boot authentication, so it looked kind of pretty standard from what you'd expect. Was it disk resident or was it... resident? It was disk resident, so if I put it in a different machine, for example, I would still get the same thing. If I

didn't have that drive in the laptop, I could just use it as a desktop. So it was all built into the disk, and that information was copied over when I cloned the drive. So the breakthrough on this was a grace period for pre-boot authentication that existed, and the way that this was discovered was a bunch of trial and error. There was at one point when the system was used that there was a period of time where you could reboot the machine and it would not prompt for an authentication window, and the hard drive has no sense of time. So once I discovered what this was, and it took a lot of, you know, booting up

the machine, and this was just a stab in the dark, but as soon as you boot it up the disk knows that it's accessed and it's locked. But going back, I was able to locate the period of time from when it was last used to when this was allowed, and that was my working window. I could clone my source disk, my original state of the machine, reset the clock on the machine to that time, and basically have an indefinite time of working on the system. Once you see an operating system loading on an encrypted machine, you know that there is some form of decryption taking place, and then you don't have to worry about the encryption;

you essentially can look at the operating system itself. In this case it was Windows XP, so, you know, that happens, not the most secure operating system, but any operating system that's running is subject to more attacks and it's more vulnerable than something such as full disk encryption. So the whole idea of repeatedly imaging the drive to find where this window was, and quite frankly there is a lot of luck involved in something like this, but it's not something that you would necessarily expect to find either. Once that was found I could basically work on this machine

indefinitely. The way the machine was configured, you couldn't... but it was just the BIOS. That being said, it was a Dell model where even if they changed the BIOS password, there's the reverse, you know, master password off of the service tag available for that. Can you explain this a little bit? Absolutely. No, it is encrypted. If you looked at the drive during this window it would look completely encrypted; you couldn't read anything. There was just some... it was basically tying the OS authentication to the pre-boot authentication, kind of in the sense that it would allow you to reboot within a certain amount of time. It was basically

making it more convenient for the

users. Yes, default configuration? That I'm not sure about. I'm not all that familiar with the Symantec solution, but when I presented it to the customer they didn't really know that that existed, so I would assume it was probably. But it's about an 8-hour period or something like that where, if you're authenticated, you can reboot the system and it will, not log you into the operating system, but just bring you into the operating system logon. So was there a disk flag that was set for the time with the machine that then bypassed the pre-boot authentication? I mean, this has to be set somewhere on disk for the system to

realize that it's part of the boot partition or the pre-boot authentication. So you didn't do any further investigation about where this bit actually lives, and whether you can set it in your disk image or any of that? No, I didn't look into that, but that was something that was found, and it wasn't tied to the specific disk either, so this could work on whatever disk I... so it was definitely something on the partition.

Off. I don't think it was set up this way, but yes, it did have to talk to a server to get information. I didn't have the server or anything; this was completely done off their network, so whatever information controlled that, I didn't have access to or didn't need access to. This was just the machine by itself. So were the boot files decrypted on the disk, or were there keys sitting there? There wasn't any key sitting on there, that I could find at least, but the boot partition for a pre-boot authentication has to be decrypted, just because the computer's not going to be able to boot otherwise, so something has to be

Depending on what point in the process you end up putting the password, is there a difference? Absolutely, and even though this was at the beginning, when it should be, the fact that it just basically prompts you and says, hey, yeah, you'll need to reauthenticate in the next, you know, so many hours, I'm like, oh, that's nice, okay, oh, Windows.

That I'm not 100% sure about, and I think it's something that could be researched into a little

more. This was Symantec's. When they did a retest they used a different product, and I couldn't find anything similar for that. That being said, one of the recommendations was to force pre-boot authentication, and they absolutely did that. So any product that gives a grace period or does something that loads the operating system into memory is vulnerable to something like this.

Yes, well, the passphrase is essentially what decrypts the key, generally, so it seems like there's something that's causing it to unlock that, or there is something on there that's storing it. What exactly is going on behind the scenes, that I can't say for sure, but for some reason there would be some way to access the key, because obviously the machine is accessing it. How that's being stored, if it's something that's unlocked with the passphrase or if it's something that could be pulled off the drive, yeah, I'm not 100% sure on that. But obviously once I had the machine running the operating system, in this case, for something like forensics, obviously you want to have the smallest

amount of data to work with, possibly, just because you're looking for a needle in a haystack. So in this case you downgrade the RAM from 2 gigs to 512 megs, just to make it a small working environment, and I had full control to do whatever I wanted. And using the FireWire interface in the laptop, which is a DMA interface, direct memory access, that allows you to access the lower four gigs of memory without going through the operating system or the CPU; it just basically is directly accessible. So I dumped the RAM in that case to have an image of memory that should have contained the encryption key, and quite frankly that wasn't absolutely

necessary, because there's this tool called Inception that you can use to basically replace the password checking mechanism of the Windows OS and basically bypass that completely. So you can run this tool, it successfully replaces the code in memory, you walk up to it, type whatever administrator password you want, hit enter, and you're logged in. It's really nice. The end result in that was full admin access to the system. The system was encrypted the whole time, but if you're running in an operating system that you're logged into as admin, it really doesn't matter if the whole thing's encrypted; you can just pull whatever you want. So whatever information was on that drive, I

had full access to it at that point. I did this

Yeah, memory is kind of that... if you're dealing with full disk encryption you almost automatically have to look at memory too. They do go hand in hand. But a lot of people, and this audience is not going to say this of course because you guys are more familiar with this, they might think that, oh, our encryption failed. No, no, no, encryption did not fail, but the implementation of it did fail, and this was one of the cases where a user convenience setting, hey, we don't want to have our users type in long passwords every time they log in, they just need to reboot it during the day. But one

little detail like that, that you don't think would cause a lot of problems, resulted in a complete failure of this whole deployment, and basically every single one of their laptops that was deployed at that point in time was vulnerable to this, which is a huge issue. And this was a zero-knowledge attack both ways: as an attacker, I didn't have to know anything about it in advance in order to get in, and if that machine was returned to them, the original that I manipulated nothing on, they would not know that their information was taken. They would not know that their customer information could have been taken by an attacker until of course it showed up on

Pastebin, which, since this was a test, fortunately worked out well for them, but it could have been a lot worse. So now, with the things that kind of set the scenario of full disk encryption basically completely failing, the question is how do we secure this, and that's what's in all your minds right now. Most importantly, understanding the vulnerabilities, and these are applicable to pretty much any full disk encryption deployment. Obviously physical access: most of the time the reason you're deploying encryption is physical access, because if a server is sitting on the internet, a web server for example, typically your average attacker is not going to drive to that data center and steal the server to get the

information off they're going to do a sequel injection attack or they're going to do something else like that to get the information exploit the operating system system again but full disc encryption is more of we have machines that people can take and we want to protect that um obviously what goes hand inand with people taking machines is your unended machines um something that can be stolen obviously is much higher risk than something that isn't going to be stolen of course um your past phrases and your decryption Keys those are kind of the keys to the kingdom in a full dis encryption deployment um P phrases and trusting users are P phrases can't be the best thing so getting that

information is obviously going to be easier than trying to break into the encryption directly and then you have also the memory resident information that exists whenever the machine is running typically when people have laptops for some reason they want to turn them on and do things not quite sure why but that's a important aspect machine has to be running in order to be usable so what I like to say a system that's completely usable is completely insecure likewise a system that's completely secure is completely un usable and we have to have a balance between the two and this comes into the case of usability versus security uh some of these recommendations that I'm going to

have will have minor impact and there can be something that you can go home and on Monday you can implement this other ones they might be a little more drastic and harder uh to implement in an organization you might receive course back from your users and depending on what you're trying to secure and the risk of the information that are that is on the system that you're trying to protect it might not be worth it and quite frankly that's what we must manage in security uh but you really need to consider what options are the absolute best for you to deployment and kind of choose the balance that's best so I'm not saying to do everything uh but one

thing I definitely am saying is preboot authentication is absolutely not an option use it require it anything that's a system that's going to be out there every time it boots up must have a pre-boot authentication password before any operating system LS period otherwise as we saw in the pentest there is a chance although remote that that could be bypassed if that that window can be discovered if such a thing exists so reboot authentication absolutely implemented now also this might be a little bit more difficult to implement but consider disabling your dma interfaces in the case of the test this was fire wire but there are other interfaces that do offer dma uh Express card BCM CIA um quite frankly those

aren't used all that often. I would say that the majority of people who have those interfaces enabled... pretty much every laptop will have something that's DMA. FireWire is obviously the most convenient, but that being said, if a laptop has an expansion card, you throw a card into it, and through the magic of plug and play you now have a FireWire interface that provides DMA. Don't forget Thunderbolt. Yes, Thunderbolt is a big one, and that definitely has the same vulnerabilities as well. And that one, since it's a DisplayPort as well, people aren't really disabling that as much, so definitely something to consider, and I don't even know if there's a good way on

a Mac to disable that. A lot of your corporate laptops have the BIOS options to turn that off, and the plain fact is, I know BIOS and all that can be worked around in most laptops, but what you're doing by disabling those interfaces is you're forcing someone trying to break in to have the machine powered off in order to access the BIOS, because it's very rare to be able to change BIOS settings within an operating system. I know there's ways to do that as well, but quite frankly most frequently you're going to be doing that with the machine powered off and in the BIOS, and at that point you reset the

information that's in memory and you don't make that something that someone can just grab easily. But the thought on the DMA interfaces is, for most of your users, I would be willing to say that they're not required and it's something that can be disabled. The exceptions would be, say, FireWire for your digital cameras and digital video capture, Thunderbolt like he mentioned; I think he deserves a shirt for that. So do you think it's really worth the loss of convenience to somebody working there, when all you've got to do is take the drive out of the computer? Well, to take a disk out of a computer, there's no memory that's transferred, so the disk is encrypted;

once you take out the disk, basically the attacker gains enough... Oh, you're talking about it still being on? Yeah, yeah. So if the interface is disabled by default, someone steals the machine and it's still on, if they can't get to that memory information you've essentially protected that system from that kind of... Don't get me started on that; that is really, really, really hard. I've tried to do the cold boot stuff, and it sounds awesome to be able to do that. I've never been able to implement it successfully, trying across different machines, trying exactly what they say, using various tools. It's never been

something I've been able to pull off, and if you're ever where you're considering that, you better damn well try every other option first before you try a cold boot, because it's slim to none that you're ever going to pull that off. So that's just being realistic. Other options: disabling standby, and also understanding the risk of hibernating. Standby is essentially a machine that is powered off with RAM completely activated and containing all the information that's in there, so if a machine that's in standby is stolen, that information can be retrieved. And hibernate is even nicer, because a lot of times it'll just boot up the operating system and bypass your pre-boot. You make a clone of

the drive, you have a working snapshot of the machine, and it's kind enough to copy the memory to the same state every time you turn it on. So as a forensics investigator, trying to do a forensics penetration test on something like that, it's almost like a dream come true. So if you have something like that, if you need to deploy hibernate, a BIOS password or power-on password isn't really a good option because it can be bypassed; you almost want to look at an ATA password on the hard drive to make that drive not accessible. But then again, it's very difficult to break into the actual hard drive password, but you're also bypassing the

full disk encryption, so you kind of got to consider... Like on my laptop I use the power-on password, I use a supervisor password, I use a hard drive password and an encryption key, and I'm okay, but there's a lot of different things to consider. Also the management side of things: users are going to forget their passwords and their passphrases, and there's got to be some way to get around this, because users don't like to hear "well, you like that data? I'm sorry, you're not going to get that back," which might be an option, but most of the time you have a help desk that's going to deal with password resets, and

quite frankly they can be vulnerable to social engineering, and if, say for example, the same master password is used across an organization (I've seen this happen), someone gets that and you can decrypt every laptop in the company without any problems. So you just need to get that, and it would just be a matter of making sure your help desk does not just give these out freely, and also that stolen machines are reported immediately, which is difficult to do. And backups. Backups are always good. Anyone who says backups... I'm not going to give you another shirt, but anyone who says backups... Someone else says backups? I'll give a shirt back. Yep, there we go. Backups. Backups are

always good. And also the policy issue: leaving machines unattended while they're powered on. Someone walks away to the restroom; you, as the sneaky attacker type, can just plug into their FireWire port (assuming they didn't listen to the rest of this presentation), basically get into their operating system, copy whatever information you want off of the machine, lock the machine when you walk away, and they'll come back and nothing happens. So some laptops actually have the option, the Toughbooks for example, where you can physically take the drive out of the machine whenever you have to leave it alone, as opposed to carrying the machine. That seems a lot more painful than just

taking the machine with you, but something like that, where you just do not leave the machine powered on and unattended, because there is a risk of that. And it all depends on what your company has and what you're trying to protect. If there's actually a risk where, for whatever information is on your machine, you have people actively stalking your employees trying to get this information, well, that kind of sucks for them too, but you just want to make sure that that doesn't happen. And also independent verification. This would be the case where you have one company that says, "Hey, Company A, our laptop was stolen; it had the database records of 10,000 of our employees,

our customers, on there. We have full disk encryption, so we should be fine." Or Company B that says, "Yeah, one of our laptops was stolen; it had that information of 10,000 of our customers on it. We have full disk encryption deployed. Fortunately, this was verified by an independent third-party penetration test, and they tried a bunch of different hacks and weren't able to break into the system, so we have reason to believe that our information is secure." What company would you feel better about, Company A or Company B? B. B, yes. So it at least demonstrates due diligence, and having that independent verification is not something that a lot of people think

about, but it is a valuable step in the case of something like this. So our conclusions for this talk: full disk encryption, it's not foolproof. It's not a checkbox that magically solves your problems, and it is vulnerable. That being said, failure of the encryption is something that is quite rare; it's the external factors that you need to consider: the possibility of a machine being attacked through direct memory access, something else you didn't expect such as a pre-authentication window. But it's important to understand these risks and vulnerabilities and improve wherever possible. So with that I'll wrap things up and take some time for questions. So how often do you run into

the password reset option enabled in these deployments? It's pretty common, just because you have remote users, and a lot of times companies are valuing the productivity of their employees more than they're valuing the security of their data. So if you have a user that has to be down for a period of time at a remote site, that's often unacceptable. Wonderful opportunity: what color is your car? What was your first car? Absolutely.

You don't really know, and there's also options inside some deployments where you can just run a command in the operating system. There's a lot of different Windows... unfortunately. A lot of questions. Any other questions? Could you describe that for those who aren't familiar with

that? That is absolutely possible. Unfortunately, for something like that, it often breaks the operating system really badly. I know that was something that we actually tried to implement on someone in our company that we didn't like that much, by trying to basically rootkit the initial loading of that to try to get their decryption key, and I think they pretty much had to rebuild the laptop because someone didn't do something right. But definitely something like a keylogger within the boot loader, sure, that's completely vulnerable. A hardware keylogger would obviously be an easier way to do that, but that would be easier to detect as well, or something like

you're suggesting, that would be harder. Did I give you a shirt yet? No? Okay. Thank you. You're welcome. So what about the scenarios where you're using, like, a PKI certificate, a smart card PKI certificate? Does that change the scenario much at all, because you're not relying on a password? In some ways yes, in some ways no. Obviously if someone's able to steal both the laptop and the card at the same time then it's a lot easier, because you'll have both factors there, at least one of the factors. Yeah, you would have the PIN. You would have the PIN, but you'd at least have the harder part of it to do the

games, assuming that they couldn't use the card because of the PIN. Is there still... does it close some loops but leave some open to get around that? It's different. So I think a lot, like a government situation, would be a case where it's a lot easier to enforce some of the other policies we talked about. Absolutely. So it does make it... basically, from talking to people I know who worked in these sorts of environments where you do have the PKI, like the Navy for example, anytime something like that happens it's a huge problem, and the government can do things like that that a private company can't do too. But it does change things. So, harder

that way; it's harder in the sense of you don't have a password like that. Thanks. So the reason I really liked QEMU was you could take memory snapshots without having to alter the memory before taking the... so you, like, load it up like the thing... have you tested SecureDoc ever, the encryption? Yeah. So you can actually, if you build up to a live CD, you can set QEMU to boot off the hard disk instead and it'll load the SecureDoc pre-boot authentication into memory, into a small virtual machine that you can persist to disk; you can take a snapshot of its exact state to whatever disk or USB drive or something like that, and

then you can use, like, strings, or you can do any type of file carving; you can carve the file system, because it's RAM, so you carve the file system out of the snapshot and you peruse it, get to the /etc/shadow, all that kind of stuff. And I was able to get to the root hashes and only crack one of them for the SecureDoc stuff. But this one also had a... if you press F12 you can get a web browser in the pre-boot authentication. That was called SecureDoc? Yeah. Don't use it.

Wireless keyboards, is that what you're thinking? This was no, not a wireless keyboard; this was a keyboard with a built-in... Oh, so someone wired a keylogger inside of the keyboard and it was broadcasting wirelessly? Separ

Dev

passw... so maybe those people who are in concrete boxes with the Faraday cages are not completely insane. Like that, have you used VMware to do any, like, pre-boot authentication attacks? Meaning, if the pre-boot authentication is not there, you take, let's say, BitLocker and you have a usable disk that's not dependent on... okay, BitLocker is on TPM, but you take something that's not on TPM, TrueCrypt for example, TrueCrypt booting into a Windows... okay, if DMA doesn't work, have you been able to use VMware to boot that disk in VMware and just copy the .vmem file out of that? The .vmem file is basically a snapshot of RAM. Yeah. So have you had to use

VMware in any situation to do this? Not for some of these, but that being said, that's definitely the same approach that you do on a physical machine, with the only difference being it's a lot easier to work with. So the techniques would be very similar. Yes? How do you feel about ...? I think that it's a good product for what it offers, but that being said there are ways to configure it poorly. So, as with anything we deal with, let's just say you buy a firewall; we've got a firewall, first rule any-any accept; you have a firewall that's a router. Same thing for, like, TrueCrypt: you could deploy it and have a really bad passphrase, then

make the prompt that comes up... password is password.

So if anyone wants to chat about anything afterwards, hit me up. Where is it? There's a Q&A session down by the stairs, underneath the stairs. They're going to hide you; they don't want... room underneath the stairs. It's below the escalators you came up to the conference. Okay, okay. If anyone wants to follow me and chat about... I'm... Everyone, thank you for attending. Always good to have good audience participation.

something that people