
Truecrypt will do full-disk encryption with boot-time authentication, works with any version of Windows.

It might take a while to carry out in-place encryption of nearly 14TB however... I don't mean to be nosey (oh all right, yes I do), but what on earth do you need to hide which consumes that much space?
 
Truecrypt will do it, but as mentioned 14TB is going to be a hell of a grind. It takes a few hours doing a regular desktop disk.

I'd be tempted to look into securing the case as your joe average burglar isn't going to waste time taking a PC that's chained to a desk.
 
As said Truecrypt will do it, yes it will take a while (several days probably, dependent on system) BUT you only run that once so it's not such a hardship.
 
Would also be interested to hear the reasons, the whole 'the key is held in memory' thing is a known issue, and often overplayed imho.

There are some good things about bitlocker though.
 
It's not secure. Quite frankly if you have something worth encrypting - do it right. If the OP is doing it for the luls then use for-the-luls encryption - use BitLocker.

Vista is still not patched to a HUGGGGGGGGGGGGGGGGGGGGGEEEE security hole. HUGE. (as in, drop a command prompt running as NT Authority\SYSTEM at the login screen OH HAI BitLocker data insecure)
 

Sitting next to a guy who was in a team paid to show the security hole by a certain large corporate security vendor and being shown it first hand. It's been publicised, MS know about it, you can Google for it - it's not been fixed. If you have something worth protecting then do it right. Most people have nothing worth encrypting, but in the hands of someone who knows what they want BL is probably not the best choice of defence.

For home use against the muppet who stole your laptop, yeah - it'll probably be enough. I just do not like using something extreme to protect my data when in extreme circumstances it can be thwarted.
 
It's not secure.

What about it exactly is insecure? Talking full volume/drive encryption here not just file encryption.

Genuinely want to know, I know of a very large UK company who are in the process of implementing Bitlocker and I'd be interested to know people's informed opinions on it.

Vista is still not patched to a HUGGGGGGGGGGGGGGGGGGGGGEEEE security hole. HUGE. (as in, drop a command prompt running as NT Authority\SYSTEM at the login screen OH HAI BitLocker data insecure)

To be honest you could say that about a lot of FDE products, not just bitlocker.

Once the OS is up and running, past pre boot authentication etc, then the same would happen. That vulnerability has no bearing on BitLocker as such I'd have thought.

To get the machine to boot the OS you've got to get past the pre boot auth stage, you're not in a position to exploit that vuln until the machine is even booted up.

Then there's the fact that I'd have thought most people would be using 7 rather than Vista (if they've got sense :p)

Which vulnerability is that by the way, the one about replacing the utilman file with a cmd.exe? I forget exactly but remember reading something? Or is it something else, got the MS KB or CVE number for it?
 
On a corporate level BitLocker is somewhat flawed.

I am no security guru but from a security point of view if one of your administrators goes into your Active Directory and nukes your BitLocker keys you are screwed. If any one person can deny the company any access to its data it's a pretty big deal. The company I used to work for and who now do corporate security stuff would never advise the use of BitLocker and actively encourage against it. Maybe you can look at that from an "It's free and we want to sell our product" point of view, but there are well known and well publicised issues with BitLocker so it's not like it's the mecca of free encryption that competitors don't want you to know about.

As far as I know there is no MS acknowledgement of that flaw, it's not been patched out. You mess with Ease of Access files which are not protected like critical system files are. (It's not protected in post boot on the pulse checks or at boot itself)

Once you drop a cmd prompt as NT AUTHORITY\System you auth against the domain. If you were, for example, to launch IE and browse the internet via TMG it would auth you and let you out. If you can masquerade as SYSTEM on a domain then yeah....not cool?
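The post above says the Ease of Access helper binaries are not protected the way critical system files are. The following is an added defensive check, not code from the thread: it audits those binaries under System32 for a valid Authenticode signature, a version-resource OriginalFilename that matches the file name (a swapped-in cmd.exe is still Microsoft-signed, so the signature alone is not enough), and an Image File Execution Options "Debugger" redirection. It assumes Windows PowerShell 5.1 or later and standard System32 paths; the OriginalFilename comparison is a heuristic, so treat a mismatch as something to investigate rather than proof.

```powershell
# Added example (not from the thread): audit Ease of Access helper binaries.
$easeOfAccess = @('utilman.exe', 'sethc.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe')
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Test-EaseOfAccessBinary {
    param([Parameter(Mandatory)][string]$Name)

    $path   = Join-Path $env:SystemRoot "System32\$Name"
    $result = [ordered]@{ Name = $Name; Exists = (Test-Path $path) }

    if ($result.Exists) {
        # Signature status: anything other than 'Valid' on a stock binary is worth a look.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $result.SignatureStatus  = $sig.Status
        $result.Signer           = $sig.SignerCertificate.Subject
        # Heuristic: the version resource of the real binary names itself, cmd.exe names "Cmd.Exe".
        $result.OriginalFilename = (Get-Item $path).VersionInfo.OriginalFilename
    }

    # An IFEO "Debugger" value makes Windows launch that program instead of the binary.
    $ifeoKey = Join-Path $ifeoRoot $Name
    $result.IfeoDebugger = (Get-ItemProperty -Path $ifeoKey -Name Debugger -ErrorAction SilentlyContinue).Debugger

    $baseName = [IO.Path]::GetFileNameWithoutExtension($Name)
    $result.Suspicious = (
        $result.Exists -and (
            $result.SignatureStatus -ne 'Valid' -or
            $result.OriginalFilename -notlike "$baseName*"   # -notlike is case-insensitive
        )
    ) -or [bool]$result.IfeoDebugger

    [pscustomobject]$result
}

# Run the audit over every helper and show the table; pipe to Where-Object Suspicious for alerts only.
$easeOfAccess | ForEach-Object { Test-EaseOfAccessBinary -Name $_ } | Format-Table -AutoSize
```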
 
On a corporate level BitLocker is somewhat flawed.

I am no security guru but from a security point of view if one of your administrators goes into your Active Directory and nukes your BitLocker keys you are screwed. If any one person can deny the company any access to its data it's a pretty big deal.

True, but couldn't you say that of any encryption product that uses some kind of central key escrow system (i.e. most of them)? Plus you don't have to use it in that way if you don't want to.

You could use a third party key management tool with split passwords for access.

Keys would also be held on some form of backup (which in itself would be encrypted naturally :p) I'd have thought.

Maybe you can look at that from an "It's free and we want to sell our product" point of view, but there are well known and well publicised issues with BitLocker

Link to any of the issues you're thinking of? Again I'm not posting that as an 'I don't believe you' way, genuinely trying to learn a bit more about it. Majority of the things I've read haven't been too scathing, and the issues are usually present in other products as well.

As far as I know there is no MS acknowledgement of that flaw, it's not been patched out. You mess with Ease of Access files which are not protected like critical system files are. (It's not protected in post boot on the pulse checks or at boot itself)

Once you drop a cmd prompt as NT AUTHORITY\System you auth against the domain. If you were, for example, to launch IE and browse the internet via TMG it would auth you and let you out. If you can masquerade as SYSTEM on a domain then yeah....not cool?

Yeah it's a bit of a bad one really, but again that's all assuming you can get the access to change the file. Plus, and I could be totally wrong here as I've not used TMG, couldn't you have it set up so that a machine account itself doesn't necessarily have authorisation to browse? Wouldn't it be done on a domain user level?

If the machine is off, has FDE with pre boot auth on, and has the trusted boot stuff enabled I believe it wouldn't be that easy.

I generally don't have a massive opinion either way on Bitlocker so am interested to hear as much discussion as I can on it as I should be doing some security testing on it soon :)
 
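The exchange above turns on two configuration points: whether a volume actually has pre-boot authentication (a TPM+PIN protector rather than TPM-only) and whether its recovery password is escrowed somewhere, with AD being the usual, and single, escrow point. The following is an added posture check, not code from the thread: it reports those two things for every BitLocker volume and, with -Remediate, adds a recovery password protector where one is missing and backs it up to AD DS. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later), an elevated prompt, a domain-joined machine, and a GPO that permits recovery information backup to AD DS; a local check cannot tell whether an earlier backup already happened, so EscrowedThisRun only reflects what this run did.

```powershell
# Added example (not from the thread): audit BitLocker protectors and escrow recovery passwords.
function Test-BitLockerVolumePosture {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [switch]$Remediate
    )

    $vol      = Get-BitLockerVolume -MountPoint $MountPoint
    $tpmPin   = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin'           # pre-boot auth
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'  # 48-digit key

    if ($Remediate -and -not $recovery) {
        # Create a recovery password; it lives only in the volume metadata until backed up.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                    Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    $escrowed = $false
    if ($Remediate) {
        foreach ($rp in $recovery) {
            try {
                # Writes the protector to the computer object's msFVE-RecoveryInformation entry in AD.
                Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
                $escrowed = $true
            } catch {
                Write-Warning "AD backup failed for $MountPoint ($($rp.KeyProtectorId)): $_"
            }
        }
    }

    [pscustomobject]@{
        MountPoint        = $MountPoint
        VolumeType        = $vol.VolumeType
        ProtectionStatus  = $vol.ProtectionStatus
        HasPreBootPin     = [bool]$tpmPin          # TPM-only means the key is released with no user auth
        RecoveryPasswords = @($recovery).Count
        EscrowedThisRun   = $escrowed
    }
}

# Audit every encrypted volume; add -Remediate inside the block to create and escrow missing keys.
Get-BitLockerVolume | Where-Object VolumeStatus -ne 'FullyDecrypted' |
    ForEach-Object { Test-BitLockerVolumePosture -MountPoint $_.MountPoint } | Format-Table -AutoSize
```

Because AD is a single escrow point that a domain admin can clear, a second copy (for example the recovery password printed and stored offline, or a separate key management service as suggested above) is what actually addresses the "one person nukes the keys" scenario.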
I think the vulnerability is ifs and buts.

If you can get past pre-boot, and if you have your domain set up insecurely including the configuration of TMG. The main problem falls in getting past the pre-boot authentication - if you can't get past that then no amount of system compromises are going to help as you can't get into the system. The flaw also relies on someone logging into the PC - which is that you have to have someone who can authenticate - again another problem.

With regards to the keys - yes potentially some muppet could remove the keys and everyone is screwed but that requires sufficient permissions in AD (i.e. domain admin). If you give anyone domain admin rights then that person has to be in a position of trust (because there are so many ways to screw over AD if you have the rights).

Personally I wouldn't overly worry about it - especially if money is a problem.



M.
 
Well BitLocker has been approved for usage by CESG for data up to restricted level. If it's good enough for CESG it's good enough for home usage (as long as it's implemented correctly of course).
 