Posted: 7/31/2009 7:24:32 AM EDT
http://www.h-online.com/security/Bootkit-bypasses-hard-disk-encryption––/news/113884

Quoted:
WOW just WOW! I knew someone would figure a way around it.. Let's just hope the feds don't get their hands on it..
TrueCrypt is OpenSource, so a fix for this will be released *very* soon. Edit: Hmm, may be more tricky than that, after re-reading the article.

This was mentioned as a theoretical security threat in TrueCrypt's documentation for years. I've always assumed that law enforcement and intelligence agencies have programs that do this already. A way around this is to boot from the TC rescue CD instead of the hard disk's MBR, but if you've got an intelligence agency using malware to spy on you I'd think you have bigger worries.

Quoted:
Quoted:
WOW just WOW! I knew someone would figure a way around it.. Let's just hope the feds don't get their hands on it..
TrueCrypt is OpenSource, so a fix for this will be released *very* soon. Edit: Hmm, may be more tricky than that, after re-reading the article.
ya, sounds like the only way to fix it is using TPM for now..

Quoted: ‘administrator privileges or physical access to a system are required for an infection’ If your opponent has these, you’re already compromised. BSW I was going to say. If someone already has those, it doesn't matter if you are using encryption or not. The person most likely to have both of those is the administrator installing TrueCrypt

This is just an exploit that lets you boot a protected system partition, correct?
If I have a thumbdrive or USB hard drive that's not a boot device, but I do have full disk encryption, I assume this does not make it vulnerable to someone getting at the data without knowing my decryption password.

Quoted:
This is just an exploit that lets you boot a protected system partition, correct? If I have a thumbdrive or USB hard drive that's not a boot device, but I do have full disk encryption, I assume this does not make it vulnerable to someone getting at the data without knowing my decryption password.
I'd also appreciate an answer, as only my data drives are encrypted. I don't care if folks know I'm running SolidWorks, Quickbooks, TurboTax, etc. I do care if they can access the files generated by these applications.

Whole disk encryption is to keep people who don't have any business using the drive from using the drive in the case it gets stolen or subpoenaed. TrueCrypt never has had nor claims to have had the ability to protect against a compromised or easily compromised operating system.
Though interesting, this "hack" isn't any more sophisticated than any other keylogger or security problem with the OS (which TrueCrypt doesn't protect against in the first place) AND it requires physical access. (And any IT guy worth his salt knows physical access = fucked) If you cannot trust the OS or hardware, do not mount your encrypted volumes. If someone has had physical access, you cannot trust the OS or the hardware. Non story.

Quoted:
This is just an exploit that lets you boot a protected system partition, correct? If I have a thumbdrive or USB hard drive that's not a boot device, but I do have full disk encryption, I assume this does not make it vulnerable to someone getting at the data without knowing my decryption password.
I believe this is the case, as you'd only need the MBR available unencrypted on your boot device. This really isn't anything new, MBR viruses have been around forever, this is just one that targets TrueCrypt directly. Any decent anti-virus software will detect and prevent unauthorized changes to the MBR.
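
Added example, not part of the thread: one way to check for the kind of MBR change the post above mentions, by comparing the boot sector against a fingerprint recorded while the machine was known-good. The function names and the sample sectors are constructed for illustration; a real check would pass in the first 512 bytes read from the boot disk.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_END = 446       # bytes 0..445 hold the boot code an MBR infector rewrites
SIGNATURE = b"\x55\xaa"   # bytes 510..511 mark a valid MBR


def mbr_fingerprint(sector: bytes) -> dict:
    """Hash the boot code and the partition table of one MBR separately."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    return {
        "boot_code": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "partition_table": hashlib.sha256(sector[BOOT_CODE_END:510]).hexdigest(),
    }


def changed_regions(sector: bytes, baseline: dict) -> list:
    """Return the names of MBR regions that no longer match the baseline."""
    current = mbr_fingerprint(sector)
    return [name for name in sorted(baseline) if current[name] != baseline[name]]


def constructed_mbr(boot_code: bytes) -> bytes:
    """Build a sample MBR (constructed data, not taken from a real disk)."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + bytes(48)  # one partition entry, three empty slots
    return boot_code.ljust(BOOT_CODE_END, b"\x00") + table + SIGNATURE


if __name__ == "__main__":
    known_good = constructed_mbr(b"\xfa\x33\xc0\x8e\xd0")
    baseline = mbr_fingerprint(known_good)       # record while the disk is trusted
    modified = constructed_mbr(b"\xeb\x3c\x90\x00\x00")
    print("unchanged:", changed_regions(known_good, baseline))
    print("modified: ", changed_regions(modified, baseline))
```

Run the comparison from separate boot media, since a check made inside the booted OS depends on that OS returning the real sector.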

Quoted:
This is just an exploit that lets you boot a protected system partition, correct?
No. It loads and runs in memory before the user starts TrueCrypt and then watches from there.
Quoted:
If I have a thumbdrive or USB hard drive that's not a boot device, but I do have full disk encryption, I assume this does not make it vulnerable to someone getting at the data without knowing my decryption password.
This won't do anything to that, and wouldn't be useful in that case, they would just install a rootkit in the unencrypted partition, wait for you to boot and mount the encrypted drive and get data from there.

Quoted:
This is just an exploit that lets you boot a protected system partition, correct? If I have a thumbdrive or USB hard drive that's not a boot device, but I do have full disk encryption, I assume this does not make it vulnerable to someone getting at the data without knowing my decryption password.
Yes, you must boot for the exploit to work.

Quoted:
Screw TrueCrypt, I have a container that I can no longer open because it somehow fucked up the password. Yes I have the password right, I've been using it for a year. It just quit working.
You probably have a bad block on that sector, try and copy the container to another drive. I bet it will error out. If that's the case then you have to run a program like SpinRite to fix the bad block.
