TrueCrypt breached!

Status
Not open for further replies.

poltergeisty

Truth is a force of nature
Banned
Joined
May 7, 2004
Messages
4,012
Location
RLG, Fly heading 053, intercept 315 DVV
I use Truecrypt. Been using it for 3 years now. Never for the entire hard drive. Only in container format, and some of those are on CD inside other data which is inside other data, i.e. Steganography which is further encrypted with a cascade of ciphers. Gots to protect my porn somehow. :lol: J/K

I also have a VMware VMDK file in Truecrypt container. So that means the entire OS is protected. So how do you bypass that?

Available as source code, Kleissner's bootkit can infect any currently available 32-bit variety of Windows from Windows 2000 to Windows Vista and the Windows 7

Linux isn't mentioned.

This is the second hack attempt on Truecrypt that I know of. I'm sure the authors will find a way of addressing any sign of I/O attacks...

It's kinda like WPA in WIFI security. It can be broken, there is a hack plus it can be brute forced providing the key isn't long and complex. But, BUT, the ones who pay attention to Bruce Schneier's blog will know how to address that possibility...

SANS is good to keep up with too.
 

poltergeisty

Truth is a force of nature
Banned
Joined
May 7, 2004
Messages
4,012
Location
RLG, Fly heading 053, intercept 315 DVV
Original story: Bootkit bypasses hard disk encryption - News - The H Security: News and features

Once installed, Stoned cannot be detected with traditional anti-virus software because no modifications of Windows components take place in memory

Avira does have a boot records scan. Not sure if this could do it, providing a definition were to be made.


However, administrator privileges or physical access to a system are required for an infection. At present, only machines running the traditional BIOS are vulnerable.


This is why you should always run in a limited account. Administrator accounts are for...administration. :lol:


Kleissner didn't have an answer to the question whether a hardware-encrypted hard disk is capable of preventing an infection.

That's what I'm wondering. I think it might have an effect on the rootkit, though the encryption scheme used in the hard drive is on a chip of the hard drive. So I speculate that perhaps it wouldn't matter, so long as the OS is running and the rootkit infects the MBR.

What you need here is a mechanism that tracks hash values in the MBR. :)

These two think it's bogus, but I think it has its merits. Bootkit bypasses hard disk encryption | security News Forums
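The "mechanism that tracks hash values in the MBR" mentioned above, sketched as an added example (not code from the thread or from any of the tools it names). It hashes the bootstrap code area of the first sector separately from the partition table, so a legitimate partition edit is distinguishable from a rewritten boot loader of the kind the Stoned article describes; the device path and the constructed sample sector are assumptions.

```python
import hashlib
import json
from pathlib import Path

MBR_SIZE = 512
BOOT_CODE_END = 440      # bootstrap code: bytes 0..439 (what a bootkit rewrites)
DISK_SIG_END = 446       # 4-byte disk signature + 2 reserved bytes: 440..445
PART_TABLE_END = 510     # four 16-byte partition entries: 446..509
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511

def mbr_fingerprint(mbr: bytes) -> dict:
    """Hash the MBR regions separately and check the boot signature."""
    if len(mbr) < MBR_SIZE:
        raise ValueError("need at least 512 bytes")
    return {
        "boot_code": hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest(),
        "partition_table": hashlib.sha256(mbr[DISK_SIG_END:PART_TABLE_END]).hexdigest(),
        "boot_signature_ok": mbr[PART_TABLE_END:MBR_SIZE] == BOOT_SIGNATURE,
    }

def compare(baseline: dict, current: dict) -> list:
    """Return findings as strings; an empty list means nothing changed."""
    findings = []
    if not current["boot_signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if baseline["boot_code"] != current["boot_code"]:
        findings.append("boot code changed (possible bootkit / MBR rewrite)")
    if baseline["partition_table"] != current["partition_table"]:
        findings.append("partition table changed")
    return findings

def read_mbr(device: str = "/dev/sda") -> bytes:
    """Read the first sector of a block device or raw image (needs root)."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)

def save_baseline(mbr: bytes, path: str) -> None:
    Path(path).write_text(json.dumps(mbr_fingerprint(mbr)))

def check_against_baseline(mbr: bytes, path: str) -> list:
    baseline = json.loads(Path(path).read_text())
    return compare(baseline, mbr_fingerprint(mbr))

# Constructed sample sector (not a real boot loader): a 3-byte jump,
# zero-padded code area, a fake disk signature, one active partition entry.
SAMPLE_MBR = (bytes([0xEB, 0x3C, 0x90]) + b"\x00" * 437
              + b"\x12\x34\x56\x78\x00\x00" + b"\x80\x00" + b"\x00" * 62
              + BOOT_SIGNATURE)
```

A bootkit that hooks disk reads can hand this check a clean-looking sector, so the comparison is most trustworthy when run from a known-good boot medium; on Windows the device would be \\.\PhysicalDrive0 instead.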
 

tbiggums

Member
Joined
Sep 19, 2008
Messages
182
I'm hardly an expert in this area, but I use TrueCrypt on my whole hard drive...

My reason for using TrueCrypt is to make sure that if someone steals my PC in a powered-off state, they won't be able to get any data off it. Of course if they manage to steal it while it's powered up and logged in, I'd expect to be screwed.

Correct me if I'm wrong, but it seems that as long as I didn't install this bootkit (or any other malicious software), and was careful to at least log off or power down the machine when I'm not around, if someone were to steal my PC in a powered off state, they still wouldn't be able to access the TrueCrypt encrypted data on my hard drive.
 

RedPenguin

Member
Joined
Feb 28, 2007
Messages
1,082
Well....

This is actually somewhat like what the Internet TV Show called Hak5 talked about when they discussed TrueCrypt.

They stated how someone who could access your PC long enough could take a snapshot of your memory using win32dd or mdd (possibly some others) on a thumb drive, and then use a program called Volatility using a plugin to extract the AES key (if using AES), and I can't remember the name but I believe they claim there is an AES key brute-force tool.

NOTE: You need Admin rights to use mdd and win32dd now with 2003 SP1 and above, yet due to how IEEE 1394/Firewire's standard is written, you could eventually get a firewire thumb drive and still do this method because apparently since Firewire does DMA (Direct Memory Access) it gets kernel-level memory, instead of user-level memory, which is what you want (kernel-level).

Also, you could steal Windows's SAM files, which obviously stores passwords.

What's bad about this whole thing is, once you stole a snapshot of the person's RAM, you are free to crack the passwords in the comfort of your own home, basically bypassing any attempt that would be imposed on the target itself against brute-force or even sometimes dictionary attacks.
 

poltergeisty

Truth is a force of nature
Banned
Joined
May 7, 2004
Messages
4,012
Location
RLG, Fly heading 053, intercept 315 DVV
What's the connection between RAM and this apparent hack?


If someone were to get access to the RAM while you had a Truecrypt container mounted, the data would not be encrypted anyway. Unless you're trying to grab SAM and EFS stuff.


Truecrypt recommends that you run a few apps after dismounting so that you cycle the RAM. But that's if you work for the CIA. :lol:
 

RedPenguin

Member
Joined
Feb 28, 2007
Messages
1,082
Well

What's the connection between RAM and this apparent hack?


If someone were to get access to the RAM while you had a Truecrypt container mounted, the data would not be encrypted anyway. Unless you're trying to grab SAM and EFS stuff.


Truecrypt recommends that you run a few apps after dismounting so that you cycle the RAM. But that's if you work for the CIA. :lol:

Well, the connection I saw was, TrueCrypt was being mentioned and I was just mentioning something else for others to worry about when you are using TrueCrypt.
 

poltergeisty

Truth is a force of nature
Banned
Joined
May 7, 2004
Messages
4,012
Location
RLG, Fly heading 053, intercept 315 DVV
So our trusty Polish hacker is at it again. :lol:

let’s assume we have a reasonably paranoid user, that uses a full disk encryption on his or her laptop,


Let's assume that one uses containers....



All the attacker needs to do is to sneak into the user’s hotel room and boot the laptop from the Evil Maid USB Stick.

Let's assume that it takes a verrrry long time to crack the BIOS password to allow a USB stick to boot the OS...


Now let's also assume that our poor maid wasted her time because while the genius laptop user was downstairs pulling some slots, the encrypted container was stored in his MP3 player that he was listening to. :lol:

Do It Again - Steely Dan - Pandora Internet Radio
 