RE: Attacking EFS through cached domain logon credentials

From: John Howie (JHowieat_private)
Date: Mon Jan 20 2003 - 22:32:12 PST


    Todd (and lists),
    
    You wrote:
    
    > 
    > This is not completely correct, and I wanted to clarify how an attack
    > against a domain-member's EFS encrypted files can work.  The threat
    > model is this:
    > 
    
    It is important to distinguish between a weakness in EFS (there is none,
    as described here) and the risk associated with using cached logon
    credentials.
    
    It is not just EFS which is at risk through 'cracking' an account like
    you describe; there are so many other 'secrets' in a user's profile,
    including passwords to websites remembered by IE, POP3 email account
    passwords in Outlook and Outlook Express, VPN passwords, etc.
    
    Truly sensitive data should not be stored on a laptop, and when it must
    be, use two-factor authentication such as a Smart Card (which does reduce
    the risk associated with cached logon credentials) or a SecurID token.
    If nothing else, some laptops these days come with passwords to
    lock/unlock the hard drive.
    
    Regards,
    
    John Howie CISSP MCSE
    President, Security Toolkit LLC
    


