Re: CRIME OCIPEP AV03-008 - Microsoft Windows XP Password Vulnerability

From: Seth Arnold (sarnold@private)
Date: Mon Feb 17 2003 - 23:49:19 PST


    On Mon, Feb 17, 2003 at 05:40:23PM -0800, Richardson, John wrote:
    > 1.  On laptops, setting the BIOS password can also be used to have the disk
    > controller perform disk encryption.  I don't know how strong it REALLY is,
    > but at least with IBM laptops, you can send the hard disk out to some outfit
    > and for $100 they will return it to you unlocked in a couple of weeks.  That
    > does raise the bar a little.
    
    Note that some PKzip encryption-breaking software has some busy loops
    embedded to give the illusion that the software actually has work to do.
    ("Gee, I paid $50 for this, and it is done in under a second!?!")
    
    > 2.  On XP, and Win2K also, if you use EFS (Encrypting File System) the OS
    > will decrypt the files for users with access to the keys.  Does this
    > vulnerability hit the system at a level where having the Administrator
    > password means you also get the EFS password?
    
    As I recall the EFS design, the keys are encrypted with the NTLM hash
    of the login password for the user in question. Changing the password
    outside of the system may very well cause all the data encrypted by the
    account in question to be lost. (Changing the password back to its old
    value will probably result in a different NTLM hash, otherwise dictionary
    attacks would probably be far easier, so I'd bet changing the password
    back to the original password would not restore the data.)
    
    > 3.  (so I can't count) I run a product that encrypts the disk below the OS.
    > That should help a little with this vulnerability, though I'm sure there are
    > many others that it won't protect me from.
    
    Really? Is it a hardware or software product? (I thought all software
    based products were operating-system dependent, and I don't know of any
    hardware products.)
    
    -- 
    "Security for who?" -- Crispin Cowan
    
    
    


