Re: looking for EFS weaknesses

From: Tom Bowers (bowerstat_private)
Date: Fri Jun 27 2003 - 06:20:18 PDT

    The weaknesses of W2K EFS are as follows:
    
    1.  The default recovery agent for encrypted files is the W2K
    Administrator account. Therefore, if you can compromise the Administrator
    account and log in as it, you have access to ALL encrypted files.
    This compromise is very easily accomplished with Peter Nordahl's Linux
    boot disk. It can be found at:
    http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
    
    2.  Elcomsoft has developed a tool that locates and attempts to
    break/interpret the private keys being used for EFS in a GUI-based tool.
    It can be found at:
    http://www.elcomsoft.com/aefsdr.html#
    
    3.  Yes, both of these solutions require physical access to the affected
    PC, but if we assume a stolen laptop with company proprietary data on
    it...
    
    When we architected W2K for Wyeth we had high hopes for EFS. They were
    soon dashed because of the weaknesses listed above and in your email.
    EFS in XP does not share these weaknesses due to a change in how they
    handle their key pairs.
    
    Respectfully,
    
    
    
    Tom Bowers, CISSP
    Wyeth Pharmaceuticals
    Lead Desktop & Firewall Engineer
    
    
    >>> Ryan Smith <ryansmithat_private> 6/26/2003 11:53:30 AM >>>
    
    
    After some research, I am considering rolling out an encryption
    solution based on win2k EFS. I know of one weakness: encrypting a file
    that already exists will leave behind an insecurely deleted plaintext
    file.
    
    This means anyone with any decent forensics tool could bypass the OS
    and easily read it directly off the hard drive.
    
    It also transfers files insecurely across the network. SSL should
    solve for that.
    
    Does anyone know of any other major weaknesses in the EFS encryption,
    certificate handling, encryption, etc.? For this group I'm particularly
    looking for areas of the hard drive that may contain hidden plaintext
    copies of normally encrypted documents.
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com 



    This archive was generated by hypermail 2b30 : Fri Jun 27 2003 - 06:25:20 PDT