Why EFS is not a good idea (was Re: IP tracking software)


Jeremy Pullicino

May 8, 2009, 5:56:53 AM
to Forens...@googlegroups.com
EFS is inherently flawed...

- EFS keys are stored on the computer; with physical access to the system the enemy can retrieve them and decrypt the files
- EFS keys are automatically loaded and used when the user logs on; with physical access retrieving the login password is trivial, so the enemy can log in and decrypt the files
- When a file is encrypted with EFS, the original file is deleted. With disk imaging software (e.g. dd) one can read the 'free' or 'slack' space and retrieve the original file
- When EFS files are copied onto an external or network drive, encryption is automatically removed, sometimes without notice. EFS files are only protected on your own computer.
- When on a Windows AD domain with a CA properly configured, EFS files can be copied to network drives and retain their encryption; however, during the network transfer the file is unencrypted, so the enemy can read out the file by sniffing his network.
- There are some issues with the Microsoft certificate management that make it possible to mistakenly lose keys, thus losing all your encrypted files

Jeremy.


On Thu, May 7, 2009 at 6:28 PM, Stefan Engelbert <ste...@engelbert.de> wrote:

Why is EFS not a good idea?

 

From: Forens...@googlegroups.com [mailto:Forens...@googlegroups.com] On Behalf Of Jeremy Pullicino
Sent: Thursday, May 07, 2009 4:14 PM
To: Forens...@googlegroups.com


Subject: Re: IP tracking software

 

Hi,



My 2 euro cents worth...

These methods assume you have physical access to the system - passwords do a good job of protecting access via the network/internet.

When your 'enemy' has physical access to the system there is very little you can do - if he wants he can steal your hard disk, or even destroy the computer - no passwords will protect from that...

If you have sensitive files on your PC then I recommend either storing them in a secure remote location, or using strong encryption on the files (note: EFS is not a good idea).

Best regards,
Jeremy Pullicino
Security Consultant


On Wed, May 6, 2009 at 2:56 PM, Geoffrey Alexander <h1eve...@hotmail.com> wrote:

If by-passing or cracking Windows passwords is as easy as this, why bother setting them up at all?

Am I the only one to conclude that even a novice 'hacker' could access any 'password-protected' computer?
- Geoffrey.


From: mindst...@hotmail.com


To: forens...@googlegroups.com
Subject: RE: IP tracking software

Date: Fri, 1 May 2009 22:28:00 -0400



If you are able to Login using the GUEST ACCOUNT; you can then run this keyfinder:

http://downloads.sourceforge.net/keyfinder/keyfinder.2.0.1.zip?use_mirror=osdn
 
If you do not have a guest account available then this software will allow you to blank the admin password:
 
http://home.eunet.no/pnordahl/ntpasswd/
 
Do read the FAQ and other available support pages before attempting this because the software boots into a minimal Command Line Linux environment and could be a little scary if you have not used DOS in the past. Lots of luck
Dan

 


From: amyd...@live.com
To: forens...@googlegroups.com
Subject: RE: IP tracking software
Date: Thu, 30 Apr 2009 15:24:43 -0400

I think someone has been on my laptop. I have a desktop I use most of the time; the laptop is mostly for use when I'm out of town. Mysteriously, I cannot locate the Windows CD, which I thought was in a locked file drawer, in my home office, and I don't remember creating a backup disk. There is a new user account I don't remember creating, or have access to. But my original password works, but I don't remember the admin password, so that's why I was wondering if someone could bypass, or somehow retrieve my Windows password without changing it.
 


 

 

 





 

 






Stefan Engelbert

May 8, 2009, 6:06:06 AM
to Forens...@googlegroups.com

Hi,

 

Thanks for the detailed list :)

 

I agree with the keys stored on the computer. In fact software certificates are always a theoretical risk. That’s why smartcards should be used.

 

Regarding network transfers, temp files etc., I do have to agree. In fact, when using EFS such points have to be considered.

 

Stefan
