D6 Research

The Intersect of Physical and Cybersecurity


Exploiting Full Disk Encryption & How to Mitigate

By Terry Gold


Full-disk encryption is viewed by some enterprises as a cure-all for laptop security. Many organizations require that at least some systems be encrypted, especially those used by individuals who have access to sensitive or proprietary information. Taking this a step further, many organizations are moving towards a model in which all corporate-owned laptops are encrypted by default.

Once full-disk encryption is deployed, it is often assumed to be a black-box panacea for all data security issues. Like any tool or system designed for security, however, full-disk encryption is by no means bulletproof. Unfortunately, it is often implemented but rarely verified or tested. The vulnerabilities, configuration oversights and potential weaknesses of the different technologies and implementations are only infrequently discussed and, worse still, are rarely understood.

Terry Gold caught up with Tom Kopchak, a security researcher with Hurricane Labs, who demonstrated at Security B Sides in Las Vegas how he was able to subvert a popular full-disk encryption product in just a few minutes. Tom states that he did this because “one of our customers was interested in having us evaluate the security of their full disk encryption deployment as part of their regular penetration test schedule.”

Multi-factor authentication, such as smart cards, can be combined with full-disk encryption for a stronger, more secure solution.

What were you expecting to find going into this engagement?

I did not necessarily expect there to be any groundbreaking findings for this test, as the prospect of gaining access to a fully encrypted machine without any ancillary information seemed very unlikely. I am confident that anyone in my position who had been asked to do the same testing would have felt similarly.

What were your initial thoughts on strategy and how did you decide to approach the test?

The objective of the penetration test was to simulate an attack on my client’s encrypted data and ultimately see if and how I could be successful in decrypting it given the controls that they had in place. I decided to approach the entire penetration test as a forensic investigation. This was done to preserve the original state of the machine as evidence, which proved to be a critical step in the overall success of my work.

Before we get into details, can you highlight your technical approach?

Using drive images and a forensic write blocker, I was able to use several hard drives to create physical snapshots of the machine. After the initial drive image, the source drive remained untouched and, for all intents and purposes, uncompromised. All of my work was performed on a series of scratch disks.

And ultimately, what did you find?

Well, I was able to accomplish the objective. Further, I was able to take it from several hours down to just a few minutes. Also, moving away from reliance on knowledge-based credentials for Windows Login, such as passwords, can mitigate the attack. In part, going with a hardware token with PKI could have helped stop this particular attack.

Tell us how you simulated the attack.

The first stage of the test was reconnaissance; much like an actual attacker would approach an unfamiliar machine that they had obtained…

Read the full article at Secure ID News
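The acquisition workflow Tom describes above (image the source drive behind a write blocker, verify the image against the source, then do all analysis on scratch copies) can be scripted so that the integrity checks are explicit rather than implied. The block below is an added example for this post; it is not code from the original article or from Hurricane Labs. The source "drive" is a constructed 1 MiB file in a temporary directory, and the function names (`sha256_of`, `acquire_image`, `make_scratch`, `is_unchanged`, `run_demo`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or Hurricane Labs): a minimal
# forensic-style acquisition workflow. The "drive" is a constructed file in a
# temp directory; on a real engagement the source is a block device reached
# through a hardware write blocker.

sha256_of() {
    # Print the SHA-256 hex digest of a file (sha256sum if present, else shasum).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

acquire_image() {
    # Bit-for-bit copy of $1 (evidence) into $2 (master image), then verify the
    # image hash against the source hash. Records the verified hash in $2.sha256.
    # conv=noerror,sync keeps offsets aligned past an unreadable sector by
    # padding it; on a file source this means the size must be a multiple of bs.
    src=$1; img=$2
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    [ "$src_hash" = "$img_hash" ] || return 1
    printf '%s\n' "$img_hash" > "$img.sha256"
}

make_scratch() {
    # Clone the verified master image $1 into a working copy $2 and confirm the
    # clone matches the recorded master hash. All destructive work happens on $2.
    img=$1; scratch=$2
    cp "$img" "$scratch"
    [ "$(sha256_of "$scratch")" = "$(cat "$img.sha256")" ]
}

is_unchanged() {
    # Re-hash $1 and compare with the hash recorded in $2 (exit 0 = untouched).
    [ "$(sha256_of "$1")" = "$(cat "$2")" ]
}

run_demo() {
    # Constructed input: a 1 MiB pseudo-disk of random bytes standing in for the
    # encrypted laptop drive. Its hash is the baseline for the evidence.
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/source.disk" bs=512 count=2048 2>/dev/null
    sha256_of "$work/source.disk" > "$work/source.sha256"

    acquire_image "$work/source.disk" "$work/master.dd" || { rm -rf "$work"; return 1; }
    make_scratch "$work/master.dd" "$work/scratch1.dd" || { rm -rf "$work"; return 1; }

    # Simulate destructive analysis (overwrite part of sector 1) on the scratch copy only.
    printf 'TAMPERED' | dd of="$work/scratch1.dd" bs=1 seek=512 conv=notrunc 2>/dev/null

    # Evidence and master image must still hash to their recorded values; the
    # scratch copy must not.
    is_unchanged "$work/source.disk" "$work/source.sha256" || { rm -rf "$work"; return 1; }
    is_unchanged "$work/master.dd" "$work/master.dd.sha256" || { rm -rf "$work"; return 1; }
    if is_unchanged "$work/scratch1.dd" "$work/master.dd.sha256"; then rm -rf "$work"; return 1; fi

    rm -rf "$work"
    echo "source and master image intact; scratch copy modified as expected"
}

run_demo
```

On a real engagement the `dd if=` argument is the evidence device (for example `/dev/sdX` on Linux) attached through a hardware write blocker, or at minimum marked read-only with `blockdev --setro /dev/sdX` before anything touches it; acquisition tools such as dc3dd or dcfldd compute the hashes during the copy instead of in a second pass. The point the script makes explicit is the one Tom relies on: every step that could alter state runs against a clone whose hash was checked against the master image, so the original drive can always be re-imaged or re-verified.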

Copyright © 2021 · D6 Research · Terms & Conditions · Privacy · All Rights Reserved