

haroldo

join:2004-01-16
united state
kudos:1

[Security] Mac FileVault 2's full disk encryption can be broken

(full disclosure...article is from a web site of a company that sells antivirus software, so...)

quote:
Mac FileVault 2's full disk encryption can be broken in less than 40 minutes

by Joshua Long on February 2, 2012

California-based forensics software vendor Passware has released the latest version of its toolkit, which the company claims can bypass Apple's FileVault 2 disk encryption "in minutes," as well as volumes encrypted with TrueCrypt.

The software is reportedly able to capture the contents of a computer's memory via FireWire (also known as IEEE 1394 or i.LINK), analyze the memory dump, and extract the encryption keys. Passware claims that the software can recover passwords from decrypted Mac OS X keychain files as well.

Previous and current versions of Passware's software are also able to bypass Microsoft's BitLocker encryption which is built into some editions of Windows.

Although Passware seems to mainly market its software to government and law enforcement agencies and military organizations, anyone with US $795 can purchase an edition of Passware Kit that includes these features. Interestingly, Passware also lists Apple, Microsoft, Intel, and several other major tech companies among its customers...

»nakedsecurity.sophos.com/2012/02···-broken/

Daemon
Premium
join:2003-06-29
Berkeley, CA

Re: [Security] Mac FileVault 2's full disk encryption can be bro

So if the police break down my door, I should force power off my MBA ASAP.
--
-Ryan
I use Linux, OS X, iOS and Windows. Let the OS wars die.


haroldo

join:2004-01-16
united state
kudos:1
Millions of computers are left turned on by the owners.

Gaining physical access to a computer that's powered on is not a difficult task.


Fronkman
An Apple a day keeps the doctor away
Premium
join:2003-06-23
Saint Louis, MO

1 recommendation

reply to haroldo
I am amused that the OSX cracking software costs $800 while the Windows version is $40.

Are they trying to price their software on par with Apple's pricing standard, or was it just that much easier to crack Windows that they can't justify a higher price...
--
Everyone should own a Mac! Go Bucks!


Fronkman
An Apple a day keeps the doctor away
Premium
join:2003-06-23
Saint Louis, MO
reply to haroldo
Also of note:

A couple of quick changes to prevent someone from accessing your computer's RAM via the FireWire DMA attack.

»www.frameloss.org/2011/09/18/fir···ryption/

Following those few steps means that the only way your RAM contents can be dumped is if it is logged in and not locked, or if you have logged in and then logged out and it is sitting at the login screen (and thus is past the FileVault preboot screen).

Also important to note: these people have not "decrypted" the encrypted disk, they just found a bug.
--
Everyone should own a Mac! Go Bucks!

Daemon
Premium
join:2003-06-29
Berkeley, CA
1 edit
reply to haroldo
If you read the linked article, the exploit is stupidly simple. Just dump memory and grep the password, which is returned as plain text. Since my Mac is set to prompt for password on wake from sleep, it appears I would be invulnerable to this particular attack unless the raiding enforcement team preserved my computer and did not let it go idle for more than a few minutes or let it sleep. A smart hacker would only have to close the lid, or, if running closed on an external monitor, pull the power cable.

I went reading the pmset man page after reading the linked article and found this gem:

We do not recommend modifying hibernation settings. 
Any changes you make are not supported. 
If you choose to do so anyway, we recommend using one of these three settings. 
For your sake and mine, please don't use anything other 0, 3, or 25.
 

--
-Ryan
I use Linux, OS X, iOS and Windows. Let the OS wars die.
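
The three hibernation values named in the pmset excerpt above (0, 3, 25) differ in whether RAM stays powered while the machine sleeps, which is the relevant point when the worry is key material sitting in memory. The following check is an added example, not part of the thread or of any Apple tooling; the function names are hypothetical, the sample input is constructed, and the "Battery Power:" / "AC Power:" section layout of `pmset -g custom` output is an assumption.

```shell
#!/bin/sh
# Added example: report, per power source, whether sleep leaves RAM powered.
# Reads `pmset -g custom` style text on stdin. Assumed layout: a header line
# such as "AC Power:" followed by indented "key value" lines.
audit_hibernatemode() {
    awk '
        /^[A-Za-z].*:[ \t]*$/ {          # section header, e.g. "AC Power:"
            sub(/:[ \t]*$/, ""); src = $0; next
        }
        $1 == "hibernatemode" && NF >= 2 {
            mode = $2; seen = 1
            # String comparisons so that junk values never match by accident.
            if (mode == "0" || mode == "3") ram = "powered"      # RAM kept alive in sleep
            else if (mode == "25")          ram = "off"          # image on disk, RAM unpowered
            else                            ram = "unsupported"  # outside 0, 3, 25
            printf "%s: hibernatemode=%s ram_in_sleep=%s\n", \
                   (src == "" ? "current" : src), mode, ram
        }
        END { if (!seen) print "hibernatemode not found" }
    '
}

# Constructed sample input (not captured from a real machine).
sample_pmset_output() {
    cat <<'EOF'
Battery Power:
 lidwake              1
 hibernatemode        25
 sleep                10
AC Power:
 lidwake              1
 hibernatemode        3
 sleep                0
EOF
}

# On a Mac, audit the live settings; elsewhere, show the constructed sample.
if command -v pmset >/dev/null 2>&1; then
    pmset -g custom | audit_hibernatemode
else
    sample_pmset_output | audit_hibernatemode
fi
```

A result of `ram_in_sleep=powered` means a sleeping machine still holds its memory contents; the check says nothing about a machine that is awake or sitting at the login screen.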