alien8 (Member, join:2004-03-03, UK; 2 edits)

PGP, TrueCrypt-encrypted files CRACKED by £300 tool

ElcomSoft has built a utility that forages for encryption keys in snapshots of a PC's memory to decrypt PGP and TrueCrypt-protected data...

ElcomSoft's gear can extract these decryption keys from a copy of the computer's memory, typically captured using a forensic tool or acquired over Firewire. Once it has the key, the protected data can be unlocked.

Source:

»www.theregister.co.uk/20 ··· pts_pgp/

Kilroy (MVM, join:2002-11-21, Saint Paul, MN)

The main thing is that the computer has to either be on or have hibernation enabled. If neither of those is met, and the password is good, then the data is still secure.

morbo (Member, join:2002-01-22)

"Coincidentally, I looked at the Truecrypt website yesterday and noted that it said on the site that it does on-the-fly encrypting and decrypting, which means that the key must be in the RAM."
OZO to alien8 (Premium Member, join:2003-01-17)

I'm not running the latest version of TrueCrypt, but doesn't it have an option to forget (erase) the password when the computer goes to hibernate, standby, etc.? It seems logical to me...

THZNDUP (Premium Member, join:2003-09-18, Lard; 1 recommendation)

For 7.0a, it's actually 'Dismount all when: entering power saving mode' along with 'Wipe cached passwords on auto-dismount'. Two different options.

Blackbird to alien8 (Premium Member, join:2005-01-14, Fort Wayne, IN; 2 recommendations)

I'm trying not to be too picky about wording, but how does one "crack" PGP or TrueCrypted files if they've simply found a way to retrieve the actual encryption key independently of the files themselves? I think that process really falls into the realm of ordinary "decryption", not "cracking"... unintentional or not.
TheMG (Premium Member, join:2007-09-04, Canada; 1 recommendation)

said by Blackbird:

I think that process really falls into the realm of ordinary "decryption", not "cracking"... unintentional or not.

Agreed. They aren't cracking anything, just decrypting the information using a key that they've been able to extract.

It would be like finding a hidden spare key to unlock the door on someone's house, then claiming you've "picked" the lock. No, you've simply unlocked it using a key.

KodiacZiller to alien8 (Premium Member, join:2008-09-04; 1 recommendation)

Encryption keys can be extracted from the RAM of a running machine. In other news, the sky is blue.

sivran (Premium Member, join:2003-09-15, Irving, TX)

Indeed, I thought this has long been known to be possible.

Steve (join:2001-03-10, Tustin, CA)

said by sivran:

Indeed, I thought this has long been known to be possible.

The news is not that it's possible; the news is that there's a readily-available commercial tool that packages up the smarts required to pull it off for Joe End User.

ashrc4 to alien8 (Premium Member, join:2009-02-06, Australia)

I guess caution when letting someone borrow your laptop etc. comes into play here.

EGeezer to alien8 (Premium Member, join:2002-08-04, Midwest)

I believe EnCase can do the same thing with its memory dump features.

Ian1 to alien8 (Premium Member, join:2002-06-18, ON)

I understood this to be possible for years as well. The "news" is that this company wants to sell their tool and got some free publicity.

Physical security of your computer is important as well. If you really need to secure information on your PC, you can make sure you power it completely off when it's unattended by you, or unmount encrypted drives. If a TrueCrypt drive is mounted, they can just copy the files to a flash drive if they have access to your machine.

The Snowman to KodiacZiller (Premium Member, join:2007-05-20)

KodiacZ... be so kind as to explain to the boys and girls what happens to "RAM" once a computer is turned off... not so sure some of them understand.

______________________________

TOWIT:

This topic title is incorrect... PGP, TrueCrypt IS NOT cracked by the mentioned tool... other posters have correctly pointed this out as well...
And no, this is not at all new... of course this is not a subject the average computer user would be "up" on...

angussf to Kilroy (Premium Member, join:2002-01-11, Tucson, AZ)

said by Kilroy:

The main thing is that the computer has to either be on or have hibernation enabled. If neither of those is met, and the password is good, then the data is still secure.

In the current version of TrueCrypt (7.1a) you are protected against this if you have whole-disk encryption enabled and the hibernation file is on an encrypted partition.
TrueCrypt - Free Open-Source Disk Encryption Software - Documentation - Hibernation File
»www.truecrypt.org/docs/h ··· ion-file
Note: The issue described below does not affect you if the system partition or system drive is encrypted* (for more information, see the chapter System Encryption) and if the hibernation file is located on any of the partitions within the key scope of system encryption (which it typically is, by default), for example, on the partition where Windows is installed. When the computer hibernates, data are encrypted on the fly before they are written to the hibernation file.

When a computer hibernates (or enters a power-saving mode), the content of its system memory is written to a so-called hibernation file on the hard drive. You can configure TrueCrypt (Settings > Preferences > Dismount all when: Entering power saving mode) to automatically dismount all mounted TrueCrypt volumes, erase their master keys stored in RAM, and cached passwords (stored in RAM), if there are any, before a computer hibernates (or enters a power-saving mode). However, keep in mind, that if you do not use system encryption (see the chapter System Encryption), TrueCrypt still cannot reliably prevent the contents of sensitive files opened in RAM from being saved unencrypted to a hibernation file. Note that when you open a file stored on a TrueCrypt volume, for example, in a text editor, then the content of the file is stored unencrypted in RAM (and it may remain unencrypted in RAM until the computer is turned off).

Note that when Windows enters Sleep mode, it may be actually configured to enter so-called Hybrid Sleep mode, which involves hibernation. Also note that the operating system may be configured to hibernate or enter the Hybrid Sleep mode when you click or select "Shut down" (for more information, please see the documentation for your operating system).

To prevent the issues described above, encrypt the system partition/drive (for information on how to do so, see the chapter System Encryption) and make sure that the hibernation file is located on one of the partitions within the key scope of system encryption (which it typically is, by default), for example, on the partition where Windows is installed. When the computer hibernates, data will be encrypted on the fly before they are written to the hibernation file.
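As an added example (not from the thread and not from the TrueCrypt documentation angussf quotes), the PowerShell audit below checks, read-only, the conditions that documentation warns about: whether hibernation is on, whether hiberfil.sys exists on the system drive, whether "Sleep" is really hybrid sleep (which also writes RAM to the hibernation file), and whether "Shut down" hibernates instead of powering off (Fast Startup, Windows 8 and later). The registry values HibernateEnabled and HiberbootEnabled and the powercfg aliases SCHEME_CURRENT, SUB_SLEEP and HYBRIDSLEEP are real Windows names; the function name and output shape are this example's own. Whether the system partition is inside TrueCrypt's system encryption cannot be read from PowerShell, so a flagged finding means "confirm that system encryption covers the hibernation file", not "you are exposed".

```powershell
# Added example: read-only audit of hibernation-related exposure of RAM contents.
# Assumes Windows, powercfg.exe on PATH; run elevated so every registry read succeeds.

function Get-HibernationExposure {
    [CmdletBinding()]
    param()

    # HibernateEnabled is the value behind "powercfg /hibernate on|off".
    $powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $hibernateValue = (Get-ItemProperty -Path $powerKey -Name HibernateEnabled `
                           -ErrorAction SilentlyContinue).HibernateEnabled
    $hibernateEnabled = ($hibernateValue -eq 1)

    # The hibernation file always lives in the root of the system drive.
    $hiberfil = Join-Path $env:SystemDrive 'hiberfil.sys'
    $hiberfilPresent = Test-Path -LiteralPath $hiberfil

    # Hybrid sleep setting of the active power scheme. powercfg prints lines like
    #   "Current AC Power Setting Index: 0x00000001"   (1 = hybrid sleep on)
    $hybrid = @{ AC = $null; DC = $null }
    $query = & powercfg.exe /query SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 2>$null
    foreach ($line in $query) {
        if ($line -match 'Current (AC|DC) Power Setting Index:\s*0x([0-9A-Fa-f]+)') {
            $hybrid[$Matches[1]] = ([Convert]::ToInt32($Matches[2], 16) -eq 1)
        }
    }

    # Fast Startup (Windows 8 and later): "Shut down" writes the kernel session,
    # drivers included, to hiberfil.sys instead of powering off cold.
    $sessionKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
    $fastStartup = (Get-ItemProperty -Path $sessionKey -Name HiberbootEnabled `
                        -ErrorAction SilentlyContinue).HiberbootEnabled -eq 1

    $findings = New-Object System.Collections.Generic.List[string]
    if ($hibernateEnabled -or $hiberfilPresent) {
        $findings.Add("Hibernation enabled or $hiberfil present: RAM, volume master keys included, is written to disk on hibernate unless system encryption covers that partition.")
    }
    if ($hybrid.AC -or $hybrid.DC) {
        $findings.Add('Hybrid sleep is on: "Sleep" also writes memory to the hibernation file.')
    }
    if ($fastStartup) {
        $findings.Add('Fast Startup is on: "Shut down" hibernates the kernel session rather than clearing memory.')
    }

    [pscustomobject]@{
        HibernateEnabled = $hibernateEnabled
        HiberfilPresent  = $hiberfilPresent
        HybridSleepAC    = $hybrid.AC
        HybridSleepDC    = $hybrid.DC
        FastStartup      = $fastStartup
        Findings         = $findings.ToArray()
    }
}

Get-HibernationExposure | Format-List
```

An empty Findings array together with TrueCrypt's "Dismount all when: Entering power saving mode" and "Wipe cached passwords on auto-dismount" options (mentioned by THZNDUP above) is the state the quoted documentation describes as safe; the audit deliberately does not change anything.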

Boricua to alien8 (Premium Member, join:2002-01-26, Sacramuerto)

I'm using TrueCrypt right now with a very strong password. Looks like I'll have to take a look at my settings and check their website for updates.

dsilvers to alien8 (Member, join:2009-05-17, Canyon Lake, TX)

said by elcomsoft site:
Three Ways to Acquire Encryption Keys

•By analyzing the hibernation file (if the PC being analyzed is turned off);
•By analyzing a memory dump file *
•By performing a FireWire attack ** (PC being analyzed must be running with encrypted volumes mounted).


•Turn off hibernation in power settings then delete the hibernation file. If hibernation is off the system will not rebuild the file.

•Open TrueCrypt > Settings > Preferences > Uncheck Cache passwords in driver memory. If I remember correctly that is a default setting.

•Disable any FireWire ports in network connections. Open TrueCrypt > Settings > Preferences > Check everything under Auto-Dismount.

•Don't run as administrator and most importantly use strong passwords.

•If the black helicopters start circling pull the plug.

This is mostly snake oil. They use a CUDA-based password cracker, BFD; use a strong password. They use some marketing buzz at their site that would make some think encryption was vulnerable, such as "near 100% results".

As others have mentioned there is nothing new here. On the other hand I suppose you can become vulnerable if you try hard enough.

MaynardKrebs to alien8 (Premium Member, join:2009-06-17)

Can anyone familiar with FileVault2, PGP, & TrueCrypt offer any observations on the protection of keys if you simply kill the power to your computer when you hear the flashbangs go off? i.e. what, if anything, is recoverable by a LEO when volumes are not gracefully dismounted and shut down?

Kilroy (MVM, join:2002-11-21, Saint Paul, MN)

said by MaynardKrebs:

Kill the power to your computer when you hear the flashbangs go off?

You obviously have no experience with a flashbang. When they go off you're not going to be killing the power as it won't even be a thought.

MaynardKrebs (Premium Member, join:2009-06-17)

said by Kilroy:

said by MaynardKrebs:

Kill the power to your computer when you hear the flashbangs go off?

You obviously have no experience with a flashbang. When they go off you're not going to be killing the power as it won't even be a thought.

One could be in the next room, upstairs, in the basement, or the "safe" room, or your "Tempest" room... plenty of time to pull the plug.

Kearnstd to alien8 (Premium Member, join:2002-01-22, Mullica Hill, NJ)

This is not cracking, really; it is more like finding the keys under the welcome mat.

dsilvers to MaynardKrebs (Member, join:2009-05-17, Canyon Lake, TX; 1 edit)

said by MaynardKrebs:
Can anyone familiar with FileVault2, PGP, & TrueCrypt offer any observations on the protection of keys if you simply kill the power to your computer when you hear the flashbangs go off? i.e. what, if anything, is recoverable by a LEO when volumes are not gracefully dismounted and shut down?

Software likes an orderly shutdown to correctly close everything that is running. Without that it is possible to suffer corruption and lose anything you were working on. If your system hangs it is better to use the power button, as it is more equivalent to using the start menu shut down button.

When you hear the flashbangs and pull the plug you will experience an extremely disorderly shutdown. Everything simply stops working and your RAM will clear in a few minutes. If that three letter agency is using flashbangs they already have enough on you to make life miserable.

I suppose you could still be vulnerable to a cold boot attack. If time permits it might be better to click > dismount all, as TrueCrypt can overwrite encryption keys in memory if the settings are correct. I am not familiar with PGP or FileVault2.

Edit: spelling

dsilv3rs to dsilvers (Anon, @anonymouse.org)

One can disable the IEEE 1394 host controllers once and for all if you don't need them: go to Device Manager, right-click IEEE 1394 host controllers, disable. Now when the forensics tool plugs into your FireWire port at the lock screen, the OS simply has no response.
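As an added example (not from the thread or from TrueCrypt), the PowerShell function below does from a script what dsilvers' bullets and dsilv3rs' Device Manager step describe by hand: disable every IEEE 1394 host controller (Device Manager's "IEEE 1394 host controllers" node is device class "1394"), and optionally turn hibernation off, which makes Windows remove hiberfil.sys itself. It assumes Windows 8.1 or later, where the PnpDevice module supplies Get-PnpDevice and Disable-PnpDevice, and an elevated prompt; the function and parameter names are this example's own. The -WhatIf switch lets you see what would change before anything is touched.

```powershell
# Added example: disable FireWire (IEEE 1394) host controllers and, optionally,
# hibernation. Assumes Windows 8.1+ (PnpDevice module) and an elevated prompt.
#Requires -RunAsAdministrator

function Disable-DmaAndHibernationExposure {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Also turn hibernation off (dsilvers' first bullet). Off by default so a
        # user whose system drive is encrypted can keep hibernation.
        [switch]$DisableHibernation
    )

    # Device Manager's "IEEE 1394 host controllers" node is device class "1394".
    $controllers = @(Get-PnpDevice -Class '1394' -ErrorAction SilentlyContinue)
    if ($controllers.Count -eq 0) {
        Write-Verbose 'No IEEE 1394 host controllers found; nothing to disable.'
    }
    foreach ($dev in $controllers) {
        # Status 'OK' means enabled and working; anything else is already off or faulty.
        if ($dev.Status -eq 'OK' -and
            $PSCmdlet.ShouldProcess($dev.FriendlyName, 'Disable IEEE 1394 host controller')) {
            Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
        }
    }

    # "powercfg /hibernate off" both disables hibernation and deletes hiberfil.sys,
    # so there is no separate file to remove afterwards.
    if ($DisableHibernation -and
        $PSCmdlet.ShouldProcess('hibernation', 'Turn off (also removes hiberfil.sys)')) {
        & powercfg.exe /hibernate off
    }

    # Report the resulting state so the change can be verified, not just assumed.
    [pscustomobject]@{
        Controllers     = @(Get-PnpDevice -Class '1394' -ErrorAction SilentlyContinue |
                              Select-Object FriendlyName, Status, InstanceId)
        HiberfilPresent = Test-Path -LiteralPath (Join-Path $env:SystemDrive 'hiberfil.sys')
    }
}

# Dry run first; drop -WhatIf to apply.
Disable-DmaAndHibernationExposure -DisableHibernation -WhatIf
```

After a real run, each controller in the Controllers list should report a Status other than 'OK' and HiberfilPresent should be False. Disabling the host controller removes the device that grants a FireWire peer direct memory access, which is why this closes the "memory acquired over FireWire" path the article describes regardless of whether the lock screen is up; the TrueCrypt preferences dsilvers lists (password caching off, auto-dismount on) still have to be set in TrueCrypt itself.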

ashrc4 to The Snowman (Premium Member, join:2009-02-06, Australia)

said by The Snowman:

This topic title is incorrect... PGP, TrueCrypt IS NOT cracked by the mentioned tool... other posters have correctly pointed this out as well...
And no, this is not at all new... of course this is not a subject the average computer user would be "up" on...

Nor would it be the only TOOL on the market.

EGeezer to MaynardKrebs (Premium Member, join:2002-08-04, Midwest)

said by MaynardKrebs:

Can anyone familiar with FileVault2, PGP, & TrueCrypt offer any observations on the protection of keys if you simply kill the power to your computer when you hear the flashbangs go off? i.e. what, if anything, is recoverable by a LEO when volumes are not gracefully dismounted and shut down?

The present recommendation for first responders who find it necessary to power down a computer is to pull the plug.

Kilroy (MVM, join:2002-11-21, Saint Paul, MN)

said by EGeezer:

The present recommendation for first responders who find it necessary to power down a computer is to pull the plug.

My Google-fu is weak this morning, no coffee yet, but there is a product that is basically a UPS that you plug into another socket in line with the computer so that you can remove power and keep the machine running. So, it charges when plugged in, and when power is lost it reverses power direction to supply power to the circuit. It has been out for a few years.

Ian1 to alien8 (Premium Member, join:2002-06-18, ON)

Correct me if I'm wrong, but if you check the box below about un-mounting when entering a power saving state, this should theoretically wipe keys from memory before a memory dump file was taken, right?