I should get around to getting subscribed under the same email
address micronet and to ucb-security. Anyway:
Supposed software to "recover" EFS secured data:
http://www.crackpassword.com/products/prs/mswin/efs/
Possible Ideas on bypassing EFS:
http://www.geocities.com/babarnazmi/EFS.html
http://www.windowsitpro.com/Article/ArticleID/25484/25484.html
Windows EFS in Win2k used 3DES as I recall, recent patchlevels
of XP support DESX and AES256. So, brute force attacks on the
key itself should be harder in Win XP.
Just doing a quick Google search, some of this should get a
"reality check" somewhere just for the hell of it.
--Jon
"Ryan L. Means" <rmeans@law.berkeley.edu> wrote:
: Sorry for replying to myself here, but to clarify, resetting passwords (rather
: than changing them yourself) actually invalidates encryption keys. If you reset
: a password you need to create a new encryption key. Try it yourself: Go into
: "Computer Management" in XP and try to change the password for an account. Read
: the warning message about what will be lost if you do it.
:
: Ryan
:
: On 3/30/2005 10:38 AM, Ryan L. Means wrote:
: > Alex,
: >
: > I believe that the original Administrator password is used as the
: > passphrase for the EFS recovery key, so using NTAccess will not give you
: > access to the recovery key. It can replace the Administrator password in
: > the SAM with a new one, but it can't change the passphrase on the
: > recovery key without knowing the original. That is of course the
: > official line from Microsoft and I have not verified it. :)
: >
: > Ryan
: >
: >
: > On 3/30/2005 10:26 AM, Alexander Brown wrote:
: >
: >> Maybe I'm missing something about EFS, but it seems to me that it's
: >> not really all that useful in preventing a data-loss-by-physical-theft
: >> problem, if you have a clueful attacker who is really after the data.
: >>
: >> For example:
: >>
: >> 1) Evil bad guy steals XP laptop with encrypted sensitive data on it,
: >> in order to acquire the data.
: >>
: >> 2) Evil bad guy breaks the administrator password on the laptop, using
: >> NTAccess or similar.
: >>
: >> 3a) Evil bad guy uses administrator credentials to recover the
: >> encryption key and decrypt data, and goes off and sells the data to
: >> the mafia.
: >>
: >> OR
: >>
: >> 3b) Somewhat lazier evil bad guy uses administrator credentials to
: >> reset the password on the account that owns the encrypted data, logs
: >> in with the account of the data owner, and goes off and sells the data
: >> to the mafia.
: >>
: >> I'm not convinced that EFS would be a substantial barrier to
: >> information disclosure in a situation like the recent laptop
: >> incident. Others may, just possibly, disagree... :>
Received on Wed Mar 30 11:15:00 2005