SANS ISC: Pointsec Full Disk Encryption cracked

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Castor, one of our readers, wrote in to let us know about this article over at DarkReading.

Headline: LuciData successfully cracks a laptop encrypted with Pointsec Full Disk Encryption on behalf of corporate client

Copy and Paste from article:

"This simple attack takes advantage of the FireWire protocol and its ability to directly access and modify the RAM of a target machine with a FireWire port installed. Using a simple and readily available forensics software tool, it is possible to connect a FireWire cable to a computer, and within seconds bypass the Windows authentication and log in as a local administrator.

This attack is made possible because the operating system on the computer loads and boots directly into Windows without first asking for a Pointsec ‘preboot authentication’ password. Normally, with whole disk encryption, a user is required to enter a password immediately upon turning the machine on. That password is what unlocks the decryption key and allows the rest of the operating system to load and execute. This FireWire attack would not be successful in that case, because the attack requires that Windows already be up and running. In the circumstance of a properly configured encrypted computer, a stolen system that is powered off would be well protected from unauthorized access and this type of attack."

The workaround for this according to Pointsec (Checkpoint) is to have the administrators that have the Pointsec solution deployed in their networks to re-deploy it with the "Pre-boot authentication" enabled.

Joel Esler

http://www.joelesler.net