The computer is taking the copious amount of time it does to boot. I'll start with some giveaways. I've got some stress balls for everybody, if anybody wants some. Here, I got some other stuff too, so it takes up the extra time. There's some key chains with pocket knives in them too, so don't cut each other up. Okay, there you go. All right. Well, my machine should finish booting up here any second. I don't want to carry this home, so take it all. Okay, I don't want to carry any of it back with me.

All right, well, what I'm gonna show you today, just so I can set your expectations: everything I'm gonna be demoing to you today is relatively simple. If you are writing your own exploits, if you're doing all sorts of fancy cool stuff, then you're probably in the wrong place. I'm doing a lot of penetration testing and physical security for machines. Really my focus for the talk, and actually what I do in real life, is protecting physical machines: somebody comes, sits down at your machine, wants access to your machine, and making sure that they don't get on there. I think that's it for the giveaway. Sorry about that, too late, too slow.

Anyway, let me show you, let me bring my slides up now. We good on the other systems? All right. What I'm gonna show you today, here we go. Still being slow. Oh, the resolution of my monitor doesn't match up. Hey, thank you. It's wonderful when you get to do your first dry run with the AV equipment right when you're doing the presentation. It's always a plus. Let me change that, if my machine decides that it wants to do that too. Yeah, ten minute startup sequence, exactly. That looks a little bit better. There we go. Yeah, I know, too much tray. All right. Let's see if the tray will do 1024. We'll do 800. All right. Here we go. Let's just get going. I've got a lot of junk, don't I? See, I should sing or something. Yeah, exactly. Boring lull. You can tell I was on the DEFCON network today. Switch over here.
So what I'm gonna do today is show you basically some lame security methods for protecting information on your machine. Who am I, what am I, all that good stuff. The audience: I already told you I'm gonna show you pretty basic stuff. This is not rocket science. I would know that; I do have a degree in astrophysics. So it is not rocket science. However, this is all crap, just basic stuff, but most of the people in business in the real world don't understand even one or two of these things, although a lot of you may already.

Who am I? I'm Brian Glancy. I already mentioned that. I run a professional services team in the United States to deploy security countermeasures to different companies. Let's just leave it at that. Told you what I do. What am I gonna do today? I already told you about that. I'm going to show you some of the different... I'm not gonna show you anything, since the switch decided to go out. Good.

My agenda for today: I'm gonna show you some bad security measures. I'm gonna show you some stupid things that are built and sold to all sorts of companies, even today, as security, and are basically stupid. They're only security against really dumb people. They really give you no protection, no method of keeping your information safe, nothing like that. And towards the end I'll also mention some things that you can do about it, some ways that you can actually keep your stuff secure and manage to keep other people out of your machine, so when you get raided by the Feds, they can't actually take all your kitty porn off your machine and all that good stuff. I'm also going to talk a little bit about information gathering tools.
I'm gonna talk really simple stuff: sector editors, in case you guys aren't familiar with them. Very simplistic; show you how they work, show you how you can garner information from them. You know, they actually give classes on this stuff, which is kind of scary, as forensic investigation tools. I'm just going to show you some basic things about how they work, what they do, what sort of information you can find, and also why most of the security products that are sold don't protect at all against most things like that. Then I'll talk a little bit about countermeasures.

So where did this presentation come from? I've been to DEFCON for the last four years. I do a lot of speaking, not usually here; this is my first time speaking at DEFCON, but I do a lot of speaking at security conferences for the industry, for business, and things like that. And I always come to DEFCON, and last year Bruce was a little bit more animated than he was this year, and he had a lot to say about stupid security systems. So I thought about making up a presentation about different things that are sold to people, you know, by our friends at anybody from Microsoft to all different sorts of companies, that pass for security products but actually do no security whatsoever, because they either have bad implementations or they don't really protect any information. And the thing that gave me the title for my speech is really not the TV show, believe it or not, but Bruce's book Secrets and Lies, which has got a lot of stuff in it about your security only being as strong as your weakest link.

I want to start off with a statement that was recently circulated all over the place; a lot of people called me and asked me about it, and a lot of companies have brought it up. This statement is from Microsoft; this is cut right off their website. I have the URL for it posted at the bottom. Basically what their point was, they were getting nailed all the time
about EFS. I know most of you have probably installed or played with or looked at EFS, and they were getting nailed constantly because people were saying, well, EFS is not really secure. There's so many tools out there that I can break it with, there's easy ways to circumvent it, I can steal the certificates, I can attack it in a number of different ways. And Microsoft basically came back with this response, and what they basically said is, if you have physical access to the machine, there is absolutely nothing that can be done to keep you out of the machine. Which is not true. There are solutions that you can use to secure your operating system, whether it be something like the steel, or secure your access to the machine, and there's a lot of different people that have products and different pieces that do that. But Microsoft of course does not see that, and they named a new set of security laws called the Ten Immutable Laws of Security. Now, in case anybody doesn't know what immutable means, and I didn't know, I had to go look it up: unchanging or unchangeable. So they had the balls to do a press release about this to the whole world and say that there was no way that anybody could ever guarantee, if they have physical access to the system, that you cannot have access to all the information on that system. Which I think is rather a stupid thing to say, but here's the law: if a bad guy has unrestricted physical access to your computer,
it's not your computer anymore. Well, I would agree that it's not your computer, but I would say it's still your information. I would hope that if somebody comes into my house and takes my computer, the information is still mine and they're not going to be able to just take it off there and do whatever they want with it, or, you know, interpret it in any way. Microsoft followed up with: if the attacker has physical access to your machine, they can get all the data they want and you have no method of defense. And I say, develop a little bit better security and then they will have a little bit of defense.

So who cares about this problem? Who cares about information on machines? Well, I definitely care about it, and I think that anybody cares about it that uses their computer at home or at work for confidential business or personal use. If you have documents, medical records, whatever they may be, correspondence on your machine that you don't want somebody to be able to use your computer to get at if they take your computer, then you care about what happens if somebody has physical access to your machine. If you travel with a laptop, like a lot of people do these days, if your machine is stolen, how are you going to know that nobody has
that information? Now, all of you have probably seen all the wonderful hacking news in the media about things like, you know, executives at Qualcomm losing their laptop and having beyond-secret information about the running of the security infrastructure of the United States on there, all different sorts of people from financial institutions losing your credit card numbers that are on their machines, and all those wonderful, great things that happen. You know, I think that there's a lot of different security that can be done to prevent this, but of course we have to be educated, and companies have to be educated to know that we require this of them, that they keep our information confidential and that they actually take security measures to make it so not just anybody can get into anything they want.

Okay, so now we get around to some demos. We're heading in the right direction now, and hopefully the KVM is going to work when I go to switch. What we're going to demo... it is hot, wow. What we're going to demo, we're going to demo stuff about BIOS passwords. I see a lot of people that use BIOS passwords. They are the stupidest friggin' thing ever invented in the world. I have no idea why anybody would ever use them, or what the purpose of them was, or what the person that wrote them was actually thinking. And I think the most hilarious thing about it is that the people that wrote the BIOS password utilities quite often are the same people that had to write, for their companies, the BIOS reset utilities for when a user forgets his password: you can reset the BIOS to a blank password. It's a really useful security measure when you can actually reset it at your whim. So we're going to show a little bit about that. Then I'm going to show a little bit about boot locks.
Some of you may have seen... there's a lot of different boot lockers out there. There was a product out there that I used to love to rip up, by Norton/Symantec, called For Your Eyes Only, that sucked and was just basically a feeble attempt at security that you could hack really easily. They're gone now, they went out of business, but there are still a lot of other ones. The one that I'm going to hack I actually bought last week, and you're going to see it's pretty dumb. Then we're going to talk a little bit about file level passwords, any password prompt that comes up to you inside Windows, and what the problems with those are. And then I'm going to talk a little bit about EFS and what the problems with EFS are.

Okay, so our first demo is BIOS passwords. Let me see what we've got over here with our machines. Let's see, this computer. We need the... Thank you to my wonderful helpers, by the way, for helping me out to run this whole thing and put it all together kind of quickly. Put the keyboard... All right, so a BIOS password. What does it look like? Let's see if we can switch over. I'm sure you've all seen them, assuming the KVM decides it wants to switch. What cable is that for? One second. Yeah, it's doing it right now. Thank you. There we go. That's what a BIOS level password looks like. Pretty easy to use, pretty dumb, it just comes up. So as you turn the machine on, this is the prompt that you get. A lot of machines have different levels of BIOS passwords. They have a BIOS password that comes on for access to information, and they also have a BIOS level password for changing any of the information in the BIOS. Well, so what do we do about this if we are an attacker and we want to get the information off this machine? How difficult is it? Well, I've got another machine right here.
We have a keyboard for this guy. Okay, too much equipment for one place. Not yet, but it will be by the end of the day. Actually, mail it to bry@pointsec.com and I'll mail it to you, or I'll mail you the URL.

Okay, so we have our BIOS password up. We want to get the information off that machine. Well, how do we do it? Well, I've got another machine that's just like it right here. All right. I want to take the information off this. I take the machine; I'm visiting a company, I'm doing whatever, I want the information off there. I pop the drive out, it takes me a couple seconds, comes right out in one hand. Turn off my other computer, and as you all know, as soon as I plug this drive in here, the BIOS password is not going to port with the machine. The BIOS password is localized only to that machine. It's not localized to the hardware.

Now, that's a very good point, very good question: there are a couple companies out there that make encrypting hard drive controllers that link, and those companies are doing a very good job. One of them is IBM. They have a link encrypting controller, and that encrypting controller links to your BIOS password, and that's not bad. But the only big problem about it is what happens when you lose your password. That's not a good situation. So anyway, see if I can toggle systems now to this. This is my BIOS password system. So as I plug the drive into another machine, it comes right up. Actually, I had a CD in there, so it actually booted to the CD. That's the next one of the other demonstrations, but it will boot directly to the machine. So basically, BIOS passwords don't protect any of the information on the machine. They don't encrypt the information on the machine, except for the specialized BIOS encrypting passwords. This one just booted right up. Now, this is a wussy 98 machine, I know. I just use it for demonstration. Now, here we go.
Let's switch back to the presentation machine here. Okay, so BIOS passwords: random people can't just sit down at your computer and use it. The bad part is, what happens when you forget your password? One bad thing: what you have to do is reset your BIOS or pull the battery off your motherboard; that's the other thing you can do. Now the other question is, you can wipe... what am I looking at here? It can be wiped through motherboard access; we talked about that. You move the drive to another machine, which is what we just did, and you have full access to the machine. Check the web for BIOS password crackers; there's also a lot of BIOS password crackers out there. So basically that's no security at all. So BIOS passwords are stupid.

Okay, boot lock. This boot lock program that I'm going to demonstrate to you today is freely available on the web, or I shouldn't say freely available; I paid $29.95 for it, actually. And what it basically does is it prevents the normal booting of a machine by intercepting your boot sector. Now, for any of you that know how hard drives work: when you turn on your machine, as soon as you turn it on, it reads your master boot record. You read your master boot record, determine what your active partition is, and then read that active partition, that partition which is marked active, and read the boot code off the boot sector at the beginning of that drive.
That's where this whole thing comes into play. They actually start up as soon as you try to load from that drive, and they prevent you from just getting in. They look pretty simplistic. All they do... yeah, good, all they really do is, when you boot them up, they give you a password prompt. Some of them have passwords for multiple people. They have the ability to let administrators get in, they have the ability to do all different sorts of cool things like that. The real problem is, they don't have anything linking, any security linking to them on the back end, that would prevent you from bypassing them. You could do anything from rewriting the boot sector, which is really easy, to just booting off of a disk, which is really the easiest thing to do in this situation. You can take a boot floppy, you drop a little sucker in there, it'll come right up and it'll work for you. Let me show you what these guys look like too.

Hey, it's deciding to work a little quicker now. Three. Three is not working yet. Is that four or three? Four? Sorry about that. Whatever. Yeah, blah. Oh, that's our BIOS password. Oh, okay. Yeah, let me switch it. All right, here we go. That was taking so much longer. All right, so here's my computer booting up off the hard drive, and the first thing that we get is the intercepted boot code, and it prompts us with the BIOS password, pardon me, the boot locker password. Now, this password is a little bit better than the BIOS one that we just tried to defeat, in that it is ported with the hard drive. It's actually modifying the hard drive. So if we take the drive out, we're still going to have this security when we go on to the next computer. But it's not really any better, because if we put a floppy disk in, which I think we have our floppy disk right... Is this bootable? No, it doesn't matter. As soon as we boot it to a floppy, it's going to come up. Oh, you're right.
Oh, that's the machine. As soon as we boot it to a floppy, we can have all of the information out of it, because we're not actually encrypting the information, protecting the information, or protecting the partition table, or any of that good stuff. All we're doing is making it harder to boot the computer. So this doesn't really protect us either, and we still have the regular problems with what happens if we forget our password, what if we want to do a reset, all that good stuff. This is a bootable CD that I just dropped in here. So as I drop the bootable CD in, you'll notice that even though I've got that boot lock product installed on here, I go to my C drive, I do a directory, there's all my files. So I could copy any file I want off here. I could do anything I want to the machine. There is no access control whatsoever.

Now, this is the same situation. There's a lot of products out here that fall into this area, and there's a lot of people that spend a lot of money, way too much, on buying them. There's products like Norton For Your Eyes Only that I mentioned, there's this boot locker, and basically if you go on the web and you do a query for boot lock, you're going to find a lot of different people that sell this sort of thing. But it's pretty much junk. It doesn't really give you any security, it's easy to get around, it doesn't really protect you from anybody that knows what they're doing. So what do we do from there? Pardon? A question? The question was, with Norton For Your Eyes Only you actually couldn't see the C drive when you booted it up. That's correct, but if you rewrote the partition table, you could see the C drive. fdisk /mbr? Yes, you could do it with fdisk /mbr, or you could do it with something like this, get it from Norton Utilities, which is what I usually use. It works a little bit more controllably, reliably; it's not Microsoft, that sort of thing. Here we go. So with that, what have we done?
So far we've circumvented a BIOS password system. We've circumvented a boot lock system. Now, the boot lock was easy to circumvent just because it didn't really have a lot of back-end security, none. It's a true point that Norton For Your Eyes Only had a little bit more security, but it actually doesn't have security against the next set of tools which we're talking about, which are sector editors. Sector editors can retrieve all the information off the machine regardless of whether you mess up the partition table or not, because they just read the information directly off the machine. All your file structures are there, all the file beginnings and endings, all that stuff is there, and you could easily get it off and copy it to a floppy and take whatever information you want. So boot locks: not really a good idea.

File encryption. There's a lot of different things out there for file encryption, and I'm going to show you a couple different things. A lot of these things you may know, some you may not. The bad thing about file encryption, and basically all security products that run inside Windows after the operating system has started, is that they're cursed with having to run in a multitasking environment. So as soon as you start up Windows, or whatever operating system you're talking about, and you have a product that asks you for authentication, you have an opportunity to have another program attacking that authentication scheme. So as long as you're using regular passwords and you're not using something like smart cards or two-factor authentication, it's open season on attacking that program. You also have another problem with things like file encryption, which is recovery of lost passwords. Also, you have an assurance problem, which is a big problem for people that have secure information that they want to make sure stays secure: how do you know that they haven't been able to break it?
And you really don't have a way. If they can take the file away with them and work on it at their leisure, then you have no way to guarantee it. Your only real way is to make sure that they can't get into the file system at all. So what am I going to show you on that? So file encryption: it allows you to protect your information with strong encryption. The weakest link is that it runs in a multitasking environment; password security is only as strong as the password, which is true. So we're going to show you some of the different tools you can use to attack it. There are some possible mitigations, things like dynamic tokens, X9.9 challenge-response tokens, which I don't know if some of you guys are familiar with; they're basically hardware tokens with an encryption scheme built into them, so you have to have the token in order to authenticate against your machine. There's also smart cards that you can authenticate against your machine with, and if you don't have the key that's burnt into that smart card, you can't access the information. So for example, a good example would be if you encrypted on a smart card and you put that information on your machine, but you took the smart card and you had it in your pocket. Somebody could run off with the machine and do whatever they wanted to do, and they wouldn't be able to decrypt it unless they had the actual physical key that you had. USB tokens are another good example. They have some weaknesses also; they have been attacked in a couple different ways, but generally they're pretty darn good. There's also biometrics and things like that. Let's look a little bit at what these things do and how to attack them.

All right. Well, we've got a couple different things here. The first thing we can take a look at is basically how to attack a file with a Windows password prompt. Let's look at that. Here we go. I'm going to open up a file now that has been protected.
This is just a simple demonstration of a password. If we open up this document, this is a protected Word document. Now, it's protected against change. When I try to unprotect it, it's going to give me a password prompt in just a regular box, and we're going to use that for our demonstration. Okay. There's lots of other things you could hack against. I often demonstrate this by hacking against the PGP Windows prompt where you enter a passphrase. That's another good example. This is a pretty simplistic one. Let me show you how this guy works. As soon as you go to unprotect this guy, it pops you with an authentication screen. Okay. Now, this authentication screen is a screen in itself. You notice it floats around, it does all the good stuff. If you're a programmer out there, you know this box has controls. It's got a name, it's got a box, it's got different actions that can be performed against it. You could of course snoop this box, which I'll show you in a second, so you could find out what all the controls are doing and anything that's being entered in here. And I'm going to show you in a second that even when it enters star star star, of course you can get it to reveal all that, because it has to broadcast it as part of the control. That's rather an obvious thing, but I'll show it to you in a minute.

Anyway, generally, let me show you an attack on this guy. This box is up. We're going to now find my... let's just do it this way. We're going to run an old program. It works really, really good though. It's called Claymore. You can get it on all the good hacking sites, hackers.com, all over the place. It works really, really well, and it's really, really easy. So that's why I like to demo with it.
Let me show you what it does. Basically, what Claymore is, is a very simplistic program that allows you to use a dictionary attack or random character generated brute force attacks. What it does is it gets the focus of a window, and then it just throws passwords at it until it's successful. There's lots of different ones of these utilities. It's actually not that hard to even write one of these, because all you're doing is going through a file, reading the output, and then sending it out to the screen. It's not hard at all. It's really simplistic. So let me show you how this guy works. If I choose a file, I'm going to choose a dictionary file for this. This has got a whole bunch of different passwords in it. It could be a dictionary file like a user dictionary off the internet; it could be... there's lots of different Linux password crackers, they use large dictionaries that you can get off the internet. This dictionary file is not that big, because it's only for the sake of example, but you can get really huge ones. I then enter the strokes that I want it to do after it enters its password, and so it goes through the entries one at a time, enters the password, and then it does these keys to finish up. I could also have a whole set of keys that it has to do. It has a Ctrl-left one, switch around, change window focus, do a whole bunch of things before it runs. But in this case, it's pretty simplistic. So what it's going to do is it's going to go through these words one at a time. So I hit start, it's going to start counting down, then I point it at what I want it to break. I point it right here. It's going to count down and then it's just going to start going crazy on that window and throwing passwords until it gets in. And it got in pretty quick, and you notice if I let it keep running, you're going to see all the passwords that it's throwing at it, and it throws them fast, fast, fast, fast, fast. This is running pretty slow because it's running inside Word.
If I did it in a text editor, you'd see it even runs faster than this. So it just goes through until it finds the password, and then it actually just keeps going anyway. But you can use that against anything that has a Windows password prompt, anything. It doesn't matter what it is, unless they're smart enough to put something in like a maximum number of attempts, something like that. Other than that, you can use this against anything, and you'd be surprised how many things don't put in a maximum limit on things. The other good countermeasure to this when you're programming is putting in time limitations. But you can't account for that in this; you could restart, you could open the document again or something like that. You could have a setup sequence in the beginning of the document to close it and then open it again, and then you may get around the timeout. You may not have to wait 30 seconds or whatever.

So this is a simplistic thing. The next thing I'm going to show you, also to go with this, that's also simplistic, is what I was just talking about, and that is the sniffer for Windows. Again, this is just a regular hacker tool that you can get off hackers.com and all over the place. It's actually just a small, almost like a VB debugging type of tool, because you'll notice, if I put this up here, this is the window that reads my text out, right? If I take this cursor and I put it across anything that's a control, you'll notice that it's going to bring up what that control does: Check for Update, About. That's the name of the control. Okay, all these things are broadcast. If I bring it up here on top of the password there, it tells me that the password that I entered under all those stars is defcon. This works really well for anything that stores a password, if you, you know, forget your password for anything and it comes up star star star.
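The two countermeasures named here for a prompt that automated guessers hammer, a maximum number of attempts and a time limitation, as an added example that is not part of the original talk. It is a constructed Python model, not any product's code: the failure counter and lockout timestamp are kept on the protected document itself (`ProtectedDocument`, `protect`, `unprotect` and `dictionary_run` are assumed names) so that closing and reopening the document, the bypass mentioned above, does not reset them, and a Claymore-style dictionary run is replayed against it to show how many guesses actually get evaluated.

```python
"""Attempt limit plus time lockout for a document password prompt.

Constructed example (not from the talk or any product): the failure
state lives on the protected object, standing in for metadata saved
next to the document, so reopening the file cannot clear it.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

MAX_ATTEMPTS = 5             # failures allowed before the first lockout
BASE_LOCKOUT_SECONDS = 30.0  # first lockout length; doubles on each further failure


@dataclass
class ProtectedDocument:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # persisted with the document, survives close/reopen
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 makes every guess cost real CPU time, which slows a guessing
    # tool even before the attempt counter is reached.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def protect(password: str) -> ProtectedDocument:
    """Create a protected document with a fresh random salt."""
    salt = os.urandom(16)
    return ProtectedDocument(salt=salt, pw_hash=_derive(password, salt))


def unprotect(doc: ProtectedDocument, password: str, now: Optional[float] = None):
    """Check one password attempt. Returns (success, status_message).

    The lockout is checked before any hash work, so a locked document
    rejects guesses without evaluating them at all.
    """
    now = time.time() if now is None else now
    if now < doc.locked_until:
        return False, f"locked for {int(doc.locked_until - now)}s"
    if hmac.compare_digest(_derive(password, doc.salt), doc.pw_hash):
        doc.failures = 0
        doc.locked_until = 0.0
        return True, "unprotected"
    doc.failures += 1
    if doc.failures >= MAX_ATTEMPTS:
        # 30s after the 5th failure, 60s after the 6th, 120s after the 7th...
        backoff = BASE_LOCKOUT_SECONDS * (2 ** (doc.failures - MAX_ATTEMPTS))
        doc.locked_until = now + backoff
        return False, "too many attempts; locked"
    return False, "wrong password"


def dictionary_run(doc: ProtectedDocument, wordlist, now: float = 0.0):
    """Replay a wordlist against the prompt with no delay between tries,
    the way a window-focus guessing tool does.

    Returns (password_found_or_None, number_of_guesses_actually_evaluated).
    """
    evaluated = 0
    for word in wordlist:
        ok, status = unprotect(doc, word, now=now)
        if not status.startswith("locked"):
            evaluated += 1
        if ok:
            return word, evaluated
    return None, evaluated


if __name__ == "__main__":
    # Constructed wordlist; the real password is at the end so the counter
    # trips before the run ever reaches it.
    words = ["password", "letmein", "defcon", "123456", "qwerty", "dragon", "correct-horse"]
    doc = protect("correct-horse")
    found, n = dictionary_run(doc, words)
    print(f"found={found!r}, guesses evaluated={n}")  # found=None, guesses evaluated=5
    # The owner still gets in once the lockout has expired.
    ok, status = unprotect(doc, "correct-horse", now=doc.locked_until)
    print(f"after lockout, owner's password: {ok}, {status}")  # True, unprotected
```

Because the counter travels with the document rather than with the open window, the close-and-reopen trick only changes which process is asking; the lockout clock keeps running.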
It will always decrypt that. There are a couple companies that have done a good job of subverting this, and they basically don't let the password even enter into the window. Old versions of PGP actually still came up; new versions of PGP actually block this now, so it doesn't broadcast the password out. But with most programs that you get, anything that you get this star star star with, you can get the password out by just snooping the window, and it will give you the password that you entered. Pretty simplistic, pretty easy, pretty effective. It gets the password out really quick. So that's that guy.

So we're going to change now. All right, so the bad part about file encryption, or any sort of file password prompt, is that it runs in a multitasking environment, and the other bad part is that the security is only as strong as the password. Two-factor authentication helps you out a little bit here, because you can't hack at two-factor authentication. You need an encryption key, you need a response, it might change multiple times. There's lots of different things you can do for this. Yeah, what if you lose your smart card? That's a good question. The answer is that there's a lot of different things out there that work in an infrastructure,
so more than one person has access to your information. There's a couple different systems that are built to run inside like an administrative interface, whether you are your own backdoor or administrator, or, you know, somebody else's. You could lock it to two smart cards, lock it to something different, a smart card and a token, or have a fixed password as a backdoor, but have it like 50 characters, something crazy like that, so you don't have to type it in every time, something randomly generated. Lots of different things.

Okay, so now on to some different tools that we have to work with on this whole thing. If we want to get the information off of a machine, some of the tools that we have available to us are sector editors. The sector editor I'm going to show you today is Norton Utilities 2001 Disk Edit. It works really simply; it's got a lot of nice features in there. It's got searching, it's got spanning, you can look all over the disk. So even if you were in a situation like Norton For Your Eyes Only, which messed up the boot record a little bit, I could still search for any information I wanted on the disk and take it all off. So a confidential document, a PowerPoint, anything like that, I could go around it and just zoom right through it. There are a lot of other sector editors that are available on the market. It's actually not that hard of a thing to even write a sector editor if you wanted to. If you do a query on like download.com, you'll notice that there's a bunch of them, like WinHex and things like that, that are pretty darn good sector editors. So let's switch over here and we'll take a look at what they do.

Now, that's a good question. Is this effective... sector editors are not effective on things that do encryption on the data. That's correct.
You have to attack things that do encryption on the data... you would need to attack them through the method like I was just showing, where it throws multiple passwords, or through attacking them through... actually, I shouldn't say that. I shouldn't say this is ineffective on things that encrypt the data. Let me give you an example: EFS, which is coming up in probably three or four slides. That's true. That's true. Yeah, things that are implemented well: if they encrypt the data and they're implemented well and they trash all of the old temp files and they do all that good stuff, this attack method does not work. But if they have implemented their encryption of the data in any dumb sort of way, so that they don't encrypt the temp file, they don't encrypt the page file, there's lots of different things, you know, that could have information left in them, then you can get all that information with a sector editor.

So let's take a look at what the sector editor looks like. See... not that guy. Okay, here we go. Okay, our sector editor. If we start it up, as I said, I'm going to use the Norton one just because it's pretty and it shows kind of well, but there's a lot of other ones. Oh, I'm, yeah, I'm on the wrong drive. Yeah, I need to reboot it. Here we go, let me boot up onto this boot disk and enable the disk so I can see all the information on it. By the way, if you are looking at trying to get information off machines, a really good utility to make is... there's a CD burner program out there called Waxia, which a lot of you may use. You'll notice that they give you an option to build a bootable CD, which is really useful if you want to be able to go to a machine and get anything you want off of it, because you can basically mount 650 megs of tools to play with, whatever, and do whatever you want with on that machine, which is what I'm doing in this particular case. Okay, Disk Edit. So I'm going to bring this up in read-only mode.
Take a look at my C drive. You'll notice that in most cases Disk Edit even understands your file system, so it makes it vastly simpler. It sees all my files, it sees all my directories. I don't even have to look at this in hex or all those other things; I could pick up any one of these files and take a look at it. I'm going to change the view a little bit so we can take a look. You can look at it as different file systems, you can look at the partition table, you can look at the boot record. You could modify these guys however you want. We could also look at what the information looks like on the actual disk and search through it, one piece at a time, to try to find the data. So if we were looking for data on somebody's machine, or something that we lost, all we have to do is zip through here and we can have any data that we want off this machine. And this is reading it bypassing all security: file-level security, everything. All we're doing is taking this directly off the sectors of the drive. Pretty simplistic, but it's pretty powerful.

So that's what they look like. I don't know if you guys have had a chance to look at them before. Let me show you what the partition table and everything looks like. You could tell what operating system is on the machine just by booting to it, even if it were protected. You could tell, even with file encryption, what type of operating system attack you wanted to do. If you wanted to plug in a key logger underneath, so you could pick up the keys that were being entered for authentication, to pick up and open up file encryption, you could do that. You could tell which partition is being booted from, so you could intercept that and put in a false boot sector. You could do pretty much anything you want. Disk editors are your favorite tool for taking a look at everything on that machine. So they're pretty comprehensive.
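What the demo above is doing, reading data straight off the sectors with no regard for the directory or file-level permissions, can be shown with a small piece of code. This is an added example, not part of the talk and not any vendor's tool: it builds a toy disk image in memory with a made-up directory layout, "deletes" a file the way most file systems do (drop the record, leave the data), and then finds the data anyway by scanning sectors, including a hit that straddles a sector boundary. The file names, the secret text and the directory format are all constructed for illustration.

```python
"""Added example, not code from the talk: a raw-sector search of the kind a
sector editor does, run over a disk image constructed in memory.  The toy
directory layout, file names and 'confidential' text are all made up here."""
import random
import struct

SECTOR = 512


def _filler(n, seed=7):
    """Deterministic junk standing in for old data left on unused sectors."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Toy layout (constructed for this example): sector 0 is a directory of
# 16-byte records  name[8] | start_sector (u32 LE) | length (u32 LE);
# file bytes live in the sectors the records point to, from sector 1 on.
def build_image(files, total_sectors=64):
    image = bytearray(_filler(total_sectors * SECTOR))
    directory, next_sector = {}, 1
    for name, data in files.items():
        start = next_sector
        image[start * SECTOR:start * SECTOR + len(data)] = data
        directory[name] = (start, len(data))
        next_sector += -(-len(data) // SECTOR)      # ceiling division
    image[0:SECTOR] = b"\x00" * SECTOR
    for i, (name, (start, length)) in enumerate(directory.items()):
        image[16 * i:16 * i + 16] = struct.pack("<8sII", name.encode(), start, length)
    return bytes(image), directory


def list_directory(image):
    """What the file system (or file-level ACLs) would let you see."""
    entries = {}
    for off in range(0, SECTOR, 16):
        name, start, length = struct.unpack("<8sII", image[off:off + 16])
        if start:
            entries[name.rstrip(b"\x00").decode()] = (start, length)
    return entries


def delete_file(image, name):
    """'Delete' the way most file systems do: drop the record, keep the data."""
    image = bytearray(image)
    for off in range(0, SECTOR, 16):
        if image[off:off + 8].rstrip(b"\x00") == name.encode():
            image[off:off + 16] = b"\x00" * 16
    return bytes(image)


def search_sectors(image, needle, sector_size=SECTOR):
    """Scan the raw image sector by sector.  The last len(needle)-1 bytes of
    each sector are carried into the next window so a hit that straddles a
    sector boundary is still found.  Returns (sector, offset) per hit."""
    hits, carry = [], b""
    for sec in range(len(image) // sector_size):
        chunk = image[sec * sector_size:(sec + 1) * sector_size]
        window = carry + chunk
        pos = window.find(needle)
        while pos != -1:
            hits.append(divmod(sec * sector_size - len(carry) + pos, sector_size))
            pos = window.find(needle, pos + 1)
        carry = chunk[-(len(needle) - 1):] if len(needle) > 1 else b""
    return hits


def carve(image, sector, offset, length):
    """Pull bytes straight off the sectors, no directory involved."""
    start = sector * SECTOR + offset
    return image[start:start + length]


def demo():
    secret = b"CONFIDENTIAL: merger closes on the 14th, codename BLUEJAY"
    files = {"readme": b"nothing to see here\n",
             "plan": b"x" * 505 + secret}        # secret straddles sectors 2/3
    image, _ = build_image(files)
    wiped = delete_file(image, "plan")
    hits = search_sectors(wiped, b"CONFIDENTIAL")
    return {"listed_before": sorted(list_directory(image)),
            "listed_after": sorted(list_directory(wiped)),
            "hits_before": search_sectors(image, b"CONFIDENTIAL"),
            "hits_after": hits,
            "carved": carve(wiped, *hits[0], 64) if hits else b""}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The carry-over between sectors is the part people get wrong when they write their own scanner: searching each 512-byte sector in isolation silently misses anything that crosses a boundary. Note also that nothing in `search_sectors` or `carve` consults the directory, which is exactly why file-level security does not help once someone is reading the raw device.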
They really let you have a lot of access to the machine. All right, again, that one was Norton Utilities, but you can get a lot of free ones off the Internet if you wanted to just take a look at your machine. It's pretty easy; you can't hurt anything as long as you leave it in read-only mode. And it's definitely interesting reading to figure out how the file system works, how it's storing information and how it retrieves it, and it's definitely important if you want to try to keep your information secure from other people getting into it.

Okay, so how does this link up with the Encrypting File System? Well, the Encrypting File System, EFS, by Microsoft is a popular topic out there, in government, in companies, all over the place, and a lot of people are implementing it. It's like PKI was a couple of years ago; everybody thought PKI was the end of the universe and that it was a solution to every security problem. EFS is what that is now. Everybody you talk to in a company, they're all "EFS is unbelievable, you can protect against it." But really, there are a lot of attacks against EFS, most of which you've probably read about on the Internet. NTBugtraq has got a lot of good stuff about it. Microsoft themselves, in that URL that I started off with, talk a lot about all the different attack methods that have been used against EFS, and they're all successful. And that's why they basically said that thing about how, if you have physical access to the machine, there's no way that they can prevent you from having access to it, because they don't have a way to secure EFS right now.

One of the two main ways that EFS stinks is that if you encrypt information, quite often, unless you're creating the information in an encrypted directory and leaving it in an encrypted directory,
it's got a big problem with temp files. I don't know if any of you have seen it, played with it or tried it, but if you were to actually look for a temp file, you encrypt a Word document, you encrypt an Excel file, you encrypt a PowerPoint presentation, something like that, you would find that the temp files for that file, when you move it into an encrypted directory, still exist, and you can read all the information fully unencrypted. So you actually get two copies of your data, one encrypted, one not encrypted: the unencrypted one fully accessible, you can read it any time you want, and the encrypted one with your certificate encryption.

Now the other really interesting way, and I almost thought about demoing it today, but it takes a lot of switching, and you can see how interesting the switching already works out to be, switching between multiple computers, is the recovery agent attack. Most of you must have already read about this. When you set up EFS originally, EFS by default, if the machine is not part of an Active Directory domain, sets your local Administrator to be the recovery agent. What the recovery agent is, is the person that is able to save you if you screw yourself by forgetting your password. It's a password backup utility, and most programs that encrypt data have this sort of thought built in. So basically if you mess yourself up, you have somebody you can go cry to, either an administrator you can cry to or your own backdoor that you put into the encryption when you set it up, so you can get your data back if you forget your password or you forget your authentication scheme.

But basically the bad thing about the local Administrator becoming the recovery agent is... I don't know how many of you have ever played with the utility called L0phtCrack, but it's pretty easy to get local Administrator anyway, from booting into NTFSDOS and taking the SAM file and hacking the SAM file so you can log in as Administrator, to just deleting the
SAM file entirely. As I'm sure some of you know, if you delete the SAM file entirely, Windows has to recreate it in order to be able to start up again. So you end up with an Administrator with a blank password that is the recovery agent and the local Administrator, so you have access to all the files. So if you have physical access to the machine, again, you can get anything you want.

The other bad thing about EFS is that it has the regular baggage that comes with PKI. Now, there are a lot of people that are really hot on PKI. I think PKI has its place, particularly in things like email and in exchanges and things of that sort, but I don't really think that it's good for general encryption of sitting data. And one of those reasons is certificate theft. One of the big problems with storing information, in companies, in your house, anywhere, is that the people that are likely to attack it are not some foreign government or something like that. It's more likely somebody that knows something about the computer, somebody that knows something about you, has done research about you, or your mom or something like that, you know, somebody that knows something about you and can make guesses about your password, or knows your machine, and they may be able to get physical access to your machine. Well, if they can get physical access to your machine, they can steal your certificate.

Now, somebody's going to raise their hand in two seconds and say, yes, certificates are protected. They're not protected very well.
There are a lot of different ways out there to get the PINs off certificates, lots of different ways to attack certificates, and as soon as you own the certificate you own all the data. You can do two things: first, you can decrypt anything you want, and second, you can pose as anybody you want. And if you can pose as anybody you want with a certificate, I mean, as far as the certificate goes, if you're using the certificate as authentication, then there's not much purpose to it. So EFS has a lot of flaws in it. It's not really, generally, very secure.

So how do we attack a machine before it's started? Oh, I'm sorry, it's cut off a little bit at the top there. How can I attack a machine before it starts? Well, I think I showed you a couple of different ways. You can steal the hard drive. You can boot from a boot disk, and you're going to see whatever information you want. You can play with NTFSDOS, which a lot of you have definitely played with. NTFSDOS lets you mount anything that's NTFS from a Windows NT or 2000 machine in DOS: look at it, read it, write it, edit it, do whatever you need to do. NTLocksmith, another product from the same company, lets you basically rewrite the SAM hashes so you can inject your own account. There are also some more interesting things as we get down to the bottom. L0phtCrack everybody knows about; it lets you do the NTLM hashes, basically try to decipher passwords out of your SAM database. Then of course there's the new hot topic for hackers, which is Active Directory injection. Basically I can inject any data I want into an Active Directory with no way of tracing it, or taking it out, or anything like that.
So there are a lot of companies now that are basing their security, their mail systems, their everything on Active Directory. They're trying to move everything into running off that system, and there's really no way that they can prevent you from injecting your own email accounts, you know, Brian Glancy at whitehouse.gov for example, or whatever you want, into the system if you have physical access.

But all these attacks occur by using an alternative operating system against the machine. You boot up into DOS, you boot up into another operating system, Linux or something like that, and then you attack the operating system when it's not in a started-up state. And it's very, very hard to prevent. The only real way to prevent it is to maybe either encrypt all the information on the machine, beginning to end, or... I know there are some military installations that have hardware encryption, basically encrypting cards that encrypt all the data on the drive, and basically if you don't have that card you can't get the data off the drive. There are a couple of different installations. Floppy locks, exactly.

Here are the tools from Sysinternals.
So you should take a look at these if you're interested in doing this sort of thing. NTFSDOS does what I just talked about: it lets you mount NTFS read-write from a floppy disk, so you could do anything you want to an NT system, whether it's taking the SAM, whether it's taking the files off there, whether it's trying to defeat EFS by deleting the SAM and restarting the recovery agent, whether it's injection into Active Directory. So basically with this type of attack and NTFSDOS, if you had physical access to a server for any company, you could inject anything you wanted, from your own email account to your own bank account if it were a bank, to whatever you wanted. If you have physical access to that machine, you can inject into the system.

NTLocksmith is just a utility that lets you reset and inject accounts into the SAM. Pretty simplistic: all it does is reset the hashes to a known value. That way, you know the password for Administrator, and all of a sudden it works like a charm for every system. You basically just boot up from it, you run it on the target system, and then all of a sudden, boom, you've got root, you've got system administrator access.

What? That's a good question. Yes, the question was that NTLocksmith requires an ERD and NTFSDOS requires two machines. NTFSDOS requires that you had made the disk in advance. I made my NTFSDOS floppies, I don't know, six months ago. I carry them around with me, and whenever I need them I just pop them in my machine. So I had to have a machine at some time in order to create the NTFSDOS floppies; I don't need anything else, I just stick them in there and then, boom, I've got it. Now, regarding the question about NTLocksmith: it does require an ERD in some circumstances, but they have some advanced options that you can use to work around it, even if you don't have the ERD.

L0phtCrack, we've probably all played with it: easy, fun, fast.
It basically doesn't fail. It's got a lot of different ways for you to hack all of the passwords inside an NT system and an NT domain. You can either just take the SAM file and crack it offline, which is nice and safe because you don't have to worry about sitting at a desk inside a company, or wherever you may be, while taking all the files off there. Or, the other thing you could of course do is sit down at that computer, put it in, run it inside Windows and run it in real time. Everybody's probably seen it. It works really simplistically: it dumps all your passwords and then it cracks them all one at a time. It works very quickly. That's right, yeah, exactly, John the Ripper, so you don't have to pay. There are a lot of utilities like this. I usually use L0pht. You're right, you do have to pay for L0phtCrack; you can use it for 30 days for free.

So anyway, and by the way, if you start playing with a SAM file, the SAM file moved, just so everybody knows. The SAM file used to be in the system root on NT 4; now it's in system32\config. The SAM file is still in there. Great.

So I have a section in here on how hard drives work. I think we've already covered a lot of this. At the low level, hard drives are just ones and zeros. All the information that we place on them, all the different file systems, operating systems and everything, are just manifestations of that. Every time we look at a sector editor you usually look at those things in hex; the hex is just a higher-level interpretation of that binary that's being written on that disk. So it's very hard to protect the information that you're writing down to that disk unless you encrypt it at the low level, or you were to, you know, do the floppy lock like we were talking about, or protect the authentication against that at the low level of these machines.

They include partitions. The partitions are just basically logical drives.
Everybody knows this. The master boot record has a record of all the information about the partitions that are on this disk: how they start, where they go, how big they are, all that good stuff. When you pick it up, you could take a look at it in Disk Edit and a lot of other utilities too, and basically you could see where your partitions are. You could resize it; things like PartitionMagic, this is where they play. All they do is change the numbers in there; all they do is resize the beginning and end sectors, beginning and end cylinders, to change the size of your drive. It's pretty, pretty simplistic stuff.

The next part of the whole story is your boot sector, of course, which is where you actually get into your operating system. The master boot record, as I mentioned before, contains a marker for active. It's a single bit, actually a byte, I'm sorry, for the active partition. The active partition is the partition that you want to boot from. All it does is repeat the same process that it did for the master boot record. Actually, I have it up here on the screen. The same process that it went through for the master boot record: it reads that information into memory and executes it. So it reads the beginning 446 bytes off that drive and then executes that program. So if that program were you, it would execute you. If it were a boot locker, it would execute the boot locker. If you had a boot locker on it and you wanted to execute you, all you do is replace it with a regular Windows 95 boot sector and you're fine. So basically all the boot sector does is point to the operating system that you're going to load and say, you know, dump to Win NT, or dump to NT Loader, or dump to command.com.
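The structure just described, 446 bytes of boot code, four 16-byte partition slots, and a one-byte active flag that decides which partition's boot sector is loaded next, is small enough to parse by hand. The following is an added example, not code from the talk or from any of the tools it mentions: it builds a constructed MBR (the partition layout and sizes are made up), decodes it the way a disk editor's partition-table view would, and then performs the two one-field edits the talk describes, flipping the active flag and rewriting a partition's sector count. Type names and the CHS "use LBA instead" placeholder bytes follow the classic MBR convention.

```python
"""Added example, not code from the talk: parse and edit a classic 512-byte
master boot record.  SAMPLE_MBR below is constructed here, not read from a
real disk; partition sizes and layout are invented for illustration."""
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 446            # bootstrap program the BIOS loads and jumps into
PART_TABLE_OFF = 446          # four 16-byte partition slots follow the code
SIGNATURE = b"\x55\xAA"       # last two bytes: "this sector is bootable"
ACTIVE = 0x80                 # status byte value marking the boot partition
LBA_PLACEHOLDER = b"\xFE\xFF\xFF"   # CHS fields set to 1023/254/63 = "use LBA"

TYPE_NAMES = {0x00: "empty", 0x07: "NTFS/HPFS", 0x0B: "FAT32",
              0x0C: "FAT32 (LBA)", 0x82: "Linux swap", 0x83: "Linux"}


def decode_chs(raw):
    """Unpack the packed 3-byte cylinder/head/sector field."""
    head, s, c = raw
    sector = s & 0x3F                       # low 6 bits
    cylinder = ((s & 0xC0) << 2) | c        # top 2 bits of s are cylinder bits 8-9
    return cylinder, head, sector


def parse_mbr(mbr):
    """Return the boot code and the four partition slots as dicts."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR: bad length or missing 55 AA signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, chs_start, ptype, chs_end, lba_start, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        parts.append({
            "slot": i,
            "active": status == ACTIVE,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "0x%02X" % ptype),
            "chs_start": decode_chs(chs_start),
            "chs_end": decode_chs(chs_end),
            "lba_start": lba_start,          # where this partition's boot sector lives
            "sectors": count,
            "size_mib": count * 512 // (1024 * 1024),
        })
    return {"bootcode": mbr[:BOOTCODE_LEN], "partitions": parts}


def active_partition(mbr):
    """The slot the MBR code will chain-load; exactly one must be flagged."""
    active = [p for p in parse_mbr(mbr)["partitions"] if p["active"]]
    if len(active) != 1:
        raise ValueError("expected exactly one active partition, found %d" % len(active))
    return active[0]


def build_mbr(entries, bootcode=b"\xEB\xFE"):
    """Assemble an MBR from (active, type, lba_start, sectors) tuples.
    The default boot code is a two-byte 'jmp $' stub: a placeholder only."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")
    table = b"".join(
        struct.pack("<B3sB3sII", ACTIVE if active else 0, LBA_PLACEHOLDER,
                    ptype, LBA_PLACEHOLDER, lba_start, count)
        for active, ptype, lba_start, count in entries)
    return code + table.ljust(64, b"\x00") + SIGNATURE


def set_active(mbr, slot):
    """The one-byte edit that changes which partition boots next."""
    mbr = bytearray(mbr)
    for i in range(4):
        mbr[PART_TABLE_OFF + 16 * i] = ACTIVE if i == slot else 0
    return bytes(mbr)


def resize_partition(mbr, slot, new_sectors):
    """What a partitioning tool does at its core: rewrite the sector count.
    (A real tool must also move the file system's own size fields.)"""
    mbr = bytearray(mbr)
    off = PART_TABLE_OFF + 16 * slot + 12
    mbr[off:off + 4] = struct.pack("<I", new_sectors)
    return bytes(mbr)


# Constructed sample: 2 GiB NTFS (active), 1 GiB Linux, 128 MiB swap, empty.
SAMPLE_MBR = build_mbr([
    (True,  0x07, 63,      4194304),
    (False, 0x83, 4194367, 2097152),
    (False, 0x82, 6291519, 262144),
])

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR)["partitions"]:
        print("slot %d %-10s active=%-5s lba=%-8d %5d MiB" % (
            p["slot"], p["type_name"], p["active"], p["lba_start"], p["size_mib"]))
```

Two things worth noticing: `parse_mbr` refuses anything without the `55 AA` signature, which is the same check the BIOS makes before it will run the 446 bytes of boot code, and nothing in the table is authenticated, so whoever can write sector 0 chooses both the boot code and which partition gets chained to.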
That's all it really does. Okay, so, examples of secure authentication. One of the ways to mitigate all this stuff is to figure out a good way to authenticate yourself, and there are some cheap ways and there are some expensive ways. Expensive ways include things like biometrics, even though they're getting cheaper. There are a lot of really good ones that you guys may or may not have played with. There are a lot of cheap fingerprint readers; there are actually some good new ones that are PCMCIA cards that pop out right outside of your machine. Some really good stuff out there.

Other forms of two-factor authentication that are less expensive include USB tokens. The people that make these are like Aladdin and Rainbow. They make very cheap authentication tokens that have an encryption algorithm built into them. So basically you put this USB token on your key ring, you carry it around with you, and if somebody turns on your computer when you're gone and they don't have that key in there, it's not going to read any information off there. And they're actually quite strongly encrypted; they're really hard to attack. So if you have information on your machine that you don't want people to be able to get to, this is a good way to protect it.

There are also smart cards out there. A lot of people make smart cards. They're a little bit more expensive because you've got to invest in a reader, a little bit of a pain in the butt, but they're not bad.

Challenge-response tokens: there are a lot of different people that also make these, and there's a standard for it, X9.9. What challenge-response tokens basically are is tokens that have a little encryption algorithm built into them, and basically the computer knows the encryption algorithm and the card does, and it generates a challenge and response that goes back and forth between you and the computer in order for you to authenticate yourself. If you miss it, you don't get into the computer.
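The challenge-response exchange just described can be written out with both sides, the token and the computer, in a few dozen lines. This is an added example and not the talk's material or any vendor's product: HMAC-SHA256 stands in for the token's built-in algorithm (the X9.9 standard the talk names uses a DES-based MAC), and the user name, the shared secret and the clock are all constructed. It shows the parts a practitioner actually has to get right on the computer side: a fresh random challenge per attempt, a single-use answer so a captured response cannot be replayed, an expiry so a stale challenge cannot be answered later, and a constant-time comparison.

```python
"""Added example, not code from the talk: a challenge-response exchange
between a token and the computer that trusts it.  HMAC-SHA256 stands in
for the token's built-in algorithm (X9.9 itself uses a DES-based MAC); the
user name, secret and clock below are constructed for illustration."""
import hashlib
import hmac
import secrets


def compute_response(secret, challenge, digits=8):
    """What the token computes: a MAC over the challenge, reduced to digits
    a user can type.  Without `secret` there is no way to produce it."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return "%0*d" % (digits, int.from_bytes(mac[:8], "big") % 10 ** digits)


class Token:
    """The thing on the key ring: holds the secret, answers challenges."""
    def __init__(self, secret):
        self._secret = secret

    def respond(self, challenge):
        return compute_response(self._secret, challenge)


class Verifier:
    """The computer side: knows each enrolled token's secret, hands out a
    fresh random challenge per attempt and accepts exactly one answer to it."""
    def __init__(self, clock, ttl_seconds=60):
        self.clock = clock
        self.ttl = ttl_seconds
        self.secrets = {}      # user -> token secret
        self.pending = {}      # user -> (challenge, issued_at)

    def enroll(self, user, secret):
        self.secrets[user] = secret

    def challenge(self, user):
        c = secrets.token_hex(8)                # 64 random bits, never reused
        self.pending[user] = (c, self.clock())
        return c

    def verify(self, user, response):
        entry = self.pending.pop(user, None)    # consumed whether or not it passes
        if entry is None or user not in self.secrets:
            return False
        c, issued = entry
        if self.clock() - issued > self.ttl:    # stale challenge: start over
            return False
        expected = compute_response(self.secrets[user], c)
        return hmac.compare_digest(expected, response)


def demo():
    """Run the exchange through the cases that matter; return pass/fail each."""
    now = [1_000_000]                           # fake clock so expiry is testable
    v = Verifier(clock=lambda: now[0])
    secret = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed
    v.enroll("alice", secret)
    real, forged = Token(secret), Token(b"attacker guess")
    out = {}
    c = v.challenge("alice")
    r = real.respond(c)
    out["genuine"] = v.verify("alice", r)
    out["replayed"] = v.verify("alice", r)                  # same answer twice
    c = v.challenge("alice")
    out["wrong_token"] = v.verify("alice", forged.respond(c))
    c = v.challenge("alice")
    r = real.respond(c)
    now[0] += 600                                           # ten minutes pass
    out["expired"] = v.verify("alice", r)
    out["no_challenge"] = v.verify("alice", real.respond("made-up"))
    return out


if __name__ == "__main__":
    print(demo())
```

The token never learns anything but the challenge, and the computer never sees the secret in transit, which is what makes "give me that physical token" the only way in. Popping the pending challenge before checking it is deliberate: a wrong answer burns the challenge too, so an attacker cannot keep guessing against the same one.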
So this is another good method, and it's really a good one. All these different ones are really good if you want to be able to maintain control of your information even when you're gone. Somebody comes and tries to get the information, you've got the physical token, and they've got to say, give me that physical token, before I get