Security Basics mailing list archives

RE: Encryption on Laptops?


From: Bart.Lansing () kohls com
Date: Fri, 19 Mar 2004 12:44:26 -0600
On Wed, 2004-03-17 at 23:48, Simon and Sara Zuckerbraun wrote:

Honestly, protecting data on a laptop is very, very hard to accomplish. Once
an adversary gains physical control of a machine, there's not much that can
stop him from also gaining access to the data. I wish there were some simple
answers I could give you, but there just aren't. It's a tough subject.

If you enable EFS on Windows XP, this provides you with 128-bit encryption.
This type of encryption is strong enough so that it can not be defeated
directly using any technology currently known to man.

And by saying the above, you managed to lose a certain amount of credibility.
While it is improbable that the required resources to break this encryption
scheme is unlikely, it is not impossible:

*
This is not to say that a DES-encrypted message cannot be "broken." Early
in 1997, RSA, owners of another encryption approach, offered a $10,000
reward for breaking a DES message. A cooperative effort on the Internet of
over 14,000 computer users trying out various keys finally deciphered the
message, discovering the key after running through only 18 quadrillion of
the 72 quadrillion possible keys! Few messages sent today with DES
encryption are likely to be subject to this kind of code-breaking effort.
(http://www.aces.att.com/glossary/des.htm)

*
Given forward leaps in technology, it is certainly the case that the number of machines and the
time required has and will continue to drop. Even with EFS's use of DESX, it is possible
to break.

However, even easier...by far, is the use of products like Winternals Software's ERD
Commander, which allow the admin password to be easily changed...bypassing EFS
altogether...since, once admined, the EFS scheme is rendered moot. I simply change the
user account passwords on the box in question, log in as the user, and voila, I have the
files. Don't want to pay for ERD Commander? Well heck, download "ntpasswd", boot from it,
and watch a Linux distro magically mount NTFS for you and admin to your heart's content.
(http://www.sans.org/rr/papers/66/211.pdf). Yes, if you take the time and effort to use
appropriate syskey policies you can close this gaping hole as well...but while possible,
it's not practical at all in a large user base. Even if you use a Win 2000 domain to keep
the SAM database and recovery key isolated...you're not going to travel very well...and
then...why was it you had a laptop?

EFS is a good thing...it's just not the Holy Grail.




Bart Lansing
Manager, Desktop Services
Kohl's IT

