Bugtraq mailing list archives
Re: BugTraq: EFS Win 2000 flaw
From: Russ <Russ.Cooper () RC ON CA>
Date: Tue, 23 Jan 2001 09:51:22 -0500
In case anyone's interested, here's a summary of the responses I received to my incorrect assertions; I should say that I was under the honest belief that companies, such as OnTrack, made available services which could recover overwritten data at a reasonable price. I called them this morning and asked, they responded that if the data was overwritten then it was basically not possible to recover. They wouldn't say whether they did make such a service available, but the implication is clearly that its not as trivial, or inexpensive, as I believed it to be. Thanks to Ryan Russell for setting me straight on that. ---- Frank Knobbe <FKnobbe () KnobbeITS com> pointed out that PCGuardian's Encryption Plus Hard Disk software works well on Windows 2000 and does complete disk encryption (enter password at boot to decrypted system files), solving the EFS issues posed by Rickard. Kris Kennaway <kris () FreeBSD org> was succinct; "Don't be silly. If the file was overwritten even once then it can't be recovered in software. Not many people have access to expensive scanning equipment which can pick up residual magnetisation of the storage medium." Camillo Särs <Camillo.Sars () F-Secure com> said; "F-Secure FileCrypto does a secure delete, that is overwrite, of the original when doing an initial encryption. Nevertheless, any files created after encryption comes into effect are immediately written to disk in encrypted form, without any intermediate steps of writing temporary plaintext to disk." Roman Fischer <roman.fischer () ubs com> said; "PGPDisk creates one large file. On this file, it reads/writes the data. Thus it overwrites the same parts of the file all the time, not leaving any temp files behind (other than maybe in swap space or memory)." ---- Its probably also interesting to note that Microsoft makes significant mention of EFS' ability to encrypt temporary files created by applications (e.g. Word), thereby protecting encrypted data from leakage, in their EFS White Paper; http://www.microsoft.com/technet/win2000/win2ksrv/technote/nt5efs.asp "EFS is integrated with the operating system so that it stops the leaking of key information to page files and ensures that all temporary copies of an encrypted file are encrypted." Note they mention "that all temporary copies of an encrypted file are encrypted", which doesn't address Rickard's observations of the plaintext copy of a file being encrypted. They also make no mention of the temporary file being created in their graphic "Figure 1 File Encryption Process" on that page. Bottom line is that my assertion was wrong that it was naive to believe that over-writing was a resolution to the problems observed by Rickard. While not assuring files couldn't be obtained, it does offer significant resistance to attack (Dan Kaminsky's phrase.) Cheers, Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
Current thread:
- Re: BugTraq: EFS Win 2000 flaw, (continued)
- Re: BugTraq: EFS Win 2000 flaw Dan Kaminsky (Jan 23)
- Re: BugTraq: EFS Win 2000 flaw Timothy J. Miller (Jan 23)
- Re: BugTraq: EFS Win 2000 flaw Ryan Russell (Jan 23)
- Re: BugTraq: EFS Win 2000 flaw Jeremy Epstein (Jan 23)
- Re: BugTraq: EFS Win 2000 flaw Attonbitus Deus (Jan 23)
- Re: BugTraq: EFS Win 2000 flaw Dan Kaminsky (Jan 24)
- Re: BugTraq: EFS Win 2000 flaw Attonbitus Deus (Jan 25)
- Re: BugTraq: EFS Win 2000 flaw Kirk Corey (Jan 25)
- Re: BugTraq: EFS Win 2000 flaw Attonbitus Deus (Jan 25)
- Re: BugTraq: EFS Win 2000 flaw Dan Kaminsky (Jan 23)
- Re: BugTraq: EFS Win 2000 flaw Ryan Russell (Jan 24)