RE: Attacking EFS through cached domain logon credentials

["John Howie" <JHowie () securitytoolkit com>]

Todd (and lists),

You wrote:

> This is not completely correct, and I wanted to clarify how an attack
> against a domain-member's EFS encrypted files can work.  The threat
> model is this:

It is important to distinguish between a weakness in EFS (there is none,
as described here) and the risk associated with using cached logon
credentials.

It is not just EFS which is at risk through 'cracking' an account like
you describe, there are so many other 'secrets' in a user's profile
including passwords to websites remembered by IE, POP3 email account
passwords in Outlook and Outlook Express, VPN passwords, etc.

Truly sensitive data should not be stored on a laptop, and when it must
use two-factor authentication such as a Smart Card (which does reduce
the risk associated with cached logon credentials) or a SecureID token.
If nothing else, some laptops these days come with passwords to
lock/unlock the hard drive.

Regards,

John Howie CISSP MCSE
President, Security Toolkit LLC