EH-Net

Ethical Hacking Discussions and Related Certifications => Other => Topic started by: Dark_Knight on October 23, 2009, 08:09:43 PM



Title: 'Evil Maid' USB stick attack keylogs TrueCrypt passphrases
Post by: Dark_Knight on October 23, 2009, 08:09:43 PM
http://blogs.zdnet.com/security/?p=4662

Quote
How the Evil Maid USB works
The provided implementation is extremely simple. It first reads the first 63 sectors of the primary disk (/dev/sda) and checks (looking at the first sector) if the code there looks like a valid TrueCrypt loader. If it does, the rest of the code is unpacked (using gzip) and hooked. Evil Maid hooks the TC’s function that asks user for the passphrase, so that the hook records whatever passphrase is provided to this function. We also take care about adjusting some fields in the MBR, like the boot loader size and its checksum. After the hooking is done, the loader is packed again and written back to the disk.


Title: Re: 'Evil Maid' USB stick attack keylogs TrueCrypt passphrases
Post by: UNIX on October 30, 2009, 05:37:57 AM
Interesting article, seems to be similar to a hardware keylogger though.
As the record is stored on the disk itself, the attacker would need access to the machine again, or did I miss something (as (automatic) transmission through the network is not available yet)?


Title: Re: 'Evil Maid' USB stick attack keylogs TrueCrypt passphrases
Post by: dalepearson on October 30, 2009, 06:25:55 AM
I made a post about this on my blog.
I have tried this a couple of times, but couldn't get it to work.
I am not sure if it's an issue with the image file, or something I am doing wrong, but it's just not doing what it says on the tin.


Title: Re: 'Evil Maid' USB stick attack keylogs TrueCrypt passphrases
Post by: timmedin on November 09, 2009, 11:35:21 PM
Quote
attacker would need access to the machine again or did I miss something (as (automatic) transmission through network is not available yet)?

Yes, it does require access a second time.


Title: Re: 'Evil Maid' USB stick attack keylogs TrueCrypt passphrases
Post by: slimjim100 on November 10, 2009, 08:07:58 AM
Anytime you have physical access to a PC you can call it quits for security. I think the Evil Maid stuff is just a little over the top.

Brian


Title: Re: 'Evil Maid' USB stick attack keylogs TrueCrypt passphrases
Post by: timmedin on November 15, 2009, 10:47:32 AM
According to Bruce Schneier and a commenter on his blog:

"Actually Bitlocker is the only Microsoft product that does support Trusted Computing, and thus (if configured that way) will prevent exactly that attack (different bootloader = TPM won't release the Key).
And what used to be called Palladium is going much further than TPMs, it more corresponds to, for example, Intel Trusted Execution Technology."

So when the victim returns to use the laptop it won't boot since the bootloader has been modified. A clear indication that it has been tampered with.

The problem is BitLocker doesn't natively support pre-boot authentication so without a 3rd-party plug-in KonBoot would work fine.
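
The quoted rule, "different bootloader = TPM won't release the key", and the follow-up point that a TPM-only configuration releases the key with no user secret at all, can both be shown with a small model of measured boot. This is an added example and a software model only; it is not code from BitLocker, TrueCrypt, any TPM library or the original thread. The PCR arithmetic follows the TPM 1.2 convention (new PCR = SHA-1(old PCR || SHA-1(measured blob)), starting from 20 zero bytes); the boot-stage contents, the storage root key and the seal format (key XORed with an HMAC keystream, tagged with the PCR it is bound to) are constructed for the demo.

```python
"""Model of the measured-boot rule quoted above: a different boot loader gives a
different PCR value, so the sealed volume key is not released.

Added example, a software model and not code from BitLocker, TrueCrypt, a TPM
library or the original thread. PCR arithmetic follows the TPM 1.2 convention,
new PCR = SHA-1(old PCR || SHA-1(measured blob)) starting from 20 zero bytes;
the boot stage contents, the storage root key and the seal format (key XORed
with an HMAC keystream, tagged with the PCR it is bound to) are constructed
for the demo.
"""
import hashlib
import hmac

PCR_INIT = b"\x00" * 20


def extend(pcr, blob):
    """TPM_Extend: fold the digest of the next boot stage into the PCR."""
    return hashlib.sha1(pcr + hashlib.sha1(blob).digest()).digest()


def measure_boot(stages):
    """PCR value after each stage (MBR, loader, ...) has been measured in order."""
    pcr = PCR_INIT
    for stage in stages:
        pcr = extend(pcr, stage)
    return pcr


class ModelTPM:
    """Seals a secret to a PCR value and only unseals when the live PCR matches."""

    def __init__(self, srk):
        self._srk = srk                        # never leaves the 'chip'

    def _keystream(self, pcr, length):
        # HMAC-SHA256 keystream: enough for secrets of up to 32 bytes (demo limit)
        assert length <= 32
        return hmac.new(self._srk, pcr, hashlib.sha256).digest()[:length]

    def seal(self, secret, pcr):
        ks = self._keystream(pcr, len(secret))
        return {"pcr": pcr, "ct": bytes(a ^ b for a, b in zip(secret, ks))}

    def unseal(self, blob, current_pcr):
        if current_pcr != blob["pcr"]:
            return None                        # policy check fails: key stays inside
        ks = self._keystream(blob["pcr"], len(blob["ct"]))
        return bytes(a ^ b for a, b in zip(blob["ct"], ks))


# constructed boot chain and volume key (demo data, not real loader bytes)
CLEAN_MBR = b"\xEB\x3C\x90 clean sector 0"
CLEAN_LOADER = b"clean packed loader code"
VOLUME_KEY = bytes(range(32))


def demo(srk=b"constructed storage root key"):
    """Returns (key from clean chain, key from hooked chain)."""
    tpm = ModelTPM(srk)
    sealed = tpm.seal(VOLUME_KEY, measure_boot([CLEAN_MBR, CLEAN_LOADER]))
    # Untampered chain: the key is released with no user interaction at all,
    # which is the TPM-only configuration the post says Kon-Boot can follow up on.
    clean = tpm.unseal(sealed, measure_boot([CLEAN_MBR, CLEAN_LOADER]))
    # Evil Maid style patch: the loader bytes differ, so the PCR differs and no key comes out.
    hooked = tpm.unseal(sealed, measure_boot([CLEAN_MBR, CLEAN_LOADER + b"\x90hook"]))
    return clean, hooked


if __name__ == "__main__":
    ok, evil = demo()
    print("clean chain released key:", ok == VOLUME_KEY)
    print("hooked chain released key:", evil is not None)
```

The model also shows why a TPM-only setup stops the boot-loader patch but not an attack on the running OS: the clean chain unseals without any PIN or USB key, so whatever runs after the loader is trusted purely because the measurements matched.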


Title: Re: 'Evil Maid' USB stick attack keylogs TrueCrypt passphrases
Post by: dalepearson on November 18, 2009, 08:24:08 AM
I have spoken to a few encryption companies, and many have no plans to utilise TPM, and some didn't even know what it was :)


Title: Re: 'Evil Maid' USB stick attack keylogs TrueCrypt passphrases
Post by: timmedin on November 28, 2009, 10:58:18 PM
Quote
I have spoken to a few encryption companies, and many have no plans to utilise TPM, and some didn't even know what it was :)

That is extremely surprising to me.