Topic: 'Evil Maid' USB stick attack keylogs TrueCrypt passphrases (Read 12088 times)
Dark_Knight
« on: October 23, 2009, 08:09:43 PM »

http://blogs.zdnet.com/security/?p=4662

Quote
How the Evil Maid USB works
The provided implementation is extremely simple. It first reads the first 63 sectors of the primary disk (/dev/sda) and checks (looking at the first sector) if the code there looks like a valid TrueCrypt loader. If it does, the rest of the code is unpacked (using gzip) and hooked. Evil Maid hooks the TC's function that asks the user for the passphrase, so that the hook records whatever passphrase is provided to this function. We also take care of adjusting some fields in the MBR, like the boot loader size and its checksum. After the hooking is done, the loader is packed again and written back to the disk.

CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
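The quoted description names the pieces a defender can watch: the first 63 sectors of /dev/sda, the loader's first sector, and the MBR fields that get rewritten. The Python below is an added example, not code from this post, the ZDNet article or the Evil Maid implementation itself. It hashes the MBR code, the partition table and the remaining loader sectors separately, so a later check can say which region diverged from a baseline recorded while the machine was known-good. The banner string, the sample boot area and the read_boot_area helper are constructed assumptions; only the partition table offset (446) and the 0x55 0xAA marker at 510 are the standard MBR layout.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SECTORS = 63             # the quoted write-up: the first 63 sectors are read and rewritten
PARTITION_TABLE_OFFSET = 446  # standard MBR layout: 4 x 16-byte entries
SIGNATURE_OFFSET = 510        # standard MBR layout: 0x55 0xAA marker
# Assumption (hypothetical): the loader's first sector carries a recognisable ASCII banner.
TRUECRYPT_BANNER = b"TrueCrypt Boot Loader"
REGIONS = ("mbr_code", "partition_table", "loader_body", "signature_ok")


def read_boot_area(device_path: str) -> bytes:
    """Read the first 63 sectors of a block device (needs root); not used by the offline demo."""
    with open(device_path, "rb") as dev:
        return dev.read(BOOT_SECTORS * SECTOR_SIZE)


def parse_mbr(sector0: bytes) -> dict:
    """Split sector 0 into the parts an integrity report should name separately."""
    if len(sector0) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    signature = struct.unpack_from("<H", sector0, SIGNATURE_OFFSET)[0]
    return {
        "code": sector0[:PARTITION_TABLE_OFFSET],
        "partition_table": sector0[PARTITION_TABLE_OFFSET:SIGNATURE_OFFSET],
        "signature_ok": signature == 0xAA55,
        "looks_like_truecrypt": TRUECRYPT_BANNER in sector0,
    }


def measure_boot_area(raw: bytes) -> dict:
    """Digest the MBR code, the partition table and the remaining loader sectors separately."""
    if len(raw) < BOOT_SECTORS * SECTOR_SIZE:
        raise ValueError("short read: need the full 63-sector boot area")
    fields = parse_mbr(raw[:SECTOR_SIZE])
    loader_body = raw[SECTOR_SIZE:BOOT_SECTORS * SECTOR_SIZE]
    return {
        "mbr_code": hashlib.sha256(fields["code"]).hexdigest(),
        "partition_table": hashlib.sha256(fields["partition_table"]).hexdigest(),
        "loader_body": hashlib.sha256(loader_body).hexdigest(),
        "signature_ok": fields["signature_ok"],
        "looks_like_truecrypt": fields["looks_like_truecrypt"],
    }


def compare_to_baseline(baseline: dict, current: dict) -> list:
    """Names of the regions that differ from the baseline recorded on the known-good machine."""
    return [region for region in REGIONS if baseline[region] != current[region]]


def make_sample_boot_area() -> bytearray:
    """Constructed 63-sector stand-in for a TrueCrypt system disk; not real loader bytes."""
    area = bytearray((i * 7 + 3) & 0xFF for i in range(BOOT_SECTORS * SECTOR_SIZE))
    area[0:3] = b"\xEB\x3C\x90"                       # jump-over-data prologue, filler only
    area[0x10:0x10 + len(TRUECRYPT_BANNER)] = TRUECRYPT_BANNER
    area[PARTITION_TABLE_OFFSET:SIGNATURE_OFFSET] = bytes(64)
    area[PARTITION_TABLE_OFFSET] = 0x80               # first entry marked bootable
    area[PARTITION_TABLE_OFFSET + 4] = 0x07           # partition type id
    struct.pack_into("<H", area, SIGNATURE_OFFSET, 0xAA55)
    return area


if __name__ == "__main__":
    good = bytes(make_sample_boot_area())
    baseline = measure_boot_area(good)          # record this off-machine at install time
    tampered = bytearray(good)
    tampered[5 * SECTOR_SIZE + 100] ^= 0xFF     # one byte changed inside the loader body
    print("changed regions:", compare_to_baseline(baseline, measure_boot_area(bytes(tampered))))
```

The baseline has to live somewhere the laptop's disk cannot be used to update it (a USB key the owner carries, or a printout of the digests), since anyone who can rewrite the boot sectors can rewrite a baseline file stored next to them. This is an after-the-fact check, which is the point UNIX and timmedin raise below: the attack needs a second visit, and a mismatch on mbr_code or loader_body is what the owner can look for before that visit happens.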
UNIX
« Reply #1 on: October 30, 2009, 05:37:57 AM »

Interesting article, seems to be similar to a hardware keylogger though.
As the record is stored on the disk itself, the attacker would need access to the machine again or did I miss something (as (automatic) transmission through network is not available yet)?
dalepearson
« Reply #2 on: October 30, 2009, 06:25:55 AM »

I made a post about this on my blog.
I have tried this a couple of times, but couldn't get it to work.
I am not sure if it's an issue with the image file, or something I am doing wrong, but it's just not doing what it says on the tin.

timmedin
« Reply #3 on: November 09, 2009, 11:35:21 PM »

attacker would need access to the machine again or did I miss something (as (automatic) transmission through network is not available yet)?

Yes, it does require access a second time.

twitter.com/timmedin | http://blog.securitywhole.com
slimjim100
« Reply #4 on: November 10, 2009, 08:07:58 AM »

Anytime you have physical access to a PC you can call it quits for security. I think the Evil Maid stuff is just a little over the top.

Brian

CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP
timmedin
« Reply #5 on: November 15, 2009, 10:47:32 AM »

According to Bruce Schneier and a commenter on his blog:

"Actually Bitlocker is the only Microsoft product that does support Trusted Computing, and thus (if configured that way) will prevent exactly that attack (different bootloader = TPM won't release the Key).
And what used to be called Palladium is going much further than TPMs, it more corresponds to, for example, Intel Trusted Execution Technology."

So when the victim returns to use the laptop it won't boot since the bootloader has been modified. A clear indication that it has been tampered with.

The problem is BitLocker doesn't natively support pre-boot authentication so without a 3rd-party plug-in KonBoot would work fine.

twitter.com/timmedin | http://blog.securitywhole.com
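The "different bootloader = TPM won't release the key" remark in the quoted comment can be shown as a measured-boot toy. The Python below is an added example, not BitLocker's or any TPM vendor's code. It mimics a PCR extend (new PCR = H(old PCR || H(component))), seals a volume key to the PCR value of the known-good boot chain, and shows that a loader with even one byte changed measures to a different PCR, so the unseal fails and the machine stops exactly where timmedin says it does. The boot stages are constructed byte strings, and the seal/unseal pair is a stand-in for the policy check a real TPM performs inside the chip.

```python
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 bank


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: the new PCR value is H(old PCR || H(component)).
    Values can only be accumulated, never set, so a different loader yields a different PCR."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Measure each boot stage in order into a PCR that starts at all zeros (reset state)."""
    pcr = bytes(PCR_SIZE)
    for comp in components:
        pcr = pcr_extend(pcr, comp)
    return pcr


def seal_key(volume_key: bytes, expected_pcr: bytes) -> dict:
    """Toy seal: wrap the key under a digest of the expected PCR and bind a MAC to that PCR.
    A real TPM keeps the key inside the chip and compares PCRs itself; this only models the policy."""
    wrap = hashlib.sha256(b"seal-wrap|" + expected_pcr).digest()
    blob = bytes(k ^ w for k, w in zip(volume_key, wrap))
    tag = hmac.new(expected_pcr, blob, hashlib.sha256).digest()
    return {"blob": blob, "tag": tag}


def unseal_key(sealed: dict, current_pcr: bytes):
    """Release the key only when the PCR measured at this boot matches the sealed-to PCR."""
    tag = hmac.new(current_pcr, sealed["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, sealed["tag"]):
        return None  # boot chain differs from the one the key was sealed to
    wrap = hashlib.sha256(b"seal-wrap|" + current_pcr).digest()
    return bytes(b ^ w for b, w in zip(sealed["blob"], wrap))


# Constructed boot stages (assumed placeholders, not real firmware or loader bytes).
FIRMWARE = b"platform-firmware-v1"
GOOD_LOADER = b"full-disk-encryption loader: prompt passphrase, derive key, boot"
# Constructed stand-in for a loader whose passphrase prompt has been hooked, as in the article.
HOOKED_LOADER = GOOD_LOADER.replace(b"prompt passphrase", b"prompt passphrase, record it")
VOLUME_KEY = bytes(range(32))  # constructed 256-bit key


def provision() -> dict:
    """Done once on the known-good machine: measure the trusted chain and seal the key to it."""
    return seal_key(VOLUME_KEY, measure_boot_chain([FIRMWARE, GOOD_LOADER]))


def boot_attempt(sealed: dict, loader: bytes):
    """What happens at boot: measure the chain actually present, then ask for the key."""
    return unseal_key(sealed, measure_boot_chain([FIRMWARE, loader]))


if __name__ == "__main__":
    sealed = provision()
    print("untouched loader:", boot_attempt(sealed, GOOD_LOADER) == VOLUME_KEY)  # True
    print("hooked loader:   ", boot_attempt(sealed, HOOKED_LOADER))              # None
```

The gate checks what booted, not who is booting: with an untouched loader the key is released regardless of who is at the keyboard, which is the gap timmedin's second paragraph points at when the TPM is the only protector and no pre-boot PIN is configured.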
dalepearson
« Reply #6 on: November 18, 2009, 08:24:08 AM »

I have spoken to a few encryption companies, and many have no plans to utilise TPM, and some didn't even know what it was Smiley

timmedin
« Reply #7 on: November 28, 2009, 10:58:18 PM »

I have spoken to a few encryption companies, and many have no plans to utilise TPM, and some didn't even know what it was Smiley

That is extremely surprising to me.

twitter.com/timmedin | http://blog.securitywhole.com