
Re: looking for EFS weaknesses

From: Tom Bowers <bowerst(at)wyeth.com>
Date: Fri Jun 27 2003 - 09:20:18 EDT


The weaknesses of W2K EFS are as follows:

  1. The default recovery agent for encrypted files is the W2K Administrator account. Therefore if you can compromise the Administrator account and log in as the same you have access to ALL encrypted files. This compromise is very easily accomplished with Peter Nordahl's Linux boot disk. It can be found at: http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
  2. Elcomsoft has developed a tool that locates and attempts to break/interpret the private keys being used for EFS in a GUI based tool. It can be found at: http://www.elcomsoft.com/aefsdr.html#
  3. Yes, both of these solutions require physical access to the affected PC but if we assume a stolen laptop with company proprietary data on it......

When we architected W2K for Wyeth we had high hopes for EFS. They were soon dashed because of the weaknesses listed above and in your email. EFS in XP does not share these weaknesses due to a change in how they handle their key pairs.

Respectfully,

Tom Bowers, CISSP
Wyeth Pharmaceuticals
Lead Desktop & Firewall Engineer

>>> Ryan Smith <ryansmith@mail.utexas.edu> 6/26/2003 11:53:30 AM >>>

After some research, I am considering rolling out an encryption solution
based on win2k EFS. I know of one weakness, that encrypting a file that
already exists will leave behind an insecurely deleted plaintext file.
This means anyone with any decent forensics tool could bypass the OS and
easily read it directly off the hard drive.


It also transfers files insecurely across the network. SSL should solve
for that.

Does anyone know of any other major weaknesses in the EFS encryption, certificate handling, encryption, etc? For this group I'm particularly
looking for areas of the hard drive that may contain hidden plaintext copies of normally encrypted documents.
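The two weaknesses raised in this thread, a recovery agent that defaults to the Administrator account and plaintext remnants left on disk after encrypting a file in place, can both be checked and (for the second) mitigated with Windows' own cipher.exe. The script below is an added example and is not code from either poster: it enumerates EFS-encrypted files under a path, parses the "Users who can decrypt" and "Recovery Certificates" sections of cipher.exe /c output to flag any file whose recovery agent is the built-in Administrator, and optionally runs cipher.exe /w to overwrite free space so deleted plaintext cannot be carved back. It assumes Windows PowerShell 3.0 or later and the cipher.exe output layout shown in the comments; the parameter names and the hypothetical audit path are this example's own.

```powershell
# Added example, not from the original thread. Audits EFS-encrypted files and
# scrubs free space with the built-in cipher.exe. Assumes PowerShell 3.0+.
param(
    [string]$Root = "$env:USERPROFILE\Documents",   # hypothetical default path
    [switch]$WipeFreeSpace                           # also run cipher /w on the volume
)

function Get-EfsFileInfo {
    param([string]$Path)
    # cipher /c prints, per file, a "Users who can decrypt:" block and a
    # "Recovery Certificates:" block, each followed by "Certificate thumbprint:"
    # lines, then "Key Information:". We walk the lines with a small state machine.
    $out = & cipher.exe /c $Path 2>&1 | Out-String
    $section = ''
    $users = @()
    $agents = @()
    foreach ($line in ($out -split "`r?`n")) {
        $t = $line.Trim()
        if     ($t -match '^Users who can decrypt:')     { $section = 'users' }
        elseif ($t -match '^Recovery Certificates:')     { $section = 'agents' }
        elseif ($t -match '^(Key Information|Compatibility Level)') { $section = '' }
        elseif ($t -eq '' -or $t -match '^Certificate thumbprint:') { }
        elseif ($section -eq 'users')  { $users  += $t }
        elseif ($section -eq 'agents') { $agents += $t }
    }
    [pscustomobject]@{
        Path   = $Path
        Users  = $users
        Agents = $agents
        # Weakness 1 in the thread: the built-in Administrator is the recovery agent,
        # so anyone who resets that account's password (e.g. with an offline boot
        # disk) can decrypt the file.
        AdminIsRecoveryAgent = [bool]($agents | Where-Object { $_ -match '(^|\\)Administrator\b' })
    }
}

# Find files carrying the NTFS Encrypted attribute.
$encrypted = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }

$report = foreach ($f in $encrypted) { Get-EfsFileInfo -Path $f.FullName }

$report | Format-Table Path, AdminIsRecoveryAgent,
    @{ Name = 'Agents'; Expression = { $_.Agents -join '; ' } },
    @{ Name = 'Users';  Expression = { $_.Users  -join '; ' } } -AutoSize

$flagged = @($report | Where-Object { $_.AdminIsRecoveryAgent })
Write-Host ("{0} encrypted file(s), {1} recoverable by the built-in Administrator." -f $report.Count, $flagged.Count)

if ($WipeFreeSpace) {
    # The weakness in the original question: encrypting an existing file leaves the
    # deleted plaintext in free space. cipher /w overwrites all unused space on the
    # volume (three passes: 0x00, 0xFF, random). It is slow on large volumes and
    # does not touch slack space inside allocated files.
    $volume = [IO.Path]::GetPathRoot((Resolve-Path $Root).Path)
    & cipher.exe /w:$volume
}
```

Run it as a user who can read the files being audited; cipher /c only reports what the caller is allowed to see. A file that lists no recovery certificate at all is not automatically safer: it simply means the data recovery agent policy has been removed, so the only way back in is the owner's own private key.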



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Fri Jun 27 09:38:30 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:44 EDT

