Drive Encryption Useless against Online Attacks?
When securing your system, drive encryption is heavily recommended, and it works very well. But just how well will it protect you from online attacks? Well, truth be told, in some situations it may not help you at all.
I wanted to see how well drive encryption would protect a Windows XP SP3 machine from a common online Java based attack. So I installed the latest version of TrueCrypt (a popular open source encryption program) on a test system. I encrypted the whole drive just to be safe:
I then rebooted to verify that the system would not boot without the TrueCrypt password:
But let’s take this one step further. One level of encryption is good, but I have a very important file that I do not want read by others. And I definetly do not want someone else to be able to copy this to a different system. I encrypted the “Super Secret” folder and the goldmine file “Secret.txt” on the victims machine with Windows built in Encrypting File System (EFS):
All right, green means encrypted, we are good to go. The whole drive is encrypted with one level of encryption and the target file itself is encrypted with another encryption technique.
To see how well the encryption would stand up to an online attack, I used a Linux system running Backtrack 4’s Social Engineering Toolkit, and set up a simulated malicious Java Attack. On the target machine, once I clicked on and allowed the malicious Java file to run, I received a remote shell to the victim machine. Issuing a directory command on the attacker machine’s remote shell I received this:
A full directory of the victims encrypted root drive. Well, that is not good. The “Super Secret” directory shows up in the list, I wonder if I can access it:
Absolutely, not only could I read the directory and it’s contents remotely, I was able to view the contents of the encrypted file itself. Well, that is not a fair test. I could read it, but would I be able to copy that double encrypted file to a different computer?
Okay, it copied without error, but being encrypted, there is no way I should be able to read it on a different machine…
This is a picture of the file in Ubuntu’s Kate Text Editor. After copying the “secret” text file to my remote Linux attacking machine, it opened with no issues and was completely readable. The secret message now unencrypted and on a remote machine says:
Super Secret Insider Tip:
Sell all stocks and buy Tacos.
“Buy Tacos”, that’s a good tip, and it didn’t even come from Wikileaks. Well maybe it will be in the next release.
Okay, how was this possible? Encryption works very good when your machine is off and someone is trying to access it. Or if another user on the local machine or LAN is trying to read it. But since this online attack dropped the attacker into the current logged in user session, the attacker could read all of the encrypted information. The encryption system could not tell that the attacker was a remote attacker, but thought it was the local user.
* Side note – if your laptop is encrypted, and is stolen while it is turned on, even though it might be locked, it could be vulnerable to a cold boot attack.
What do you do to defend yourself against this type of online attack? Do not surf the web from secure systems. Use a virtual machine or a different machine altogether. If you must surf from your encrypted machine, do not allow online programs to run on it. Java applets, online “free” virus scanners, many “free” games, and even the bogus “you need to install this missing video codex” driver install are all things to avoid.
Encryption works very well at what it does, but it can be vulnerable to some online attacks.