"Evil Maid" Attacks on Encrypted Hard Drives


ronjor
October 24th, 2009, 10:42 PM
-{ Quote: "Earlier this month, Joanna Rutkowska implemented the "evil maid" attack against TrueCrypt. The same kind of attack should work against any whole-disk encryption, including PGP Disk and BitLocker. Basically, the attack works like this:

Step 1: Attacker gains access to your shut-down computer and boots it from a separate volume. The attacker writes a hacked bootloader onto your system, then shuts it down.

Step 2: You boot your computer using the attacker's hacked bootloader, entering your encryption key. Once the disk is unlocked, the hacked bootloader does its mischief. It might install malware to capture the key and send it over the Internet somewhere, or store it in some location on the disk to be retrieved later, or whatever.

You can see why it's called the "evil maid" attack; a likely scenario is that you leave your encrypted computer in your hotel room when you go out to dinner, and the maid sneaks in and installs the hacked bootloader. The same maid could even sneak back the next night and erase any traces of her actions." }-Bruce Schneier (http://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html)

duk
October 25th, 2009, 12:35 AM
Before you leave your hotel room, turn off your laptop and store it properly in your suitcase (http://www.car-safe.com/notebook-case.htm).

Problem solved.

(I won't comment on software protections (there are several, such as checking the integrity of the MBR, using live CDs for the bootloader ...). We reviewed these thoroughly when the Stoned Bootkit appeared, and here the method not only uses Windows with admin privileges to be installed, but the technique is the same as Stoned's: install malicious software on the master boot record.)

dlimanov
October 25th, 2009, 12:54 AM
-{ Quote: "Bruce Schneier (http://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html)" }-

FWIW, most commercial-grade encryption products protect MBR (both their own and original Windows) either via encryption or some other method, so installing a malicious bootloader won't get you anywhere on those.
This might work on TrueCrypt, though.

Dogbiscuit
October 25th, 2009, 01:29 AM
Also, according to Mr. Schneier:

-{ Quote: "BitLocker, the one thing that has come out of Microsoft's Trusted Computing initiative in the seven-plus years they've been working on it, can prevent these sorts of attacks if the computer has a TPM module on the motherboard. (Note: Not all computers do.)" }-

stap0510
October 25th, 2009, 06:28 AM
-{ Quote: "FWIW, most commercial-grade encryption products protect MBR (both their own and original Windows) either via encryption or some other method, so installing a malicious bootloader won't get you anywhere on those.
This might work on TrueCrypt, though." }-

Do you have any proof or an article that supports your claim?
Does PGP, for example, have this?

dlimanov
October 25th, 2009, 09:03 AM
-{ Quote: "Do you have any proof or an article that supports your claim?
Does PGP, for example, have this?" }-

I'm sure PGP Whole Disk Encryption does, it would be insane if they didn't. Utimaco (Sophos) SafeGuard Enterprise does for sure, and so did Guardian Edge when I tested it.

Nebulus
October 25th, 2009, 01:40 PM
-{ Quote: "FWIW, most commercial-grade encryption products protect MBR (both their own and original Windows) either via encryption or some other method, so installing a malicious bootloader won't get you anywhere on those.
" }-
Ok, then how is the boot code executed if it's encrypted? The BIOS gives control to a segment of code, usually located on the HDD (in case of HDD boot), and that segment of code can't be encrypted. It is this portion of code that is not possible to protect and that can be exploited by an "evil maid" attack.

LockBox
October 25th, 2009, 04:03 PM
Clearly the best thing is to keep your laptop with you. With netbooks, it's much easier than before.

Otherwise, all bets are off. The best that can be done to prevent anything like this is to make it obvious you have been compromised. At least then, you know.

Hint: Check out Predator at http://www.montpellier-informatique.com/predator/en/index.php


edit to include link

I no more
October 25th, 2009, 06:32 PM
-{ Quote: "Clearly the best thing is to keep your laptop with you. With netbooks, it's much easier than before.

Otherwise, all bets are off. The best that can be done to prevent anything like this is to make it obvious you have been compromised. At least then, you know.

Hint: Check out Predator at http://www.montpellier-informatique.com/predator/en/index.php


edit to include link" }-

There are, of course, still risks with doing this. There's the cold boot attack, which requires freezing the RAM. Now instead of two steps for a compromise, it only takes one. Extract the key from RAM and have full access to the drive.

The second attack involves DMA (direct memory access) through firewire or other ports capable of this. This probably can't be prevented by this technology. This technique, again, allows the extraction of the key from RAM in one step.

For the average user, it's probably safer to just shut off the computer. There are probably ways to prevent the above attacks, but not much that the average user will be able to do. Some people want perfect security, but there always has to be something unencrypted somewhere to allow you to authenticate yourself. This is the vulnerability. Having near perfect security will probably only be achieved by people willing to do whatever it takes to plug any vulnerability. For the rest of us, there's always some risk.

I personally don't mind TrueCrypt's approach. KISS. TrueCrypt isn't anti-malware, and trying to implement these features will simply add a lot of complexity to the code. Also, from my experience, TrueCrypt's approach is usually all-or-nothing. If they don't have a way to completely plug a vulnerability, they usually won't implement it. I don't know what the commercial vendors do, but it's probably not 100% effective.

box750
October 25th, 2009, 09:24 PM
In a paranoia scenario, then you don't use the bootloader stored in the hard disk to boot the computer, you could use your recovery live CD to boot TrueCrypt and permanently delete your hard disk computer bootloader with WinHex.

You would still have to store that live CD in a safe place to avoid someone tampering with it, maybe sign it.

dlimanov
October 25th, 2009, 10:38 PM
-{ Quote: "Ok, then how is the boot code executed if it's encrypted? The BIOS gives control to a segment of code, usually located on the HDD (in case of HDD boot), and that segment of code can't be encrypted. It is this portion of code that is not possible to protect and that can be exploited by an "evil maid" attack." }-

Most run a secured version of Linux or OpenBSD and replace (or pad) existing MBR with their own, protected one. So in short, its own protected MBR runs, that in turn, points to original or modified MBR that is normally encrypted, but becomes accessible after preboot authentication is completed, and filter drivers are loaded.
Hope this makes sense.

stap0510
October 26th, 2009, 08:58 AM
-{ Quote: "I'm sure PGP Whole Disk Encryption does, it would be insane if they didn't. Utimaco (Sophos) SafeGuard Enterprise does for sure, and so did Guardian Edge when I tested it." }-
With all due respect, but that's an assumption concerning PGP.

dlimanov
October 26th, 2009, 09:25 AM
-{ Quote: "With all due respect, but that's an assumption concerning PGP." }-

Point taken, I have no hands-on experience with their Enterprise suite. But as I said, it would be crazy if they didn't have something similar in place. ;)

iii
October 26th, 2009, 11:09 AM
I'm not computer savvy, but I noticed when I was looking at the services on my Vista Home Basic computer that I have this running: TPM Base Services, and the description is that it protects your keys. So if Windows Vista has this, wouldn't evil maid be ineffective?

I no more
October 26th, 2009, 11:38 AM
-{ Quote: "In a paranoia scenario, then you don't use the bootloader stored in the hard disk to boot the computer, you could use your recovery live CD to boot TrueCrypt and permanently delete your hard disk computer bootloader with WinHex.

You would still have to store that live CD in a safe place to avoid someone tampering with it, maybe sign it." }-

http://www.truecrypt.org/docs/?s=rescue-disk

Here's a description of how to boot directly from the rescue disk, thus bypassing the TrueCrypt bootloader on the hard drive entirely.

-{ Quote: " Most run a secured version of Linux or OpenBSD and replace (or pad) existing MBR with their own, protected one. So in short, its own protected MBR runs, that in turn, points to original or modified MBR that is normally encrypted, but becomes accessible after preboot authentication is completed, and filter drivers are loaded.
Hope this makes sense. " }-

I don't fully understand that. Do you have links to a description of this from one of the commercial vendors?

I no more
October 26th, 2009, 11:42 AM
-{ Quote: "I'm not computer savvy, but I noticed when I was looking at the services on my Vista Home Basic computer that I have this running: TPM Base Services, and the description is that it protects your keys. So if Windows Vista has this, wouldn't evil maid be ineffective?" }-

I know nothing about Vista, TPM, or BitLocker, but I'm pretty sure it can't protect your bootloader while using anything other than BitLocker. How well it works with BitLocker, I have no idea.

Pleonasm
October 26th, 2009, 12:32 PM
-{ Quote: "With all due respect, but that's an assumption concerning PGP." }-
According to the PGP Desktop User’s Guide, the boot record is encrypted by the PGP Whole Disk Encryption product. Thus, replacing the boot loader with a malicious counterpart would cause a boot failure and thereby maintain the integrity of a PGP encrypted volume -- correct?

Also, note that PGP Whole Disk Encryption supports Trusted Platform Module (TPM) authentication.

dlimanov
October 26th, 2009, 01:13 PM
-{ Quote: "I don't fully understand that. Do you have links to a description of this from one of the commercial vendors?" }-


See Pleonasm's post below (or above my post), as this is exactly what he's talking about and he's 100% correct: replacing PGP's MBR with your own won't get you anywhere, as something needs to authenticate you, load filter driver(s) and decrypt original Windows MBR that has been padded further up the drive and encrypted.
So, in short it works like this:
BIOS->Encryption Vendor MBR->Preboot authentication->Filter Driver(s) loaded->Original (encrypted) MBR executed->OS loads
This is obviously oversimplified, but you get the idea.

I no more
October 26th, 2009, 01:52 PM
-{ Quote: "Also, note that PGP Whole Disk Encryption supports Trusted Platform Module (TPM) authentication." }-

I stand corrected.

I no more
October 26th, 2009, 01:59 PM
-{ Quote: "BIOS->Encryption Vendor MBR->Preboot authentication->Filter Driver(s) loaded->Original (encrypted) MBR executed->OS loads
This is obviously oversimplified, but you get the idea." }-

Why can't some malware be loaded into the area of the hard drive containing the preboot authentication or any unencrypted area of the drive prior to the encrypted MBR? Couldn't malware loaded there in turn do something to the encrypted MBR after it's decrypted?

My point is you're still executing something that's unencrypted prior to the encrypted MBR. So, how do you know this unencrypted code is immune to malware?
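One way to detect changes to the code that has to stay unencrypted, as an added example (not from any poster or vendor in this thread): hash the MBR boot code and the sectors between the MBR and the first partition, then compare against a baseline kept off the machine. It assumes a classic MBR-partitioned disk read as a raw image from trusted boot media such as the live CD mentioned earlier; the sample image and function names are constructed.

```python
import hashlib
import struct

SECTOR = 512


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def first_partition_lba(mbr: bytes) -> int:
    """Lowest starting LBA among the four primary partition entries."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA boot signature")
    starts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        ptype, lba = entry[4], struct.unpack_from("<I", entry, 8)[0]
        if ptype != 0 and lba > 0:
            starts.append(lba)
    if not starts:
        raise ValueError("no partition entries in use")
    return min(starts)


def measure_boot_area(image: bytes) -> dict:
    """Hash each plaintext region that runs or is parsed before the disk is unlocked."""
    mbr = image[:SECTOR]
    gap_end = first_partition_lba(mbr) * SECTOR
    if len(image) < gap_end:
        raise ValueError("image is shorter than the pre-partition area")
    return {
        "mbr_boot_code": sha256_hex(mbr[:440]),
        "mbr_partition_table": sha256_hex(mbr[440:512]),
        "pre_partition_sectors": sha256_hex(image[SECTOR:gap_end]),
    }


def changed_regions(baseline: dict, current: dict) -> list:
    """Names of regions whose hash no longer matches the baseline."""
    return sorted(k for k in baseline if baseline[k] != current.get(k))


def build_sample_image() -> bytes:
    """Constructed 64-sector image with one partition starting at LBA 63."""
    img = bytearray(64 * SECTOR)
    img[0:3] = b"\xeb\x3c\x90"            # placeholder bytes standing in for boot code
    entry = bytearray(16)
    entry[4] = 0x07                        # partition type
    struct.pack_into("<I", entry, 8, 63)   # starting LBA
    struct.pack_into("<I", entry, 12, 2048)  # sector count
    img[446:462] = entry
    img[510:512] = b"\x55\xaa"
    img[SECTOR:SECTOR + 8] = b"PREBOOT!"   # stand-in for preboot loader sectors
    return bytes(img)


def flip_byte(image: bytes, offset: int) -> bytes:
    """Return a copy with one byte altered (XOR guarantees it changes)."""
    out = bytearray(image)
    out[offset] ^= 0xCC
    return bytes(out)


if __name__ == "__main__":
    clean = build_sample_image()
    baseline = measure_boot_area(clean)  # record this somewhere off the laptop
    print(changed_regions(baseline, measure_boot_area(flip_byte(clean, 100))))
    print(changed_regions(baseline, measure_boot_area(flip_byte(clean, 5 * SECTOR))))
```

Run from the installed operating system, the same check can be fed clean sectors by code that loaded earlier in the boot, which is why the image is read from separate media.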

Pleonasm
October 26th, 2009, 02:21 PM
Another strategy to help ameliorate this “evil maid” threat is the use of a power-on password, supported by some BIOS implementations. It is not foolproof, however, because the setting can be circumvented by manipulating a jumper.

Pleonasm
October 26th, 2009, 02:39 PM
-{ Quote: "Why can't some malware be loaded into the area of the hard drive containing the preboot authentication or any unencrypted area of the drive prior to the encrypted MBR?" }-
Ah, now I see your point.

* * * * * * * * * * * * * * *

Commentary from PGP on this subject...

-{ Quote: "No security product on the market today can protect you if the underlying computer has been compromised by malware with root level administrative privileges. That said, there exists well-understood common sense defenses against “Cold Boot,” “Stoned Boot,” “Evil Maid,” and many other attacks yet to be named and publicized.

PGP Whole Disk Encryption offers a range of options that will make it difficult for the “Evil Maid” to clean out your laptop:

Much of the malware found in the wild will capture your passwords, be that the login password to your laptop or the website password for your bank. Two-factor authentication should be your first line of defense against password loggers.

PGP Whole Disk Encryption has supported the use of smartcards from day one. If you use a smartcard to authenticate to PGP Whole Disk Encryption, the “Maid” will learn your smartcard’s PIN, but without the smartcard in your wallet or the cryptographic USB token on your keychain she cannot use this information to log into your laptop to compromise your data.

Source: Evil Maid Attack (http://blog.pgp.com/index.php/2009/10/evil-maid-attack/)" }-
In addition...

-{ Quote: " PGP WDE {Whole Disk Encryption} has a clever feature in it — WDE prevents you from writing over the MBR. Consequently, it’s impossible to install MBR-level malware on a system with PGP WDE for that simple reason.

This particular piece of malware very cleverly installs itself in the MBR and performs a judo move on TrueCrypt. That particular judo move wouldn’t work on PGP WDE because we protect the MBR. It wouldn’t work on a system that protects the MBR some other way, like with a Trusted Platform Module (TPM).

Source: Stoned Boot Attack (http://blog.pgp.com/index.php/2009/08/stoned-boot-attack/)" }-

dlimanov
October 26th, 2009, 03:39 PM
Just like Pleonasm posted, most (if not all) full-disk encryption vendors have a way of securing their MBR. You can't just overwrite the OS MBR that has been padded further up the drive, it's encrypted and you will need to be authenticated to preboot before you can make any changes to it that would give you any results.
You can blow away vendor's preboot space and MBR, or replace it with your own trojaned version, but this won't get you anywhere, as decryption mechanism and loading of filter drivers is extremely proprietary and protected by the developer. You'll have your super-sneaky MBR that sits on top of encrypted, inaccessible drive.

iii
October 26th, 2009, 06:12 PM
-{ Quote: "There are, of course, still risks with doing this. There's the cold boot attack, which requires freezing the RAM. Now instead of two steps for a compromise, it only takes one. Extract the key from RAM and have full access to the drive.

The second attack involves DMA (direct memory access) through firewire or other ports capable of this. This probably can't be prevented by this technology. This technique, again, allows the extraction of the key from RAM in one step.

For the average user, it's probably safer to just shut off the computer. There are probably ways to prevent the above attacks, but not much that the average user will be able to do. Some people want perfect security, but there always has to be something unencrypted somewhere to allow you to authenticate yourself. This is the vulnerability. Having near perfect security will probably only be achieved by people willing to do whatever it takes to plug any vulnerability. For the rest of us, there's always some risk.

I personally don't mind TrueCrypt's approach. KISS. TrueCrypt isn't anti-malware, and trying to implement these features will simply add a lot of complexity to the code. Also, from my experience, TrueCrypt's approach is usually all-or-nothing. If they don't have a way to completely plug a vulnerability, they usually won't implement it. I don't know what the commercial vendors do, but it's probably not 100% effective." }-

That's true, but if your USB and DVD-ROM and computer screen are locked, how many people are going to know how to bypass such layers? Is it that easy?

Edit: that's nice, Predator keeps logs of activity so you know what's going on with your computer and if anything happened.

I no more
October 26th, 2009, 07:13 PM
-{ Quote: "That's true, but if your USB and DVD-ROM and computer screen are locked, how many people are going to know how to bypass such layers? Is it that easy?" }-

Who are you protecting against? It's not easy, but it's possible. The RAM freezing attack can be performed by anyone who's ever heard of it. You just open the case, freeze the RAM, and stick it in another computer. You image the RAM with the other computer, then that's where the real skill is needed. Extract the key from the RAM.

But, all steps prior to the key extraction are easy, and the key extraction has no time limit. Once you have the image of the RAM, you can give it to an expert to extract any time you want.

-{ Quote: "Edit: that's nice, Predator keeps logs of activity so you know what's going on with your computer and if anything happened." }-

A log won't help you in this case. Your key is extracted in one step. You aren't required to come back and enter the password. So, all they do is image the RAM, take your computer (or just the hard drive) with them, then extract the key in the lab and access your encrypted drive.

You won't even have a computer to give you a log.

iii
October 27th, 2009, 05:10 AM
You're right, but how many people would actually go that far? Bringing a computer to an expert or lab, I don't know, that sounds pretty extreme. If someone is that determined to get your stuff then you're screwed anyway, because he will eventually, regardless of what you would do.

iii
October 27th, 2009, 06:04 AM
-{ Quote: "In a paranoia scenario, then you don't use the bootloader stored in the hard disk to boot the computer, you could use your recovery live CD to boot TrueCrypt and permanently delete your hard disk computer bootloader with WinHex.

You would still have to store that live CD in a safe place to avoid someone tampering with it, maybe sign it." }-


Or you can just change passwords every time you use the computer.

Pleonasm
October 27th, 2009, 10:28 AM
-{ Quote: "You image the RAM with the other computer, then that's where the real skill is needed. Extract the key from the RAM." }-
FYI -- PGP takes precautions to minimize the likelihood of success of an “extract-from-RAM” strategy...

-{ Quote: "When you protect a disk or partition with PGP Whole Disk Encryption, your passphrase is turned into a key. This key is used to encrypt and decrypt the data on the encrypted disk or partition. While the passphrase is erased from memory immediately, the key (from which your passphrase cannot be derived) remains in memory.

This key is protected from virtual memory; however, if a certain section of memory stores the exact same data for extremely long periods of time without being turned off or reset, that memory tends to retain a static charge, which could be read by attackers. If your encrypted disk or partition is decrypted for long periods, over time, detectable traces of your key could be retained in memory. Devices exist that could recover the key. You won’t find such devices at your neighborhood electronics shop, but major governments are likely to have a few.

PGP Desktop protects against this by keeping two copies of the key in RAM, one normal copy and one bit-inverted copy, and inverting both copies every few seconds.

Source: PGP Desktop User's Guide" }-

I no more
October 27th, 2009, 11:39 AM
-{ Quote: "FYI -- PGP takes precautions to minimize the likelihood of success of an “extract-from-RAM” strategy..." }-

That's all well and good, but it's simply a reduction of risk. They're not completely eliminating the vulnerability. I think it's the same with the MBR protection. The risk isn't completely eliminated, just reduced.

Regarding the bit flipping, that probably won't be effective at all against an attack using DMA. It might be effective against RAM freezing.

There's also something to be said for a minimalist strategy.

Pleonasm
October 27th, 2009, 12:17 PM
-{ Quote: "That's all well and good, but it's simply a reduction of risk. They're not completely eliminating the vulnerability." }-
Correct. However, when choosing between a mitigated risk and an uncontrolled risk, the former is obviously to be preferred.

-{ Quote: "There's also something to be said for a minimalist strategy." }-
Not sure that I understand the “minimalist strategy.” Can you kindly elaborate? (Thank you.)

I no more
October 27th, 2009, 06:09 PM
-{ Quote: "Correct. However, when choosing between a mitigated risk and an uncontrolled risk, the former is obviously to be preferred." }-


-{ Quote: " PGP uses a technique to avoid memory “burn-in” of the key bits in many places. This might be a partial amelioration. It might cause the key bits to fade a little faster. It might keep key bits from being captured from a suspended system (for example), but it is unlikely to help much. A number of people have asked me about this, and I don’t think it helps much. Alex Halderman (one of the researchers), kindly gave me a heads-up about the research before it was announced. I asked him about this and he didn’t think it would do much, either. The correct answer is to clear the memory. " }-

This is a quote from http://blog.pgp.com/index.php/category/pgp_advisory_board/page/2/

I'm surprised to hear this on that site, but it's entirely correct. I have to say the honesty of Jon Callas seems to be second to none. So, I'm not going to go any further or attempt to use his words against him. Suffice it to say, there's no software FDE that protects against this.


-{ Quote: " Not sure that I understand the “minimalist strategy.” Can you kindly elaborate? (Thank you.)" }-

http://en.wikipedia.org/wiki/KISS_principle

There's no need to try to fix a problem if you don't have a complete solution. It just adds extra code and extra complexity.

culla
October 27th, 2009, 06:52 PM
I run most progs from a memory stick and save onto the same stick or an external drive, which I unplug and take with me, so all evil maid would see is an operating system ;D

Pleonasm
October 27th, 2009, 07:27 PM
-{ Quote: "I have to say the honesty of Jon Callas seems to be second to none. So, I'm not going to go any further or attempt to use his words against him. Suffice it to say, there's no software FDE that protects against this." }-
A very interesting blog post, indeed! As Callas states, “This is a hardware problem, and comprehensive solutions for it require hardware support.” The software approach implemented by PGP can’t overcome this limitation, but it may be a (small) step in the right direction. Consider: since the publication of Callas’ blog post, PGP has added its anti-burn-in system to the PGP Whole Disk Encryption product, an indication of the company's perspective that the approach “might be a partial amelioration.”

On a more general point, I disagree with the argument that if a privacy solution is imperfect, then it is therefore without merit or value. The objective isn’t to achieve perfection -- rather, it is to maximize “total protection,” which may be conceived as a sum of the products of the (a) probability of a threat occurring and (b) the probability of the solution against that threat being effective. As long as the latter quantity is greater than zero, "total protection" will be enhanced -- and, it is rare indeed that any solution to a privacy problem is without limitations.

:)

iii
October 28th, 2009, 10:50 PM
Can't you just scan the USB ports for malware when you boot up? Wouldn't that tell if an evil maid was installed?