NTFS Vulnerability

Discussion in 'privacy technology' started by rubberducky, Mar 17, 2009.

Thread Status:
Not open for further replies.
  1. rubberducky

    rubberducky Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    31
    If your laptop is stolen, how easy is it to break into password protected NTFS File System?
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    The NTFS filesystem itself isn't really the component you need to worry about, and your question isn't specific enough. Are you referring to circumventing the Windows logon password, or is your question more about vulnerabilities in the Windows encrypting file system (EFS) and/or third-party encryption?
     
  3. jonw

    jonw Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    83
    If you're just talking about how easy it is to get into an unencrypted laptop, then it is very easy to get in; I could be in your laptop within minutes.
     
  4. rubberducky

    rubberducky Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    31
    I am talking about circumventing Windows logon password, with no encryption at all.
     
  5. jonw

    jonw Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    83
    Yeah, there are tools out there to do that, and if you're talking about the files on your computer, a Linux live CD will do that.
     
  6. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    The Windows logon password is relatively easy to defeat. In some cases the PW can be cracked, especially if it is shorter than 15 characters. The existing PW can also be cleared by using an easily-obtainable PW-reset utility. And finally, all of the data on the drive can be easily accessed from another system, either by booting the laptop from a CD that contains an independent operating system or by removing the laptop's hard drive and slaving it to another computer.

    The only way to truly secure your data is to encrypt it. There are various approaches you can take, depending on your needs.
     
  7. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    Funny :)
     
  8. CaixFang

    CaixFang Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    72
    Man you're slow. ;)

    As stated above, there are numerous "offline" utils that allow you to reset the local account passwords (you CANNOT reset a network logon in this manner.) Once you have reset the admin pwd, boot into Windows, and the machine is yours. That said, I have never tested the limits of a domain computer with NTFS and removing the local admin from NTFS ACLs, along with GPOs and other domain tools to see if you could truly restrict the local admin account (or even just removing the admin from the admins group, although I think that's prohibited.) Without some serious setup, a physically compromised machine is easily defeated; NTFS provides no protection. That said, if the machine's BIOS is set to not allow booting to anything but the 1st HDD, then you would have some protection (no CD/USB/Floppy/etc. boot).

    Even if you were to secure ALL of the above, a screwdriver and a $15 adapter will circumvent it all. I keep an IDE/ATA to USB adapter in my desk next to my screwdrivers, and it would take about 5 mins to remove the drive, connect it to my USB port and pull the data. NTFS can provide minor protection here, where if you are not an admin, and you are loading the extracted drive on the same domain as the target machine, ACLs can prevent access, but let's be real, that's not happening. Once that drive is connected to another machine, it becomes a removable device, and that host machine has full privileges over that drive. At worst, you would have to do a "Take Ownership" on the drive, and that's not likely as is.

    For the average Joe, finding a laptop in a coffee shop, the data is probably safe. For anyone with an ounce of computer ability, that data is compromised the second it is in an enemy's hands. This is the point of encryption.
     
  9. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    Well, by "password protected NTFS File System" I mean file system encrypted with EFS... otherwise the question would be... meaningless. So, supposing the use of EFS together with a strong password, the encrypted data on a lost computer is reasonably safe. I can bet you couldn't be in such a laptop in five minutes... not even ten. :)
     
  10. CaixFang

    CaixFang Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    72
    Maybe, maybe not. :D

    If you are talking about using the Windowz integrated encryption, then if you are logging into a machine with a NON domain account, all the above rules apply. The strength of your password matters not, because it doesn't matter if you have a 25-char alpha/num/symb password on a local user account, that password can be bypassed in about 90 seconds. Once that password is bypassed, you are logged on as that user, and then all the files encrypted using Windowz are now accessible.

    If you are using a domain account and logging on using cached credentials, then this becomes harder. Not impossible, but harder than what the average hacker would go through, but not unheard of.

    If you are using a 3rd party encryption method, then this all becomes moot, as does the file system type, and all becomes dependent on the quality of the encryption sw, strength of password, keyfiles, etc.
     
  11. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    Mmmh... "if you have a 25-char alpha/num/symb password on a local user account" which is not banally guessable, it won't get brute-forced in a reasonable amount of time, not even using rainbow tables (which, if I recall well, don't even exist for such large passwords, since they would take just too much space). So the encrypted files remain private.
     
  12. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    Correct me if I'm wrong, but as far as I am aware, if you reset a user password in Windows, you lose access to your encrypted files. From "Offline NT Password & Registry Editor" site, referring to the situation when you reset a password: "If used on users that have EFS encrypted files, and the system is XP or Vista, all encrypted files for that user will be UNREADABLE! and cannot be recovered unless you remember the old password again"
     
  13. CaixFang

    CaixFang Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    72
    Wrong. Do you not realize that the password is IRRELEVANT? I don't need to know the password to reset it. It doesn't matter how complex the password; resetting the password is a simple process that requires NO PART OF THE PASSWORD.

    With the standard *nix reset tools, I believe that is correct. However, there are tools out there that will reset/reveal the windows password without effect to EFS, they are just a bit harder to find. Admittedly, I have not used any of them, as no one really uses EFS, and rarely do you need to get to EFS'd files on a machine - but the tools exist.

    Bottom line, no matter what the variables, if you are depending strictly on WINDOWZ for your security and protection, you don't have much security or protection. Windowz EFS is only slightly more secure than a normal NTFS setup. If you want real encryption protection, Windowz is NOT the tool to use, be it EFS or the often discussed Vista BitLocker crap.

    It's kinda like bike locks. Sure, a $5 cable combo lock from WalMart will secure your bike to a pole, but it can easily be defeated in many ways. If you want to secure your bike to a pole, you need to buy a good lock that is harder to defeat, say like a solid U-shaped lock with a barrel key. Even better, multiple locks of multiple types will secure your bike better.

    It's the age old question: how important is the data to protect, and what are your expected attack vectors? Once you decide that, then you apply the proper implementations of security and encryption.

    Secure is a relative concept.

    And remember this adage I discovered years ago when it comes to computer security:

    You can have 2 of the following 3, but not all 3: Secure, Easy to use, Cheap
    - If it's secure and easy to use, it won't be cheap
    - If it's cheap and secure, it won't be easy to use
    - If it's cheap and easy to use, it won't be secure
     
  14. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    I have never heard of such a magic tool, which in fact I believe DOES NOT exist. Because if you reset the password, you won't be able to access the files encrypted with EFS, and if the password is strong enough, you won't be able to guess it.
    If I remember correctly, EFS encrypts files using a key protected by a digital certificate; such certificate's passphrase is the Windows password. So, to make it easy to understand: no password --> no access to encryption key --> no access to encrypted files.

    On the other hand, if you can provide an example of tool that will reset a windows password making it still possible to access files encrypted with EFS, you are welcome to demonstrate it. Thank you.
     
  15. CaixFang

    CaixFang Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    72
    As for a straight password reset, there are probably 100 of them, google can point you there, however the best known would be: http://home.eunet.no/pnordahl/ntpasswd/bootdisk.html
    However as mentioned above, it may or may not work with EFS.

    As for EFS specific, the best known would be a service that is free (paid if you want expedited processing) available here: http://www.loginrecovery.com/

    I personally have not used the latter, although I have talked to people who have, and have had good experiences with them and EFS.

    My intention is not to start a war here over this topic, I am just lending what I know, and my experiences with windowz security.

    I maintain, regardless, if you are depending on Windowz alone for security and privacy, you might as well depend on nothing. If Windowz provided a secure platform out of the box, 90% of this forum would not exist. Windowz is NOT designed to be the solution for security and privacy - it may have some features to help, but that alone is NOT enough, IMO.

    Again, for BASIC privacy and security, sure, EFS and other Windowz components are fine; however, if you need any more protection than the most basic, Windowz is NOT the answer.

    If all you are worried about is losing your laptop at the airport and the average Joe picking it up, and you don't want him to be able to get to your tax returns stored in My Docs, then EFS will probably suit you fine. If you are carrying proprietary information, trade secrets, confidential records, etc., depending on EFS is not only NOT good enough, it is a liability.

    Why would you depend on EFS for critical information, when there are plenty of alternatives out there, free and paid, that will secure your data FAR FAR FAR more securely, with minimal additional attention and intervention?

    Either I'm drunk, or I am missing the objective here.
     
  16. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    As mentioned above, IT DOES NOT WORK (the quote I gave you was from their site).

    This has no connection to EFS. It is a password cracking service, and I am a bit skeptical about them. Even if they did as they say, they can't recover every password: "By following three simple steps, 98.5% of passwords are recovered in less than ten minutes."

    Unless someone shows me how I can RELIABLY recover any password from Windows (by reading data from the HDD, not by brute force or dictionary attack), I dare say there is no way to do it.
     
  17. CaixFang

    CaixFang Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    72
    I didn't disagree, I said may or may not. Again, I have stated, I have no need to crack EFS when I reset a local account pwd, so I have never even cared to know (previous to this discussion) if it could or couldn't.
    It has EVERY connection to EFS.

    It goes straight to markoman's post before mine. If we accept that tools such as the offline editor will fail to provide access to EFS, then the answer will require a password, which their service provides. Again, I have not used them; I have only spoken to people who claim it has worked and read a few reviews over time.

    Can they crack a 49-char alpha/num/symb password? I don't know. I don't know their methods. Maybe they have found an exploit in the SAM architecture, or the hashing function, or in stored credentials - all are possible, but like I said, I don't know what they use.

    I go back, again, to what I said. EFS is FINE for basic use, but I would not trust it further than that, nor would I recommend it.

    Here's a perfect reason why. Let's say I find your laptop, and you have used EFS under your logon "Nebulus". Let's also say I notice a nice "Designed for Windows 2000" sticker on the laptop, or I notice it looks like this XP machine was upgraded from 2k. Welp, I'll boot to the standard *nix pwd reset tool, reset the ADMIN account, log in as admin, and decrypt your EFS files using the recovery agent as the admin.

    Given, it has to be an upgrade for this to work, but it's an EXAMPLE of WHY I wouldn't trust EFS - because it's BASED ON WINDOWZ, which has MULTITUDES of security issues, both discovered and undiscovered.

    Or if its a domain machine and I reset the local admin pwd, I have a good chance of the same being possible, without an upgrade, depending on the recovery agent policy - which is usually the admin in most basic implementations.

    REGARDLESS, I will say it again: if you want to use EFS, FINE. If YOU trust it with vital data, FINE. I DON'T. I don't believe it is secure enough to support vital data, and furthermore the available options that I believe DO support vital data have a great cost/benefit ratio. The cost/benefit ratio to me says it all. Not why WOULDN'T you use EFS, but with all the other options, why WOULD you?

    That's just me. I wouldn't lock the deadbolt on my house and expect a priceless painting to not get stolen, because I know someone could throw a brick through the window. The cost of that "data," to me, is worth adding the alarm monitoring, and securing that painting in other ways. But if you don't have a priceless painting in the house, the deadbolt is probably fine.
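    To make the disagreement in this thread concrete (the reset tool's warning quoted earlier, markoman's "no password --> no access to encryption key" chain, and the recovery agent scenario in the post above), here is an added toy model of the EFS key hierarchy. It is constructed for illustration and is not Windows code or anything from the tools mentioned: PBKDF2 stands in for DPAPI, an HMAC keystream stands in for the real ciphers, and the account, file and recovery-agent key are all made up inline. It shows why overwriting the logon hash does not recover the owner's EFS key, why the old password still does, and why the recovery agent's copy of the file key is the thing a defender has to guard.

```python
import hashlib, hmac, secrets

def kdf(password, salt):
    # Key derived from the logon password; protects the EFS private key (stand-in for DPAPI).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def _stream(key, nonce, n):  # counter-mode HMAC keystream, illustrative only
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(n // 32 + 1))[:n]

def wrap(key, data):  # encrypt-then-MAC so a wrong key is detected, not turned into garbage
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce, ct, hmac.new(key, nonce + ct, "sha256").digest()

def unwrap(key, blob):  # returns None when the key is missing or wrong
    nonce, ct, tag = blob
    if key is None or not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def logon_hash(salt, password):  # what the SAM holds and an offline reset tool overwrites
    return hashlib.sha256(salt + password.encode()).digest()

def make_account(password):  # constructed account: logon hash plus password-wrapped EFS key
    salt, private_key = secrets.token_bytes(16), secrets.token_bytes(32)
    return {"salt": salt, "logon_hash": logon_hash(salt, password),
            "wrapped_key": wrap(kdf(password, salt), private_key)}

def unlock_private_key(acct, password):
    return unwrap(kdf(password, acct["salt"]), acct["wrapped_key"])

def reset_password_offline(acct, new):
    # Overwrites the logon hash only: without the old password the private key
    # cannot be unwrapped, so it cannot be rewrapped under the new password.
    acct["logon_hash"] = logon_hash(acct["salt"], new)

def efs_encrypt(plaintext, owner_key, agent_key):
    fek = secrets.token_bytes(32)  # per-file key, wrapped once per principal
    return {"ddf": wrap(owner_key, fek), "drf": wrap(agent_key, fek),
            "body": wrap(fek, plaintext)}

def efs_decrypt(f, key, field):  # field: "ddf" (owner) or "drf" (recovery agent)
    fek = unwrap(key, f[field])
    return None if fek is None else unwrap(fek, f["body"])

def demo():
    pw, agent_key = "correct horse battery staple", secrets.token_bytes(32)
    acct = make_account(pw)
    f = efs_encrypt(b"tax return 2008", unlock_private_key(acct, pw), agent_key)
    reset_password_offline(acct, "reset123")  # logon now accepts "reset123", but ...
    return {"new_pw_after_reset": efs_decrypt(f, unlock_private_key(acct, "reset123"), "ddf"),
            "old_pw_remembered": efs_decrypt(f, unlock_private_key(acct, pw), "ddf"),
            "recovery_agent": efs_decrypt(f, agent_key, "drf")}
```

    The "drf" path is the one to audit on a real machine: whichever account holds the recovery agent's private key can read every file regardless of the owner's password, so that key belongs exported and off the laptop, not in a local admin profile.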
     
  18. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I don't use EFS either, so we are in agreement here :). The reason I don't use it might be a bit different than yours, though: I can't peek inside its source code, and I made a habit of using only open source tools for encryption.
    I tried to explain, though, that used with care, EFS can be relatively safe. Just because I don't use it or I don't recommend it, that doesn't mean it's useless.
     
  19. CaixFang

    CaixFang Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    72

    I agree, and have said so quite a few posts ago: for basic use, it's just fine. Just knowing Windowz, I'm not going to trust it to work for me safely - especially on a domain, or on a removable disk that goes from machine to machine, in and out of domains.

    Conversely, I do find it interesting enough that they moved to BitLocker, and there is all the talk of govt backdoors, which I never heard with EFS. So maybe EFS is a great solution, so much so that the govt said, stop using it and create something we can break... who knows.
     
  20. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    Well, I don't use EFS alone either! I am sure that nobody on this forum does... On the other hand, EFS, if used correctly, can be extremely useful. And especially, it is EASY to use for anybody.
    Of course Windows is not the answer to the need for a secure OS.

    The online service you pointed to gets your password file and tries to crack it, I guess using rainbow tables. They probably have extended rainbow tables, but for sure not enough to cover 25-character-long passwords.
     
  21. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    I believe the best laptop security is an encrypted hard drive that uses a keyfile on a usb stick that is on something you will always put away (like a key ring that has your keys on it in your pocket). Good asymmetric encryption requires a good password and there are many products on the market today that will provide a key generator making sufficiently strong passwords. Just my humble opinion and 8 cents worth (inflation acknowledged).
    SourMilk out
     