TrueCrypt can be broken? Read this!

Discussion in 'privacy technology' started by demoneye, Jun 22, 2011.

Thread Status:
Not open for further replies.
  1. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
  2. box750

    box750 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    259
    The most important part of that page is this one:

    Passware Kit scans the physical memory image file (acquired while the encrypted BitLocker or TrueCrypt disk was mounted, even if the target computer was locked)

    For this to work your fully encrypted drive needs to be mounted and decrypted when someone gets hold of it, and if someone can get hold of your computer while it is mounted and decrypted, the least of your worries is some program pulling the encryption key from RAM and reusing it. If you switch your computer off when you are not around you are safe; if you use a screensaver (locked), you are not.
     
  3. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    oww...

    It's such a dummy approach, so maybe I misunderstood it :)
    If it's all about when your PC is mounted and decrypted, you can EVEN insert a USB HD and copy all the data HAHA, why use all this dump and stuff :)

    Thanks mate for clearing it up for me
     
  4. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,075
    But the "hacker" should be able to unlock (password protected) your pc first? no?

    If I disable the hibernation I'm protected?

    BTW nice blog, although I miss RSS
     
    Last edited: Jun 22, 2011
  5. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    I don't know about BitLocker, but if you read the TrueCrypt docs you will find a warning(s?) about using hibernation.
    In theory, if you are using full system/disk encryption of all disks in the machine, the hiberfil.sys file should also be encrypted. To be sure, don't use hibernation and turn off your computer when you leave.

    Bottom line is that encryption is not magic. If you don't understand the details of how it works your data is much more vulnerable.

    I suspect local law enforcement counts on stupid criminals blindly trusting encryption to lock their data. I just hate to see police having to purchase software like Passware Kit at such a high price.
     
  6. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    Police and other law enforcement groups, as far as I know, can't break TrueCrypt by its password.

    I mean, ignore the stupid users; they can't break it by software or any trap doors
     
  7. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    A stupid user is someone that uses TrueCrypt but doesn't understand what they are doing. An example is someone that uses file based containers because full system encryption is too hard to figure out.
    For example, if you use a file based container, hibernate your system and leave your computer unattended. In that case, Passware-like programs have no problem capturing the master keys from hiberfil.sys.

    If you are not stupid and have data you want kept secret, use full system encryption and turn off hibernation. Never walk away from your system without a full shutdown. In that case it is impossible for even the NSA to crack your encryption.
     
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Just because you're using file based containers doesn't mean you're stupid and don't understand truecrypt. Some people don't need to encrypt their entire system, only very important files.

    I do somewhat agree with your second statement though (except hiberfil.sys can be easily encrypted).
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    or encrypt specific files and turn off hibernation... lmao
     
  10. x942

    x942 Guest

    Both encrypt it if you encrypt all partitions. BitLocker disables sleep mode when using it. I also recommend enabling encrypted page file and hibernation file in gpedit; this adds a second layer of AES-256 bit encryption to those files.

    As long as the computer is hibernated it is safe; however, if an attacker can intercept the hibernation file at boot time then you can be compromised. All in all, don't hibernate or at least don't resume in an unsafe location.
     
  11. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    This refers only to full HD encryption? Not container file encryption? :rolleyes:
     
  12. box750

    box750 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    259
    There is no need to "unlock" your password protected screensaver, it is possible to plug in a USB thumbdrive that will use Windows autorun to execute a script and get your encryption keys from RAM. If your computer is not hibernating then disabling hibernation will not protect you, the encryption keys will be found in RAM memory.
     
    Last edited: Jun 23, 2011
  13. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    If they have physical access to your PC with the disk mounted, you have more serious things to worry about ;Ð
     
  14. x942

    x942 Guest

    Encrypting the page file works in both cases; however, if you use a container it is not recommended to hibernate UNLESS you clear it from cache. I don't bother with hibernate, but with FDE it should be fine as long as the resume process isn't intercepted and you don't allow an attacker access when mounted.

    box750:

    Yes and no. While a screensaver won't do anything, you can mitigate it by disabling autorun and using Windows 7's lock screen. This is much harder to bypass, but not by much. I recommend shutting down or only using it in a trusted location to keep the honest people out ;)
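
A read-only check of the Windows settings raised in the posts above (hibernation, AutoRun, page-file encryption), added here as an example and not part of any poster's message. The registry values and the `fsutil` query are standard Windows ones; the helper names `Get-RegValue` and `New-Finding` and the result layout are made up for this example.

```powershell
# Added example: read-only audit of settings discussed in the thread.
# Run from an elevated PowerShell prompt; it changes nothing on the system.

function Get-RegValue {                      # hypothetical helper name
    param([string]$Path, [string]$Name)
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { $p.$Name } else { $null }   # $null means "value not set"
}

function New-Finding {                       # hypothetical helper name
    param([string]$Check, $Value, [bool]$Hardened, [string]$Note)
    [pscustomobject]@{ Check = $Check; Value = $Value; Hardened = $Hardened; Note = $Note }
}

$results = @()

# 1. Hibernation writes the contents of RAM, including the keys of any
#    mounted volume, to hiberfil.sys on the system drive.
$hib = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' 'HibernateEnabled'
# Directory enumeration with -Force also lists hidden system files.
$file = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'hiberfil.sys' -Force -File `
            -ErrorAction SilentlyContinue
$results += New-Finding 'Hibernation off, no hiberfil.sys' $hib `
    (($hib -eq 0) -and (-not $file)) 'powercfg /h off disables it and deletes the file'

# 2. AutoRun policy: 0xFF disables AutoRun on every drive type (machine-wide value only).
$auto = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
            'NoDriveTypeAutoRun'
$results += New-Finding 'AutoRun off for all drive types' $auto ($auto -eq 0xFF) `
    'expected value is 255 (0xFF)'

# 3. NTFS page-file encryption, as reported by fsutil ("EncryptPagingFile = 0|1").
$out = (& fsutil behavior query EncryptPagingFile 2>$null) -join ' '
$enc = if ($out -match '=\s*(\d)') { [int]$Matches[1] } else { $null }
$results += New-Finding 'Page file encrypted' $enc ($enc -eq 1) `
    'fsutil behavior set EncryptPagingFile 1, then reboot'

$results | Format-Table -AutoSize -Wrap
```

None of these settings addresses keys held in RAM while a volume is mounted, which is the case box750 describes; the thread's advice for that is to dismount or shut down.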
     
  15. x942

    x942 Guest

    Also according to TrueCrypt FDE protects hibernation and page file:


    And this disclaimer about XP and windows 2003:

    Source

    Same goes for Paging Files and Memory Dumps

    As long as the disk is NOT mounted you are safe and CAN use hibernation without compromise. HOWEVER, if an attacker has the mounted disk they CAN, obviously, copy those files and grab the key later on.

    So don't boot in a hostile environment unless you can protect your computer physically and do NOT walk away in such an environment leaving it logged on. At least hibernate it.
     
  16. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    That assumes that you have malware on your computer.
     
  17. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    But if you dismount TrueCrypt and restart your computer, then nothing, at that point, other than some type of installed keylogger can get anything, correct?
     
  18. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    Eh??

    The OP noted that a program called "Passware" can extract encryption keys from memory and/or hiberfil.sys
    No malware required. Of course if your system is compromised with malware, encryption can't be trusted to protect you.

    The real bottom line is that modern encryption is mathematically unbreakable. It is pointless to try to bruteforce guess strong passwords for something like Truecrypt. The only way to "break" the encryption is to bypass it by capturing passwords after they are entered. To ensure your data is safe from sophisticated attacks, never connect to a network, only enter your passwords in a secured area, and shut down your system if you leave.
    Even if you operate with this level of security, your adversary could suddenly break down your door and prevent you from shutting down your system. In that case you would need some sort of hardware based security that automatically shut down your system under such circumstances. This may or may not be possible.
     
  19. x942

    x942 Guest

    I know this isn't what you mean, but interestingly Avast detects it as a PUP (potentially unwanted program). I guess some AVs don't like this thing anyways. :thumb:
     