(The Register)   It turns out PGP isn't as good as you think   (theregister.co.uk)
More: Interesting, PGP, TrueCrypt, encryption key, decoding, analyzer, foraging, file folders, forensics

4427 clicks; posted to Geek on 20 Dec 2012 at 3:28 PM

34 Comments

Archived thread
2012-12-20 11:45:21 AM
It turns out that if a safe is wide open, people can take things from it, even if it has a really good combination.
 
Who knew?
 
2012-12-20 12:00:58 PM
It's got nothing to do with PGP, but what people do with their PGP keys. The most expensive lock in the world is no good if I just put the key under the doormat.
 
ZAZ [TotalFark]
2012-12-20 12:43:33 PM
It's not great, but it's pretty good.
 
2012-12-20 01:40:35 PM

ZAZ: It's not great, but it's pretty good.


/shakes fist
 
2012-12-20 02:11:24 PM
Encrypted drives must be mounted at the time a memory dump is taken or else the process will fail to work. For this, and other reasons, considerable skill is needed to use the tool properly.
 
That's an understatement.  Always unmount your encrypted drives when not in use, I guess.  If you can get this software/virus on their computer while the user is unaware, it seems like a keylogger would be simpler.
 
2012-12-20 02:27:44 PM
So you can buy this software for $300 to grab the encryption keys out of RAM, or you can go to this website https://citp.princeton.edu/research/memory/ at Princeton and get software that does the same thing for free.
 
Oh... and it's been available since July of 2008.  Not exactly current news.
 
2012-12-20 02:49:35 PM

pudding7: ZAZ: It's not great, but it's pretty good.

/shakes fist


You and me both.

/also shakes fist
 
2012-12-20 02:54:50 PM

labman: Oh... and it's been available since July of 2008. Not exactly current news.


That experiment they mention looks pretty cool. I think I'll try it on my Linux box for shiats and giggles.
 
2012-12-20 03:35:48 PM
My lyrics get stolen by sucker MCs,
I gotta sign my rhymes with PGP;
But I keep on generatin' like a CFG
'Cause there's so much drama in the PhD.
 
 
=D
 
2012-12-20 03:35:58 PM
Known attack is known.
 
/what year is this? 2002?
//all someone did is finally commercialize a common method for retrieving keys for specific encryption products
 
2012-12-20 03:38:26 PM
you down with PGP?
yeah, you know me!
 
2012-12-20 03:52:14 PM
www.blogcdn.com
 
2012-12-20 03:56:13 PM
yay, The Register is partaking in FUD now. wheee.
 
2012-12-20 04:16:11 PM

olapbill: you down with PGP?
yeah, you know me!


You're a bad man.

Also, let's just say that if you have access to not only the encrypted drive but also the physical computer that last accessed it, yeah, you're in.
 
2012-12-20 04:18:53 PM
This tool is stupid. From another article on this:
 
"So, how does it work? Elcomsoft Forensic Disk Decryptor acquires the necessary decryption keys by analyzing memory dumps and/or hibernation files obtained from the target PC. You'll thus need to get a memory dump from a running PC (locked or unlocked) with encrypted volumes mounted, via a standard forensic product or via a FireWire attack. Alternatively, decryption keys can also be derived from hibernation files if a target PC is turned off."
 
Seriously, the person who runs this attack has to have physical access to my PC while it's on and with my encrypted volumes open or with access to my hibernation files. Seriously, if you're the kind of guy who uses encrypted volumes for sensitive data, what are the chances you're going to be leaving your machine unattended with the encrypted volume mounted at all times? Also, if you have hibernation enabled - turn it off.
 
2012-12-20 04:22:45 PM
If your encrypted volume is mounted, why the hell would you need to crack it anyway? The files are already completely accessible to you.
 
2012-12-20 04:24:44 PM

RexTalionis: This tool is stupid. From another article on this:

"So, how does it work? Elcomsoft Forensic Disk Decryptor acquires the necessary decryption keys by analyzing memory dumps and/or hibernation files obtained from the target PC. You'll thus need to get a memory dump from a running PC (locked or unlocked) with encrypted volumes mounted, via a standard forensic product or via a FireWire attack. Alternatively, decryption keys can also be derived from hibernation files if a target PC is turned off."

Seriously, the person who runs this attack has to have physical access to my PC while it's on and with my encrypted volumes open or with access to my hibernation files. Seriously, if you're the kind of guy who uses encrypted volumes for sensitive data, what are the chances you're going to be leaving your machine unattended with the encrypted volume mounted at all times? Also, if you have hibernation enabled - turn it off.


Your average MBA on a business trip, that's who.
 
2012-12-20 04:28:23 PM
"PGP, TrueCrypt-encrypted files CRACKED by £300 tool"

"Encrypted drives must be mounted at the time a memory dump is taken or else the process will fail to work"

So, basically, if you open up your encrypted volume file and leave it open so you can see the shiat that's in it, then you hibernate the computer so everything gets written to the hard drive, people can use the shiat on the hard drive to see the shiat that's in the encrypted volume.

Drrrr.....

You mean when I open things they're open? NO WAY.
 
2012-12-20 04:29:45 PM

BumpInTheNight: RexTalionis: This tool is stupid. From another article on this:

"So, how does it work? Elcomsoft Forensic Disk Decryptor acquires the necessary decryption keys by analyzing memory dumps and/or hibernation files obtained from the target PC. You'll thus need to get a memory dump from a running PC (locked or unlocked) with encrypted volumes mounted, via a standard forensic product or via a FireWire attack. Alternatively, decryption keys can also be derived from hibernation files if a target PC is turned off."

Seriously, the person who runs this attack has to have physical access to my PC while it's on and with my encrypted volumes open or with access to my hibernation files. Seriously, if you're the kind of guy who uses encrypted volumes for sensitive data, what are the chances you're going to be leaving your machine unattended with the encrypted volume mounted at all times? Also, if you have hibernation enabled - turn it off.

Your average MBA on a business trip, that's who.


Your average MBA on a business trip wouldn't know what PGP or TrueCrypt is.
 
2012-12-20 04:32:12 PM

RexTalionis: BumpInTheNight: RexTalionis: This tool is stupid. From another article on this:

"So, how does it work? Elcomsoft Forensic Disk Decryptor acquires the necessary decryption keys by analyzing memory dumps and/or hibernation files obtained from the target PC. You'll thus need to get a memory dump from a running PC (locked or unlocked) with encrypted volumes mounted, via a standard forensic product or via a FireWire attack. Alternatively, decryption keys can also be derived from hibernation files if a target PC is turned off."

Seriously, the person who runs this attack has to have physical access to my PC while it's on and with my encrypted volumes open or with access to my hibernation files. Seriously, if you're the kind of guy who uses encrypted volumes for sensitive data, what are the chances you're going to be leaving your machine unattended with the encrypted volume mounted at all times? Also, if you have hibernation enabled - turn it off.

Your average MBA on a business trip, that's who.

Your average MBA on a business trip wouldn't know what PGP or TrueCrypt is.


No, but their IT department does and tried to use it to secure the MBA's computer but all's for naught because they just closed the lid and left it on the table before heading off to the bar for the evening. True story.
 
2012-12-20 04:33:36 PM

BumpInTheNight: RexTalionis: BumpInTheNight: RexTalionis: This tool is stupid. From another article on this:

"So, how does it work? Elcomsoft Forensic Disk Decryptor acquires the necessary decryption keys by analyzing memory dumps and/or hibernation files obtained from the target PC. You'll thus need to get a memory dump from a running PC (locked or unlocked) with encrypted volumes mounted, via a standard forensic product or via a FireWire attack. Alternatively, decryption keys can also be derived from hibernation files if a target PC is turned off."

Seriously, the person who runs this attack has to have physical access to my PC while it's on and with my encrypted volumes open or with access to my hibernation files. Seriously, if you're the kind of guy who uses encrypted volumes for sensitive data, what are the chances you're going to be leaving your machine unattended with the encrypted volume mounted at all times? Also, if you have hibernation enabled - turn it off.

Your average MBA on a business trip, that's who.

Your average MBA on a business trip wouldn't know what PGP or TrueCrypt is.

No, but their IT department does and tried to use it to secure the MBA's computer but all's for naught because they just closed the lid and left it on the table before heading off to the bar for the evening. True story.


But why go through the trouble of getting the decryption key when you already have access to the device and it's mounted and open to you?
 
2012-12-20 04:35:43 PM
it's a royal pain in the arsch.
 
2012-12-20 05:04:00 PM
I see The Register has gone from 3rd rate tech journalism to copying and pasting press releases.
 
2012-12-20 05:12:24 PM

BumpInTheNight: Your average MBA on a business trip, that's who.

 
As an MBA, I agree wholeheartedly with  BumpInTheNight.  I also have a CS degree and got the MBA only because it was the only degree for which my company would pay my tuition.   I went to an MBA program ranked in the top 10 in the US and was appalled by the caliber of students that made up about 75% of the program.  If they set the admission and academic performance bars any lower I'm pretty sure my dog could earn one.  I'm scared to even think about what it's like in the MBA classes for one of those degree-mill for-profit schools!
 
It was 100% paid for and I got to meet some interesting new people though, so all in all it was not a bad experience.
 
2012-12-20 05:14:34 PM

RexTalionis: If your encrypted volume is mounted, why the hell would you need to crack it anyway? The files are already completely accessible to you.


My only guess would be that if the computer is from an organization with horrible security practices, then all computers might share the same encryption key. So if you crack the key for one computer then you have it for all computers. But as I said, that would be a horrible security practice.
 
2012-12-20 05:15:56 PM

MrEricSir: I see The Register has gone from 3rd rate tech journalism to copying and pasting press releases.


I would say it's a step up for them.
 
2012-12-20 05:29:10 PM
Pro tip for morons: Even a one time pad is farking useless if you don't protect the pad.
 
2012-12-20 05:47:31 PM
This is sorta meh... That hack has always been there for anything you could mention. If you're able to do a memory dump on a system then you must be pretty cozy with it in the first place.

On the plus side, even Microsoft has some very nice and easy to use encryption classes that, *if used properly* would obviate this, they have classes to do work entirely encrypted... On the Linux side, it's a default anymore for most distros to encrypt both the swap disk and the home directory.
 
2012-12-20 05:48:41 PM
Sheeeit, it's pretty good. Next thing I knew I was in Debo's chicken coop, sweatin' like a slave, and the only person that could get me out was my mama.
 
2012-12-20 06:11:51 PM

RexTalionis: Also, if you have hibernation enabled - turn it off.


Or get an encryption system that doesn't store the encryption keys when it hibernates. It's not really unreasonable to prompt the user for their password again before the disk can be re-mounted.
 
2012-12-20 06:16:18 PM

RexTalionis: But why go through the trouble of getting the decryption key when you already have access to the device and it's mounted and open to you?


Primarily for forensics use I would guess. It's less about stealing files (though that's what the article talks about) and more about carefully collecting evidence. They also make systems designed to let you unplug and transport a computer without turning it off -- that is, to transfer it to a UPS while it's running -- so they can continue to access files/keys/etc. that would become inaccessible after power-down.
 
2012-12-20 07:39:44 PM

gingerjet: Known attack is known.

/what year is this? 2002?
//all someone did is finally commercialize a common method for retrieving keys for specific encryption products


Doesn't TrueCrypt have an option specifically to prevent this (i.e. a checkbox you can set while creating a volume)? Not that I particularly care as I just use TrueCrypt to store files/prevent violating HIPAA (pretty sure nobody will use forensic methods to get at them/if someone does I still made a good faith effort), but I am pretty sure the software is able to prevent this.
 
2012-12-21 03:53:54 AM

RexTalionis: But why go through the trouble of getting the decryption key when you already have access to the device and it's mounted and open to you?


So you can turn the computer off, pull the drive, and decrypt it on some other machine, make duplicates for evidence etc. etc. etc.
 
2012-12-22 05:35:04 AM
I keep my private keys on 8" floppies.

RAM is your friend (in the tropics); NVRAM is the devil!

Always power off your machine and make sure you have to type your password before it decrypts.
 
This thread is archived, and closed to new comments.