PGP Whole Disk Encryption — Authentication Bypass

There has recently been some atten­tion to a bypass fea­ture in PGP Cor­po­ra­tion’s Whole Disk Encryp­tion prod­uct line. The gist of it seems to be that it is pos­si­ble for an encrypted vol­ume to be set so that the passphrase require­ment is waived (bypass­ing the authen­ti­ca­tion) for a sin­gle reboot.

While this comes across as con­cern­ing at first, after read­ing the PGP Knowl­edge­base Arti­cle #750, it appears that the risk is min­i­mal. I feel that if I were a gov­ern­ment orga­ni­za­tion, such as the CIA,NSA,FBI, DHS, etc, then I’d be wor­ried about the types of advi­sories the anony­mous author of securol­ogy men­tions. How­ever, most lap­top thefts are by com­mon crim­i­nals look­ing to make some money in a pawn shop or oth­er­wise. I doubt there will be many if any cases of a mali­cious tro­jan that not only replaces PGPs Boot­guard with a mali­cious one to extend the num­ber of unau­then­ti­cated bypasses ad infini­tum, but also infects machines that the attacker can get phys­i­cal access to. This would require being able to reverse engi­neer the PGP Boot­Guard code that so far even the fine folks over at Guid­ance Soft­ware haven’t been able to do.

As part of risk man­age­ment, there is a cer­tain level of risk that has to be accepted. We can not live in a world with­out risks and should only worry about the ones that have a rea­son­able chance of occurring.

The post­ing lists 4 points that he/she would like addressed.

  1. The fea­ture was doc­u­mented clearly, includ­ing a secu­rity warn­ing cov­er­ing the risks of its use/presence in such a way that admin­is­tra­tors must see it.
  2. The fea­ture could be per­ma­nently dis­abled– not just ignored or left seem­ingly unused.
  3. The intended use of the fea­ture did not require the cre­ation of a passphrase with cryp­to­graphic access to the Vol­ume Mas­ter Key.
  4. The intended use of the fea­ture did not require the dis­tri­b­u­tion of plain text scripts with an embed­ded passphrase to N clients each and every time that fea­ture is needed.

The first point I absolutely agree with. How­ever, it’s worth men­tion­ing that PGP doc­u­mented this fea­ture back on July 27th of 2007. I would like to see the secu­rity warn­ing though, as I per­son­ally had no knowl­edge of this fea­ture until I went look­ing for it. Could PGP have back­dated the doc­u­ment? Of course, but I’m hop­ing the com­pany mak­ing my encryp­tion solu­tion isn’t that shady.

PGP Bypass Document

The sec­ond point seems aca­d­e­mic in nature to me. There are plenty of pro­grams used in every com­pany of every nation that have fea­tures which would be inse­cure. For instance, Microsoft Active Direc­tory can allow user accounts to have blank pass­words. Shouldn’t we be sat­is­fied that in our envi­ron­ment the fea­ture is dis­abled? Demand­ing that Microsoft remove the fea­ture from the code base sim­ply because it would be unfa­vor­able if enabled is ridicu­lous. I feel like that’s what’s being demand­ing of PGP here. It might be a risk a 3 Let­ter Agency should worry about, but cer­tainly not your typ­i­cal business.

For the third point I’m inter­ested to see what his pro­posed solu­tion is that doesn’t allow cryp­to­graphic access to the Vol­ume Mas­ter Key. I may be mis­in­formed but I’d think that with­out access to the VMK the lap­top wouldn’t be able to decrypt any­thing and thus it would be impos­si­ble to boot.

I com­pletely agree with this fourth point. I’ve always been against devel­op­ers hard cod­ing pass­words into bina­ries, and espe­cially into plain text script files. PGP should allow an alter­nate form of authen­ti­ca­tion that doesn’t require dis­play­ing the pass­word. I have some thoughts on this but will likely post them later.

Over­all though I’m very impressed with the writ­ing style and depth of thought that the author behind Securol­ogy has shown. I plan to keep read­ing and keep learning.

Customizing bash and vim

Post­ing here for my ref­er­ence the next time I need to con­fig­ure my prompt and vim. I cur­rently do all of my school­work on a CLI only linux box and even though I don’t need a GUI, I do enjoy some color dur­ing my ses­sions. The prompt and vim con­fig pro­vide just that. If you’d like to make your own prompt sim­ply replace the quoted char­ac­ters of PS1 with what you would like using this and this as ref­er­ences.

[email protected]: [~]: uname –a
Linux suse 2.6.18.8–0.5-default #1 SMP Fri Jun 22 12:17:53 UTC 2007 i686 athlon i386 GNU/Linux
[email protected]: [~]: tail –n 2 .bashrc
alias ls=‘ls –color’
export PS1=”\[\033[1;33m\]\u\[\033[0m\]@\h: \[\033[36m\][\w]:\[\033[0m\] “
[email protected]: [~]:

This is a fan­tas­tic .vimrc posted by some­one that knows more about vim con­fig­u­ra­tion than I care to. The main thing I enjoy is the fixed back­space key (it actu­ally works), the col­or­ing, and the 4 spaces inserted for a TAB. I also very much appre­ci­ate that the file is thor­oughly com­mented so that any­one who wants to understand/modify it can. I for instance changed his set­ting of 2 spaces per TAB to 4 spaces per TAB. Thanks for the great infor­ma­tion Stripey!

Configuring Port Forwarding

I recently acquired a Juniper NetScreen SSG5 and have been play­ing around with it. One task that took some time due to the fact that the mul­ti­ple online resources I found had out dated syn­tax was that of port forwarding.

The Goal

Take port 443 on my pub­lic IP via cable modem and for­ward traf­fic to a SUSE 10.2 vir­tual machine con­nected in bridged mode on my inter­nal net­work on port 22. (i.e. SSH on 443 –> Pub­lic IP –> SSH on 22 –> Pri­vate IP)

The Solu­tion

set inter­face ethernet0/0 vip untrust 21 “SSH” 172.22.102.53 man­ual
set pol­icy id 10 from untrust to trust any vip(ethernet0/0) “HTTPS” per­mit log count

Thoughts

Syn­tax is everything!

Unblocking “Dangerous” Attachments in Outlook 2007

I recently came across an email that had an attach­ment of a very spe­cific file type. I was expect­ing this email and the attach­ment. Out­look how­ever, didn’t know about this file exten­sion and decided that it should be blocked. After some search­ing I came across this KB Arti­cle that describes how to reme­di­ate this issue in Out­look 2000.

Some minor tweaks and it works for Out­look 2007 too!

HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security
Name: Level1Remove
Type: REG_SZ
Data: List of file exten­sions sep­a­rated with a comma includ­ing the period. (Ex: .mdb,.xnk)

If you want to block exten­sions nor­mally allowed mod­ify Level1Add instead of Level1Remove.