Tuesday, September 21, 2010 3:22 AM
I understand that if someone steals a laptop protected by Bitlocker+TPM alone (i.e. no Windows Login password) this security combination alone will not protect the HD contents and that consequently an additional security layer is required. My understanding is that 'Windows Login' passwords alone are inadequate as they can be relatively easily broken/accessed using various attack methods. However, I also understand that attack methods typically change/access BIOS and other settings on the computer. So the question is 'would these attempted attacks trigger Bitlocker to lock the computer?' If they do, a good Windows Login password in combination with Bitlocker+TPM would provide a good measure of security. Does this theory match reality?
Tuesday, September 21, 2010 2:33 PM
For any system that a person could have physical access to, pretty much all bets are off on securing it indefinitely, and that includes if the system is using Bitlocker with or without TPM and with or without logon passwords. Bitlocker and TrueCrypt and other encryption software is better than none, but it is not a silver bullet.
The only practical method is to ensure policies are in place to force users to adhere to best security standards, and to use multiple technologies & layers in securing the systems.
The Stoned-bootkit has been shown to overcome Bitlocker.
A little more dated, the Cold-Boot attack has been shown to be effective too.
- Proposed As Answer by cschaar Monday, October 04, 2010 8:13 PM
Tuesday, September 21, 2010 9:50 PM
Cschaar, thanks for your comments and links. As I see it, virus-based security attacks such as the Stoned Bootkit virus need to be installed on the computer before they can work around Bitlocker. So provided I can prevent Stoned Bootkit and similar being installed on my computer, they shouldn't pose a threat to Bitlocker's effectiveness. Regarding cold boot attacks, I'll just have to make sure that my computer isn't stolen until the memory modules have cooled down!
Provided I can prevent the installation of virus-based security attacks, do you think that Bitlocker+TPM would provide a good measure of protection against attempts to break the Windows Login password?
Wednesday, September 22, 2010 3:22 PM
"do you think that Bitlocker+TPM would provide a good measure of protection against attempts to break the Windows Login password?"
Not sure it really matters in the abstract. The password is there as a layer to secure the system for authorized access, but the encryption is there to secure the data on that system, so if a person has already gained physical access and has decrypted the contents on the disk (using a Stoned Bootkit live CD, or other), having a valid Windows login or not is a non-factor as they're already able to access the decrypted data.
It's certainly better than nothing at all, but if they get physical access for an extended period of time, they basically own it.
Wednesday, September 22, 2010 8:29 PM
Cschaar, thanks again for your response. Suppose the following scenario. The HD is Bitlocker encrypted, it is clean of Stoned Bootkit or similar viruses, and a Windows Login password is required to access the system. The computer is then stolen. As I see it, for the thief to get access to the data on the HD the first step would be to try to break the Windows Login password. If this is the case, the question is 'would attempts to break the Windows Login password using conventional cracking tools trigger changes in the BIOS or other settings and in so doing cause Bitlocker+TPM to lock the computer down?'
My scenario presumes that it isn't possible for the thief to install Stoned Bootkit or similar onto the HD without first breaking the Windows Login password.
Thursday, September 23, 2010 4:01 PM
Assuming it's clean in terms of viruses/rootkits, and then it's stolen, I think a person could still decrypt the contents using the Coldboot method, assuming of course that the system is on or running in a standby sleep/hibernation mode.
Even still, there are apparently methods for using LiveCDs to get the system to a logon prompt, even if it's Bitlocker encrypted, & then the person would just need a utility to wipe the SAM DB and it's over.
Thursday, September 23, 2010 9:03 PM
Thanks for your comments and explanations. By the sound of it, only a really computer-security savvy thief who was careful not to trigger Bitlocker by first trying a 'conventional' Windows Login crack and who also tried Coldboot before trying to crack the Windows Login would have a reasonable chance of accessing the HD contents. That being the case, I'll just have to hope that if the computer is stolen, it is an 'impulse steal' by someone not specifically interested in my HD contents and that the Bitlocker+Windows Login protection would kick in before the thief realised that s/he needed to run coldboot to get around the protection.
It's a dangerous world out there!