[HN Gopher] From Stolen Laptop to Inside the Company Network
___________________________________________________________________
From Stolen Laptop to Inside the Company Network
Author : nyx
Score : 52 points
Date : 2021-07-28 17:17 UTC (1 hours ago)
| mjevans wrote:
| The 'stolen laptop' attack vector, as well as 'evil maid' attacks
| are my general security nightmare in professional environments.
|
| Users are told how the security works, but OpSec is _difficult_.
| Which means it'll only take that one time the user is lazy and an
| attacker gets lucky.
| hoppyhoppy2 wrote:
| You can do real damage even without this level of sophistication
| or physical access: my state's largest hospital system had a
| month-long computer outage because of a ransomware attack. It was
| traced back to an employee opening a malicious email attachment
| on a hospital laptop while they were on vacation.
|
| It brought down the medical records systems and cost the hospital
| between $40 million and $50 million (mostly in lost revenue
| because they basically had to cancel non-emergency visits and
| procedures for a whole month). Quite an expensive email!
|
| https://vtdigger.org/2021/07/21/malware-on-employees-company...
| fmakunbound wrote:
| So would it be more secure to enter in the bitlocker passphrase
| at boot rather than rely on tpm?
| staticassertion wrote:
| It depends. My expectation is that the TPM holds a key that's
| used for FDE, and if you have a password that password is used
| to get that key. So the password will only increase security if
| it's used to encrypt the TPM's key, but if it's just used to
| authenticate to the TPM, it wouldn't.
|
| Someone more familiar with TPM 2.0 could likely answer this
| authoritatively, but my assumption is that it's the latter.
|
| Properly leveraging TPM 2.0 features would likely be the best
| way to solve this problem.
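A defender-side check for the question in this exchange, added here as an example that is not from the thread or the linked article: it lists each BitLocker volume's key protectors and flags OS volumes that unlock with the TPM alone, the configuration in which no user-supplied secret gates the key release. It assumes the built-in BitLocker PowerShell module (Get-BitLockerVolume and friends) and an elevated shell; the remediation commands at the end are left commented out because they change boot behaviour.

```powershell
# Added example, not code from the article or the thread. Audits BitLocker
# protectors on the local machine; requires the BitLocker module and elevation.
function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Protector types that demand something beyond the TPM before unlock.
        $strong = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')
        $hasTpmOnly = $types -contains 'Tpm'
        $hasStrong  = @($types | Where-Object { $strong -contains $_ }).Count -gt 0

        $finding = if ($vol.VolumeStatus -ne 'FullyEncrypted') { 'NotFullyEncrypted' }
                   elseif ($hasTpmOnly -and -not $hasStrong)   { 'TpmOnly' }
                   elseif ($hasStrong)                         { 'TpmWithSecret' }
                   else                                        { 'Other' }

        [pscustomobject]@{
            MountPoint   = $vol.MountPoint
            VolumeType   = $vol.VolumeType      # OperatingSystem / Data
            VolumeStatus = $vol.VolumeStatus
            Protectors   = ($types -join ',')
            Finding      = $finding
        }
    }
}

# 'TpmOnly' on the OperatingSystem volume means the TPM releases the volume
# key with no PIN or startup key, which is the setup the article relies on.
Get-BitLockerProtectorAudit | Format-Table -AutoSize

# Remediation sketch (standard BitLocker cmdlets; run manually after review).
# Group Policy must permit "Require additional authentication at startup"
# with a TPM PIN, and only one TPM-based protector may exist at a time, so the
# bare Tpm protector is removed before the TpmAndPin protector is added.
# $tpmId = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
#          Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
#          Select-Object -ExpandProperty KeyProtectorId
# $pin = Read-Host -AsSecureString 'New BitLocker startup PIN'
# Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $tpmId
# Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
```

Keep a RecoveryPassword protector escrowed before touching the TPM protector, otherwise a failed step can leave the volume unrecoverable.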
| INTPenis wrote:
| That TPM hack was really impressive engineering. But I kept
| scrolling through to figure out what the next step was and it
| turns out the VPN software establishes a tunnel before
| authentication as a "feature".
|
| So while the TPM hack was very impressive, this article only
| gives me a sense of safety for our own corporate laptops.
| mattashii wrote:
| Well, only insofar that you trust that your own corporate
| laptops don't contain sensitive data on the disk.
|
| I am really happy to know my laptop isn't vulnerable to this
| (luks-based system), but I am very concerned with the potential
| (in)security of my colleagues' laptops due to common use of
| corporate laptop hardware for software development and
| technical customer support.
| imwillofficial wrote:
| Send this article to your security team. Hopefully they will
| appreciate the backup.
| renewiltord wrote:
| Ah, very clever. Targeting the TPM to bypass FDE. Looks like
| having a disk encryption password is key. I used to have my boot
| partition encrypted with the same password as my primary user and
| it looks like even that would have thwarted this.
| thegeomaster wrote:
| > I used to have my boot partition encrypted with the same
| password as my primary user
|
| You say that as if it's not a good idea, but in the absence of
| external factors (password being used elsewhere or a hash
| stored somewhere e.g. for corporate SSO), using the same
| password shouldn't really diminish the security of your setup.
| pengaru wrote:
| You're more frequently entering the primary user password
| (screen unlocking, logins, sudo...) so there are
| substantially more opportunities to observe it either
| visually like over the shoulder or from security camera
| footage, or through a compromised machine fully online.
|
| Generally the FDE is unlocked in an offline and minimally
| functional state, and being a one-time entry @boot kind of
| thing it's far more practical to secure with things like a
| temporarily connected crypto hardware or somesuch.
|
| There's clearly some value in making them different.
| teddyh wrote:
| The first step is to actually encrypt your drives. Far too few
| people and places even do this step.
|
| Either use the OS-provided solution (Like LUKS, FileVault, or
| BitLocker), or use a cross-OS solution like Veracrypt
| <https://veracrypt.fr/>.
|
| Secondly, to avoid the problem in this article, you should have
| an external password necessary to unlock the drive; not a TPM.
| This is, of course, not what most people do, since typing in
| passwords is tedious.
|
| However, if you mostly need to boot up the laptop when connected
| to a specific network (i.e. on company premises), and it's
| acceptable to require a manually typed password when the laptop
| is not present at that location, _and_ if you use a Debian-based
| OS, there is a solution! Shameless plug:
| https://www.recompile.se/mandos
| imwillofficial wrote:
| It's a sad state of affairs when Veracrypt is one of the top
| contenders for tools to use. We need a fresh batch of properly
| maintained privacy tools.
| teddyh wrote:
| Feel free to recommend something else from this list:
|
| https://en.wikipedia.org/wiki/Comparison_of_disk_encryption_...
| kryogen1c wrote:
| > you should have an external password necessary to unlock the
| drive; not a TPM.
|
| I thought the whole point of hardware oracles like TPMs was to
| avoid loading a PSK into RAM, making removable RAM sticks
| simple non-destructive attack vectors.
| lupire wrote:
| My company requires a password every time laptop wakes from
| sleep.
|
| Is that an unreasonable burden on people?
| layoutIfNeeded wrote:
| It depends. Can you turn off auto-sleep?
| PenguinCoder wrote:
| Really good article. It's interesting that TPM communication is
| over SPI and also unencrypted. Goes to show you're only as strong
| as the weakest link.
| tyingq wrote:
| _" All BIOS settings were locked with a password"_
|
| This is trivial to override for every laptop I've ever had, with
| sites like https://bios-pw.org/ You have to read carefully, like
| doing "<ctrl><enter>" and not just "<enter>", but it's worked
| many times for me.
| imwillofficial wrote:
| A fantastic and thorough write up of taking a company laptop and
| breaking into a corp network. They even used a few methods and
| tools I hadn't heard of before. A fun read for the security
| folks. (Or anyone security adjacent)
___________________________________________________________________
(page generated 2021-07-28 19:00 UTC)