[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Firewire Attack on Windows Vista



Larry Seltzer wrote:


> I actually do have a response fom Microsoft on the broader issue, but it
> doesn't address these issues or even concded that there's necessarily
> anything they can do about it. They instead speak of the same
> precautions for physical access that they spoke of a couple weeks ago
> with respect to the "frozen notebook memory" attack - use drive
> encryption, use 2-factor authentication, use hibernate instead of sleep,
> use group policy to enforce them. I don't think it's a bad response
> under the circumstances.

WRT the DMA access over FireWire it's but a bad response since it doesn't
get the point!

1. Drive encryption won't help against reading the memory.

2. The typical user authentication won't help, we're at hardware level
   here, and no OS needs to be involved.

3. The computer is up (and running; see above), no hibernate or sleep
   is involved here.

4. Group policies can be circumvented, even by a limited user.
   <http://blogs.technet.com/markrussinovich/archive/2005/12/12/circumventing-group-policy-as-a-limited-user.aspx>

Stefan