Blog: Encryption

Steganography has always been an esoteric and theoretical concept to me. The following lifehacker link shows the use of a hidden TrueCrypt volume that is embedded in a video file. It's pretty interesting to actually see it in action. One of the interesting parts of the post has to do with the difficulty of detecting something like this. They mention four methods of detection, none of which are very straightforward. It's a little concerning to see how difficult it can be to detect the hidden information. [more]

http://m.lifehacker.com/5771142/embed-a-truecrypt-volume-in-a-playable-video-file

I recently moved a hard drive from a ThinkPad T60 laptop to a ThinkPad T400.  The hard drive had a BIOS password set, but it appeared to work normally in the T400.  I could boot, enter the hard drive password, and access the disk.  However, when I started having problems getting PGP to encrypt the hard drive, I decided to remove the hard drive password.  The T400 could not remove it – the option was grayed-out in the BIOS.  Luckily, I still had access to the T60, so I put the hard drive back in the T60 and was able to remove the hard drive password.  I have now moved the hard drive to the T400 and I am able to set/remove the hard drive password at any time.

I upgraded from Vista to Windows 7 about three weeks ago.  I decrypted my PGP encrypted drive before the upgrade and, after the upgrade, PGP recognized my disk wasn't encrypted and prompted me to encrypt my drive.  I started the encryption process but wound up pausing the process because of slow performance, intending to resume it after hours.  I installed some Windows and Lenovo (ThinkDamage…probably my 2nd mistake) updates which required a reboot.  After the reboot, PGP started trying to install itself and produced this error message…

"You cannot upgrade or remove PGP while a whole disk is processing. Installation terminated." [more]

I was unable to access the PGP console in order to resume the encryption, decrypt, etc.  An attempt to uninstall PGP produced the same error.  This was not good since I was scheduled to leave town on an audit within 24 hours and thought I might have to abandon the upgrade to Windows 7, restore a backup and re-encrypt the old Vista image before I left town.

A coworker suggested I log a ticket with PGP.  After doing so, I was poking around their site, searching for various terms from the error message and stumbled across a reference to a command line command.  About that same time, I received an auto-response from PGP which included several links, the last of which led me to information about the same command line command, pgpwde.

Here is the relevant section from the page above:

SECTION 2 - PGPWDE Command Line

The following commands will help diagnose and decrypt the disk. Other commands can be listed by typing pgpwde --help.

1. To begin working with the PGPWDE interface open a command prompt and change to the PGP installation directory (default directory shown) C:\Program Files\PGP Corporation\PGP desktop.
2. To list all installed hard disks in the system type: pgpwde --enum. Entering this command will give us a list of disks with numbers we will use in the next few steps.
3. Now type pgpwde --status --disk 1. Substitute the PGP WDE disk number listed in the previous step for the number 1 in the command if different. The output of this command will tell us whether the disk is still encrypted.
   • If the disk is not encrypted, "Disk 1 is not instrumented by bootguard" will be the output.
   • If the disk is encrypted, the output will display:
     • "Disk 1 is instrumented by Bootguard."
     • The total number of sectors.
     • A Highwater value (number of sectors encrypted).
     • Whether the current key is valid.
4. Type pgpwde --list-user --disk 1. This will tell us the user information contained on the disk. This will help in multi-user environments to determine which user passphrase was used to implement WDE.
5. Type pgpwde --decrypt --disk 1 --passphrase {mypasswordhere}. This will start the decryption process. To view progress, type the status command listed in step 3 and note the Highwater number, this number will get smaller and smaller as the number of sectors encrypted decreases.

This command line command allowed me to decrypt the partially encrypted disk.  I then uninstalled PGP to be safe, reinstalled PGP and encrypted my disk without further incident.

There is a conflict between some network providers and the PGP password filter that handles keeping the domain password synchronized with the boot password.  Specifically, if you have a Symantec SNAC Network Provider, it can cause a password change to break the single sign-on feature.  What you do to fix it is: [more]

Pull up the Provider Order screen via:

Control Panel -> Network and Sharing Center -> Manage network connections -> Advanced (I had to press and release the Alt key to get the Advanced option in the menu – you may or may not have to) -> Advanced Settings -> Provider Order tab.

Once in the Provider Order tab, I saw PGPpwflt was at the bottom of the list and Symantec SNAC Network Provider was at the top of the list.  I moved the Symantec provider to the bottom of the list which left things like:

This fixed the problem.

Note: This is best done before you change your password!

I had several issues getting my PGP Desktop software to correctly talk to the PGP management server.  First, I went through the default install without any problems.  I configured my private/public keys and encrypted my disk.  I got word from Chris Brewer later, however, that I wasn’t showing up in the PGP server.  We both tried several things to get me in.  I tried importing my private key to the server, but it failed and the log was saying I wasn’t part of the managed domain.  We eventually called PGP support and got my PGP Desktop software reconfigured to use my domain credentials and register with the server.  Turns out I should have done a custom install and targeted our PGP management server… rather than the default stand-alone install.  I was now showing on the server, but I was showing to be decrypted.  My disk, however, was encrypted.  I decided to decrypt and re-encrypt now that I was talking to the server.  This was about a 24-hr process.  After re-encryption and multiple reboots… I still was showing to be “unencrypted” on the server.  The PGP support guy had mentioned the Mac client had some issues reporting properly to the management server and he had  a special build he could let us try.  Once we got it, I installed it and rebooted and everything was fixed.

I had problems with my laptop after installing the PGP desktop (in order to use the PGP Whole Disk Encryption).  Most times, when I would reboot, the PGP boot application would not take my domain password.  I would have to use a one-time recovery token to get booted.  A co-worker found, in the PGP forums, a reference to this being a conflict with the ThinkVantage fingerprint software for some ThinkPads (T400, T500, X301, X200, W700, etc.).  I uninstalled the fingerprint software and the problem stopped immediately.  I ran this way for more than a week without any issues.  I installed the fingerprint software again and, so far, it seems to work.  Time will tell if the problem comes back and the fingerprint software has to be uninstalled again.

A Nevada Law that took effect in October will require all businesses to encrypt personally-identifiable customer data, including names, and credit-card numbers, that are transmitted electronically.  Companies in Nevada that suffer a security breach, but comply with the new law would cap their damages at $1,000 per customer for each occurrence; however, those that do not comply would be subject to unlimited civil penalties.

http://online.wsj.com/article/SB122411532152538495.html

Microsoft Office uses various types of password protection.  In general, passwords used to limit modification of documents are reasonably weak and can be cracked easily (and immediately) with tools such as Office Key (from www.lostpassword.com).  Passwords required before a file can be opened usually require brute force type cracks but until I did some research, I still didn't know how strong the encryption was for these types of protection. [more]

There is also an online service (www.decryptum.com) that offers document recovery for about $29/document in many cases.  The service will show you part of the decrypted document before you have to pay for the whole document decryption process.  If they can't decrypt it, you don't pay.  However, it seems to work pretty well.  I tested it with a simple Office 2003 document that required a password to open.  Within about 30 seconds, they showed me the first two lines of the document's contents (which, in this case was the whole document).

Note - this does not work with 2007 XML formats - only with previous versions of Office documents.  That is consistent with Microsoft's warning that encryption with older versions of office is not as strong as it is with native mode 2007 documents.

The online document recovery process does not determine what the password is.  It just involves removing the password requirement altogether.

Of course, you would want to be very careful with confidential documents…

This came up in a recent audit where the bank was using password protected Word and Excel files for security measures.  We determined this isn't a suitable method for securing documents they send via e-mail.

I was researching a way to do major router changes remotely.  I found that if I tftp’ed a new configuration directly to NVRAM and replaced the startup-config file, then reloaded the router, all changes would go into effect.  While testing this process locally, I found out that when the router was reloaded with the new configuration file, the SSH encryption keys got erased and had to be regenerated.  So if this process is used, make sure telnet is enabled on the VTY lines so that you can get back into the router!