Friday, July 31, 2015

I've upgraded to Windows 10...What are my full disk encryption options?

A good question that I've been seeing around twitter lately. What are my FDE options and how do I keep myself secure from getting my bitlocker keys uploaded to OneDrive?

There are a few issues to address here and no it does not involve paying Microsoft an extra $200. That would be a little silly. So lets start from the beginning because this is not new with Windows 10. It was actually introduced in Windows 8.1 with a very specific criteria that has to be met. 

Before Windows 8.1 automatically enables Device Encryption, the following must be true:
  • The Windows device “must support connected standby and meet the Windows Hardware Certification Kit (HCK) requirements for TPM and SecureBoot on ConnectedStandby systems.”  (Source) Older Windows PCs won’t support this feature, while new Windows 8.1 devices you pick up will have this feature enabled by default.
  • When Windows 8.1 installs cleanly and the computer is prepared, device encryption is “initialized” on the system drive and other internal drives. Windows uses a clear key at this point, which is removed later when the recovery key is successfully backed up.
  • The PC’s user must log in with a Microsoft account with administrator privileges or join the PC to a domain. If a Microsoft account is used, a recovery key will be backed up to Microsoft’s servers and encryption will be enabled. If a domain account is used, a recovery key will be backed up to Active Directory Domain Services and encryption will be enabled.

So if your pc does not meet these modern standards and you score and upgrade to Windows 10 home. No it won't self encrypt and you will be using a Windows 10 device that is unencrypted. If it does meet those standards then yes it will automatically encrypt and upload the recovery key to OneDrive assuming you logged into a Microsoft account. 

So lets get real for a second. If you are worried that now your secret "Golden Key" is out on OneDrive. You can easily enough remove it and regenerate a new recovery key. Also mind you the default for Bitlocker is AES128. I don't go less that AES256 on any of my systems. 

1. Go to this Microsoft FAQ and click on the question How can I get my Bitlocker recovery key. It will contain a direct link to take you to your recovery key. Once you are logged in. Just remove it. If you get a page saying no bitlocker key exists then you are good to go. 

2. Verify your computer is even encrypted. Open up a elevated command prompt and type in the following. 

manage-bde -status

This should pull back some info similar to this:

As you can see this drive is not encrypted. There is no bitlocker version and it is running Windows 10 home. I'll get to what I am going to do with my unencrypted laptop in a minute. 

If your drive is encrypted and you did have to do a removal of your key from OneDrive then do step 3. 

3. Regenerate your recovery key. No decryption necessary. 

Assume X: is the BitLocker protected drive you want to change recovery password for.
  1. Open an elevated cmd prompt
  2. Type manage-bde X: -protectors -get -type RecoveryPassword
  3. Locate the protector you want to cycle (probably the only one displayed) and copy its ID field (including the curly braces).
  4. Type manage-bde X: -protectors -delete -id [paste the ID you copied]
  5. Type manage-bde X: -protectors -add -rp [optionally specify the new 48-digit password or enter nothing to have it randomly generated for you]
Save your password somewhere safe. Encrypt the file with a password with a program such as 7zip. My favorite it to encrypt it with my own key. Then upload to OneDrive for backup purposes. 
Now lets talk about running Windows 10 home unencrypted. Microsoft is making the encryption market very narrow with the introduction of Secure Boot UEFI, GPT partitions and TPM chips. If you are running a GPT partition you will have a tough time finding a free FDE solution that supports GPT. Paid products typically do like Symantec PGP Encryption. I would suggest doing container based encryption using Veracrypt. Veracrypt developers seem to be fixing truecrypt audit items. I would stay clear of using truecrypt as it has not been updated in some time. 
Hopefully this will help those that seem to be confused about Windows 10 FDE. 

Friday, July 24, 2015

Suite B Cryptography

I was a little surprised today after downloading the Office 2013 admin GPO templates and moving them into my policy folder on a trash vm I used on occasion to look at some things.

One thing I noticed under the hood was enforcing the use of Suite B for S/MIME operations. Although this isn't unusual I just figured enforcing Suite B was more of a scripting reg hack than a actual Microsoft GPO option.

For those that are not familiar with Suite B Cryptography you can read all about it here.

A few things if you really want to go the Suite B route.

Suite B curves for Top Secret uses a Curve P-384 with a 256 bit key. So lets demonstrate using XCA. If you want XCA...Download it here >>

Lets create a Private Key first based on NIST P-384 Standards

Now We need to create a X509 cert that meets suite B top secret standards.

So go over to the certificate tab and do the following

Assign a password to your export. Now you should have a Suite B self signed certificate to do S/mime with.

For the record. I do not suggest you use P384 curves. Their origin's are doubtful. (Meaning I think they have a flaw where comms could be decrypted)

Enjoy the quick lesson on Suite B.

Tuesday, July 21, 2015

Car Hacking Jeeps

I saw this earlier.... Some Car hacking going on

My initial reaction is that this escalated completely in the wrong way. If you never drove in St. Louis then you need to. I can't understand why these researchers chose to do this on what I would consider a very busy public highway. 

Security research is supposed to be done in a safe and ethical manner. I am glad nobody was hurt but this is a really dangerous way to prove a point. For the driver and the other cars around the driver. I'm afraid this might make things worse researchers. Not better. Be safe out there folks and think before you demonstrate. 

Monday, July 20, 2015

Friday, July 17, 2015


At first glance.. I thought really old news... then after looking it really was old news.

So Laurie Law, Susan Sabett, Jerry Solinas.... I need to know where your crystal ball is located. Willing to pay it with bitcoin.

Paper is circa 1996.... I believe I was 15 at the time. Crazy to read now. 

Monday, July 13, 2015


Something a little odd happened today. A defcon talk has been pulled regarding an online anonymity device called ProxyHam. You can read about it here. 

Multiple theories are going around. My only thought is the FBI issued a gag order under CFA (Computer Fraud and Abuse act)...or it could be used for malicious means. Aside from anonymity I supposed you could use it to hop on a remote network and start sniffing traffic like crazy. 

@erratarob has offered to do the talk and device

I guess we will see what happens. 

Sunday, July 12, 2015

Chromebook Security

I actually bought a Chromebook this weekend. I like to do my research first before buying tech and below was a pretty good analysis from MIT to read on Google Chrome Book security. It was one of my decision factors before purchasing.