Re: [Fed-Talk] Two Questions about FileVault
- Subject: Re: [Fed-Talk] Two Questions about FileVault
- From: "Miller, Timothy J." <email@hidden>
- Date: Wed, 13 May 2015 15:01:06 +0000
- Thread-topic: [Fed-Talk] Two Questions about FileVault
Enough for me.
I'd disclose to the Apple Security Group <email@hidden>. See https://www.apple.com/support/security. Bug submissions might not make it there.
A CERT disclosure would be equivalent, with the addition that the CERT can publicly disclose if the vendor doesn't respond in a timely manner. US-CERT policy is 45 days IIRC.
-- T
> -----Original Message-----
> From: Campbell, Paul Madison (ARC-TH)[ASRC RESEARCH & TECHNOLOGY
> SOLUTIONS] [mailto:email@hidden]
> Sent: Wednesday, May 13, 2015 9:38 AM
> To: Miller, Timothy J.
> Cc: Henry B (Hank) Hotz, CISSP; email@hidden Talk
> Subject: Re: [Fed-Talk] Two Questions about FileVault
>
> Tim,
>
> I had a co-worker set the key without my knowledge, attached the drive to a
> test system that had never had that disk connected, let alone a key saved to
> access, and while the prompt was displayed to enter the key for mounting
> read the data from the free space. There was no credentialed access
> guaranteed.
>
> I should note that FV2 through every means still leaves a small amount of
> recoverable data. Like with boot volumes, there's the recovery partition that
> isn't encrypted and some small amount of slack space (I think about 35MB),
> but the DU method leaves behind the entirety of unused space for recovery
> which is dramatically worse.
> Paul
>
> On May 13, 2015, at 7:26 AM, Miller, Timothy J. <email@hidden> wrote:
>
> >> When using DU to erase and encrypt a volume, check diskutil cs list
> >> and 30 seconds later the drive is listed as fully secure, conversion
> >> complete. Yet, while LOCKED and UNMOUNTED, on a system that's never
> >> touched that drive, the free space content is trivially recovered with Data
> >> Rescue 3 or 4.
> >> Unlike the other methods, DU is not running a background process to
> >> encrypt the entire drive.
> >
> > I was hoping that wasn't the case, but I wasn't able to tease that out from
> > the thread.
> >
> > I'd feel better if you were able to reproduce on a system that has no HFS+
> > support or by using other techniques just so as to eliminate the possibility
> > that Data Rescue and/or CoreStorage is smart enough to snag credentials
> > from Keychain and unlock/decrypt the volume on its own. There are some
> > projects working in this space (e.g., hfsexplorer), so it's entirely possible.
> >
> > If you can do so, that's a vulnerability--if Apple won't give it attention you
> > could disclose via CERT or a similar body.
> >
> > The obvious workaround would be to secureErase prior to formatting with
> > diskutil or after, using secureErase freespace.
> >
> > -- T
> >
> >
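
Added example, not part of the original thread or any participant's code: one tool-independent way to check a locked volume for unencrypted leftovers is to read it as raw bytes and measure per-block entropy, which involves no filesystem driver, CoreStorage or Keychain. The block size, threshold, function names and sample data are assumptions made for this sketch.

```python
import io
import math
import os
import sys
from collections import Counter

BLOCK = 4096      # assumed sample size; not a value from the thread
THRESHOLD = 7.0   # bits/byte; assumed cut-off, ciphertext sits near 8.0

def entropy(block: bytes) -> float:
    """Shannon entropy of a non-empty block in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def scan(stream, block_size=BLOCK, threshold=THRESHOLD):
    """Classify each full block as zero-filled, low-entropy or high-entropy.

    Returns (counts, offsets of low-entropy blocks). Low-entropy, non-zero
    blocks are what a fully encrypted volume should not contain. Compressed
    leftovers also look high-entropy, so a clean result is necessary but
    not sufficient.
    """
    counts = {"zero": 0, "low": 0, "high": 0}
    suspects = []
    offset = 0
    # A short trailing chunk is skipped: too few bytes to reach the threshold.
    while len(chunk := stream.read(block_size)) == block_size:
        if chunk.count(0) == block_size:
            counts["zero"] += 1
        elif entropy(chunk) < threshold:
            counts["low"] += 1
            suspects.append(offset)
        else:
            counts["high"] += 1
        offset += block_size
    return counts, suspects

def constructed_image() -> io.BytesIO:
    """Constructed sample: two random blocks, one of text, one of zeros."""
    text = (b"Constructed leftover file content, not real data. " * 100)[:BLOCK]
    return io.BytesIO(os.urandom(BLOCK) + os.urandom(BLOCK) + text + bytes(BLOCK))

if __name__ == "__main__":
    # Pass a raw image or device node of the locked volume (path is yours to supply).
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else constructed_image()
    counts, suspects = scan(src)
    print(counts, "first low-entropy offsets:", suspects[:10])
```

A volume whose free space was really encrypted or securely erased should report no low-entropy blocks outside the unencrypted regions the thread already mentions.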