Solved

Monitoring BIOS integrity - a Bitlocker exclusive feature?

Posted on 2013-06-28
Last Modified: 2013-07-10
Hi experts.

This question addresses people who are already familiar with Bitlocker's capability of monitoring changes to the BIOS. I wonder if some of you might know other encryptors that are capable of that.

[Bitlocker does request the recovery key whenever the Bios is modified - this alerts me that someone tampered with the BIOS. This tampering could include serious changes like starting a VNC server right at the BIOS level - yes, that's possible, see http://www.youtube.com/watch?v=Xq-mHC9JYwY ]
Question by:McKnife
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39286111
It is actually the TPM that checks the bios changes by monitoring the boot environment.

TrueCrypt does not use the TPM.

From the TrueCrypt FAQ:
The only thing that TPM is almost guaranteed to provide is a false sense of security (even the name itself, "Trusted Platform Module", is misleading and creates a false sense of security). As for real security, TPM is actually redundant (and implementing redundant features is usually a way to create so-called bloatware).

http://www.symantec.com/business/support/index?page=content&id=TECH149444
AFAIK Symantec Endpoint Protection does not use the TPM to monitor BIOS changes.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39286238
As with anything, given physical access, a laptop's or server's TPM chip can be compromised:
http://www.flylogic.net/blog/?p=197

Note that TPM doesn't PREVENT anything from being tampered with, it only reports it was tampered with (some false positives are possible)
http://en.wikipedia.org/wiki/Trusted_Platform_Module#Other_uses_and_concerns
-rich
0
 
LVL 61

Expert Comment

by:btan
ID: 39286290
Primarily it is the TPM doing its CRTM to check BIOS integrity, so BitLocker leverages that. I was thinking maybe just look for one with TPM and UEFI and leverage the latter's Secure Boot as in Windows 8 @ http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx

Saw similar in HP notebook - Embedded Security for HP ProtectTools - still leveraging TPM
http://h20331.www2.hp.com/Hpsub/cache/292230-0-0-225-121.html

Another is Wave Endpoint Monitor
http://www.wave.com/products/wave-endpoint-monitor

Side track: not for Windows, but I recall there is Sboot for Linux instead
http://sboot.linbox.org/wiki/Documentation
0
 
LVL 53

Author Comment

by:McKnife
ID: 39286773
Hi all.

Yes, there are some encryptors or security software of various kinds that make use of TPM chips, that's clear. I wonder how those encryptors would react if, for example, someone were to enter the BIOS and activate the Intel vPro VNC listener. Bitlocker would require the recov. pw so you would know there's something going on; are there other encryptors on the market known to you that would do the same?
That's all I am interested in for now, let's not discuss other items.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39286892
http://testlab.sit.fraunhofer.de/downloads/Publications/Attacking_the_BitLocker_Boot_Process_Trust2009.pdf
It's TPM+Bitlocker that offers the BIOS protection, TPM more so, as it tells the bootloader whether the BIOS is or isn't modified. Linux has the same thing in TrustedGrub:
http://projects.sirrix.com/trac/trustedgrub/wiki/HowDoesItWork

I don't know of any encryption software that uses the same warnings from the TPM about BIOS changes that BL does. But TrustedGrub can get the alert from the TPM as well and NOT load the rest of a TrueCrypt volume, for example. It's the bootloader getting cues from the TPM; BitLocker has its own bootloader.
-rich
0
 
LVL 61

Expert Comment

by:btan
ID: 39287830
Wave Endpoint Monitor and McAfee ePO Deep Command (not the DeepSAFE) are in the list ...http://blogs.mcafee.com/security-connected/get-the-most-out-of-your-intel-vpro-based-pcs-with-mcafee-epo-deep-command
0
 
LVL 53

Author Comment

by:McKnife
ID: 39289064
Breadtan, are those really comparable products? Those would encrypt the drive and also alert the user of BIOS changes? That's what I am looking for and it does not look as if they do.
0
 
LVL 61

Expert Comment

by:btan
ID: 39289415
They are still dependent on the TPM to detect, and not on the software, in that BIOS-tamper use case. Their other features are, as mentioned, not relevant.
0
 
LVL 53

Author Comment

by:McKnife
ID: 39289633
I don't really care if it's the TPM - I just ask myself what encryptors. You mention endpoint monitor - that's no encryption software. EPO Deepcommand ain't one either, if I am not mistaken.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39289721
Power on -> TPM -> Bios check by TPM -> Bootloader -> Disk Encryption(decryption)
The disk encryption makes use of the TPM; if you don't have a TPM chip then BitLocker doesn't check the BIOS. TrueCrypt takes no cues/alerts from the TPM but is a full disk encryptor. TrustedGrub for Linux does look at the TPM, and can then make a decision to use the TrueCrypt decryption process; it's the bootloader, not the encryption software necessarily. In BL's case it has its own bootloader before the decryption stage that makes the decision based on the TPM (if present) to continue the boot process.
There are tons of FDE's out there, most ignore or don't acknowledge TPM messages.

-rich
0
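The chain Rich describes (power on, TPM measurements, a bootloader that decides whether the volume key is released or the recovery key is demanded, in both the BitLocker and TrustedGrub/TrueCrypt variants) can be modelled in a few lines. The block below is an added example, not code from this thread or from BitLocker, TrustedGrub, TrueCrypt or any other product named here. It assumes a SHA-256 PCR bank, uses a hashlib/hmac stand-in for TPM sealing (a real TPM wraps the key internally under a PCR policy, it does not XOR it), and the "BIOS image", setup-menu settings and recovery password are constructed placeholders.

```python
import hashlib
import hmac
import secrets

PCR_SIZE = 32  # one SHA-256 PCR (assumption: SHA-256 bank)


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || H(data)).
    A PCR can only be extended, never written, so a changed component
    yields a different final value no matter what runs afterwards."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Measure each pre-OS component in boot order into a single PCR,
    starting from the all-zero reset value."""
    pcr = bytes(PCR_SIZE)
    for comp in components:
        pcr = pcr_extend(pcr, comp)
    return pcr


def seal(volume_key: bytes, expected_pcr: bytes) -> dict:
    """Model of TPM sealing: wrap the key under a secret derived from the
    expected PCR value and attach a MAC so unseal can detect a mismatch.
    (Assumption: real TPMs keep the wrapping inside the chip.)"""
    kek = hashlib.sha256(b"seal-policy" + expected_pcr).digest()
    wrapped = bytes(a ^ b for a, b in zip(volume_key, kek))
    tag = hmac.new(kek, wrapped, hashlib.sha256).digest()
    return {"wrapped": wrapped, "tag": tag}


def unseal(blob: dict, current_pcr: bytes):
    """Return the key only if the PCR measured on this boot matches the
    one the key was sealed to; otherwise None."""
    kek = hashlib.sha256(b"seal-policy" + current_pcr).digest()
    expected_tag = hmac.new(kek, blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], kek))


def boot(blob: dict, components, recovery_key: str):
    """Bootloader decision: try the sealed key, fall back to the recovery
    key when the measurements differ. Returns (path, key)."""
    pcr = measure_boot(components)
    key = unseal(blob, pcr)
    if key is not None:
        return ("sealed", key)
    return ("recovery", recovery_key)


def demo() -> dict:
    """Seal a key against a clean BIOS, then boot once clean and once
    after a setup-menu change such as enabling the AMT/KVM listener."""
    # Constructed stand-ins for what the firmware would actually hash.
    bios_code = b"OEM BIOS v1.02 image bytes (constructed)"
    setup_clean = b"AMT=disabled;KVM=disabled;BootOrder=HDD"
    setup_tampered = b"AMT=enabled;KVM=enabled;BootOrder=HDD"
    volume_key = secrets.token_bytes(32)
    recovery_key = "000000-111111-222222-333333-444444-555555-666666-777777"  # placeholder

    blob = seal(volume_key, measure_boot([bios_code, setup_clean]))
    return {
        "volume_key": volume_key,
        "clean": boot(blob, [bios_code, setup_clean], recovery_key),
        "tampered": boot(blob, [bios_code, setup_tampered], recovery_key),
    }


if __name__ == "__main__":
    result = demo()
    for name in ("clean", "tampered"):
        path, _ = result[name]
        print(f"{name:9s} boot -> {path}")
```

The clean boot unseals the volume key and continues; the tampered boot cannot unseal and the loader falls back to the recovery key, which is the prompt McKnife sees. The caveat a practitioner should check is which PCRs the sealing policy actually covers: on a TCG-compliant PC, firmware code is measured into PCR 0 and firmware configuration into PCR 1, so whether a setup-menu change (as opposed to a reflash) triggers the prompt depends on whether the product's PCR profile includes the register that particular setting is measured into.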
 
LVL 53

Author Comment

by:McKnife
ID: 39289743
> There are tons of FDE's out there, most ignore or don't acknowledge TPM messages.
I am not asking "what FDEs don't?" but "what do?".
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39289778
0
 
LVL 53

Author Comment

by:McKnife
ID: 39289810
That table is known to anyone who ever wondered about features of encryptors, if you ask me. You quote encryptors that can use TPM. But which of those do what I am looking for?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39289843
SecureDoc says they do; as for the others, they don't say explicitly about BIOS. Contact the vendors' support/forum; if you need, I can do it for you.
-rich
0
 
LVL 53

Author Comment

by:McKnife
ID: 39289895
Where does SecureDoc say they do?
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 39289992
Page 7 and 8:  http://www.winmagic.com/downloads//whitepapers/WinMagic_TPM_WhitePaper.pdf
Platform Integrity Attestation can be used to validate pre-OS
components, such as the PC’s BIOS, before access to encryption keys
– and encrypted data – is granted.
(page 8)
Similarly, SecureDoc uses the TPM to authenticate a computer
system to an end-user, thereby ensuring the system seeking to
access an encrypted drive is the expected system.
-rich
0
 
LVL 53

Author Comment

by:McKnife
ID: 39290082
Fine. So there's at least one other company.
If anyone can add other proof like datasheet links or own experience, please do so.
Contacting the manuf.'s about it of course is a solution, but just the one I tried to avoid by this question :)
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39290127
I think you can infer that if the others are using TPM, they'd likely support that feature, I bet over half listed do if not all, but you never know.
-rich
0
 
LVL 61

Expert Comment

by:btan
ID: 39290254
Wave's Endpoint Monitor is not an encryptor but detects BIOS tampering. Deep Command is to manage Intel vPro against h/w abuse; it also does not perform encryption.

The TPM-secured software tools you're most likely to come across are encryption options like

PGP Whole Disk Encryption,
http://www.symantec.com/business/support/index?page=content&id=HOWTO42084

WinMagic SecureDoc,
http://www.winmagic.com/support/competitive-checklist
0
 
LVL 53

Author Comment

by:McKnife
ID: 39306846
Hi breadtan,

SecureDoc was mentioned by RichRumble already. PGP WDE 10 does not support TPMs on any OS but Windows XP. Also, they will discontinue TPM support in future versions.
Will close this question in favor of RR, unless another contributor comes along in the next few hours.
0
 
LVL 61

Expert Comment

by:btan
ID: 39307330
Thanks! I know that it is late and will not hold you up. There seems to be something stated by BestCrypt on TPM support, though I cannot confirm the BIOS part as I never really tried.

6. Secure unattended reboot
http://www.jetico.com/bcve3_web_help/index.php?info=html/01_introduction/04_new_in_version.htm

Version 3 of BestCrypt Volume Encryption utilizes Trusted Platform Module (TPM) hardware available on many motherboards for the purpose of unattended reboot of computers with encrypted boot/system disk volumes. This feature is necessary to manage servers that are required to function around the clock. If such a server has an encrypted boot/system volume, every reboot of the server requires manual password entry at boot time. With this new feature, a server administrator can choose an interval of time when BestCrypt Volume Encryption (with help of TPM) should support unattended reboot of the server
==========

Sidenote - I came across PrivateCore, which does attestation via TPM, but this does it at the hypervisor level, on a software-based full-memory encryption system.
http://privatecore.com/vcage/
http://privatecore.com/resources-overview/server-attestation/
0
 
LVL 53

Author Comment

by:McKnife
ID: 39308867
Thanks!
0
 
LVL 53

Author Comment

by:McKnife
ID: 39314040
:(

Tried SecureDoc today - it does not do the same as BitLocker, although the whitepaper promises something that sounded as if it would ["Platform Integrity Attestation can be used to validate pre-OS components, such as the PC's BIOS, before access to encryption keys – and encrypted data – is granted."] - their support engineer did not even know what the white paper was talking about.

That's why I asked here, I wanted real life experience and no white paper guys ;)
Will write to any of the other "TPM companies".
By the way: SecureDoc left the impression "horrible" at best - it worked unstably on 7 and did not work at all on Vista and Win8, although they promised it would. Same supported hardware in all cases.

-no comment needed-
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39314283
I'm sorry to hear that, but this kinda speaks to my other point that the BIOS, while ripe for manipulation, is one of the least targeted vectors. The TPM can also be bypassed/exploited itself to not report an issue or be reset at each reboot; there are chicken-and-egg issues with TPM:
http://books.google.com/books?id=QT7WKFkJWL4C&pg=PA41&lpg=PA41&dq=tpm+chicken+and+the+egg&source=bl&ots=vCfp1o4bKa&sig=csnsyr8FtW9GJJbha8eW-vvxQsY&hl=en&sa=X&ei=FGTdUdvWJqPmygGDrYCYCw&ved=0CDwQ6AEwAg#v=onepage&q=tpm%20chicken%20and%20the%20egg&f=false
I've learned a lot more about TPM than I ever wanted to with the question, I hope something else useful comes from it, other than learning that the Sales pitch of products bend the truth (who knew?)
:)
-rich
0
 
LVL 61

Expert Comment

by:btan
ID: 39314366
Let's hope there can be better dealing with the UEFI and Intel AMT side... thanks for sharing.
0
