Monitoring BIOS integrity - a Bitlocker exclusive feature?

Hi experts.

This question addresses people who are already familiar with BitLocker's capability of monitoring changes to the BIOS. I wonder if some of you might know other encryptors that are capable of that.

[BitLocker does request the recovery key whenever the BIOS is modified - this alerts me that someone tampered with the BIOS. This tampering could include serious changes like starting a VNC server right at the BIOS level - yes, that's possible, see http://www.youtube.com/watch?v=Xq-mHC9JYwY ]
Asked by McKnife
1 Solution
 
David Johnson, CD, MVP (Owner) commented:
It is actually the TPM that checks for BIOS changes by monitoring the boot environment.

TrueCrypt does not use the TPM.

From the TrueCrypt FAQ:
> The only thing that TPM is almost guaranteed to provide is a false sense of security (even the name itself, "Trusted Platform Module", is misleading and creates a false sense of security). As for real security, TPM is actually redundant (and implementing redundant features is usually a way to create so-called bloatware).

http://www.symantec.com/business/support/index?page=content&id=TECH149444
AFAIK Symantec Endpoint Protection does not use the TPM to monitor BIOS changes.
Rich Rumble (Security Samurai) commented:
As with anything, with physical access a laptop's or server's TPM chip can be compromised:
http://www.flylogic.net/blog/?p=197

Note that the TPM doesn't PREVENT anything from being tampered with; it only reports that it was tampered with (some false positives are possible).
http://en.wikipedia.org/wiki/Trusted_Platform_Module#Other_uses_and_concerns
-rich
btan (Exec Consultant) commented:
Primarily it is the TPM doing its CRTM to check BIOS integrity, so BitLocker leverages that. I was thinking maybe just look for one with TPM and UEFI and leverage the latter's Secure Boot, as in Windows 8: http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx

Saw something similar in HP notebooks - Embedded Security for HP ProtectTools - still leveraging the TPM.
http://h20331.www2.hp.com/Hpsub/cache/292230-0-0-225-121.html

Another is Wave Endpoint Monitor:
http://www.wave.com/products/wave-endpoint-monitor

Side track, not for Windows: I recall there is Sboot for Linux instead.
http://sboot.linbox.org/wiki/Documentation
 
McKnife (Author) commented:
Hi all.

Yes, there are some encryptors or security software of various kinds that make use of TPM chips, that's clear. I wonder how those encryptors would react if, for example, someone entered the BIOS and activated the Intel vPro VNC listener. BitLocker would require the recovery password, so you would know there's something going on; are there other encryptors on the market known to you that would do the same?
That's all I am interested in for now; let's not discuss other items.
Rich Rumble (Security Samurai) commented:
http://testlab.sit.fraunhofer.de/downloads/Publications/Attacking_the_BitLocker_Boot_Process_Trust2009.pdf
It's TPM+BitLocker that offers the BIOS protection, TPM more so, as it tells the bootloader whether the BIOS is or isn't modified. Linux has the same thing in TrustedGRUB:
http://projects.sirrix.com/trac/trustedgrub/wiki/HowDoesItWork

I don't know of any encryption software that uses the same warnings from the TPM about BIOS changes that BL does. But TrustedGRUB can get the alert from the TPM as well and NOT load the rest of a TrueCrypt volume, for example. It's the bootloader getting cues from the TPM; BitLocker has its own bootloader.
-rich
btan (Exec Consultant) commented:
Wave Endpoint Monitor and McAfee ePO Deep Command (not DeepSAFE) are in the list: http://blogs.mcafee.com/security-connected/get-the-most-out-of-your-intel-vpro-based-pcs-with-mcafee-epo-deep-command
McKnife (Author) commented:
Breadtan, are those really comparable products? Those would encrypt the drive and also alert the user of BIOS changes? That's what I am looking for and it does not look as if they do.
btan (Exec Consultant) commented:
They are still dependent on the TPM to detect, and not the software, in handling that BIOS-tamper use case. Their other features are, as mentioned, not relevant.
McKnife (Author) commented:
I don't really care if it's the TPM - I just ask myself which encryptors. You mention Endpoint Monitor - that's no encryption software. ePO Deep Command isn't one either, if I am not mistaken.
Rich Rumble (Security Samurai) commented:
Power on -> TPM -> BIOS check by TPM -> Bootloader -> Disk Encryption (decryption)
The disk encryption makes use of the TPM; if you don't have a TPM chip then BitLocker doesn't check the BIOS. TrueCrypt takes no cues/alerts from the TPM but is a full disk encryptor. TrustedGRUB for Linux does look at the TPM, and can then make a decision to use the TrueCrypt decryption process; it's the bootloader, not the encryption software necessarily. In BL's case it has its own bootloader before the decryption stage that makes the decision, based on the TPM (if present), to continue the boot process.
There are tons of FDEs out there; most ignore or don't acknowledge TPM messages.

-rich
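As an added illustration of the boot chain Rich describes above (this is not code from the thread or from any product): a small Python simulation of TPM measured boot, where each pre-OS component is hashed into a PCR and the volume master key is sealed to the resulting value, so any change to the BIOS image yields a different PCR and the key is not released, which is the point at which BitLocker falls back to the recovery key. The firmware images, key names and the wrapping derivation are constructed stand-ins for what a real TPM does internally.

```python
import hashlib
import hmac

# Added simulation (not BitLocker/TPM code): why a BIOS change makes the
# sealed key unavailable and forces the recovery-key prompt.

PCR_INIT = bytes(32)   # PCRs reset to zero at power-on
SRK = b"constructed stand-in for the TPM's internal storage root key"

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR' = SHA-256(PCR || SHA-256(measurement)); one-way and order-sensitive."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(components):
    """Each pre-OS component (BIOS, option ROMs, bootloader) is measured in boot order."""
    pcr = PCR_INIT
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr

def _wrap_key(pcr: bytes) -> bytes:
    # Derives the wrapping key from the PCR policy; stands in for TPM-internal key use.
    return hmac.new(SRK, pcr, hashlib.sha256).digest()

def seal(key: bytes, expected_pcr: bytes) -> dict:
    """Bind a 32-byte key to the PCR value that a trusted boot produces."""
    wrapped = bytes(a ^ b for a, b in zip(key, _wrap_key(expected_pcr)))
    return {"policy": expected_pcr, "blob": wrapped}

def unseal(sealed: dict, current_pcr: bytes):
    """Release the key only if the current PCR equals the sealing policy; else None."""
    if not hmac.compare_digest(sealed["policy"], current_pcr):
        return None   # TPM refuses: the measured boot chain changed
    return bytes(a ^ b for a, b in zip(sealed["blob"], _wrap_key(current_pcr)))

# Constructed sample firmware images (byte strings standing in for real code).
BIOS_V1 = b"constructed BIOS image v1, vPro VNC listener disabled"
OPTION_ROM = b"constructed network/vPro option ROM"
BOOTLOADER = b"constructed boot manager"
GOOD_CHAIN = [BIOS_V1, OPTION_ROM, BOOTLOADER]

VMK = hashlib.sha256(b"constructed volume master key").digest()
SEALED_VMK = seal(VMK, measure_boot(GOOD_CHAIN))   # done once, on a trusted boot

def boot(components):
    """Return ('unlocked', key) when the chain matches the sealing policy, else ('recovery', None)."""
    key = unseal(SEALED_VMK, measure_boot(components))
    return ("unlocked", key) if key is not None else ("recovery", None)

if __name__ == "__main__":
    print(boot(GOOD_CHAIN)[0])   # unlocked
    print(boot([BIOS_V1 + b", vPro VNC listener enabled", OPTION_ROM, BOOTLOADER])[0])   # recovery
```

Because extend is order-sensitive, swapping the measurement order also changes the PCR, which is why a real TPM policy is tied to a specific boot sequence and not just a set of components.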
 
McKnife (Author) commented:
> There are tons of FDE's out there, most ignore or don't acknowledge TPM messages.
I am not asking "what FDEs don't?" but "what do?".
McKnife (Author) commented:
That table is known to anyone who ever wondered about features of encryptors, if you ask me. You quote encryptors that can use TPM. But which of those do what I am looking for?
Rich Rumble (Security Samurai) commented:
SecureDoc says they do; as for the others, they don't say anything explicit about the BIOS. Contact the vendors' support/forum; if you need, I can do it for you.
-rich
McKnife (Author) commented:
Where does SecureDoc say they do?
Rich Rumble (Security Samurai) commented:
Pages 7 and 8: http://www.winmagic.com/downloads//whitepapers/WinMagic_TPM_WhitePaper.pdf
> Platform Integrity Attestation can be used to validate pre-OS components, such as the PC’s BIOS, before access to encryption keys – and encrypted data – is granted.

(page 8)
> Similarly, SecureDoc uses the TPM to authenticate a computer system to an end-user, thereby ensuring the system seeking to access an encrypted drive is the expected system.

-rich
McKnife (Author) commented:
Fine. So there's at least one other company.
If anyone can add other proof, like datasheet links or your own experience, please do so.
Contacting the manufacturers about it is of course a solution, but just the one I tried to avoid by asking this question :)
Rich Rumble (Security Samurai) commented:
I think you can infer that if the others are using TPM, they'd likely support that feature, I bet over half listed do if not all, but you never know.
-rich
btan (Exec Consultant) commented:
Wave's Endpoint Monitor does not do encryption but detects BIOS tampering. DeepCommand is to manage Intel vPro against hardware abuse; it also does not perform encryption.

The TPM-secured software tools you're most likely to come across are encryption options like:

PGP Whole Disk Encryption,
http://www.symantec.com/business/support/index?page=content&id=HOWTO42084

WinMagic SecureDoc,
http://www.winmagic.com/support/competitive-checklist
McKnife (Author) commented:
Hi breadtan,

SecureDoc was mentioned by RichRumble already. PGP WDE 10 does not support TPMs on any OS but Windows XP. Also, they will discontinue TPM support in future versions.
Will close this question in favor of RR, unless another contributor comes along in the next few hours.
btan (Exec Consultant) commented:
Thanks! I know that it is late and will not hold you up. There seems to be something stated by BestCrypt on TPM support, though I cannot confirm the BIOS part as I never really tried it.

6. Secure unattended reboot
http://www.jetico.com/bcve3_web_help/index.php?info=html/01_introduction/04_new_in_version.htm

> Version 3 of BestCrypt Volume Encryption utilizes Trusted Platform Module (TPM) hardware available on many motherboards for the purpose of unattended reboot of computers with encrypted boot/system disk volumes. This feature is necessary to manage servers that are required to function around the clock. If such a server has an encrypted boot/system volume, every reboot of the server requires manual password entry at boot time. With this new feature, a server administrator can choose an interval of time when BestCrypt Volume Encryption (with help of TPM) should support unattended reboot of the server.

Sidenote - I came across PrivateCore, which does attestation via the TPM, but this does it at the hypervisor level, on a software-based full-memory encryption system.
http://privatecore.com/vcage/
http://privatecore.com/resources-overview/server-attestation/
McKnife (Author) commented:
Thanks!
McKnife (Author) commented:
:(

Tried SecureDoc today - it does not do the same as BitLocker, although the whitepaper promises something that sounded as if it would ["Platform Integrity Attestation can be used to validate pre-OS components, such as the PC’s BIOS, before access to encryption keys – and encrypted data – is granted."] - their support engineer did not even know what the white paper was talking about.

That's why I asked here: I wanted real-life experience and no white paper guys ;)
Will write to any of the other "TPM companies".
By the way: SecureDoc left the impression "horrible" at best - it worked unstably on 7, and did not work at all on Vista and Win8 although they promised it would. Same supported hardware in all cases.

-no comment needed-
Rich Rumble (Security Samurai) commented:
I'm sorry to hear that, but this kinda speaks to my other point that the BIOS, while ripe for manipulation, is one of the least targeted vectors. The TPM can also be bypassed/exploited itself to not report an issue, or be reset at each reboot; there are chicken-and-egg issues with TPM:
http://books.google.com/books?id=QT7WKFkJWL4C&pg=PA41&lpg=PA41&dq=tpm+chicken+and+the+egg&source=bl&ots=vCfp1o4bKa&sig=csnsyr8FtW9GJJbha8eW-vvxQsY&hl=en&sa=X&ei=FGTdUdvWJqPmygGDrYCYCw&ved=0CDwQ6AEwAg#v=onepage&q=tpm%20chicken%20and%20the%20egg&f=false
I've learned a lot more about TPM than I ever wanted to with this question. I hope something else useful comes from it, other than learning that the sales pitches of products bend the truth (who knew?)
:)
-rich
btan (Exec Consultant) commented:
Let's hope there can be better dealing with the UEFI and Intel AMT side... thanks for sharing.