This is exactly how encryption can backfire in a corporate environment.
The problem applies to any disk-based encryption, and especially to products that cannot be unlocked from outside the running OS. I mention Pointsec because that is where I got it working. Most companies encrypt the whole disk, especially banks and military agencies.
Next, assume a rootkit capable of hiding itself from most, if not all, conventional anti-malware. In the "perfect" case, once the rootkit is loaded it cannot be detected from inside the same environment. So as long as the OS is running with the rootkit installed at Ring 0, you are, so to speak, screwed: nothing running on top of the compromised kernel can be trusted to see it.
Traditionally, we would remove or disable such malware by booting the machine into an alternative environment such as WinPE or Linux, where the rootkit is not running, scanning the FAT/NTFS volume offline, and deleting its files. This is where it gets tricky. With disk-based encryption in place, the alternative environment cannot read the files on the infected Windows volume at all; it sees only ciphertext. So far I have only encountered Microsoft's BitLocker that can be decrypted, and in that case the rootkit can be removed after the volume has been unlocked (for example with its recovery key).
By now, I think you can see what I am getting at. The only way left to wipe out the rootkit is to destroy the whole encrypted partition. As long as the partition is still encrypted (in my case with Pointsec), there is virtually no way to even read it from another OS. In effect, Pointsec protects the rootkit from being isolated and destroyed. That assumes, of course, that someone even figures out a rootkit is present in the first place.
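The following triage script is an added example, not code from the original post or from the Pointsec product. It shows what the rescue environment described above actually gets to see: it reads the first 64 KiB of a partition and classifies it as a plaintext NTFS/FAT filesystem (scan it), a BitLocker volume (unlock it first, then scan), or an opaque encrypted blob with no recognisable header (nothing to mount, which is the Pointsec situation). The NTFS and BitLocker OEM IDs are documented on-disk signatures; the sample volumes are constructed inside the script, and the Pointsec stand-in is simply random bytes, since the script assumes nothing about Pointsec's real on-disk format.

```python
import math
import random
from collections import Counter

SAMPLE_LEN = 64 * 1024  # bytes read from the start of the partition


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for a plaintext filesystem."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_volume(data: bytes) -> str:
    """Classify the first bytes of a partition as seen from a rescue environment.

    Returns one of:
      "ntfs" / "fat"       plaintext filesystem: mount it and scan for the rootkit's files
      "bitlocker"          BitLocker volume: unlock with the recovery key first, then scan
      "opaque-encrypted"   no recognisable header and ciphertext-like entropy (full-disk
                           encryption such as Pointsec): nothing to scan without vendor tooling
      "unknown"            low entropy but no signature this script recognises
    """
    boot = data[:512]
    oem_id = boot[3:11]                    # OEM ID field of a BIOS parameter block
    if oem_id == b"NTFS    ":
        return "ntfs"
    if oem_id == b"-FVE-FS-":              # OEM ID BitLocker writes on an encrypted volume
        return "bitlocker"
    if boot[0x52:0x57] == b"FAT32" or boot[0x36:0x39] == b"FAT":
        return "fat"                       # FS type strings of FAT32 and FAT12/16 boot sectors
    if shannon_entropy(data) > 7.5:
        return "opaque-encrypted"
    return "unknown"


def _boot_sector(oem_id: bytes, fs_type_at=None) -> bytes:
    """Constructed minimal boot sector: jump instruction, OEM ID, optional FS type string."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x52\x90"
    sector[3:11] = oem_id
    if fs_type_at:
        offset, label = fs_type_at
        sector[offset:offset + len(label)] = label
    return bytes(sector)


# Constructed sample volumes (not images of real disks).
NTFS_SAMPLE = _boot_sector(b"NTFS    ") + bytes(SAMPLE_LEN - 512)
FAT32_SAMPLE = _boot_sector(b"MSDOS5.0", (0x52, b"FAT32   ")) + bytes(SAMPLE_LEN - 512)
BITLOCKER_SAMPLE = _boot_sector(b"-FVE-FS-") + bytes(SAMPLE_LEN - 512)
# Stand-in for a Pointsec-style volume (assumed: no readable header, just ciphertext).
_rng = random.Random(2024)
OPAQUE_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(SAMPLE_LEN))


if __name__ == "__main__":
    for name, sample in [("ntfs", NTFS_SAMPLE), ("fat32", FAT32_SAMPLE),
                         ("bitlocker", BITLOCKER_SAMPLE), ("opaque", OPAQUE_SAMPLE)]:
        print(f"{name:10s} -> {classify_volume(sample):18s} "
              f"entropy={shannon_entropy(sample):.2f} bits/byte")
```

On a real rescue boot you would feed it the device directly, e.g. `classify_volume(open("/dev/sda2", "rb").read(SAMPLE_LEN))`. Only the "ntfs"/"fat" results give you something to mount and scan; "bitlocker" means you need the recovery key before the scan can proceed, and "opaque-encrypted" is exactly the dead end the post describes.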
Where can this be applied? Almost anywhere a company can afford to encrypt all of its laptops and pay enough for a really good rootkit. The company can then effectively spy on its employees, logging and auditing their activity, and even if an employee finds out there is nothing they can do about it, at least in countries where privacy is not protected by law.
Ok, I am not going to leave my contact details here, but if you think your organization requires such a service, drop me a comment. :)