COMMAND

    FWB

SYSTEMS AFFECTED

    Mac OS

PROBLEM

    Following is based on L0phT Security Advisory by Space Rogue.  FWB
    Hard Disk Toolkit 2.5 allows users to password protect hard  drive
    volumes.   This  password  has  to  be  entered when the hard disk
    driver loads  in order  to allow  the volume  to mount. Failure to
    enter  this  password  prevents  the  volume  from  mounting   and
    therefore prevents access to the data on the device.

    By forcibly replacing the FWB driver with a different driver it is
    possible  to  access  the  data  on  the password protected volume
    without  knowing  the   password.   Most   Macintosh  hard   drive
    formatting utilities will allow you to replace the FWB  passworded
    driver.   However  they  will  also  make  any  data  on the drive
    unreadable without advanced data recovery software (Norton  Volume
    Recover  etc.).   If  the  FWB  driver  is  replaced  with  La Cie
    Silverlining then it is possible to bypass the password and  still
    access the data.   L0pht testing procedure  utilized a Quadra  610
    24/230,  Mac  OS  8.0,  FWB  Hard  Disk  Tool  Kit  2.5,  La   Cie
    Silverlining 5.8.3, and an  External 160MB SCSI IBM  H3171-S2 hard
    drive.

    L0pht test  drive was  first low  level formatted  with FWB  and a
    read/write  password  was  assigned.   Then  about 10MB of various
    files where copied onto it as our test data.  The machine was then
    powered down and  rebooted.  Upon  boot up the  system prompted us
    to enter the password. This enabled the system to mount the drive.
    L0pht  then   launched  Silverlining   and  updated   the  driver.
    Silverlining did not complain about  doing this except to give  us
    the standard  dire warnings  about possible  data loss.   Again we
    powered down and  rebooted.  This  time no password  was asked for
    and the volume mounted successfully  with all of its data  intact.
    The previous steps  where repeated ten  times with no  discernible
    differences.

    L0pht  tried  various  other  hard  drive  formatting utilities in
    addition to  Silverlining such  as SCSI  Director Pro,  Anubis and
    others.  While some of these other utilities where able to replace
    the FWB driver access to the data was lost. Silverlining is unique
    in  that  attempts  to  preserve  data  integrity  while replacing
    the driver,  other utilities  do not  take data  preservation into
    account.

    L0pht would like  to acknowledge J.  Claymore who first  mentioned
    this problem some time ago which made this advisory possible.

SOLUTION

    Users  should  be  aware  that  using  a  driver level password to
    protect data is not always a guarantee that your data is safe from
    prying eyes.   The previous example  can be accomplished  in under
    five minutes with a medium sized drive and only requires that  the
    malicious user have  a bootable floppy  disk with Silverlining  on
    it.  Ten minutes of  unsupervised access to the target  machine is
    all that is required.

    FWB gives users six options when applying a password to a  volume;
    None, Read,  Read/Write, Encryption  Level 1,  Encryption Level 2,
    and  Encryption  Level  3.   Using  one  of the encryption options
    would possibly  allow for  greater security.  The disadvantage  is
    that using one  of the encryption  options greatly slows  down the
    speed at which your machine can read and write data as it does its
    encryption/decryption on the fly.  (It is not the purpose of  this
    advisory to  determine if  FWBs encryption  implementation is  any
    better or worse than its password implementation).

    Numerous hard drive  formatting utilities allow  the setting of  a
    password similar to FWB.  Unfortunately L0pht do not have the time
    to test them  all.  It  should therefore not  be assumed that  all
    other driver level passwords are secure.