Evil Maid wanted, B.S. in Computer Science a plus
Some weeks ago, Polish researcher Joanna Rutkowska published an attack on the TrueCrypt Full-Disk Encryption (FDE) software, in which an attacker with physical access to an unattended PC first installs a passphrase sniffer, and then returns to steal the PC together with the captured FDE passphrase.
She coined the term "evil maid attack" for this kind of incident, as it specifically applies to scenarios in which a traveller leaves a portable PC unattended in a hotel room, and a person who has access, but not necessarily dedicated technical skills (e.g. a room maid) actually executes the attack.
Technically, this person (in the absence of any reliable data on popular names for room maids, let’s just call her Trudy) inserts a bootable medium (e.g. a CD-ROM or USB stick), turns the laptop on, and consequently the bootable malware code on the medium gets executed.
This code then installs a transparent key logger in the Master Boot Record (MBR) of the hard disk. Later, the unsuspecting owner turns on his laptop, enters the passphrase and boots up. Without his knowledge, the keylogger intercepts the passphrase and stores it on the hard disk.
Finally, Trudy only needs to steal the laptop and hand it over to the person who targeted the victim. Neither step requires any particular technical knowledge; both can be performed by a person instructed or bribed by the master attacker.
It's not only TrueCrypt that is susceptible to this kind of attack, but basically every pure-software FDE product: these products employ no additional hardware (e.g. a TPM chip) to maintain the integrity of the boot process.
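Since the implant described above has to live in the first disk sector, the most basic defender's check is to baseline that sector and compare it before trusting the passphrase prompt. The following Python script is an added example, not code from the original post or from TrueCrypt: it fingerprints a 512-byte MBR, compares it region by region against a known-good copy, and reports which part changed. The sample sector and the tampering helper are constructed for offline use; `read_mbr` is the only function that touches a real device and expects a path (a block device or raw disk image) that you supply.

```python
import hashlib

# Layout of a classic (non-GPT) Master Boot Record, byte offsets [start, end).
MBR_SIZE = 512
REGIONS = {
    "bootstrap_code": (0, 440),     # code the BIOS executes; where a boot-time implant lands
    "disk_signature": (440, 446),   # 4-byte Windows disk signature + 2 reserved bytes
    "partition_table": (446, 510),  # four 16-byte partition entries
    "boot_signature": (510, 512),   # must be 0x55 0xAA
}


def read_mbr(path):
    """Read the first sector of a block device or raw disk image (needs read access)."""
    with open(path, "rb") as f:
        data = f.read(MBR_SIZE)
    if len(data) != MBR_SIZE:
        raise ValueError("short read: %s does not contain a full MBR sector" % path)
    return data


def has_boot_signature(mbr):
    """True if the sector carries the 0x55AA marker the BIOS requires."""
    return mbr[510:512] == b"\x55\xAA"


def mbr_fingerprint(mbr):
    """SHA-256 of the whole sector, suitable for storing offline as a baseline."""
    return hashlib.sha256(mbr).hexdigest()


def changed_regions(baseline, current):
    """Compare a known-good MBR copy against the current one, region by region.

    Returns the names of regions whose bytes differ; an empty list means intact.
    """
    if len(baseline) != MBR_SIZE or len(current) != MBR_SIZE:
        raise ValueError("both inputs must be exactly one 512-byte sector")
    return [name for name, (start, end) in REGIONS.items()
            if baseline[start:end] != current[start:end]]


def make_sample_mbr():
    """Constructed sample sector for offline use; the code area is filler, not a bootloader."""
    code = bytes((i * 7 + 3) % 256 for i in range(440))
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"
    # One bootable Linux-type partition entry (constructed values), three empty entries.
    entry = (b"\x80" + b"\x01\x01\x00" + b"\x83" + b"\xFE\xFF\xFF"
             + (2048).to_bytes(4, "little") + (2097152).to_bytes(4, "little"))
    table = entry + b"\x00" * 48
    return code + disk_sig + table + b"\x55\xAA"


def simulate_bootstrap_tamper(mbr):
    """Constructed: alter a few bytes of the bootstrap area to model an unexpected change."""
    patched = bytearray(mbr)
    patched[0:8] = b"CHANGED!"
    return bytes(patched)


if __name__ == "__main__":
    good = make_sample_mbr()          # in practice: read_mbr("/path/to/disk-or-image")
    print("baseline fingerprint:", mbr_fingerprint(good))
    print("boot signature present:", has_boot_signature(good))
    now = simulate_bootstrap_tamper(good)
    print("changed regions:", changed_regions(good, now) or "none")
```

The comparison is only meaningful when it is run from a medium you trust (a separately kept boot disk, not the operating system on the possibly modified drive), and it covers only the first sector; it is a cheap tripwire, not a substitute for the hardware-backed boot integrity (TPM-measured boot) that the post points to as the real fix.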
There are several ways to mitigate these attacks quite efficiently (on Mac and Windows); find out how at http://www.sophos.com/blogs/gc/g/2009/11/20/guest-blog-evil-maid-wanted-bs-computer-science/