ALERT: Disk encryption may not be secure enough


Posted

You may have already heard about or read about this story. If so, this is not for you.

For those people in positions where privacy can mean the life or death of a career or even a person, listen up......

"Computer scientists have discovered a novel way to bypass the encryption used in programs like Microsoft's BitLocker and Apple's FileVault and then view the contents of supposedly secure files.

In a paper (PDF) published Thursday that could prompt a rethinking of how to protect sensitive data, the researchers describe how they can extract the contents of a computer's memory and discover the secret encryption key used to scramble files. (I tested these claims by giving them a MacBook with FileVault; here's a slideshow.)

"There seems to be no easy remedy for these vulnerabilities," the researchers say. "Simple software changes are likely to be ineffective; hardware changes are possible but will require time and expense; and today's Trusted Computing technologies appear to be of little help because they cannot protect keys that are already in memory. The risk seems highest for laptops, which are often taken out in public in states that are vulnerable to our attacks. These risks imply that disk encryption on laptops may do less good than widely believed." "

Read the entire article at http://www.news.com/8301-13578_3-9876060-38.html?tag=tb or view the video straight from Princeton at http://citp.princeton.edu/memory/.

jim

Guest Richard G. Harper
Posted

Re: ALERT: Disk encryption may not be secure enough

 

I always, ALWAYS carry a can of compressed air upside down in my pocket just so I can super cool the memory chips from a PC and steal the data resident on them. This just goes back to probably the second oldest security rule there is - "If you don't physically secure your computer, it is no longer your computer." The oldest, of course, being "If you let someone else run code on your computer, it is no longer your computer."

--
Richard G. Harper [MVP Shell/User] rgharper@gmail.com
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/

"jim" <jim@home.net> wrote in message news:G8Bvj.106956$L%6.17232@bignews3.bellsouth.net...
> You may have already heard about or read about this story. If so, this is not for you.
>
> For those people in positions where privacy can mean the life or death of a career or even a person, listen up......
>
> "Computer scientists have discovered a novel way to bypass the encryption used in programs like Microsoft's BitLocker and Apple's FileVault and then view the contents of supposedly secure files.
>
> In a paper (PDF) published Thursday that could prompt a rethinking of how to protect sensitive data, the researchers describe how they can extract the contents of a computer's memory and discover the secret encryption key used to scramble files. (I tested these claims by giving them a MacBook with FileVault; here's a slideshow.)
>
> "There seems to be no easy remedy for these vulnerabilities," the researchers say. "Simple software changes are likely to be ineffective; hardware changes are possible but will require time and expense; and today's Trusted Computing technologies appear to be of little help because they cannot protect keys that are already in memory. The risk seems highest for laptops, which are often taken out in public in states that are vulnerable to our attacks. These risks imply that disk encryption on laptops may do less good than widely believed." "
>
> Read the entire article at http://www.news.com/8301-13578_3-9876060-38.html?tag=tb or view the video straight from Princeton at http://citp.princeton.edu/memory/.
>
> jim
>

Guest Paul Adare
Posted

Re: ALERT: Disk encryption may not be secure enough

 

On Fri, 22 Feb 2008 16:44:13 -0500, Richard G. Harper wrote:

> I always, ALWAYS carry a can of compressed air upside down in my pocket just so I can super cool the memory chips from a PC and steal the data resident on them. This just goes back to probably the second oldest security rule there is - "If you don't physically secure your computer, it is no longer your computer." The oldest, of course, being "If you let someone else run code on your computer, it is no longer your computer."

You've missed the point here, which is that most full disk encryption utilities, Bitlocker included, advertise, as one of their benefits, the ability to protect confidential data in the event your computer is stolen.

With BDE at least, if you use a TPM with a PIN or a USB device with a PIN and either power off or hibernate your computer, the attack is mitigated.
--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
The generation of random numbers is too important to be left to chance.
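The mitigation Paul describes can be checked on a running machine. The following is an added example, not code from the thread or from Microsoft; it assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later) and an elevated prompt, and treats the `HibernateEnabled` registry value as the indicator of whether hibernate (DRAM powered off) is available instead of sleep (DRAM kept refreshed with the key in it).

```powershell
# Added example (not from the thread): report whether a BitLocker volume
# demands something from the user before the volume key is loaded into DRAM,
# and whether the machine is set up to hibernate rather than sleep.
function Test-ColdBootPosture {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() }

    # A bare 'Tpm' protector unseals the key with no user interaction, so the
    # key sits in DRAM as soon as the laptop powers on, which is exactly the
    # state the Princeton attack targets. 'TpmPin', 'TpmStartupKey' and
    # 'TpmPinStartupKey' require a PIN and/or USB key before that happens.
    $preBootAuth = $types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' }

    # Hibernation writes RAM to hiberfil.sys inside the encrypted volume and
    # powers DRAM down; S3 sleep leaves the key resident in refreshed DRAM.
    $powerKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $hiberEnabled  = (Get-ItemProperty -Path $powerKey -Name HibernateEnabled `
                        -ErrorAction SilentlyContinue).HibernateEnabled -eq 1

    [pscustomobject]@{
        MountPoint          = $MountPoint
        ProtectionStatus    = $vol.ProtectionStatus
        Protectors          = ($types -join ',')
        RequiresPreBootAuth = [bool]$preBootAuth
        HibernateEnabled    = $hiberEnabled
        Recommendation      = if (-not $preBootAuth) {
                                  'Add a TPM+PIN protector (Add-BitLockerKeyProtector -TpmAndPinProtector -Pin <SecureString>)'
                              } elseif (-not $hiberEnabled) {
                                  'Enable hibernation (powercfg /h on) and shut down or hibernate instead of sleeping'
                              } else {
                                  'Matches the mitigation described in this thread'
                              }
    }
}

Test-ColdBootPosture
```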

Guest Mostly Gizzards
Posted

Re: ALERT: Disk encryption may not be secure enough

 

Memo to users:

Never leave your computer unattended while powered on or in Standby Mode. If you feel the need to leave your computer on a random park bench, please ensure that you watch it closely for at least 60 seconds to ensure the contents of the DRAM have decayed adequately to ensure someone cannot possibly extract your encryption keys. At that point in time, feel free to leave the area and frolic about in a carefree fashion - your data is safe.

MG

"Paul Adare" <pkadare@gmail.com> wrote in message news:18prn5yu3ujqv.1bfvlan32fagt$.dlg@40tude.net...
> On Fri, 22 Feb 2008 16:44:13 -0500, Richard G. Harper wrote:
>
>> I always, ALWAYS carry a can of compressed air upside down in my pocket just so I can super cool the memory chips from a PC and steal the data resident on them. This just goes back to probably the second oldest security rule there is - "If you don't physically secure your computer, it is no longer your computer." The oldest, of course, being "If you let someone else run code on your computer, it is no longer your computer."
>
> You've missed the point here, which is that most full disk encryption utilities, Bitlocker included, advertise as one of their benefits, the ability to protect confidential data in the event your computer is stolen.
>
> With BDE at least, if you use a TPM with a PIN or a USB device with a PIN and either power off or hibernate your computer, the attack is mitigated.
> --
> Paul Adare
> MVP - Virtual Machines
> http://www.identit.ca
> The generation of random numbers is too important to be left to chance.

Guest C.Joseph S. Drayton
Posted

Re: ALERT: Disk encryption may not be secure enough

 

jim wrote:

> You may have already heard about or read about this story. If so, this is not for you.
>
> For those people in positions where privacy can mean the life or death of a career or even a person, listen up......
>
> "Computer scientists have discovered a novel way to bypass the encryption used in programs like Microsoft's BitLocker and Apple's FileVault and then view the contents of supposedly secure files.
>
> In a paper (PDF) published Thursday that could prompt a rethinking of how to protect sensitive data, the researchers describe how they can extract the contents of a computer's memory and discover the secret encryption key used to scramble files. (I tested these claims by giving them a MacBook with FileVault; here's a slideshow.)
>
> "There seems to be no easy remedy for these vulnerabilities," the researchers say. "Simple software changes are likely to be ineffective; hardware changes are possible but will require time and expense; and today's Trusted Computing technologies appear to be of little help because they cannot protect keys that are already in memory. The risk seems highest for laptops, which are often taken out in public in states that are vulnerable to our attacks. These risks imply that disk encryption on laptops may do less good than widely believed." "
>
> Read the entire article at http://www.news.com/8301-13578_3-9876060-38.html?tag=tb or view the video straight from Princeton at http://citp.princeton.edu/memory/.
>
> jim

This article is interesting, but does not really touch on the more important and common security risks:

1) The usage of clipboard extenders is widespread and people quite often forget to turn them off when what they are copying shouldn't be stored anywhere other than in a secure file.
2) The pagefile holds all kinds of data.
3) And of course there are all of those temp files that are created and deleted (but not securely deleted) by various applications.

I have found more things by just looking in those 3 places than people thought possible. Add to that the fact that there are freeware programs that will scan for different types of data (i.e. scan for JPGs inside of a pagefile), and you can see how serious breaches in security can occur.

The next problem of course is that if the passwords are physically saved on the disk, then with enough computing power and time a brute force attack on the password file can reap all types of rewards. Once you've cracked the password file, everything else on the drive is an open book.

--

Sincerely,
C.Joseph Drayton, Ph.D. AS&T

CSD Computer Services
Web site: http://csdcs.tlerma.com/
E-mail: csdcs@tlerma.com
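The three residual-data channels listed in the post above (clipboard tooling, the pagefile, leftover temp files) each have a setting or state an administrator can audit. The following is an added example, not code from the thread; it assumes a modern Windows host, an elevated prompt, and that the built-in Windows clipboard history stands in for the third-party "clipboard extenders" the post refers to.

```powershell
# Added example (not from the thread): audit the pagefile, clipboard-history
# and temp-file leak channels on the local machine and return one object.
function Test-ResidualDataPosture {
    param([int]$StaleDays = 7)

    # ClearPageFileAtShutdown = 1 makes Windows overwrite pagefile.sys at
    # shutdown, so copied secrets that were paged out do not survive a reboot.
    $mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $clearPf = (Get-ItemProperty -Path $mm -Name ClearPageFileAtShutdown `
                  -ErrorAction SilentlyContinue).ClearPageFileAtShutdown -eq 1

    # 'fsutil behavior query EncryptPagingFile' prints 'EncryptPagingFile = 1'
    # when the pagefile is EFS-encrypted with a key that changes every boot.
    $encPf = (fsutil behavior query EncryptPagingFile) -match '=\s*1'

    # Clipboard history can be blocked machine-wide by policy
    # (AllowClipboardHistory = 0); anything else means a user may enable it.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $clipAllowed = (Get-ItemProperty -Path $policy -Name AllowClipboardHistory `
                      -ErrorAction SilentlyContinue).AllowClipboardHistory
    $clipBlocked = ($clipAllowed -eq 0)

    # Temp files applications created and never cleaned up (the post's item 3).
    $stale = Get-ChildItem -Path $env:TEMP -File -Recurse -ErrorAction SilentlyContinue |
             Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$StaleDays) }

    [pscustomobject]@{
        PagefileClearedAtShutdown = $clearPf
        PagefileEncrypted         = [bool]$encPf
        ClipboardHistoryBlocked   = $clipBlocked
        StaleTempFiles            = @($stale).Count
        StaleTempBytes            = ($stale | Measure-Object -Property Length -Sum).Sum
    }
}

Test-ResidualDataPosture
```

Remediation for the first two findings is `fsutil behavior set EncryptPagingFile 1` and setting `ClearPageFileAtShutdown` to 1 (both take effect after a reboot); the temp-file count is a prompt to schedule cleanup rather than a setting.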

