reginal..._at_hotmail.com writes:
-+---------------------------------
| Interesting piece from today's New York Times re weakness in
| computer encryption systems.
|
Saving y'all some Googling...
1. Felten's (excellent) blog has an entry on this
>
> http://www.freedom-to-tinker.com/?p=1257
>
2. The actual academic paper
>
> http://citp.princeton.edu.nyud.net/pub/coldboot.pdf
>
3. Well known tech journalist Declan McCullagh, writing
to well known blogger Dave Farber
>
> The paper published today makes some pretty strong
> claims about the vulnerabilities of Microsoft's
> BitLocker, Apple's FileVault, TrueCrypt, Linux's
> dm-crypt subsystem, and similar products.
>
> So I put the folks behind it to a test. I gave them my
> MacBook laptop with FileVault turned on, powered up,
> encrypted swap enabled, and the screen saver locked.
>
> They were in fact able to extract the 128-bit AES key;
> I've put screen snapshots of their FileVault bypass
> process here:
> http://www.news.com/2300-1029_3-6230933-1.html
>
> And my article with responses from Microsoft, Apple,
> and PGP is here:
> http://www.news.com/8301-13578_3-9876060-38.html
>
> Bottom line? This is a very nicely done attack. It's
> going to make us rethink how we handle laptops in sleep
> mode and servers that use encrypted filesystems (a mail
> server, for instance).
>
4. Sherri Davidoff, friend and wizardress at VoIP attacks,
writing to the main cryptography discussion list
>
> As soon as I heard about this research I had to try it
> out. My laptop (ThinkPad) has an encrypted TrueCrypt
> partition. I quickly made a modified bootable DSL USB
> memory dumper, powered the machine down, waited a
> minute, dumped memory, and found that I could recover
> passwords from multiple prior reboots. I was able to
> recover my TrueCrypt password even if the volume was
> not mapped at the time of reboot, as well as GPG
> passwords, SSH passwords, etc etc. It was really easy.
>
> During physical pentests, when I grab an encrypted
> laptop from an office, my clients usually respond that
> the laptop was "encrypted" and the data was therefore
> safe. That's not necessarily true, of course, but we
> don't have the time during these engagements to test
> out the security of the encryption
> products/implementation, and neither do most attackers.
>
> Now attackers (or customs) just have to grab a live
> laptop, plug in a USB memory dumper and power cycle the
> system in order to obtain a dictionary of likely
> passwords and potentially recover encryption keys.
> Presumably tools to accomplish this will soon be
> found in the wild and will become accessible to
> attackers with even low levels of technical skill.
>
> I imagine this will eventually have a big impact on the
> way organizations respond to stolen mobile device
> incidents. With the current technology, if a laptop or
> mobile device is on when it's stolen, companies will
> need to assume that the data is gone, regardless of
> whether or not encryption products have been deployed.
>
> Anyone familiar with the laws in the arena? Are there
> regulations which require reporting only if data on a
> stolen device is not encrypted?
>
--dan
Received on Sat Mar 02 2024 - 00:57:17 CST