BreachExchange mailing list archives
Re: fringe: Researchers: Disk Encryption Not Secure
From: "B.K. DeLong" <bkdelong () pobox com>
Date: Thu, 21 Feb 2008 16:03:41 -0500
Well, if anything I think it makes a further case for using multifactor authentication in order to login to machines - a "something you have" piece. Of course, if we knew what we know now and all had robust data classification schemes allowing us to have to protect only that business critical or regulation-controlled data, we wouldn't have to boil the ocean. We could put in place RBAC and DRM/ERM might actually be doable. Now where's that Business Impact Assessment from the DR/BCP plan? Sounds like a good place to start.....if pigs could fly. ;)

On Thu, Feb 21, 2008 at 3:48 PM, security curmudgeon <jericho () attrition org> wrote:
[Companies who suffer a data loss incident, take note. Not only is the "password" to the operating system worthless, now the encrypted drives that we never see used are too. =) -jericho]

http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html

Researchers: Disk Encryption Not Secure
By Kim Zetter
February 21, 2008 | 12:13:48 PM

Researchers with Princeton University and the Electronic Frontier Foundation have found a flaw that renders disk encryption systems useless if an intruder has physical access to your computer -- say in the case of a stolen laptop or when a computer is left unattended on a desktop in sleep mode or while displaying a password prompt screen.

The attack takes only a few minutes to conduct and uses the disk encryption key that's stored in the computer's RAM. The attack works because content as well as encryption keys stored in RAM linger in the system, even after the machine is powered off, enabling an attacker to use the key to collect any content still in RAM after reapplying power to the machine.

"We've broken disk encryption products in exactly the case when they seem to be most important these days: laptops that contain sensitive corporate data or personal information about business customers," said J. Alex Halderman, one of the researchers, in a press release. "Unlike many security problems, this isn't a minor flaw; it is a fundamental limitation in the way these systems were designed."

[..]

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml
--
B.K. DeLong (K3GRN)
bkdelong () pobox com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org