[Dataloss] fringe: Researchers: Disk Encryption Not Secure

B.K. DeLong bkdelong at pobox.com
Thu Feb 21 21:03:41 UTC 2008


Well, if anything I think it makes a further case for using
multifactor authentication in order to log in to machines - a
"something you have" piece.

Of course, if we knew what we know now and all had robust data
classification schemes allowing us to have to protect only that
business critical or regulation-controlled data, we wouldn't have to
boil the ocean.

We could put RBAC in place, and DRM/ERM might actually be doable. Now
where's that Business Impact Assessment from the DR/BCP plan? Sounds
like a good place to start... if pigs could fly. ;)

On Thu, Feb 21, 2008 at 3:48 PM, security curmudgeon
<jericho at attrition.org> wrote:
>
>  [Companies who suffer a data loss incident, take note. Not only is the
>   "password" to the operating system worthless, now the encrypted drives
>   that we never see used are too. =)  -jericho]
>
>
>  http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html
>
>  Researchers: Disk Encryption Not Secure
>  By Kim Zetter  February 21, 2008 | 12:13:48 PM
>
>  Researchers with Princeton University and the Electronic Frontier
>  Foundation have found a flaw that renders disk encryption systems useless
>  if an intruder has physical access to your computer -- say in the case of
>  a stolen laptop or when a computer is left unattended on a desktop in
>  sleep mode or while displaying a password prompt screen.
>
>  The attack takes only a few minutes to conduct and uses the disk
>  encryption key that's stored in the computer's RAM.
>
>  The attack works because content as well as encryption keys stored in RAM
>  linger in the system, even after the machine is powered off, enabling an
>  attacker to use the key to collect any content still in RAM after
>  reapplying power to the machine.
>
>  "We've broken disk encryption products in exactly the case when they seem
>  to be most important these days: laptops that contain sensitive corporate
>  data or personal information about business customers," said J. Alex
>  Halderman, one of the researchers, in a press release. "Unlike many
>  security problems, this isn't a minor flaw; it is a fundamental limitation
>  in the way these systems were designed."
>
>  [..]
>  _______________________________________________
>  Dataloss Mailing List (dataloss at attrition.org)
>  http://attrition.org/dataloss
>
>



-- 
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.


PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org
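The quoted article's point is that a disk-encryption key sitting in RAM survives a power cycle long enough to be read back. The one thing software can do about that on its own is to stop holding the key when it does not need it: wipe it before the machine sleeps and re-derive it from the passphrase on resume. The following C program is an added illustration of that mitigation, not code from the thread or from the Princeton/EFF researchers; the function names, the suspend hook and the 16-byte sample key are constructed for the example.

```c
/* Added example (not from the thread or the Princeton/EFF work): scrub key
 * material from RAM before sleep or shutdown so it is not left behind for a
 * cold-boot memory capture. Names and the sample key are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 16

/* Calling memset through a volatile function pointer stops the compiler from
 * deleting the wipe as a "dead store" when the buffer is never read again,
 * which is the usual way a plain memset on key material silently fails. */
static void *(*volatile secure_memset)(void *, int, size_t) = memset;

/* Overwrite a key buffer with zeros in a way the optimizer must honour. */
void scrub_key(uint8_t *key, size_t len) {
    secure_memset(key, 0, len);
}

/* Returns 1 if every byte of the buffer is zero, 0 otherwise. The OR
 * accumulator checks all bytes without branching on their values. */
int key_is_scrubbed(const uint8_t *key, size_t len) {
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= key[i];
    }
    return acc == 0;
}

/* Hypothetical suspend hook: a disk-encryption layer would call this before
 * the OS enters sleep and re-derive the key from the user's credential on
 * resume. Returns 1 when the key was wiped, 0 if residue remains. */
int on_suspend(uint8_t *key, size_t len) {
    scrub_key(key, len);
    return key_is_scrubbed(key, len);
}

/* Shows the wipe working on a constructed sample key. Returns 1 when the
 * key was resident before the hook and fully zeroed after it. */
int demo_scrub(void) {
    uint8_t key[KEY_LEN] = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04,
                             0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c };
    int before = key_is_scrubbed(key, KEY_LEN);  /* 0: key is resident */
    int after  = on_suspend(key, KEY_LEN);        /* 1: key is gone     */
    return (before == 0) && (after == 1);
}

int main(void) {
    printf("key scrub before suspend: %s\n", demo_scrub() ? "ok" : "FAILED");
    return 0;
}
```

The caveat a practitioner should keep in mind: this only helps when software gets a chance to run before power is lost. A machine left in sleep mode or at a password prompt, the two cases the article names, still has the key resident, so the operational countermeasures are to hibernate or fully power off rather than sleep and to require the passphrase again on every resume; zeroization like the above just makes sure the software side does its part.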

