[Dataloss] (article) "We recovered the laptop!" ... so what?

B.K. DeLong bkdelong at pobox.com
Fri Feb 16 08:32:21 EST 2007


It's funny - PKI and Key Management have been (mostly) mastered by the
military and intelligence services (or at least taken VERY seriously
the past few years)....you'd think the business world would have
looked to them by now for guidance.

On 2/16/07, Adam Shostack <adam at homeport.org> wrote:
> When we wanted to perform m of n key backup for the master keys at
> Zero Knowledge systems, there was nothing commercially available.  Is
> there anything now? I'm unaware of anyone who uses m of n sharing in
> the real enterprise systems.  Please enlighten me.
>
>
> On Wed, Feb 14, 2007 at 10:03:41PM -0500, sawaba wrote:
> | When serious encryption is needed, key management is as important as the
> | algorithm and key strength used. Most people have seen in the movies when
> | it takes multiple keys turned at the same time to activate the firing
> | mechanism for a nuclear weapon. It is similar in many enterprise data
> | encryption situations (minus the threat of worldwide destruction). M of N
> | key management requires a certain minimum number (say 3 of 6) of
> | custodians to input their piece of the key to decrypt the data.
> |
> | Obviously, this doesn't work when you need to log into your laptop ("yeah
> | Bob, this is Mike, could you come down to Starbucks and log me in again? I
> | went to the bathroom and it powered off while I was gone"). So, we come
> | back to the fact that certain kinds of data shouldn't be on laptops in the
> | first place.
> |
> | --Sawaba
> |
> | On Tue, 13 Feb 2007, Adam Shostack wrote:
> |
> | >Speaking for myself here.  As I understand things:
> | >
> | >Certain versions of Vista (I think Ultimate and Enterprise) include
> | >Bitlocker whole drive encryption.  It's not on by default because of issues
> | >about key management.  So just upgrading to Vista, in and of itself,
> | >doesn't change anything.
> | >
> | >Bitlocker itself has a bunch of modes, ranging from keys stored in a
> | >TPM and unlocked with a PIN, to keys stored on the hard drive and
> | >unlocked with a password.  How you actually protect the encryption
> | >keys might be seen as important.  I don't know if anyone has done a
> | >comparison against state laws.
> | >
> | >Adam
> | >
> | >On Tue, Feb 13, 2007 at 07:34:43AM -0500, Herve Roggero wrote:
> | >| Let me give an example: If I do business in California, and my
> | >| unencrypted laptop gets stolen with 100,000 SSNs in it, stored in
> | >| clear text, I need to disclose this loss and reach out to 100,000
> | >| people to comply with SB 1386.
> | >|
> | >| Now, if I upgrade my laptops to MS Vista, can I get away with it?
> | >|
> | >| I'm only asking as I am seeing an interesting response from CXO
> | >| individuals looking at MS Vista as a solution to their laptop/legal
> | >| issues. If there is no official technical workaround to this
> | >| encryption and it takes thousands or millions of years to crack,
> | >| then it may fall under the "reasonable" steps to protect information
> | >| and become a powerful tool for businesses looking to comply.
> | >|
> | >|
> | >|
> | >| Thank you
> | >|
> | >| Herve Roggero
> | >|
> | >| Managing Partner, Pyn Logic LLC
> | >|
> | >| Cell: 561 236 2025
> | >|
> | >| Visit www.pynlogic.com
> | >|
> | >|
> | >-------------------------------------------------------------------------------
> | >|
> | >| From: blitz [mailto:blitz at strikenet.kicks-ass.net]
> | >| Sent: Monday, February 12, 2007 8:14 PM
> | >| To: Herve Roggero
> | >| Cc: dataloss at attrition.org
> | >| Subject: RE: [Dataloss] (article) "We recovered the laptop!" ... so what?
> | >|
> | >|
> | >|
> | >| Ok, so you've got a copy of an encrypted disk to crack at your leisure.
> | >| The data is still compromised and in someone else's hands, and they
> | >| have no idea if it's secure or not.
> | >| That still counts as a loss in my book.
> | >|
> | >| At 08:54 2/12/2007, you wrote:
> | >|
> | >|
> | >| Hi everyone
> | >|
> | >| This thread is very interesting. All techniques so far deal with
> | >| reading data at a low level. Will Windows Vista prevent techniques
> | >| such as Symantec Ghost? I understand that Vista performs bit-level
> | >| encryption with its BitLocker technology.
> | >|
> | >| Thanks.
> | >|
> | >| Herve Roggero
> | >| Managing Partner
> | >| Pyn Logic LLC
> | >| Visit www.pynlogic.com
> | >|
> | >
> | >| _______________________________________________
> | >| Dataloss Mailing List (dataloss at attrition.org)
> | >| http://attrition.org/dataloss
> | >| Tracking more than 148 million compromised records in 573 incidents
> | >| over 7 years.
> | >
>


-- 
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org                    Son.
http://www.ianetsec.com                    Work.
http://www.bostonredcross.org             Volunteer.
http://www.carolingia.eastkingdom.org   Service.
http://bkdelong.livejournal.com             Play.


PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org
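The "M of N" key custody that sawaba describes and Adam asks about is, in standard cryptographic terms, threshold secret sharing; the usual construction is Shamir's scheme, which splits a key into n shares such that any m of them reconstruct it and any fewer reveal nothing. The following is an added example written for this page, not code from the thread or from any product mentioned in it. It assumes a 3-of-6 split of a constructed 128-bit key over the prime field 2^127 - 1; the function names, the prime, and the sample key are all choices made here.

```python
"""Added example: m-of-n threshold secret sharing (Shamir's scheme).

Not code from the Dataloss thread or any product it mentions. The secret,
threshold and share count used in demo() are constructed sample values.
"""
import secrets

# Mersenne prime 2**127 - 1: large enough to hold a 16-byte key as one
# field element while keeping the numbers readable. A 256-bit key would
# need a larger prime (or splitting the key into two elements).
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, mod PRIME (Horner)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, m, n):
    """Split an integer secret into n shares; any m of them recover it.

    Returns a list of (x, y) points on a random degree m-1 polynomial
    whose constant term is the secret. x = 0 is never issued as a share,
    because f(0) is the secret itself."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate f(0) from the supplied (x, y) shares.

    Given at least m distinct shares this returns the secret. Given fewer,
    it still returns a number, but one that is unrelated to the secret and
    indistinguishable from random: the caller gets no hint that the
    threshold was not met, which is why custodians must be fixed up front."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for k, (xk, _) in enumerate(shares):
            if k != j:
                num = (num * (-xk)) % PRIME        # (0 - x_k)
                den = (den * (xj - xk)) % PRIME    # (x_j - x_k)
        # Modular inverse by Fermat's little theorem (PRIME is prime).
        lagrange_at_zero = num * pow(den, PRIME - 2, PRIME) % PRIME
        total = (total + yj * lagrange_at_zero) % PRIME
    return total


def demo():
    """3-of-6 split of a constructed 128-bit key.

    Returns (recovered_with_three, recovered_with_two): three custodians
    reconstruct the key, two do not."""
    key = int.from_bytes(bytes(range(16)), "big")   # constructed sample key
    shares = split_secret(key, 3, 6)
    with_three = recover_secret([shares[0], shares[3], shares[5]]) == key
    with_two = recover_secret([shares[1], shares[4]]) == key
    return with_three, with_two


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The shares themselves still need protection (each custodian's piece is typically wrapped with that person's own credential or hardware token), and as sawaba notes this is a ceremony for master keys in a data centre, not something that fits a laptop boot prompt.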

