3/14/2008
Finally, they put it all together and used these techniques to successfully attack encryption products such as BitLocker, TrueCrypt, and Apple's FileVault. If you're not used to wading through research findings, this means our data encryption procedures aren't as good as we thought they were. It means back to the drawing board.
But Won't 'Trusted Computing' Hardware Solve the Problem?
The response of some security experts was that the capabilities of Trusted Computing hardware would address the kind of vulnerabilities exploited by the Princeton researchers. (Although not extensively used, Trusted Platform Modules, or TPMs, are now found on many--roughly 150,000--personal computers.) In response, the Princeton researchers point out that even though the TPM controls which software modules can use a key, once the key is stored in DRAM by the application, it is vulnerable to the kind of attack they reported.
They also noted that they were able to defeat Microsoft's BitLocker encryption despite its use of a TPM, and that the use of the TPM actually increased the vulnerability, because the system will automatically mount hardware-protected disks when the machine is powered on.
So What Can Be Done?
Defending yourself against memory imaging attacks is difficult: The key has to be stored somewhere. The Princeton research group that documented this vulnerability recommends countermeasures that focus on discarding or obscuring encryption keys before an adversary might gain physical access, preventing memory-dumping software from being executed on the machine, physically protecting DRAM chips, and possibly making the contents of memory decay more readily.
Unfortunately many of these strategies involve changes to the application or operating system software and are not under the user's control. Examples include software that overwrites encryption keys when they are no longer needed, systems that clear memory at boot time, or systems that limit booting from the network or removable media.
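As an added illustration (not code from the article or from the Princeton group), here is the first software countermeasure, overwriting a key once it is no longer needed, written in C so that the compiler cannot silently drop the overwrite; the key bytes are constructed sample data, and the helper names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Overwrite a key buffer in a way the compiler cannot optimise away.
 * A plain memset() at the end of a function is a "dead store" (the buffer
 * is never read again) and optimisers may remove it, leaving the key in
 * DRAM where a memory-imaging attack would still find it. Writing through
 * a volatile pointer forces every store to happen. */
static void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte in buf is zero, 0 otherwise.
 * OR-accumulates so the loop cost does not depend on where a non-zero byte is. */
int buffer_is_zero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Fill buf with constructed sample key bytes (0x11, 0x22, ...). Not a real key. */
void fill_sample_key(unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        buf[i] = (unsigned char)(0x11 * (i + 1));
    }
}

/* Simulates an application that loads a key, uses it, then discards it.
 * Returns 1 if the key material was actually gone from the buffer afterwards. */
int use_key_then_wipe(unsigned char *key, size_t key_len)
{
    fill_sample_key(key, key_len);
    /* ... the key would be used for encryption here ... */
    secure_wipe(key, key_len);
    return buffer_is_zero(key, key_len);
}
```

The same pattern should be applied to every copy of the key, including temporaries and key-schedule tables, since any surviving copy defeats the wipe.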
Other countermeasures involve hardware changes that are similarly not available to the user. For example, physically protecting the DRAM chips by encasing them in epoxy or designing chips whose memory decays very quickly when power is lost.
Finally, the Princeton group found that locking your computer screen, which leaves the computer running but requires a password before allowing user interaction, does not protect what you have stored in memory. Similarly, putting your computer in "sleep," "suspend," or hibernate mode is not effective since an attacker could simply awaken the computer and extract the contents of memory as described earlier.
Two New Rules to Protect Data on Your Laptop
Fortunately there are practical steps you can take to protect sensitive data on your personal computer:
1. If you have sensitive data on your computer and must leave it unattended, do a complete shutdown. Don't put it to sleep; don't put it in hibernation. Turn it off.
2. After you do a complete shutdown, wait a minute or so before leaving your computer unattended.
Doug Gale is president of Information Technology Associates, LLC (www.it associates.org), an IT consultancy specializing in higher education. He has more than 30 years of experience in higher education as a faculty member, CIO, and research administrator.