Disk Encryption Cracked?

aidanfinn.com, 22 February 2008 (https://aidanfinn.com/?p=9033)

Recent headlines in Ireland made more people aware of disk encryption. A laptop containing the personal information of 170,000 Irish blood donors was stolen in New York. The laptop was being used to transport data as part of an application upgrade process. Normally, security experts would have been screaming ... we remember the information loss in the UK, with a third of the population's personal information going missing on insecure CDs or DVDs. But in this case, the Blood Transfusion Service knew what they were doing. They had encrypted the disk, so the data was effectively secure. Or so we all thought!

A team at Princeton University has reportedly (http://arstechnica.com/news.ars/post/20080221-researchers-crack-filevault-bitlocker-with-canned-air-hack.html) cracked disk encryption. I'm not talking just about SafeBoot or Windows BitLocker ... I'm talking about disk encryption in general!

For disk encryption to work, the operating system on the computer must have access to the disk. For this it keeps the decryption keys in RAM so that it can decrypt the disk as it uses it. RAM does not instantly lose its contents when you turn off your PC, as we are taught in basic computer science. It actually takes a little while for the contents to dissipate. This process takes longer if you chill the RAM modules using something like a can of compressed air. Once the attacker obtains physical access to the machine (by breaking into an insecure branch office "computer room" or stealing a laptop in an airport or cafe) they can start this process. They boot the machine with a special tiny operating system that minimises its impact on RAM. They scan the contents of RAM and can identify patterns associated with AES, DES and RSA keys. This gives them the information required to read the disks of the target computer. The attacker has almost instant access to information that was otherwise considered virtually impregnable.

What does this mean? We have to return to thinking of physical security as a primary answer to data security. Information on PDAs, laptops and even servers in insecure branch offices is back to being vulnerable to dedicated attackers. Ordinary criminal loss is not a concern, because this vulnerability requires an immediate attack on the RAM chips in the computer. It remains a concern where there is a real risk of being targeted by attackers who have the data in mind when they begin the attack.

Let's consider two scenarios. A company gives laptops to directors with a third-party disk encryption solution. It uses AES 256-bit encryption. The director sits in a cafe drinking coffee and reading mail. An attacker paid by a rival company or an intelligence agency (we know certain European countries do this on behalf of native firms, mais oui!) walks in, grabs the laptop and runs out. A van is waiting outside with a couple of engineers who can proceed with the attack. The data on the laptop is lost. The director's inbox is vulnerable; replicated files, etc., are all there. And as we know, directors have access to the most sensitive data.

Here's a worse scenario. We've been told not to place Active Directory domain controllers in branch offices where we cannot physically secure those machines. The reason is that a domain controller contains a replica of all users' usernames and passwords. If the server is stolen then the entire forest is vulnerable and must be flattened and rebuilt. Microsoft's solution was a Windows 2008 Read Only Domain Controller (RODC) with BitLocker disk encryption. This does two things. Disk encryption virtually secures the contents of the disk (or so we thought). The RODC only replicates the data of users in the branch office. This means that once the RODC is lost, an administrator can reset those accounts. It didn't have to be done immediately, because we believed the disk encryption would slow down even the NSA for long enough. Here's the new scenario. An attacker breaks into the branch office on a Friday night. He powers down the RODC and proceeds with the attack with the server in situ. He takes a copy of the required user data from the RODC and puts it on his laptop. He leaves before the weekend is over and nothing is suspected. Using the usernames and passwords he now has, the attacker can attack the rest of the target network with ease.

The solution remains as clear as it always has been. Physical security remains the key to ultimate security. I'm not saying we should abandon encryption. It still plays a part in normal theft or loss and, let's face it, the documented attack requires a dedicated attacker who can carry out the process almost immediately after powering off the machine. It's funny how something as simple as a can of compressed air can be used to defeat something as complex as disk encryption. I bet MacGyver would be proud!

Credit: Anthony Garmont (http://www.minasi.com/forum/topic.asp?TOPIC_ID=25879).