Thursday, February 28, 2008

Warming the cold boot – a bit of braggin’ from BitArmor

By now, all of you are aware of the attacks on full disk encryption technologies described by Princeton researchers. In short, they describe how one can “steal” the contents of RAM and extract the encryption passwords kept in clear text. The research concludes that almost all disk encryption products have the same fundamental flaw that enables anyone, without custom-built and expensive resources, to gain access to the system. Rich Mogull has a good blog on how one should think through the ramifications.


This is scary news and rightfully so. We have seen encryption vendors approach this differently.

  • The don’t-worry, be happy approach: Some claim the attack is so esoteric, the customer need not worry – this is just research stuff.
  • Leave it to us approach: Some claim to have solved the problem, but with no indication of what that means or how they do it.
  • Increase your complexity approach: Some want you to increase the end-user complexity with process and unnatural actions to solve the problem. Not a good idea – every time we ask the end user to be responsible, we lose control and confidence that it was indeed secure. Transparency is the key to security.

We at BitArmor have taken another approach – the “solve the problem” approach. In fact, we had solved this problem before it even became a known issue. Our CEO, Patrick McGregor, is one of the researchers mentioned in the Princeton paper as having proposed architectural enhancements to prevent (the key word being prevent :)) these attacks. From the paper:


“Others have proposed architectures that would routinely encrypt the contents of memory for security purposes [28, 27]. These would apparently prevent the attacks we describe..”

The “others” mentioned above, in case you were wondering, are McGregor et al… Check out his blog on his experience at Princeton...

Sorry if we seem to be bragging a bit – not often does a small startup from steeltown open up such a big can of whupass against a broad new threat!

We have since applied (we had the technology already for a while) for multiple patents on technologies to solve these and similar attacks. See the BitArmor website (http://www.bitarmor.com/prevent-cold-boot-attacks/) for a high-level look at how we deal with specific cold boot threats.

As soon as we can write up detailed information on exactly how we are dealing with the specific cold boot threats in our FDE (full disk encryption) as well as PFE (persistent file encryption) solutions, we will put it up here. Look for more information next week…

Tuesday, February 26, 2008

My Princeton Experience and Optimism for Encryption

As we all know by now, Ed Felten and his research group at Princeton have announced yet another landmark result in the realm of data security. For systems ranging from Java VMs to digital rights management to electronic voting machines – and now to disk encryption – the research group has shown that foundations for a secure world remain elusive to the industry.

I enjoyed the opportunity to collaborate with Dr. Felten on the SDMI cracking effort while I was at Princeton. In Felten's recent paper on cold boot attacks against encryption keys in DRAM, part of my Ph.D. thesis (which explored next-generation security architectures) is cited as a long-term solution. Indeed, for laptop encryption and trusted systems to truly realize their promise, hardware and software must be engineered with security at the core, not at the periphery.

The exposed flaws in many encryption solutions are disquieting examples of how difficult it is to engineer security systems for our impatient and diverse world. Routinely, software developers – as opposed to trained security architects – are being asked to design cryptographic systems with complex design parameters and even more complex security implications. The various attacks described in the cold boot paper show that security designers must improve their modeling of human behavior (and physics) when poised in front of their whiteboards.

Security is hard, but it is attainable! I’m optimistic that security engineering methodology will advance over time. Fortunately, today, a few companies are embracing a truly proactive approach for modeling threats and designing security systems.

This week, BitArmor will be making some key technical announcements on the strength of BitArmor software against attacks described in the Felten paper and beyond. Keep your eyes on this space...

Thursday, February 21, 2008

Disk encryption not enough?

Just saw this come off the wire - from news.com on how disk encryption from BitLocker and Apple's FileVault has been circumvented by a few researchers. If this is as simple as they make it sound, this is a bit worrisome. However, I am not ready to buy this fully till I understand this a bit more.

For one, I was under the impression that BitLocker protected against booting via an alternative OS (especially a system with a TPM chip on it) because it can perform bootup integrity checks. The article seems to claim this is one of the ways in... Hmm, not so sure...

Further questions:

  • Is this attack valid for all authentication scenarios such as TPM+PIN?
  • How easy is it to scan the RAM on a locked system?

There was another article recently in eWeek that talked about FDE not being sufficient protection. I personally think that we need defense against multiple scenarios - not sure if the defense-in-depth term can be used, but seems to fit the best...

Looking forward to understanding this a bit more...

Tuesday, February 19, 2008

Laptop = Cinderella, USB = Drizella? I.e. did the USB beat the rap?

Interesting article by Rich Mogull on how to protect USB keys. He seemed to have covered most of the ways one can protect data - I myself like the glue-gun approach! Just kidding, I am all for productivity while being secure.

However, this made me think of breach notification laws. As Rich pointed out and as I blogged about earlier, the sizes of USB keys are getting huge! I have one on my desk now at 8GB and a portable USB hard drive for 250GB! I presume that when people lose their laptops, they have as big a chance of losing one of these hard drives or USB keys. And no one is as concerned, since they don't have to notify anyone if they lose a USB key....

So answer me this - did the USB key and portable hard drive sneak past the breach notification lawmakers? Is the laptop the Cinderella of the family that the lawmakers hate so much? And did the USB, Drizella (which apparently is the stepsister's name according to Disney :)), get away?

And finally, is this analogy a really bad one? :)

Wednesday, February 13, 2008

Encryption - too much of a good (or bad) thing?

Seems like the new angst is about the problems of widespread encryption. Further comments on this by Shanmuga and Rich Mogull - who slams this (to put it mildly:)).

As a technology becomes widely used, it is itself impacted by this usage, and so, in turn, are the users - it's a two-way street. Widespread adoption of cell phones, the net, etc. caused huge changes in how people live and interact - this spurred further changes to these technologies as well. But the one constant of this change is that things become easier to use and more solid and reliable in their capability.

I don't buy the argument that widespread encryption will cause attacks via key management challenges - the key management challenge itself, I think, is overblown. All security companies worth their salt have good solutions for this - those that don't will face the harsh reality of the market. In any case, technology is never going to solve your security problems if you don't back it up with good processes...

Friday, February 8, 2008

CA breach notification law 2.0?...

More new laws! Recent news implies that California might enhance the current laws about data breach notification. They want to clear up how companies notify the affected parties - apparently there is too much jargon and legalese, which leaves most folks not knowing what happened, how it happened and how they are affected.

We have talked about this on our blog - just saw that Tom Olzak also picks this one up. I don't think this is making anything more stringent in terms of disclosure - it just lays down some ground rules on communication clarity. I am all for more clarity - had a tough time figuring out the nuances of a few disclosure letters myself!

Thursday, February 7, 2008

Best practices - notification of a breach

CSO magazine has a fascinating article on notifying stakeholders of a breach. They compare and contrast two styles of letters to customers - interesting stuff. How does one provide details without overwhelming the reader who may not understand everything? Does one mention steps being taken, other breaches in the industry?

I wonder how many folks within the company (as well as lawyers, PR folks) might be involved in this task? I assume this increases the visibility of data breaches across the company - mainly because of the number of senior folks involved. Bit late though, now that the horse has left the barn...