[SecurityRatty] tag: bitarmor

A sneak peek at a Black Hat presentation

Wed, 30 Jul 2008 14:08:27 +0000

No, it is not the Dan K DNS presentation, sorry. Patrick McGregor, CEO of BitArmor Systems is presenting at Black Hat as well. As part of our promotion with the SBN and Black Hat I have made my blog available to Patrick to give us a sneak peek at his presentation. Patrick was nice enough to prepare the following:

Braving the Cold (Boot) – A Sneak Peek of My Presentation at Black Hat

by Patrick McGregor

Cold boot attacks aren’t theoretical academic exercises. Cold boot attacks are real. And they’re serious.

In the past few years, companies have poured hundreds of millions of dollars into full disk encryption technologies. Companies expect full disk encryption to reduce the risk of exposure of sensitive information such as intellectual property or customer data. Reality often deviates from what is expected, however. Researchers from Princeton shocked the industry earlier in 2008 when they released a research paper that showed that low-cost “Cold Boot” attacks could be used to defeat the security of most full disk encryption systems. They recently even published all the tools needed to do this at home!

Some have argued that Cold Boot attacks are not serious security threats. I disagree! First, an unskilled person can capitalize on the exploit using simple, automated steps and publicly available tools. In fact, Cold Boot attacks require nothing more than plugging a USB drive into a laptop. Second, the physical target of a Cold Boot attack, such as a laptop, is very easily obtainable (see the recent Ponemon report on laptops lost/stolen in airports – scary!). Third, although many laptops and desktops are stolen via random acts of theft, it is well known that some criminals profit from organized, calculated data theft. It is only a matter of time before we hear of a high-profile data breach that results from a simple Cold Boot attack.

I am excited to present at Black Hat several innovations for preventing Cold Boot attacks. In addition to summarizing how a Cold Boot attack works, I’ll describe four new software techniques for hardening full disk encryption against the attacks. The software technology was developed by myself, Tim Hollebeek, Alexander Volynkin, and Matt White. All of us work for BitArmor, an exciting security startup based in Pittsburgh. Here’s a sneak peek:

· Wash up: Wipe keys immediately before certain OS state transitions, such as before the computer shuts down or goes into hibernation mode – accessing the memory will yield nothing.

· Take advantage of BIOS memory smashing: By strategically placing keys in certain regions of memory, we can rely on the BIOS boot process to overwrite keys before any operating system can dump the contents of memory.

· Is it chilly in here?: Using built-in temperature sensors, we can lock down the system in reaction to temperature drops that may indicate a Cold Boot attack is in progress.

· Create a virtual enclave for keys: We can implement special cryptographic, OS and processor architecture techniques to provide robust protection for keys against the most aggressive cold boot attacks. By creating a “virtual secure enclave” for encryption keys in software, an attacker cannot extract critical keys from memory – even if the RAM is super-cooled.

Hope you can join us at Black Hat as we take an in-depth look at the future of full disk encryption technology.

For your hacking pleasure - Cold Boot utilities released!

Wed, 23 Jul 2008 09:32:00 +0000

Interesting news over the weekend. Looks like one of the original researchers from the Princeton Cold Boot attack work, Jacob Applebaum, published all the utilities they used to break full disk encryption products.

We, at BitArmor, have talked a bit about cold boot and how we protect against it. Our CEO Patrick and a few of our senior engineers will be presenting at Black Hat on techniques to prevent this attack - check out his perspective as well from his Princeton days.

RSA 2008 Keynote: Craig Mundie

Wed, 09 Apr 2008 20:16:00 +0000

Yesterday was a busy day, so I get a bit behind with my updates on RSA, but I wanted to post about the Microsoft keynote, in addition to the others I attended.

Format was fireside chat, with Craig Mundie, Microsoft's Chief Research and Strategy Officer sitting and talking with Chris Leach, Chief Information Security Officer at Affiliated Computer Services. [fwiw, I personally don't love the fireside chat format. Give me videos, fancying graphics and lots of acrobats on the stage ...]

I knew generally what Craig was going to talk about, but I was very interested to hear Craig's perspective and see how he thought about and talked about the end-to-end Trust topic. In my opinion, this is one of the key topics that could help guide where Microsoft security efforts will go over the next 5 years, building on the past 5 years, and I am happy to see that leadership (Craig, Scott Charney) are approaching it as a dialog with industry and a recognition that it needs interoperability and industry support.

Two key topics stuck with me at the end of the keynote:

How security and privacy are very independent, supporting each other, while also having a tension between them.
Any technological efforts supporting End-to-end Trust will need to be very inclusive in order to work in heterogeneous environments. Past infrastructure efforts (e.g. PKI) have demonstrated that the level of work and investment required means that it is more likely to hit roadblocks if existing business processes are excluded.

After the keynote, with the excellent assistance of Eric Green, I was able to pin down several Microsoft partners and get their thoughts on these two areas. Listen to the attached mp3 to hear our discussions with these good folks:

Sandy Porter
Director, Strategy
Avoco Secure

Jeremiah Beckett
President
SecureVantage Technologies

Patrick McGregor, Ph.D.
CEO
BitArmor

Jon Callas
CTO & CSO
PGP Corporation

Conrad G. Bayer
Senior Vice President
IDA Strategy
Avalaris, Inc.

Edward J. Gaudet
Senior Vice President, Corporate Development and Marketing
Liquid Machines

I did get a couple of these folks on video as well, so once I get that edited and uploaded, I'll update with links to those.

Additional information that is available on End to End Trust:

Best regards from RSA ~ Jeff

Warming the cold boot a bit of braggin from BitArmor

Thu, 28 Feb 2008 10:17:00 +0000

By now, all of you are aware of the attacks on full disk encryption technologies described by Princeton researchers. In short, they describe how one can “steal” the contents of RAM and extract the encryption passwords kept in clear text. The research concludes that almost all disk encryption products have the same fundamental flaw that enables anyone, without custom-built and expensive resources, to gain access to the system. Rich Mogull has a good blog on how one should think through the ramifications.

This is scary news and rightfully so. We have seen encryption vendors approach this differently.

The don’t-worry, be happy approach: Some claim the attack is so esoteric, the customer need not worry – this is just research stuff.
Leave it to us approach: Some claim to have solved the problem, but with no indication of what that means or how they do it.
Increase your complexity approach: Some want you to increase the end-user complexity with process and unnatural actions to solve the problem. Not a good idea – every time we ask the end user to be responsible, we lose control and confidence that it was indeed secure. Transparency is the key to security..

We at BitArmor have taken another approach – the “solve the problem” approach. In fact, we had solved this problem, before it even became a known issue. Our CEO, Patrick McGregor is one of the researchers mentioned in the Princeton paper as having proposed architectural enhancements to prevent (the key word being prevent :))these attacks. From the paper:

“Others have proposed architectures that would routinely encrypt the contents of memory for security purposes [28, 27]. These would apparently prevent the attacks we describe..”

The “others” mentioned above, in case you were wondering, are McGregor et al… Check out his blog on his experience at Princeton...

Sorry if we seem to be bragging a bit – not often does a small startup from steeltown open up such a big can of whupass against a new broad new threat!

We have since applied (we had the technology already for a while) for multiple patents on technologies to solve these and similar attacks. Find out more on the BitArmor website (http://www.bitarmor.com/prevent-cold-boot-attacks/) for a high level look at how we deal with specific cold boot threats.

As soon as we can write up detailed information on exactly how we are dealing with the specific cold boot threats in our FDE (full disk encryption) as well as PFE (persistent file encryption) solutions, we will put it up here. Look for more information next week…

My Princeton Experience and Optimism for Encryption

Tue, 26 Feb 2008 02:56:00 +0000

As we all know by now, Ed Felten and his research group at Princeton have announced yet another landmark result in the realm of data security. For systems ranging from Java VMs to digital rights management to electronic voting machines – and now to disk encryption – the research group has shown that foundations for a secure world remain elusive to the industry.

I enjoyed the opportunity to collaborate with Dr. Felten on the SDMI cracking effort while I was at Princeton. The recent paper on disk encryption vulnerabilities cites work based on part of my Ph.D. thesis (which explored next-generation security architectures) as a long-term solution. Indeed, for laptop encryption and trusted systems to truly realize their promise, hardware and software must be engineered with security at the core, not at the periphery.

The exposed flaws in many disk encryption solutions are yet another set of disquieting examples of how difficult it is to engineer security systems for our impatient and diverse world. Routinely, software developers – as opposed to trained security architects – are being asked to design cryptographic systems with complex design parameters and even more complex security implications. The various attacks described in Felten’s recent paper show that security designers must improve their modeling of human behavior (and physics) when poised in front of their whiteboards.

Security is hard, but it is attainable! I’m optimistic that security engineering methodology will advance over time. Fortunately, today, a few companies are embracing a truly proactive approach for modeling threats and designing security systems.

This week, BitArmor will be making some key technical announcements on the strength of BitArmor software against attacks described in the Felten paper and beyond. Keep your eyes on this space...

New survey: Consumers plan to sharply limit use of cards (AKA, have we awakened a sleeping giant?)

Wed, 28 Nov 2007 12:39:00 +0000

We have heard it all over – customers do not seem to be concerned about retailers mismanaging their data. They still spend money in those stores. It does not impact retailer revenue or stock price. So, let us not worry about it too much.
Wrong. I believe it is just a matter of time before consumers understand the issue and become intolerant of sloppy data protection. And maybe that time has come. The recent story on “60 Minutes” is shining a light on the issue and is an indicator of rising consumer awareness.
Coincidently, we at BitArmor, in partnership with several local TV news departments, conducted a survey over the Black Friday weekend (400 respondents) on this very issue. The results are significant, if not surprising:
· Three out of four consumers are concerned about companies not adequately protecting their data;
· Two-thirds of consumers plan to use their credit card for less than 25% of their holiday purchases;
· Only around 2% say they will continue shopping at a retailer they have heard does not do a good job of protecting data;
· More than 40% have had their identity stolen or know of someone who has;
· 75% of respondents say they would warn friends and family if they knew a store where they shopped wasn’t adequately protecting their data, 33% would sign up for credit monitoring and around 70% say they would be more careful while using their cards.
This should serve as a huge wakeup call to any company that works with sensitive payment card data; their customers are seeing what’s going on, and they don’t like it. Shoppers are increasingly concerned about what’s happening to their data. It’s reflected in fewer people using their credit cards, and it’s reflected in them saying they’ll shop at other stores if they don’t feel their personal information is being adequately protected. It seems we have awakened a sleeping giant…consumers who are spreading the word among friends and families about whom they consider to be are “poor” retailers (from the data protection point of view).
I’ve talked with some analysts who reject the notion that things will ever change. They say that consumers talk a good game, but don’t change their actual buying habits. Perhaps…but when “60 Minutes” starts referring to TJX by name, and calling its security efforts “outdated” and “obsolete,” I have to believe that a lot of shoppers will think twice before using their credit cards there right away. (And apparently Michael Horowitz at CNET agrees with me.)
All this points to the importance of securing customer data and making sure the right policies are in place. Is that enough? Maybe, but to increase customer confidence in a retailer, they will have to work just as hard in protecting their brand and increasing perception of trust.

PCI compliance are you just checking the box?

Wed, 14 Nov 2007 19:05:00 +0000

I will be presenting at the RSR conference this week, and this has me thinking more deeply about challenges that retailers are facing in complying with the Payment Card Industry (PCI) standards. I speak with many retailers in my role – BitArmor helps them secure and manage cardholder data in their environments. One of the challenges that retail CISO’s face is selling senior management on the funding of PCI initiatives. Often, senior management would rather invest in opening a new store than in purchasing an encryption solution to secure their existing infrastructure. For them, PCI is viewed as a necessary evil: many retailers are simply trying to check the compliance box instead of embracing the business benefits that PCI compliance can bring.

Is there value beyond just checking the box?

Yes!

PCI compliance efforts deliver significant value beyond the immediate data protection benefits. As part of becoming compliant, many retailers are being forced to rethink their systems, data paths, security models, networks, and policies. Fully addressing PCI requires solving these hard process problems, and this is an opportunity to build a strong operational base (making you competitive and agile) for the future of the company. As a result, working towards PCI compliance can increase both revenue and profit.

I see PCI (and so do many retail technologists) as today’s Y2K for retailers. Over the past 10 years, many companies have benefited from their efforts to address the Y2K bug. Y2K catalyzed massive investment in IT infrastructure that improved corporate processes and facilitated more efficient relationships with customers. The similarities between Y2K and PCI initiatives are striking. I believe the benefits will prove to be similar as well.

IT funding exists within many retailers to address PCI challenges. Retailers that take PCI compliance seriously and implement deep operational changes will reap many benefits. Those who view it as an exercise to pass an audit are missing a huge opportunity.

Sandy Porter Director, Strategy Avoco Secure
Jeremiah Beckett President SecureVantage Technologies
Patrick McGregor, Ph.D. CEO BitArmor
Jon Callas CTO & CSO PGP Corporation
Conrad G. Bayer Senior Vice President IDA Strategy Avalaris, Inc.
Edward J. Gaudet Senior Vice President, Corporate Development and Marketing Liquid Machines