[SecurityRatty] tag: faqs

Microsoft Exchange Server and Outlook email archiving FAQs

Wed, 30 Jul 2008 06:54:42 +0000

Get email-archiving advice for Exchange Server, Outlook and OWA. Plus, learn about email-archiving tools and methods to achieve effective data retention.

Indiana State University professor's laptop is stolen

Thu, 17 Jul 2008 05:29:35 +0000

Technorati Tag: Security Breach

Date Reported:
7/15/08

Organization:
Indiana State University

Contractor/Consultant/Branch:
None

Victims:
"students who took economics classes from 1997 through the spring semester 2008"

Number Affected:
"more than 2,500"

Types of Data:
"names, grades, e-mail addresses and student identification numbers"*

*Until 2003, student identification numbers were the equivalent of each student’s Social Security number.

Breach Description:
"A password-protected laptop computer containing personal information for current and former Indiana State University students was stolen during the weekend, the university reported Tuesday."

Reference URL:
Indiana State University
Associated Press via WTHI Channel 10 News
Associated Press via Chicago Tribune

Report Credit:
Indiana State University

Response:
From the online sources cited above:

A password-protected laptop computer containing personal information for current and former Indiana State University students was stolen during the weekend, the university reported Tuesday.
[Evan] What do you suppose the purpose of the "password-protected" mention is? I hope it is not meant to reassure anyone that the information is safe. For those of you that do not know, password-protection is easily bypassed and in the opinion of many information security professionals (this one included), does NOT provide adequate protection for confidential information.

While there is no evidence to suggest that password security was breached, the university is taking the precaution of notifying all affected students for whom it has current contact information.
[Evan] If someone were to breach the "password security", what evidence would the school see? None. There would be no evidence (except locally on the laptop) if the local password store had been compromised. The school no longer has possession of the laptop, so the school would have no evidence.

The laptop contained data for students who took economics classes from 1997 through the spring semester 2008, estimated at more than 2,500 individuals.

If you took an economics class during this time period, but did not receive a letter, please call the Registrar’s Office to verify that you were on the list, and to update your address so that we may send you a letter.
[Evan] Contact information for the Registrar's Office, click here.

The information includes names, grades, e-mail addresses and student identification numbers.

Beginning in 2003, use of social security numbers as student ID numbers was discontinued in favor of university-specific identification numbers.
[Evan] A sound security decision by the university would have been to follow up with a project to identify and remove Social Security numbers already held as student IDs. Maybe it was, but the information on this laptop was missed.

The theft occurred Saturday while the professor was traveling in southern Indiana

the professor was traveling with his family and briefly left the computer unattended
[Evan] A laptop can grow legs in a flash. A person doesn't need to leave a laptop unattended for very long for it to disappear.

The incident occurred on July 12, 2008 and was reported to university officials on July 14, 2008.

The incident was reported immediately to the appropriate law enforcement agency and early Monday to university officials.

The extent of the information contained on the computer was not determined until Monday night.

Faculty and staff are being reminded that university policy prohibits the storage of private, sensitive data on portable computers.
[Evan] Excellent policy provision. Policy does little if it is not communicated, enforced, audited against, and improved. Where was the failure in the breach? Was the policy not communicated to this professor, and thus he/she was not aware?

In addition, laptops provided to faculty are equipped with several security measures including encryption and a bio-metric fingerprint reader to prevent access by anyone other than the assigned user.
[Evan] An excellent standard (or procedure).

Approximately 500 ISU faculty members have laptop computers.

The university is reviewing its procedures to ensure compliance with existing policies, said Interim President C. Jack Maynard, the university’s provost and vice president for academic affairs

From the FAQs:

Q: What can someone do with a stolen SSN?
A: "With just a SSN there is little anyone can do in the way of setting up a false identity or securing credit. Generally an identity thief would need more information and documentation to set up false credit.
[Evan] A SSN needs to be held in strict confidentiality in today's financial, employment, health, and other systems. It is often used for identification and authentication. Once an identity thief has a SSN, the owner of that SSN is now a prime target because the thief has the most confidential piece of information (ingredient) in the identity theft recipe. The rest of the information is typically easier to come by, i.e. name, address, employer, etc. It is true that an SSN alone is not enough information to commit identity theft, but it is an EXCELLENT start.

Commentary:
We can assume that the school knows the risks involved in storing confidential information on a poorly protected laptop. Otherwise, they probably wouldn't have policy and procedure against it. The school's statements that are meant to minimize the risk, seemingly without fact, are disappointing.

Past Breaches:
Unknown

Florida's Agency for Health Care Administration reports a breach

Wed, 09 Jul 2008 07:15:38 +0000

Technorati Tag: Security Breach

Date Reported:
7/7/08

Organization:
State of Florida

Contractor/Consultant/Branch:
Agency for Health Care Administration

Victims:
registered organ donors

Number Affected:
"about 55,000"

Types of Data:
"names, addresses, birth dates, driver license numbers and Social Security numbers"

Breach Description:
"TALLAHASSEE, Fla. - State health officials say a security breach in the Organ and Tissue Donor Registry may have exposed thousands of donors' personal information, including their social security numbers."

Reference URL:
AHCA FAQs
Sarasota Herald-Tribune
WCTV CBS News
Orlando Sentinel

Report Credit:
Sarasota Herald-Tribune

Response:
From the online sources cited above:

TALLAHASSEE, Fla. - State health officials say a security breach in the Organ and Tissue Donor Registry may have exposed thousands of donors' personal information, including their social security numbers.

The Agency for Health Care Administrations said Monday it has corrected the flaw, which may have allowed unauthorized users to view the personal information of roughly 55,000 donors.

"We stopped all access to the database, identified the flaws and corrected them."
[Evan] This breach makes me wonder a couple of things. Is information security testing part of the development lifecycle and change control? I also wonder if AHCA uses a formal change control process with segregated development, test, and production environments.

The database includes donors' names, addresses, birth dates and driver license numbers.

The agency is sending letters to inform individuals of the flaw.
[Evan] What kind of flaw, do you suppose? A Code flaw, an administrative/process flaw, a configuration flaw?

AHCA Secretary Holly Benson said they have not received any indication that the information was accessed inappropriately.
[Evan] No logging? Logging of the systems, processes, and people accessing confidential information is a must. Extensive logging would be able to determine if the information "was accessed inappropriately" (assuming the logs weren't subject to unauthorized modification).

The breach happened on June 20 and was fixed a day later, but officials say they thought it best to make the public aware.
[Evan] What does the "breach happened on June 20" mean? It could mean that a flaw was detected on June 20, but could have been in existence for longer. It could mean that a vulnerability was actually exploited on June 20. I guess it really depends on your definition. I assume that the author means that something changed (code push, updated information, configuration, etc.) on June 20.

"If you have not received a letter our logs note that your information was not affected by this security flaw."

A couple of FAQs:
Q: If I have additional questions regarding this issue, what should I do?
A: You can call 866 757 0677. This number is open Monday through Friday from 8AM to 7PM Eastern.

Q: If I am a registered donor and I receive a letter, does this mean that I am a victim of identity theft?
A: No. It is unlikely that someone has accessed your information or used it inappropriately. It does not mean that you are a victim of identity theft or that the information may be used to commit fraud. The Agency for Health Care Administration wanted to let you know about the incident so you are aware and may take steps as you see fit.
[Evan] Again, poor logging and other detective controls lead to statements such as "It is unlikely that someone accessed...".

Commentary:
Ugh! I am left with too many questions about this breach. On the surface, this breach doesn't look all that significant unless of course, you are a victim. When I read into it more, I realize that I have some serious concerns surrounding process, control, and detection mechanisms used at AHCA. With less detail, it is easier to imagine.

Past Breaches:
State of Florida:
January, 2008 - Five stolen Florida Department of Children and Families laptops

Times Up IPv6 OMB Mandate

Mon, 30 Jun 2008 15:27:18 +0000

Three years ago, the OMB set a June 2008 deadline “by which all agencies’ infrastructure (network backbones) must be using IPv6 and agency networks must interface with this infrastructure.”

Agencies are supposed to demonstrate that they can:

Transmit IPv6 traffic from the Internet and external peers, through the core (WAN), to the LAN.
Transmit IPv6 traffic from the LAN, through the core (WAN), out to the Internet and external peers.
Transmit IPv6 traffic from the LAN, through the core (WAN), to another LAN (or another node on the same LAN).

(Source: OMB IPv6 FAQs)

One year ago, the OMB reviewed the Enterprise Architecture Assessment Framework results and found that six of the twenty-four agencies were on track to achieve the June deadline. Two months ago, there was a good article by Carolyn Marsan Duffy about the status of compliance. Take a look at this article because it seemed like there was a lot of backpedaling going on about meeting the date – using phrases like “we don’t like the term mandate” and “more of a recommendation than a mandate.” At the time, only three agencies were in compliance.

Duffy just wrote an updated article, “Feds say they have aced IPv6 deadline”, and suddenly two months later, all lights seem green. As of June 24, ten of the twenty-four agencies sent emails to the OMB stating that “they have successfully transmitted IPv6 packets”. Fourteen still need to report in, but none have asked for an extension. And all of it was done through the regular tech refresh budget over the past three years. So if this is true, kudos to the feds!

Right around the time of the first not-so-rosy article, we ran a survey at FOSE, the big federal government IT show. We asked attendees if their agencies would be ready by the deadline:

33% said they would be ready
6% said they were already there
33% said they would NOT be ready
About a quarter didn’t know

What was really interesting is that we asked this same question in 2007, and the audience was equally split (yes/no) on whether or not their agencies would meet the mandate – 1 in 5 (2007) instead of 1 in 3 (2008).

So what can explain these numbers? Surprisingly, out of the attendees we talked to, only 65% of them said that IPv6 is important to their operations, making it second to last on the list of IT priorities covered by the survey. Maybe the answer lies in the relative “unimportance” of the milestone – that just the network backbones (and the routers supporting them) be capable of passing IPv6 packets. The true test for government IT workers will be when actual IPv6 applications must be supported which will impact networks, systems, application and monitoring tools throughout the government.

So was this a nice checklist item for the Bush administration? This initial deadline is the only one for IPv6 mandates from the current OMB incarnation. Actually running IPv6 applications, that’s a whole ‘nother story, apparently for a new administration.

ShareThis

Laptop stolen from R.E. Moulton may affect 19,000

Sun, 15 Jun 2008 18:15:45 +0000

Technorati Tag: Security Breach

Date Reported:
5/23/08

Organization:
OneAmerica

Contractor/Consultant/Branch:
R.E. Moulton, Inc.

Victims:
Customers

Number Affected:
~19,000

Types of Data:
"names in combination with social security numbers"

Breach Description:
A laptop computer containing sensitive personal information belonging to approximately 19,000 individuals was stolen from the Irving, Texas offices of R.E. Moulton on or around March 7th, 2008.

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

R.E. Moulton is a leader in the medical stop-loss insurance industry and the stop-loss insurance products administered by it are available nation-wide.
[Evan] The notification to the New Hampshire State Attorney General starts with this sentence. It's nice if you can add a little marketing to your breach notification.

We are writing to inform you of an incident involving the possible disclosure of personal information.

Specifically, on or around March 7, 2008, thieves broke into our Irving, Texas regional office and stole a laptop computer containing personally identifiable information of numerous individuals, including names in combination with social security numbers.
[Evan] We don't know much about the physical security controls protecting the office and laptop, but we do have a clue. The fact that R.E. Moulton states "on or around March 7" leads me to believe that the physical controls were not sophisticated enough to detect the theft when it occurred. The practice or storing confidential information on a laptop is not a good idea in most cases and there is also no mention of encryption, so I assume it was not used. Bad, bad, and bad.

A police report was filed and the police are actively investigating this crime.

Personal information was on the stolen laptop because R.E. Moulton receives requests to provide quotes for stop-loss insurance coverage.
[Evan] In my opinion, this may be justification for collecting personal information, but certainly not a justification for storing it on a laptop.

Approximately 19,000 individuals were affected, although there may be duplicates on our master list; this means that the list of affected individuals may be smaller.

At this time. we are unable to determine the number of New Hampshire residents, if any, who will be notified of this incident because the information maintained on the laptop did not include addresses, but we will provide a list at a later date if we find that New Hampshire residents were affected.

Letters will be sent to these individuals as soon as we receive their addresses from their employers or the third parties who arranged for the insurance quotes.
[Evan] It seems to me that the "employers or the third parties" have a significant role in this breach also. I wonder if information security personnel at the "employers or the third parties" were aware and approved of the sharing of personal information with R.E. Moulton. If they were, then I wonder if they followed good protocol and evaluated the information security practices of R.E. Moulton.

Those employers and third parties were notified of this incident during the week of May 5, 2008 and are currently collecting the needed addresses.
[Evan] Employers and third parties were notified almost 2 months after the theft.

Depending on the length of time needed to collect addresses, we hope to start sending letters to the affected individuals in June.
[Evan] Add the amount of time referred to in this sentence to the ~2 months that have already passed and then add this to the time to address letters and you get a long time before victims are notified. I presume some victims will never be notified.

Please know that we have taken this incident very seriously.
[Evan] Action speaks louder than words.

While we do not anticipate that any of the information will be used for unauthorized or malicious purposes, to help those whose information was involved, we have engaged ConsumerInfo.com, Inc., an Experian company, to provide those individuals with one year of credit monitoring at no cost to them.

Please note that we are committed to protecting our customer and that we are constantly improving our processes to avoid any further reoccurrences.

In addition, appropriate steps have been take to prevent future disclosures of this information.
[Evan] What steps have been taken? It seems to me that data owners deserve more detail and explanation.

We sincerely apologize for any inconvenience or worry this may have caused you.

We encourage you to contact the company at 800-553-5318 with any questions or concerns.

From the FAQs:
Q. What is being done by R.E. Moulton to prevent a similar incident from occurring?
A. R.E. Moulton had procedures in place to protect customer information and is constantly reviewing those procedures in light of developments in information security and the evolution of criminal activity.
[Evan] What do you think of this answer?

Commentary:
I get especially frustrated by breaches that involve confidential information on a stolen laptop. Stolen laptops are one of, if not the most common types of breaches that we read about, yet the frequency of reports does not seem to be subsiding. Can an organization claim that they didn't know any better? At what point does risky information security behavior become negligent?

I suspect that most victims don't even know that R.E. Moulton had their personal information. This make the breach a little more troubling.

I accept mistakes because we all make them. I also accept security incidents that occur despite an organization's best efforts at protection. I don't accept poor behavior that seems to go against common sense.

Past Breaches:
Unknown

Microsoft Outlook .PST file FAQs

Thu, 24 Apr 2008 11:17:10 +0000

Troubleshoot Outlook .PST file issues -- from importing and exporting data to .PST file repair and recovery -- with this collection of Outlook .PST FAQs.

Former LendingTree employees sold access to customer information

Wed, 23 Apr 2008 09:08:37 +0000

Technorati Tag: Security Breach

Date Reported:
4/21/08

Organization:
IAC/InterActiveCorp (IAC)

Contractor/Consultant/Branch:
LendingTree, LLC

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"loan request data such as name, address, email address, telephone number, Social Security number, income and employment information"

Breach Description:
"Recently, LendingTree learned that several former employees may have taken Company passwords and given them to a handful of lenders. These lenders then used the passwords to access LendingTree customer information files, normally available only to LendingTree-approved lenders, to market loans to LendingTree's customers."

Reference URL:
LendingTree FAQs
MSNBC Red Tape Chronicles
NetworkWorld

Report Credit:
LendingTree

Response:
From the online sources cited above:

LendingTree has told its customers that former employees helped unauthorized mortgage lenders hack into its systems and steal customer information from 2006 to 2008.
[Evan] From Rob Douglas, editor of InsideIDTheft.info "Given that data was accessed from 2006 to early 2008, it can be inferred that passwords used by former employees remained operational for months or even years after their employment was terminated, generally considered poor security practice"

Recently, LendingTree learned that several former employees may have taken Company passwords and given them to a handful of lenders.
[Evan] Monitoring insider activity for fraud is a difficult challenge for information security personnel, especially when the credentials (username/password) used are valid.

These lenders then used the passwords to access LendingTree customer information files, normally available only to LendingTree-approved lenders, to market loans to LendingTree's customers.

The files contained loan request data such as name, address, email address, telephone number, Social Security number, income and employment.
[Evan] Sheesh! This is everything that a bad guy (or gal) would need to do some serious damage.

A LendingTree spokeswoman said the company was not granting interviews to discuss the data theft. She would not say how many customers were affected nor how much data was stolen, but instead supplied a copy of the customer letter sent by the firm.

Our internal security uncovered this situation. We began an internal investigation and reported it to the authorities. We continue to assist the authorities and are telling our customers as soon as it was possible to do so.

Credit card information (such as account number or account balance) was not involved.
[Evan] No need, with information such as name, address, email address, telephone number, Social Security number, income and employment, a fraudster could get his/her own credit card.

We promptly enhanced the security of our system so that this situation couldn't happen again. We also brought lawsuits against the lenders and other persons involved.
[Evan] What? How do you promptly fix human behavior? If there were such a simple fix for the problem that led to this incident then why wasn't it implemented prior to the incident? I don't buy it.

we have no reason to believe any identity theft or fraudulent financial activity resulted from this situation

You still might want to get a free credit report and file a fraud alert with the credit bureaus. When you get your credit report, look for any accounts you didn't open and/or inquiries from creditors that you didn't initiate. If you see anything you don't understand, contact the credit bureau.
[Evan] What if an affected individual has already used their free annual credit report?

LendingTree believes that the information accessed was limited to mortgage customer loan requests only, which were then used by the mortgage lenders to solicit those customers for mortgage loans.

We brought a lawsuit against Newport Lending Group, Irvine, California; Home Loan Consultants, Inc., Newport Beach, California; and Sage Credit Company, Irvine, California, in connection with this incident.
[Evan] I wonder what the lawsuits seek.

LendingTree sent emails or letters to the mortgage customers that it believes, based on its investigation to date, might be at risk of having their information accessed and used by these mortgage companies to solicit mortgage loans.

You should also be vigilant for 12 to 24 months in reviewing bank and credit card statements and any future credit reports.
[Evan] As long as Social Security numbers are still used for authentication, people should remain vigilant, whether it be 12, 24, or 300 months.

You can call LendingTree at 866-505-8874 to speak with one of our customer service representatives who are available from 9am to 9pm ET seven days a week.
[Evan] Well thank you for permission Mr. LendingTree

Commentary:
I don't necessarily fault LendingTree too much for the incident occurrence. Preventing internal privileged access abuse is a real challenge. There are some controls that can reduce risk, but we don't know which of these are in use at LendingTree. I think it was just a matter of time. Actually, I would be surprised if this was the first time with past occurrences remaining internal and private.

What I do fault LendingTree for is a really poor public response. There are no apologies in the FAQs for the inconvenience. There is no offer of any real assistance. There is no readily available information on the company's web site (the FAQs are very hard to find without any direct link from the home page). The information (once found) given by LendingTree is much less than what would make me comfortable. Overall, their response gives off this general feeling of arrogance.

Personally, I am a LendingTree customer as I have applied for a previous car loan through them. Am I to take LendingTree at their word and believe that this breach only affected mortgage applications? What controls were in place to prevent employees from granting access to my data? I need more detailed information about the investigation and what LendingTree did to "promptly" enhance security before I conduct business with them again.

Past Breaches:
Unknown

Three intrusions go undetected at Antioch University

Mon, 31 Mar 2008 12:23:10 +0000

Technorati Tag: Security Breach

Date Reported:
3/29/08

Organization:
Antioch University

Contractor/Consultant/Branch:
None

Victims:
"current and former students as well as current and former employees going back to 1996"

Number Affected:
~70,000

Types of Data:
"The system contained people's names, addresses, telephone numbers, and social security numbers. For students and former students it also contained academic records and for employees and former employees it contained payroll records."

Breach Description:
"A computer system at Antioch University that contained personal information on about 70,000 people was breached by an unauthorized intruder three times last year, the school said Friday."

Reference URL:
Antioch University FAQs
Antioch University Security Letter
The Associated Press
ITBusinessEdge

Report Credit:
Antioch University

Response:
From the online sources cited above:

I wasn't an English major, so who am I to point this out?

A computer system at Antioch University that contained personal information on about 70,000 people was breached by an unauthorized intruder three times last year, the school said Friday.

On February 13, 2008, a security incident occurred on one of Antioch University's computer systems. The University responded aggressively by immediately contacting forensic software investigators to examine its computer system.
[Evan] Maybe an aggressive response was warranted in this case, but this is not so in all cases. Sometimes an aggressive response causes harm. The school should be commended for bringing in a third-party expert. I wonder how the school initially became aware of the intrusion.

After analyzing Antioch's computer system, the investigators determined that an unauthorized intruder breached one of Antioch's computer systems on three different occasions: June 9, 2007, June 10, 2007, and October 11, 2007.
[Evan] Oh my! This is a tough pill to swallow. Obviously no intrusion detection or effective monitoring of this server. The protection of confidential information requires more active involvement. Three breaches occurring over the course of 18 months without a response (until now) is not acceptable.

The system contains files with Social Security numbers, names, academic records for students and former students, and payroll records for Antioch's employees and former employees. It also contains names and Social Security numbers for student applicants.

We are not aware of a single report of identity theft as a result of the intruder's actions.

No conclusive evidence has been found that the intruder actually acquired, viewed, copied, or otherwise misappropriated any of your personal information.

Nonetheless, we are continuing to analyze all available evidence to determine the extent of the intrusion.

Based on what we know regarding the facts surrounding the intrusion, we believe it is unlikely your information has been or will be misused. However, the University does not seek to minimize the concerns raised by this intrusion.
[Evan] We will minimize concerns then tell you that we don't seek to minimize the concerns.

Improvements to our system are being made but it is constant vigilance and a sense of caution that are necessary in keeping the system we develop safe.
[Evan] Yes, "constant vigilance" is required. So is this a "now we get it" response?

We will continue to reevaluate, identify, and remove potential vulnerabilities as we make improvements to our security system.

The University is working with appropriate federal and state law enforcement agencies to apprehend the responsible party and to determine if any personal information was stolen.
[Evan] Unless the intruder is a complete idiot, there is little hope of apprehension.

The University will aggressively pursue those responsible for the breach.
[Evan] Why? Time spent on establishing a sound information security program would be time better spent in my opinion.

Additionally, we have contacted the three major consumer credit reporting agencies to inform them of this incident.

The university said it is contacting by mail people whose information could have been exposed.

Antioch University takes the security and privacy of its employees, students, and applicants seriously and deeply regrets that this incident has occurred.

A Toll Free Hotline at 1-866-905-2288 has been set up to assist you with answers to any questions or concerns regarding the data security intrusion. The Toll Free Hotline is available from 9 a.m. to 5 p.m. EDT, April 1 through May 30, 2008. If you call after business hours or find it necessary to leave a message, Antioch University will attempt to return your call within two business days.

If you suspect that you are a victim of identity theft immediately contact local law enforcement, your state's Office of Attorney General, and the Federal Trade Commission (1-877-ID-THEFT or 1-877-438-4338).

Again, Antioch deeply regrets any inconvenience this incident may have caused.

Commentary:
Two facts stand out for me immediately when I read about this breach.

1. According to the university, this server contained sensitive information "going back to 1996". Does a data retention policy not exist at the school? I do not know of any regulation or business reason why the school needs to keep data going back 12 years.

2. A server that creates, processes or stores sensitive information requires much more information security attention than the one involved in this breach. It would be embarrassing. This is an excellent case for IDS/IPS.

The school response seems sincere and open, but it doesn't leave me with a sense of comfort.

Past Breaches:
Unknown

FAQ: SQL Server databases how-to

Thu, 20 Mar 2008 07:59:19 +0000

Troubleshoot SQL Server database issues with these FAQs. Whether it's how to back up, restore, import, export, copy or upgrade SQL Server databases, you'll get expert advice here.

Encryption defeated, still an advocate?

Fri, 22 Feb 2008 13:15:15 +0000

Technorati Tag: Encryption

Originally I was not going to write about this because it is not a breach (incident), but...

Yesterday, researchers from Princeton University, the Electronic Frontier Foundation, and Wind River Systems released an eye-opening report labeled "Lest We Remember: Cold Boot Attacks on Encryption Keys" in which they "present a suite of attacks that exploit DRAM remanence [sic] effects to recover cryptographic keys held in memory".

OK. What does this mean to the non-geek? It means that there are now successful attacks against many encryption implementations, including those most commonly used on mobile devices (laptop, thumb drive, etc.). Here at The Breach Blog I have advocated the use of hard drive encryption in many posts and pointed out the fact that storing confidential information on unencrypted laptops is bad security and poor business. So, what does this all mean?

From Princeton University's Center for Information Technology Policy FAQs:

Q. What encryption software is vulnerable to these attacks?
A. We have demonstrated practical attacks against several popular disk encryption systems: BitLocker (a feature of Windows Vista), FileVault (a feature of Mac OS X), dm-crypt (a feature of Linux), and TrueCrypt (a third-party application for Windows, Linux, and Mac OS X). Since these problems result from common design limitations of these systems rather than specific bugs, most similar disk encryption applications, including many running on servers, are probably also vulnerable.

Q. What can users do to protect themselves?
A. The most effective way for users to protect themselves is to fully shut down their computers several minutes before any situation in which the computers’ physical security could be compromised. On most systems, locking the screen or switching to “suspend” or “hibernate” mode does not provide adequate protection. (Exceptions exist; some systems may not be protected even when powered off. Check with the developer of your disk encryption software for further guidance.)

Q. Isn’t your attack difficult to carry out? Don’t you need materials like liquid nitrogen?
A. We found that information in most computers’ RAMs will persist from several seconds to a minute even at room temperature. We also found a cheap and widely available product — “canned air” spray dusters — can be used to produce temperatures cold enough to make RAM contents last for a long time even when the memory chips are physically removed from the computer. The other components of our attack are easy to automate and require nothing more unusual than a laptop and an Ethernet cable, or a USB Flash drive. With only these supplies, someone could carry out our attacks against a target computer in a matter of minutes.

And from "Lest We Remember: Cold Boot Attacks on Encryption Keys" Conclusion:
"There seems to be no easy remedy for these vulnerabilities. Simple software changes are likely to be ineffective; hardware changes are possible but will require time and expense; and today’s Trusted Computing technologies appear to be of little help because they cannot protect keys that are already in memory. The risk seems highest for laptops, which are often taken out in public in states that are vulnerable to our attacks. These risks imply that disk encryption on laptops may do less good than widely believed."

[Evan] Well, if this ain't a shot to the gut! On the surface I am miffed by research that leaves me wondering what in the world am I supposed to do now? When I think about it more, I am extremely grateful for the work these people do and I'm not really surprised by the findings. People that have been in the information security field for a while, understand some of the concepts that (we think) make us effective in what we do. Nobody can rightfully claim that full disk encryption or any other single technology is the one that protects against everything. We are never 100% secure will all technologies, let alone one. Security is a holistic discipline that is about defense in depth, continual analysis and improvement, systems and backup systems, threats, countermeasures, etc. etc. This is just another attack vector that wasn't widely known or accepted until now.

I am still an advocate for using full disk encryption (and encryption in general) as good information security practice. It is another essential cog in the bigger information security machine. Recognize the technology for what it is and understand that it's use does reduce risk when compared to the alternative of using clear-text. Obtaining the encryption keys is obviously very possible, but obtaining clear text information is completely trivial. Long-term this is a great problem to have. I have seen many, many good "out of the box" ideas being kicked around by information security professionals, debating possible solutions. It's the out of the box thinking that spurs creative solutions.

Other News Sources:
CNET.com News story
The New York Times story
SecurityFocus story
InformationWeek story