[SecurityRatty] tag: princeton

Hardware Drive Encryption Becomes Manageable

Mon, 10 Nov 2008 06:51:53 +0000

Regulatory compliance requirements and other best security practices are driving enterprises more consistently towards use of hard drive encryption, but it's not always an easy decision., Software encryption products can impose a performance burden and key management can be problematic. The answer, argues Seagate, is hardware encryption built into the drive. Integration into McAfee's Endpoint Encryption products makes key management more organized and secure, and no CPUs are burdened in the encryption or decryption of the data. Seagate also has announced they are now shipping 320GB and 500GB self-encrypted drives up to 7200RPM. Dell will be shipping notebooks with these drives. The drives come factory pre-loaded with management software. Early this year headlines were had with the revelation, by researchers at Princeton, of a theoretical attack that could recover software encryption keys even from a notebook that had been shut off. It's actually silly James Bond stuff that real people shouldn't worry about, but it did demonstrate the real point that the keys exist in memory and there are ways they can be gotten. Attacks on the live system that gain control of it, through malware for example, could still gain access to any data to which the compromised user has access. With hardware-encrypted drives, at least the private key is secure and the Princeton attack is prevented. Notebooks with drives like these in a managed environment really do make it easier to feel secure about notebooks, even if they have sensitive data on them. Combine them with other best practices, like multi-factor authentication, and you've given yourself the best chance to succeed in security. One day we'll use products like this and nothing less will be acceptable.

Q&A: Felten on e-voting and what can go wrong

Mon, 03 Nov 2008 02:00:00 +0000

Princeton computer science professor Edward Felten explains what can go wrong with e-voting in the presidential election, what voters can do about it.

Princeton report rips N.J. e-voting machines as easily hackable

Mon, 27 Oct 2008 01:00:00 +0000

A Princeton University report sharply criticizes the e-voting machines used in New Jersey and elsewhere as unreliable and potentially prone to hacking.

Prominent Web sites found to have serious coding flaw

Mon, 29 Sep 2008 20:00:00 +0000

Two Princeton University academics have found a type of coding flaw on several prominent Web sites that could jeopardize personal data and in one alarming case, drain a bank account.

Sensitive data on 100,000 students exposed by Princeton Review

Tue, 19 Aug 2008 09:00:00 +0000

Princeton Review, the New York-based educational service and test preparation provider, inadvertently exposed the names, birth dates, performance results and other data on 100,000 students.

Report: Princeton Review publishes sensitive data online

Mon, 18 Aug 2008 20:00:00 +0000

The Princeton Review is the latest company hit with a data breach that is making headlines. The New York-based educational service and test preparation provider inadvertently exposed files on at least 100,000 students in Sarasota, Florida and Fairfax County, Virginia through its Web site. News of the breach was made public Tuesday morning by a report in the New York Times.

A sneak peek at a Black Hat presentation

Wed, 30 Jul 2008 14:08:27 +0000

No, it is not the Dan K DNS presentation, sorry. Patrick McGregor, CEO of BitArmor Systems is presenting at Black Hat as well. As part of our promotion with the SBN and Black Hat I have made my blog available to Patrick to give us a sneak peek at his presentation. Patrick was nice enough to prepare the following:

Braving the Cold (Boot) – A Sneak Peek of My Presentation at Black Hat

by Patrick McGregor

Cold boot attacks aren’t theoretical academic exercises. Cold boot attacks are real. And they’re serious.

In the past few years, companies have poured hundreds of millions of dollars into full disk encryption technologies. Companies expect full disk encryption to reduce the risk of exposure of sensitive information such as intellectual property or customer data. Reality often deviates from what is expected, however. Researchers from Princeton shocked the industry earlier in 2008 when they released a research paper that showed that low-cost “Cold Boot” attacks could be used to defeat the security of most full disk encryption systems. They recently even published all the tools needed to do this at home!

Some have argued that Cold Boot attacks are not serious security threats. I disagree! First, an unskilled person can capitalize on the exploit using simple, automated steps and publicly available tools. In fact, Cold Boot attacks require nothing more than plugging a USB drive into a laptop. Second, the physical target of a Cold Boot attack, such as a laptop, is very easily obtainable (see the recent Ponemon report on laptops lost/stolen in airports – scary!). Third, although many laptops and desktops are stolen via random acts of theft, it is well known that some criminals profit from organized, calculated data theft. It is only a matter of time before we hear of a high-profile data breach that results from a simple Cold Boot attack.

I am excited to present at Black Hat several innovations for preventing Cold Boot attacks. In addition to summarizing how a Cold Boot attack works, I’ll describe four new software techniques for hardening full disk encryption against the attacks. The software technology was developed by myself, Tim Hollebeek, Alexander Volynkin, and Matt White. All of us work for BitArmor, an exciting security startup based in Pittsburgh. Here’s a sneak peek:

· Wash up: Wipe keys immediately before certain OS state transitions, such as before the computer shuts down or goes into hibernation mode – accessing the memory will yield nothing.

· Take advantage of BIOS memory smashing: By strategically placing keys in certain regions of memory, we can rely on the BIOS boot process to overwrite keys before any operating system can dump the contents of memory.

· Is it chilly in here?: Using built-in temperature sensors, we can lock down the system in reaction to temperature drops that may indicate a Cold Boot attack is in progress.

· Create a virtual enclave for keys: We can implement special cryptographic, OS and processor architecture techniques to provide robust protection for keys against the most aggressive cold boot attacks. By creating a “virtual secure enclave” for encryption keys in software, an attacker cannot extract critical keys from memory – even if the RAM is super-cooled.

Hope you can join us at Black Hat as we take an in-depth look at the future of full disk encryption technology.

For your hacking pleasure - Cold Boot utilities released!

Wed, 23 Jul 2008 09:32:00 +0000

Interesting news over the weekend. Looks like one of the original researchers from the Princeton Cold Boot attack work, Jacob Applebaum, published all the utilities they used to break full disk encryption products.

We, at BitArmor, have talked a bit about cold boot and how we protect against it. Our CEO Patrick and a few of our senior engineers will be presenting at Black Hat on techniques to prevent this attack - check out his perspective as well from his Princeton days.

Technical glitch blamed in The Princeton Tower Club breach

Tue, 13 May 2008 05:20:10 +0000

Technorati Tag: Security Breach

Date Reported:
5/8/08

Organization:
The Princeton Tower Club

Contractor/Consultant/Branch:
None

Victims:
Former club members

Number Affected:
103

Types of Data:
"names and social security numbers"

Breach Description:
"Tower Club is taking steps to protect 103 of its alumni in the classes of 2006 and 2007 after a spreadsheet listing their names and social security numbers was e-mailed to current club members early Wednesday morning."

Reference URL:
The Daily Princetonian
United Press International
Asbury Park Press

Report Credit:
Rachel Dunn and Josephine Wolff, The Daily Princetonian

Response:
From the online sources cited above:

Tower Club is taking steps to protect 103 of its alumni in the classes of 2006 and 2007 after a spreadsheet listing their names and social security numbers was e-mailed to current club members early Wednesday morning.

The document was attached to an apparently unrelated e-mail that informed current members about a club event.

The spreadsheet was attached unintentionally because of "a technical glitch," Tower graduate board chair Greg Berzolla ’87 said
[Evan] Really? A technical glitch? These types of breaches are usually the result of human error.

"The [spreadsheet] file wasn’t even available on the hard drive [of the computer that sent the e-mail]," Berzolla said. "[The e-mail system] took an old e-mail and used it as a template [for Wednesday’s e-mail] as near as we can guess. It’s not a system very many people use or understand, that’s the problem."

"I cannot comment on [the glitch] because I don’t understand it," he said. "I didn’t figure it out, I think the club technical chair [did]. [Tower president] Stephanie [Burset ’09] tried to explain it to me, but I think she doesn’t really understand it either."
[Evan] At least he is honest.

Burset said in an e-mail that Pine, the e-mail system Tower currently uses, is "fairly antiquated, but our tech chairs have assured me that nothing like this can ever happen again," and added that "we plan on switching to a new client whom is more secure and easier to use."
[Evan] I am concerned by statements like "nothing like this can ever happen again". We still don't know why it happened in the first place.

The e-mail was sent by Tower officers from the tower@princeton.edu account to the roughly 200 current club members.

Tower officers sent another e-mail to the club yesterday asking members to delete the message from their mailboxes "out of respect for ’07."

Berzolla said he believes the risk of identity fraud is "extremely limited"

"It’s hard for any kind of fraud to occur that quickly," he said of the incident. "I feel confident that our club members are not going to use this information badly."
[Evan] It only takes one person. It should also be mentioned that one or more of the destination email accounts could be a shared account and that these emails were sent in clear text (subject to the possibility of interception).

"[The breach] would have had to have been intentional [for there to be legal repercussions]," Berzolla said.
[Evan] Do you have to demonstrate intent to argue negligence (The failure to use reasonable care)? I'm certainly not a lawyer, but I think that there are cases where victims have been awarded damages when there was not intent to harm on the part of the defendant. I don't really advocate lawsuits anyway, but I am just stating what seems obvious to me.

Tower will pay for an identity theft protection services for the affected individuals next year.

Berzolla hopes this measure will assuage any possible threat of legal action from former members against the club. "I don’t expect there to be any problems, but just in case," he said.

The social security numbers on the spreadsheet were collected as part of the process of signing in new members several years ago, Berzolla said. Tower no longer requires its members to submit their social security numbers, he added.
[Evan] It is a good practice to not collect information that isn't required to conduct business. The Tower Club would be well advised to go through the information they currently possess and purge the information they no longer need.

Victim Reaction:
"I had no idea this happened, and frankly, I’m baffled and a little pissed off," Valerie McConnell ’07 said

"Now that I know that the social security numbers weren’t sent out on purpose, I’m not pissed off," McConnell said. "I think my identity is ok. I can’t imagine anyone in the club trying to steal my identity (not that there’s a lot to steal right now anyway)."
[Evan] I think I would still be pissed off. Identity thieves are not all stupid. Many of them will hold on to the information for a year or more before using it or selling it.

"[The incident] is a mistake; it shouldn’t have happened," Beylin said in an e-mail. "However, with the number of times I’ve handed out my SSN this year while seeking financial services or apartment hunting, it’s really not my biggest source of concern for identity theft."
[Evan] This is a good point. Have you ever thought of all the times you have given out your Social Security number? All of your employers, schools, insurance companies, banks, mortgage companies, credit card companies, etc. have your number. The same number used for identification and authentication. A recipe for disaster?

Commentary:
The Tower Club does not handle personal information any worse than most other organizations. It seems like they just didn't know any better. It sometimes makes me nervous.

Past Breaches:
Unknown

Icy encryption tool protects laptops from "cold boot" attack, vendor says

Mon, 12 May 2008 20:00:00 +0000

The vendor HyBlue says it can prevent the "cold boot" encryption hack discovered by Princeton researchers.