It is always a good idea to take your daily dose of sensational headlines in the IT press with a grain of salt!

In the last couple of weeks, the blogosphere has been abuzz with news that (Microsoft’s) BitLocker drive partition encryption process was penetrated, and indeed, easily defeated.

My first thought upon reading the research document from a team including the esteemed Edward Felten was that this was an attack more likely to occur in exotic situations, and/or against highly targeted victims.

Where are the cooler heads?

The entire Internet went ablaze, with an unbelievably high number of articles front-running the initial article until one of the worst attributes of the Web, the ability to create a self-sustaining, albeit false, echo chamber, came to the fore. Every man and his dog opined that Microsoft had done us in again.

Had they?

Almost immediately, Troy Arwine, in an article on the “Stay Safe” Cyber Security blog, refuted some of the assertions of the rather sensationally-headlined paper.

It was drowned out by cries of him (Arwine) being a ‘homer’, since he worked for Microsoft.

Independent thought, at last!

Last Friday, Endpoint Technologies Associates, a highly respected technology analysis firm, came out with their independent analysis of Mr. Felten’s paper.

Titled “Popsicle Hack Tries to Chill Zeal for Hardware Security” and authored by Roger Kay, the analysis looked at the issue described in the research document, and at the feasibility of the attack being carried out willy-nilly, as the headlines were screaming.

The conclusion: such an attack was not likely to occur randomly.

After reading the analysis, I contacted Roger for expansion or clarification of some of the conclusions in the document.

[John Obeto] In the light of the post by Troy Arwine on the Microsoft “Stay Safe” Cyber Security blog, and your examination of the issue, am I right in concluding that this is a very unlikely attack vector for most computer installations?

[Roger Kay] Very unlikely; people are more likely to try BitUnlocker than the Popsicle Hack, which requires physical manipulation of memory rather than just attaching a USB cable.

[JO] Would it be fair to declare that this hack would be somewhat esoteric, and probably more likely to be used in a directed attack, such as in corporate or industrial espionage?

[RK] Esoteric is right. Remember, crooks are opportunistic and gravitate toward the easiest prey. Spooks and other professionals go for specific targets. So, BitUnlocker and the Popsicle Hack would become part of their arsenal.

[JO] Does this hack mean that the protection afforded by the use of BitLocker, either by itself, or in conjunction with a built-in TPM module, is no longer useful?

[RK] Nope, if you read Troy’s post, it’s clear that to be protected, you need to employ a comprehensive, layered method. Of course, no security is absolute, but it’s better to be protected than not, particularly when opportunists are choosing their targets.


The issue could not be any clearer.

In other words, while it sounds easy, the only ones who could pull off this sort of hack are professionals, who should have known about it before the Felten paper. (And who are probably upset at him and his colleagues for publicizing it!)

This means that a policy of simply deploying TPM, BitLocker, and other encryption methods to protect your computing assets, and then assuming all is well, is no policy at all.

As with physical assets, you have to be ever vigilant, and use the technologies above as part of a comprehensive policy consistent with industry best practices, regulatory directives, and corporate document-retention

Thank you for taking the time, Roger.

His analysis is here.

Noted analyst Roger Kay is president of Endpoint Technologies Associates.



Post Tags: bitlocker  microsoft  tpm  ultimate extras 





Comments: (11)
on Wed, Mar 12th, 2008 at 03:14 PM

LOL, I completely forgot about the bitlocker fiasco until you brought it up, but nice to see it wasn’t 100% true.


FreezemyMem on Wed, Mar 12th, 2008 at 03:38 PM

I want to understand your article better and I think I do, but when you say popsicle hack, do you mean the freezing memory etc?


on Wed, Mar 12th, 2008 at 05:16 PM

Yeah, that’s exactly what it is.


on Wed, Mar 12th, 2008 at 05:19 PM

BTW, I think this is more of a problem on OS X; check my post here:
http://www.hardwaregeeks.com/index.php/site/comments/glitch_exposes_os_x_passwords/


John on Wed, Mar 12th, 2008 at 07:41 PM

@FreezemyMem: In order to carry out the most invasive of attacks, you are supposed to immerse the memory (DIMMs, SIMMs, SIPPs, whatever) in liquid nitrogen or some other similar, generally-available cryogenic fluid (LOL) to freeze it (the popsicle part) and then insert the frozen popsicle (sic) into an awaiting, prepped decrypting system.

Yeah, that easy!


on Wed, Mar 12th, 2008 at 07:45 PM

Actually, John, the study that was done recently said the memory could be stored for up to 4 or 5 minutes just by blowing compressed air on it.


on Wed, Mar 12th, 2008 at 07:45 PM

Granted, the air would have to be really cold.


FreezemyMem on Wed, Mar 12th, 2008 at 10:56 PM

Thanks, I understand now. So basically all the bitching about this was just to make noise.


on Thu, Mar 13th, 2008 at 02:06 AM

@Michael: if you read the document carefully, you will find that that amount of time, in a real world situation, is probably not enough to perform an illegal intrusion into a system. As a result, going nuclear, or using liquid nitro, would be better, I think.

@FreezemyMem: True. It might be freezing on the dark side of the moon; however, unless I find myself beamed over there in a real crazy nightmare, what do I care? I’ll just put together enough warm clothes for winter, in the real world here on Sol-3.


on Thu, Mar 13th, 2008 at 02:49 PM

Yeah, I get what you are saying; it’s really not a flaw in the software, just a flaw in the hardware that can be taken advantage of if you are Mr. Freeze.


on Thu, May 15th, 2008 at 10:32 AM

I must admit the Princeton paper on cold boot attacks on encryption keys is very clever. There is now a great resource on making BitLocker a bit more secure. Pretty much anyone with a system capable of running BitLocker should be using TPM and a PIN.
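Editor’s added example on the TPM-and-PIN recommendation in the comment above (this is not code from the post, from Mr. Kay’s analysis, or from any commenter): on a current Windows build, the BitLocker PowerShell module, which did not exist in 2008, can list the protector type on each volume. A volume unlocked by the TPM alone has its key loaded into RAM with no user input, which is the situation the cold boot paper targets; requiring a PIN is the configuration the commenter recommends. Run it from an elevated prompt.

```powershell
# Added example: audit BitLocker volumes for TPM-only protectors.
# Assumes the BitLocker module (Get-BitLockerVolume, Add-BitLockerKeyProtector)
# available on Windows 8 / Server 2012 and later; requires elevation.

function Get-BitLockerProtectorAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # One volume may carry several protectors (TPM, recovery password, ...).
        $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $tpmOnly = ($types -contains 'Tpm') -and (-not $hasPin)

        if ($vol.ProtectionStatus -ne 'On') {
            $verdict = 'NOT PROTECTED: encryption off or suspended'
        } elseif ($tpmOnly) {
            $verdict = 'TPM only: key released at boot without a PIN'
        } elseif ($hasPin) {
            $verdict = 'TPM+PIN'
        } else {
            $verdict = 'Review: no TPM-based protector'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            Verdict          = $verdict
        }
    }
}

Get-BitLockerProtectorAudit | Format-Table -AutoSize

# Remediation for a TPM-only OS volume. Group Policy ("Require additional
# authentication at startup") must permit a TPM+PIN protector. The existing
# TPM-only protector should then be removed with Remove-BitLockerKeyProtector,
# using the KeyProtectorId shown by Get-BitLockerVolume. Uncomment to apply:
# $pin = Read-Host -AsSecureString -Prompt 'New startup PIN'
# Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
```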

