Monday, February 25, 2008

Researchers Find Way to Steal Encrypted Data - New York Times

Researchers Find Way to Steal Encrypted Data - New York Times:
"SAN FRANCISCO — A group led by a Princeton University computer security researcher has developed a simple method to steal encrypted information stored on computer hard disks.

The technique, which could undermine security software protecting critical data on computers, is as easy as chilling a computer memory chip with a blast of frigid air from a can of dust remover. Encryption software is widely used by companies and government agencies, notably in portable computers that are especially susceptible to theft."
As I tell people I work with, there is NO expectation of privacy in your email, online activities, and apparently now on your encrypted hard drive in your laptop.

A few things to note:
  • Physical access to a running or recently shut down computer is required. The passphrases that encrypt and decrypt your data are maintained in unencrypted form in your computer's RAM. While this information is supposed to go away when the power is shut off, the contents of RAM may persist for a few seconds up to a few minutes. Chilling the RAM modules may extend this period to several hours.
  • Only a cold shutdown will cause the RAM to clear after a few minutes. Putting the computer into sleep mode keeps the contents of RAM intact. This is by design to permit the laptop to start up in seconds when the user wishes to resume work. How many people use sleep mode routinely? Personally, I don't, especially when traveling. And I require a password to resume work after sleep mode is exited.
  • If security tokens are kept on a USB drive or smartcard, and these are part of the security mechanism, then the techniques worked out by the Princeton computer scientists are not effective.
This is not simply an abstract issue for technogeeks. A friend of mine helps to support evangelism in a part of the world that is not openly identified. The indigenous Christians use laptops and email for communication, and encryption of sensitive data is part of their security strategy.
