CandyFOSS
22 February 2008
By Carl | Posted in Security | Comments (1)

Drive encryption dead?

A team including the Electronic Frontier Foundation (EFF), Princeton University, and other researchers have found a major security flaw in several popular disk encryption technologies that leaves encrypted data vulnerable to attack and exposure.

“People trust encryption to protect sensitive data when their computer is out of their immediate control,” said EFF Staff Technologist Seth Schoen, a member of the research team. “But this new class of vulnerabilities shows it is not a sure thing. Whether your laptop is stolen, or you simply lose track of it for a few minutes at airport security, the information inside can still be read by a clever attacker.”

The researchers cracked several widely used disk encryption technologies, including Microsoft’s BitLocker, Apple’s FileVault, TrueCrypt, and dm-crypt. These “secure” disk encryption systems are supposed to protect sensitive information if a computer is stolen or otherwise accessed. However, in a paper and video published on the Internet today, the researchers show that data is vulnerable because encryption keys and passwords stored in a computer’s temporary memory — or RAM — do not disappear immediately after losing power.

15 February 2008
By Carl | Posted in Security | Comments (0)

… or at least they should be.

I read earlier how Claranet (an ISP) became the first victim of the kernel bug disclosed a few days ago:

Hackers used a bug in the sys_vmsplice kernel call, which handles virtual memory management, to gain root privileges and replace Claranet customers’ index.html files with the hacker’s calling card.

The exploit was noticed at about 6pm on Tuesday.

Claranet said: “Malicious activity related to the vulnerability was detected on Claranet’s shared hosting platform. Within 10 minutes Claranet contained and halted the malicious activity, and locked down the platform to prevent further damage.”

To be fair to Linux here, this was patched hours after being disclosed, with source released at the very same time. Distribution vendors take more time to build their packages with the new code but this process is sped up logarithmically for security holes — Ubuntu, for example, had patched kernels out the next day.

So source code out there, new kernels available shortly after disclosure. Two days later, Claranet gets hacked. Their admins should have been all over this. I’m just a user and I knew about this just 4 hours after it came out.

On a different note, if you want a laugh, take a look at the nonsense going on in the Register’s comment thread for their posting on Claranet getting hacked. It’s amazing what people’ll say. One example:

With all you Linux fanbois harping on constantly about how secure your system is you tend to forget that believing your own bullshit compromises your systems.

Sigh. Competency would have avoided this.

11 February 2008
By Carl | Posted in EeePC, Security | Comments (4)

In the news aggregator we use here I saw a post before the weekend entitled: ASUS Eee PC rooted out of the box. I bookmarked it for today but honestly thought nobody else would see it and if they did, they would see how flimsy the whole thing was and not bother reposting it.

But it turns out that Rise Security, who say they were founded in 2004, yet did not purchase their domain until mid-2006 — in other words: liars or idiots, were taken extremely seriously. But why?

The article’s premise is that they can “hack” a stock Eee PC because it runs a vulnerable version of the Samba server. But I can’t see how this would ever be an issue.

Say you buy one, take it home and turn it on. Are you going to get hacked there and then? No. You don’t have your networking set up. So you turn on WiFi for the first time and connect to the internet. The Eee PC checks for updates (including a patch for Samba). Theoretically if you had somebody inside your network that knew your IP and knew it was a stock Eee PC, they could, theoretically, brute your Samba server.

What’s more likely is you download a few updates and you’re nigh-on-immediately safe.

And this “out the box” thing is nuts. Every OS disk a few months behind the latest patches is horribly insecure. That’s why we have updates, people!
