In computer security data breaches are unfortunate and unfortunately not all that uncommon. In October of this year South Carolina Department of Revenue announced they were victims of a data breach. The breach was large in the amount of people affected and the breath of the breach. Breach consisted of 3.8 million residents of South Carolina. Social Security, credit cards, and bank account information was exposed. Additionally cyber criminals gained access to 44 servers, installed 33 pieces of malicious software and utilities. As bad as that news is gets worse; internal monitoring or audits did not notify the South Carolina Department of Revenue of its own data breach. It was not until law enforcement agencies brought 3 cases of identity theft to the department before they became aware that something might not be right.
One interesting thing that came out of the data breach is South Carolina Department of Revenue was in compliance with IRS rules of storing Social Security numbers. But compliance is not the same thing as security. While encryption is one of the main defense steps used to provide security it may not be enough. This is especially true if we use encryption without compliance or use it without additional monitoring or auditing.
Many companies are moving to entire disk encryption for laptops. The hope is to prevent a data breach if the laptop is stolen or lost. The South Carolina Department of Revenue data breach was not caused by a stolen or lost laptop. Other data breaches have been such as Department of Veterans were cause by a stolen laptop. The key point here is encryption alone is not security and it will be always be about defense in depth, which includes encryption, auditing, active monitoring, risk assessments, compliance, procedures, etc and just being open mined to the “what if”.
Lets take a closer look at whole disk encryption and the risks. The first risk is an always-present risk when using encryption; key management. When using whole disk encryption such as PGP whole disk the key is on the machine it is protecting. This key needs to be available at all times for disk access. No problem we can store the key in memory. To comprise the key you need access to the machine and knowledge of where the key is in memory. Second is if the computer is stolen or lost from a park car, airport, hotel room the computer if off so memory is no longer an issue, or is it.
The Princeton University’s Center for Information Technology Policy released a paper showing how whole-disk encryption can be cracked quickly and easily.
Princeton group’s attack on whole-disk encryption relies on the fact that computer memory (DRAM) is not wiped out when the system is powered off. Instead, it becomes unreliable, decaying over a period of time. The attack is as follows: get access to a laptop that is currently operating (so that the whole-disk encryption key is in memory), spray the RAM with an inverted compressed air can to cool it to -50 degrees Celsius, and power the system off. Cooling the memory slows the decay of memory. Second you will need to get a snapshot of the target computers memory. This snapshot can then be inspected to locate prospective cryptographic keys and try them on the target drive. Some knowledge of the particular whole-disk encryption product being used would be needed to find the exact spot in memory where the key is, and some error-correction techniques must be used in case a bit or two has been flipped due to memory decay, but it reduces the problem from cryptographically impossible to something that can be cracked in a few minutes or at worst hours. So is this the end of whole disk encryption? The answer to that question is no. But we do need to look at our procedures.
- Do not use sleep/suspend-to-RAM when the computer is not actually in your hands — either power off or use hibernate mode. Best is power off several minutes before any situation in which the computers’ physical security could be compromised. In a sleep or suspend-to-RAM scenario, the whole-disk encryption key is still maintained in memory and can be recovered.
- If you have a few truly critical files, use file encryption (such as Windows’s Encrypted File System or PGP’s file encryption) on those files with a different password than that used on the whole-disk encryption. Better yet keep critical information off mobile devices.
- If laptop is lost or stolen do a risk assessment/audit of what was on that computer and increase monitoring on vulnerable data/systems that may be at risk.
- Educate laptop users about the above risk and using whole disk encryption is a good solution but can be enhanced by the above steps.