In computer security, data breaches are unfortunate and, unfortunately, not all that uncommon. In October 2012 the South Carolina Department of Revenue announced that it was the victim of a data breach. The breach was large both in the number of people affected and in its breadth: records of 3.8 million South Carolina residents were exposed, including Social Security numbers, credit card numbers, and bank account information. The attackers also gained access to 44 servers and installed 33 pieces of malicious software and utilities. As bad as that news is, it gets worse: internal monitoring and audits did not alert the Department of Revenue to its own breach. It was not until law enforcement agencies brought three cases of identity theft to the department that it became aware something might be wrong.
One interesting thing that came out of the breach is that the South Carolina Department of Revenue was in compliance with IRS rules for storing Social Security numbers. But compliance is not the same thing as security. Encryption is one of the main defensive measures used to provide security, yet by itself it may not be enough. That is especially true if encryption is used merely to satisfy compliance, or without the additional monitoring and auditing that would detect misuse of the data it protects.
Many companies are moving to whole disk encryption for laptops, in the hope of preventing a data breach if a laptop is stolen or lost. The South Carolina Department of Revenue breach was not caused by a stolen or lost laptop, but other breaches have been; the Department of Veterans Affairs breach is one example. The key point is that encryption alone is not security. Security will always be about defense in depth, which includes encryption, auditing, active monitoring, risk assessments, compliance, procedures, and so on, plus an open mind about the "what if".
Let's take a closer look at whole disk encryption and its risks. The first is an ever-present risk when using encryption: key management. With whole disk encryption such as PGP Whole Disk Encryption, the key is on the machine it is protecting, and it needs to be available at all times for disk access. No problem, we store the key in memory. To compromise the key you need access to the running machine and knowledge of where the key is in memory.
Second, if the computer is stolen or lost from a parked car, an airport, or a hotel room, the computer is off, so memory is no longer an issue. Or is it?
Princeton University's Center for Information Technology Policy released a paper showing how whole-disk encryption can be defeated quickly and easily.
The Princeton group's attack on whole-disk encryption relies on the fact that computer memory (DRAM) is not wiped when the system is powered off. Instead it becomes unreliable, decaying over a period of seconds to minutes. The attack is as follows: get access to a laptop that is currently running (so that the whole-disk encryption key is in memory), spray the RAM with an inverted compressed-air can to cool it to about -50 degrees Celsius, and power the system off. Cooling the memory slows its decay. Next, take a snapshot of the target computer's memory, for example by booting a small imaging tool from a USB stick or by moving the cooled modules to another machine. This snapshot can then be searched for prospective cryptographic keys, which are tried against the target drive. Some knowledge of the particular whole-disk encryption product is needed to find where in memory the key lives, and error-correction techniques are needed in case a few bits have flipped due to memory decay, but it reduces the problem from computationally infeasible to something that can be cracked in a few minutes, or at worst hours. So is this the end of whole disk encryption? The answer is no. But we do need to look at our procedures.
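The two hard parts of the attack just described, locating a key in a noisy memory snapshot and correcting bits that decay has flipped, both come down to one fact: an AES implementation keeps its expanded key schedule in RAM, and that schedule is redundant. The Python below is an added example written for this post, not code from the original page or from the Princeton group (their published key-finding tools exploit the same structure). It assumes AES-128 (11 round keys, 176 bytes) stored contiguously in FIPS-197 order; the memory image, the key's offset and the decay pattern are constructed for the demo. A naive exact-match search fails as soon as one bit of the master key decays, while inverting every round key back to the master key and taking a majority vote recovers it.

```python
# Added example, not the Princeton group's code: find an AES-128 key in a partly
# decayed memory image by exploiting the redundancy of the expanded key schedule.
import random
from collections import Counter

def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a, b = ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF, b >> 1
    return p

def _build_sbox():
    """AES S-box: affine transform of the multiplicative inverse (a^254)."""
    sbox = []
    for a in range(256):
        inv = 1 if a else 0
        for _ in range(254 if a else 0):
            inv = _gf_mul(inv, a)
        s = x = inv
        for _ in range(4):
            x = ((x << 1) | (x >> 7)) & 0xFF
            s ^= x
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
RCON = [0x00, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def _xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))
def _sub_rot(w):  # SubWord(RotWord(w)) on a 4-byte tuple
    return (SBOX[w[1]], SBOX[w[2]], SBOX[w[3]], SBOX[w[0]])

def expand_key(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    w = [tuple(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = _xor(_sub_rot(t), (RCON[i // 4], 0, 0, 0))
        w.append(_xor(w[i - 4], t))
    return bytes(b for word in w for b in word)

def invert_round_key(round_key, r):
    """Recover the master key from round key r (0..10) alone; the expansion is
    invertible, so every round key in RAM is a redundant copy of the key."""
    w = [tuple(round_key[i:i + 4]) for i in range(0, 16, 4)]
    for rr in range(r, 0, -1):
        # w[4rr+j] = w[4rr+j-4] ^ w[4rr+j-1] for j = 1..3, so xor them back; the
        # round's first word also went through SubWord/RotWord and Rcon.
        p3, p2, p1 = _xor(w[3], w[2]), _xor(w[2], w[1]), _xor(w[1], w[0])
        p0 = _xor(_xor(w[0], _sub_rot(p3)), (RCON[rr], 0, 0, 0))
        w = [p0, p1, p2, p3]
    return bytes(b for word in w for b in word)

def find_exact(image):
    """Naive locator: exact match of the schedule expanded from each 16-byte window."""
    return [off for off in range(len(image) - 175)
            if expand_key(image[off:off + 16]) == image[off:off + 176]]

def find_aes128_keys(image, min_agree=6):
    """Decay-tolerant locator: invert all 11 round keys at each offset and report
    (offset, key, votes) wherever at least min_agree of them name the same key."""
    found = []
    for off in range(len(image) - 175):
        votes = Counter(invert_round_key(image[off + 16 * r:off + 16 * r + 16], r)
                        for r in range(11))
        key, n = votes.most_common(1)[0]
        if n >= min_agree:
            found.append((off, key, n))
    return found

KEY_OFFSET = 300  # where the constructed image carries the schedule
def build_demo_image(seed=1):
    """Constructed 1 KiB image: random filler plus one key schedule at KEY_OFFSET."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(16))
    image = bytearray(rng.randrange(256) for _ in range(1024))
    image[KEY_OFFSET:KEY_OFFSET + 176] = expand_key(key)
    return key, bytes(image)

def decay(image, bit_positions):
    """Flip the given bits in a copy of image (real decay is mostly one-way, toward
    the cell's ground state; XOR is used here so the damage is always visible)."""
    buf = bytearray(image)
    for pos in bit_positions:
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)

DEMO_KEY, CLEAN_IMAGE = build_demo_image()
# Constructed decay: bit errors (offsets from the schedule start, 128 bits per
# round key) in round keys 0, 3, 6, 9 and 10; rounds 1, 2, 4, 5, 7, 8 stay intact.
DECAYED_BITS = [3, 40, 100, 128 * 3 + 5, 128 * 3 + 77, 128 * 6 + 1,
                128 * 9 + 50, 128 * 9 + 120, 128 * 10 + 9]
DECAYED_IMAGE = decay(CLEAN_IMAGE, [KEY_OFFSET * 8 + b for b in DECAYED_BITS])

if __name__ == "__main__":
    print("exact match on decayed image:", find_exact(DECAYED_IMAGE))
    for off, key, n in find_aes128_keys(DECAYED_IMAGE):
        print(f"offset {off}: key {key.hex()} ({n}/11 round keys agree)")
```

Running it prints an empty exact-match result followed by the recovered key with 6 of 11 round keys agreeing. Two caveats for real images: decay accelerates once the modules warm up, so when most round keys carry errors a per-bit vote across the inverted copies (or the paper's own error-correcting search) is needed rather than exact agreement; and a product that scrubs the schedule on suspend, or keeps the key somewhere other than RAM, defeats this scan entirely.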
- Do not use sleep/suspend-to-RAM when the computer is not actually in your hands; either power off or use hibernate mode (hibernate is only safe when the hibernation file itself lands on the encrypted volume). Best is to power off several minutes before any situation in which the computer's physical security could be compromised, so the key has time to fade from memory. In sleep or suspend-to-RAM the whole-disk encryption key is still held in memory and can be recovered.
- If you have a few truly critical files, use file encryption (such as the Windows Encrypting File System or PGP's file encryption) on those files, with a different password than the one used for whole-disk encryption. Better yet, keep critical information off mobile devices.
- If a laptop is lost or stolen, do a risk assessment/audit of what was on that computer and increase monitoring of the data and systems that may be at risk.
- Educate laptop users about the above risk. Whole disk encryption is a good solution, and it can be strengthened by the steps above.
Links: