Comments on: You can never rely on encryption

By: Cagey

Cagey — Mon, 03 Mar 2008 14:49:45 +0000

If the file was encrypted on the laptop then it was unencrypted at some stage. That would imply there would be info left over in the swapfile or somewhere else that may not be encrypted.

Alternatively, maybe they are saying that file is not specifically encrypted but the laptop hard disk is protected with 256 AES.

In either scenario, the encryption is as weak as the password. The letter says that “the code on this laptop is thirty five characters”. Is that potentially or in reality? If the actual password is 5 or 6 characters then it can be easily brute-force cracked. If it is longer it may be vulnerable to a dictionary attack. If it is a random 35 alphanumeric characters then it is presumably written down somewhere.

Unless the user has a very good memory for random alphas the only hope would be an obfuscated passphrase like “Shou1dnt 68 5hare-tHis_*&$ing_data!”

By: Fitz

Fitz — Wed, 27 Feb 2008 13:09:25 +0000

I’ve written a letter to the Chief Executive of the IBTS with a number of questions. One of the questions asks specifically if the password was stored anywhere else.

By: Bob

Bob — Wed, 27 Feb 2008 12:12:31 +0000

i.e. if faced with a 2^255 operation Bank Vault Door, look for the doorbell

By: Bob

Bob — Wed, 27 Feb 2008 12:07:31 +0000

the AES-type 256 bit encryption is a red herring; if Mitnick were confronted with this he’d look for the post-it with the password - probably in the laptop case.

By: Fitz

Fitz — Mon, 25 Feb 2008 23:33:39 +0000

I’m very very angry. I received a letter from the IBTS today telling me that my information was on that laptop.

I did not give permission to IBTS to use my personal details in any way.

I am also concerned that although the details are supposedly encrypted there is clearly such lax protection of this data that the passwords are probably stored in email on the damn laptop.

By: Anonymous Coward

Anonymous Coward — Mon, 25 Feb 2008 18:21:58 +0000

Ip Address - It was simple. They didn’t need a lab or any fancy equipment. The cooling was done using a simply canister you can buy at any electronics or many other stores (they used the same spray canisters you use to blow dust out of your computer or keyboard). They lowered the temp to -50 degrees centigrade, not -192.

Once cooled, they could then remove the memory chip and simply drop it into another system. Nothing complex here. After that they could use any of a number of freely available utilities to do a memory dump and then look for an area of high entropy - basically a memory segment that looked like a series of random numbers. Not very difficult considering that you could easily eliminate all the areas that the computer instructions (program) use because instructions aren’t random. Program data is also usually not random (unless generated for games (to vary game play) or for some other program related purpose). Data is otherwise very structured.

Anyone skilled enough to understand assembly and hardware savvy enough to take a machine apart enough to access the ram would be able to pull this off. Which boils down to almost any computer science grad or half-baked hacker.

However, since this is a recent exploit, it’s likely that the blood donor data was safe from attack. Ultimately, this wasn’t an attack on any of the encryption algorithms but is a “side-channel” attack. You can’t break the encryption, so you just go around it. Kind of like recording a blue-ray dvd to an analog device. But in this case, you don’t really get any signal degredation.

By: Ip Address

Ip Address — Sun, 24 Feb 2008 06:48:48 +0000

What concert me is that a group from Princeton University call it “simple method” to steal encrypted information stored on computer hard disks.
I do not think that it is simple method to cool the chips in liquid nitrogen (-196 Â°C) and then put the chips back into a machine to read out their contents. But… it is good to know that increased the security of modern personal computers, does not appear to stop the potential attacks and that computer security experts are now on the move to make things better and more secure.

By: John Hunter

John Hunter — Sat, 23 Feb 2008 18:18:11 +0000

Very true. I don’t understand why simple common sense measures are not taken. I get the same feeling as when a character in a movie is obviously setting themselves up for disaster. They would never to that in real life… Hmm., then again maybe they would

By: Anon

Anon — Sat, 23 Feb 2008 17:00:18 +0000

You’re being totally alarmist here. The reported vulnerability really has nothing to do with the loss of donor data in this case.

Look at the details of the attack - the window in which it has to occur is tiny. Somehow I doubt the thief chilled the DRAM and extracted the data within a few minutes.

Now you might have reason to be concerned if the laptop was switched on, unlocked and the crypto keys had been entered when it was taken. Some casual snooping could lead to the data.

By: Steven

Steven — Fri, 22 Feb 2008 20:50:48 +0000

That data should never have left the building, nevermind the State, encrypted or otherwise. I’m curious to know whether the terms under which it was acquired from donors permits its use in software testing by third parties..

In the UK, at least, this is streng verboten: http://www.theregister.co.uk/2006/03/14/unknown_data_protection_breach/