Ed Felten this week released some research on defeating disk encryption by recovering keys from DRAM. His blog entry mentioned by name Bitlocker, FileVault and dm-crypt as implementations which can be defeated in this way. Some 70+ articles appeared over the next 24 hours discussing the attack. Of course, we all immediately pinged Mike Halcrow to hear his thoughts on the issue. Between this article and the one a few weeks ago “Encryption could make you more vulnerable”, he just isn’t feeling the love, so he sat down and pounded out his own blog response. In light of news stories such as these, it is well worth keeping in mind that a key motivator for server encryption is to ease disposition of obsolete hardware. It is just too easy to do it the wrong way if you don’t employ encryption.
One of the most common requests I hear is for automation of security hardening, so it was pretty cool when TCS announced their Security Blanket product last fall. Earlier this month they announced that it is now compliant with DISA’s STIG. This is cool and all, but didn’t anyone tell their marketing branch that a security blanket just makes you feel better but doesn’t offer any real security? Not exactly the message that you want your hardening tool to confer.
I have a weakness for stories like Hacks, Phreaks, Worms, Tigers
and Bears–Oh My “The top eight events that changed the course of computer security history (and two that didnâ€™t)” Nothing earth shattering, but a fun quick read.
And, of course, IBM to collaborate on NSA program is just amazingly awesome good news.
Links in this edition: