BitLocker Password Exploit Is 'Very Unlikely,' Sisk Says

8/29/2008

Redmond responded Tuesday to an independent security vendor's discovery of a hard-drive encryption vulnerability affecting Microsoft's BitLocker function, Intel/HP's BIOS and several other products and programs.

Microsoft acknowledged the threat, which was described by representatives of Kolkata, India-based iViZ at the Defcon 16 event. Redmond offered some explanations and workarounds.

"We recognize that the claim detailed in the presentation by the researcher about BitLocker is correct," wrote Bill Sisk, security response communications manager for Microsoft, in an e-mail sent today. "This theoretical attack is only possible in targeted situations, and while probable, [it's] very unlikely."

Sisk's comments come as a retort to an announcement on Monday from iViZ, a security penetration testing company. iViZ said that it had discovered a new class of a preexisting vulnerability that allows attackers to steal computer boot passwords. The exploit bypasses the security of preboot authentication software, such as Microsoft's BitLocker hard-disk encryption tool.

The premise of iViZ's argument lies in the fact that programmers who might be unaware of such bugs tend to code boot password features in a way that doesn't expunge critical information from the hard drive. It's a circumstance that could lead to "inadvertent leakage and theft," according to the company's announcement. Even the most thorough hard-drive encryption scheme may not be able to block this vulnerability.

To that end, Sisk added that the software giant has addressed such issues in Windows Vista Service Pack 1, and he encouraged "customers to update their systems accordingly."

BitLocker, first released in January 2007, is designed to guard personal and private data on mobile PCs. It comes with other protection options that can be customized to meet the needs of various end users.

"Like all full volume encryption products BitLocker has a key-in memory when the system is running in order to encrypt/decrypt data, on the fly, for the drive/s in use," wrote Sisk. "If a system is in 'Sleep mode' it is, in effect, still running."

In that vein, Microsoft encourages IT pros concerned about such bugs to consult best practices on data encryption in BitLocker, previously published by Redmond here.

Among other things, Microsoft's guidance expounds on the balance of security and usability when using BitLocker in hibernate mode.


Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. You can contact Jabulani at editor@entmag.com.

Jabulani Leffall, "BitLocker Password Exploit Is 'Very Unlikely,' Sisk Says," Campus Technology, 8/29/2008, http://www.campustechnology.com/article.aspx?aid=66956
