In December 2009, researchers at the security lab of Fraunhofer SIT announced a new way of circumventing the drive encryption technology provided by Microsoft Bitlocker (found in versions of Vista, Windows 7 and Server 2008). In addition to previous announcements from other researchers on the same topic, Fraunhofer were able to bypass this security even when used in conjunction with a Trusted Platform Module (TPM).
The announcement created a buzz on the Internet, as usual with lots of people claiming the end of the world, pointing fingers at Microsoft and twittering their opinions on #fail and #failure.
Well. All you can do is manage risk. Bitlocker works. It provides good security, when implemented properly (now that's possibly the hard part, as it involves humans). Take a look at the wikipedia entry on Bitlocker, it describes how Bitlocker has three authentication mechanisms, and how they may be attacked (or circumvented) by using "cold boot attacks" or "bootkit attacks". These are physical attacks, they need physical access to your computer. There's a smaller chance of that happening compared to getting "hijacked" by malware on some random website you're visiting. Even if somebody deliberately wanted to attack you, there's a higher probability of that happening using software and websurfing than against your physical computer.
There are hundreds - thousands - of people that can access your computer rather easily, without putting much effort or expense into it. Compare that to the millions (or billions?) that can attack you through the Internet... Well, you get the idea.
But that's a diversion, lets get back to Bitlocker. There are other solutions on the market that can provide full-disk encryption as well, Safeguard Easy from Sophos and Check Point Full Disk Encryption are 2 commercial alternatives. TrueCrypt is maybe one of the best known free and open-source solutions. (Comparison of many solutions can be found here). Not going into the details here, there are pros and cons with all of them, and they will all be susceptible to either cold boot or bootkit attacks in some form anyway.
What i find amazing about all the fuzz and buzz about the apparent failure of Bitlocker is that people are criticizing advanced technology and cryptographic solutions, talking about advanced attack methods which require rather advanced tools and techniques. Security is 80% about people, the remaining 20% is everything else. PROPERLY implementing the technology is the key here. Many people doesn't do things properly, at least not on their first attempt (or do you always read the manual first?)
I'm interested in passw
ords. Not by passwords themselves, but how they protect, or fail to protect information and assets that represent value in some form to people, organizations and our society in a variety of ways.The failure is always on the human side, as we fail to design, implement and maintain it properly. Many people ask me "What about 2-factor authentication then?". I usually reply with "Oh, you're thinking about those cute little dongles which people lose all the time, protected only by 4 static digits, most probably written on the backside of the dongle? PIN equals PASSWORD".
You may use AES-256 as your encryption of choice, but if your password is password... Well, that's not good. And it doesn't matter if you're using Bitlocker, Truecrypt, Sophos or Check Point. All software solutions, which may interact with, or require hardware tokens as well. Of course you could buy yourself some of the hard drives that features on-board hardware encryption like the Momentus drives from Seagate, but still there will probably be a need of a user supplying some sort of credentials in order to access the encrypted data. Which will be susceptible to cold boot or bootkit attacks as well.
Now here's a failure from my point of view: if not implemented properly, they will allow the user to use very short and easy-to-guess passwords. Believe me; if people are allowed to use very easy passwords and never change them, they will do exactly that. (I've got many years of personal research to support that allegation.) To make things worse: if any unauthorized individuals can get access to your unencrypted data they will also get access to any passwords stored on the computer. Even if you change it after momentarily after discovering your computer is gone, the probability of most users changing their password from password10 to password11 is rather high (got statistics there as well). Once they're in, it is really hard to get them out. An attacker only needs to succeed once, you can never fail.
The FUD concerning Bitlocker #failure published some places are just FUD. There's a rather big gap between the academical research ending up in advanced attack scenarios and the simple reality as illustrated in this xkcd comic:
Bottom line: Do your own evaluation of the solutions available, and choose the one that fulfills your needs, satisfies your risk analysis and conforms to your budget. Bitlocker may very well be fulfilling all those criteria.
Personally i recommend using full-disk encryption for most environments, but you also need to harden and patch your operating system and all applications continuously. That is a long list of work to do, believe me.
This blogpost is the personal opinions of Per Thorsheim, and does not necessarily reflect the opinion of his employer. Per Thorsheim is working full-time with security, based in Bergen, Norway. During his spare time he does research into various security topics and is a very active participant in the security community. He is currently certified CISA and CISM from ISACA, and CISSP-ISSAP from ISC(2). You can read his blog at securitynirvana.blogspot.com, and contact him at per-AT-thorsheim.net. He is very interested in public speaking engagements.
Recent comments
14 weeks 3 days ago
14 weeks 4 days ago
14 weeks 5 days ago
14 weeks 5 days ago
14 weeks 5 days ago
14 weeks 6 days ago
18 weeks 13 hours ago
19 weeks 2 days ago
21 weeks 4 days ago
21 weeks 6 days ago