Re: [Fed-Talk] no sensitive data on Macbooks at NIH
- Subject: Re: [Fed-Talk] no sensitive data on Macbooks at NIH
- From: Michael <email@hidden>
- Date: Mon, 7 Apr 2008 09:57:45 -0400
Since this question has not been answered on list -- the reference to
the "can of compressed air" refers to the issue that if you hold a can
of compressed air upside down, the liquid that comes out is cold enough
to make the data in RAM stay around for 15 minutes or more.

"DRAMs used in most modern computers retain their contents for seconds
to minutes after power is lost, even at operating temperatures and
even if removed from a motherboard. Although DRAMs become less
reliable when they are not refreshed, they are not immediately erased,
and their contents persist sufficiently for malicious (or forensic)
acquisition of usable full-system memory images."

If you do a hard reboot of a machine, the RAM is refreshed almost
immediately after power is restored, and therefore the data is still in
the RAM unless the OS or hardware overwrites it, and this latter issue
is easily bypassed. There is a very easy to read research paper from
Princeton: "Lest We Remember: Cold Boot Attacks on Encryption Keys"
<http://citp.princeton.edu/pub/coldboot.pdf>. From the references listed
there is a good set of preexisting research on this subject, but the
implications of this field of study never got passed out to the general
security community, I guess.

Basically you either remove the RAM to a friendly machine or reboot
the original machine with a minimum Linux OS and copy data out.

Practical attacks have been demonstrated "against several popular disk
encryption systems: BitLocker (a feature of Windows Vista), FileVault
(a feature of Mac OS X), dm-crypt (a feature of Linux), and TrueCrypt
(a third-party application for Windows, Linux, and Mac OS X)." The
Vista designers were aware of this issue when they designed BitLocker;
their solution didn't solve the problem.

There is no software solution to this problem; any data you have
access to when logged into your machine is available to anyone who
steals your machine while you are logged in, regardless of locking
screen savers and locked sleep modes.

The physical solution is to never leave your machine powered up in
screen saver mode or sleep mode if there is even a remote chance it
could be stolen, for example, in a cafe or in the airport security
line or your office.

*** This all assumes you are already encrypting at least the data on
your machine.

Regarding NIH, it seems pretty clear that they decided to certify
Pointsec and BitLocker to protect their data and ignore equivalent
software built in to OS X; 'tis a shame that "Apple officials were not
immediately available for comment" on this misunderstanding -- I
wonder what that really means, they called or emailed who? Another view
is that someone decided that only whole-disk encryption could be used
regardless of any analysis. Personally I have a bit of an issue with
software-based whole disk encryption; it seems that given the massive
set of known content and the need to actually boot the operating
system you should be able to find a researcher or company that has
already cracked the software.

PointSec has its own problems
<http://isc.sans.org/diary.html?storyid=4133&rss> &
<https://www.swiftpage5.com/lucidatainc.cmitch6039/C080311142700/speasapage.aspx?addr=280>.

Basically PointSec is vulnerable to attacks via FirePorts if the
machine has been successfully booted past the authentication stage.
Also mentioned: "It is also important to note that ANY whole disk
encryption solution is vulnerable once the operating system is loaded
into memory."

Of course PointSec has "Through the new support for remote help
feature, Pointsec for Linux 2.0 allows users to reset their password
through the help desk and regain access to their system." Apply
social engineering and bypass the encryption.

Thinking about all the facts, your data is safer if individual files
are encrypted as well as using a whole disk encryption or FileVault.
On a reasonably handled OS X or Linux machine, none of the user's data
exists outside the user's directory. The only trick is proving that
nothing ends up in /tmp and getting Management to understand.
Michael
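One way to approach the check raised at the end of the message above (showing that nothing of the user's ends up in /tmp), as an added example that is not part of the original post. The function names, the /var/tmp root and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile


def _inside(path, parent):
    """True if path is parent itself or lies beneath it (symlinks resolved)."""
    path = os.path.realpath(path)
    return path == parent or path.startswith(parent + os.sep)


def find_stray_files(uid, home, roots):
    """Regular files owned by uid under roots but outside home."""
    home = os.path.realpath(home)
    stray = set()
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(os.path.realpath(root)):
            if _inside(dirpath, home):
                dirnames[:] = []  # the home directory is the protected area
                continue
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # file vanished or is unreadable
                if stat.S_ISREG(st.st_mode) and st.st_uid == uid:
                    stray.add(path)
    return sorted(stray)


def demo():
    """Constructed tree: one file inside the home, two scratch copies outside."""
    with tempfile.TemporaryDirectory() as base:
        for rel in ("home/user/report.txt", "tmp/report.txt.swp",
                    "var/tmp/export.csv"):
            path = os.path.join(base, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        real_base = os.path.realpath(base)
        found = find_stray_files(os.geteuid(),
                                 os.path.join(base, "home", "user"), [base])
        return [os.path.relpath(p, real_base) for p in found]


if __name__ == "__main__":
    # Assumed scratch locations; extend the list for the system being audited.
    for p in find_stray_files(os.geteuid(), os.path.expanduser("~"),
                              ["/tmp", "/var/tmp"]):
        print(p)
```

An empty result only covers the roots that were scanned and the files present at scan time; swap space and files already deleted from scratch directories are outside what this check sees.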
On Apr 5, 2008, at 4:16 PM, Josh Larsen wrote:
So can any other FDE product - because it's an attack on the hardware, not the software.
What does compressed air have to do with a system that was not encrypted?

On Sat, Apr 5, 2008 at 3:39 PM, William G. Cerniuk <email@hidden> wrote:
Pointsec can be compromised with a can of compressed air.
V/R
Wm.

On Apr 5, 2008, at 3:36 PM, Josh Larsen wrote:
"The laptop was not encrypted, despite a 2-year-old federal policy that mandates encryption on government systems."
What are you basing that statement on?

On Fri, Apr 4, 2008 at 8:34 PM, Joel Esler <email@hidden> wrote:
Need I point out that pointsec was compromised as well? Or no...
--
Joel Esler
Sent from the iRoad.

On Apr 4, 2008, at 7:57 PM, Stephen Bates <email@hidden> wrote:
<http://www.informationweek.com/shared/printableArticle.jhtml?articleID=207001840>
U.S. Health Agency Forbids Sensitive Data On Apple MacBooks
Employees who store medical records on laptops must use systems that run either on Microsoft's Windows operating system or Linux.
By Paul McDougall, InformationWeek
April 4, 2008
URL: <http://www.informationweek.com/story/showArticle.jhtml?articleID=207001840>
In the wake of a widely publicized security breach that left thousands of patient records exposed, the federal government's National Institutes of Health is forbidding all employees who use Apple's MacBook laptops from handling sensitive data as of Friday, *InformationWeek* has learned.

Employees at the health agency who store medical records and other personal information on laptops must use systems that run either on Microsoft's Windows operating system or Linux, according to an agency memo.

Those systems must be equipped with Check Point Software's Pointsec encryption tool as of April 4, according to an NIH mandate. Systems running Windows Vista can also use Vista's built-in BitLocker disk encryption tool.

NIH imposed the no-MacBooks rule because there is no Apple-compatible version of Pointsec. To date, Check Point has only released a beta version of Pointsec for Macs that's not yet ready for government use.

"Computers that cannot be encrypted by Pointsec at this time (e.g., Macs) are waived from the encryption mandate, but only with the stipulation that they do not contain any PII or sensitive government information," the NIH Office of Research Services said in a memo to NIH staff. PII refers to personally identifiable information.

NIH said it's been given no estimate as to when a final version of Pointsec for Macs may become available. It was not immediately clear how many Apple MacBooks are in use at the NIH. It also wasn't clear whether the ban extends to the whole of the U.S. Department of Health And Human Services, of which NIH is a part.

An NIH spokesman did not immediately respond to an inquiry seeking more information.

The MacBook ban applies to in-house NIH workers and also to contractors employed by the agency to handle sensitive data, according to the memo.

NIH employees who use laptops that are permanently anchored to a desk or research equipment can ask for an exemption from the encryption mandate as long as they place a "Do Not Remove" sticker on their machines.

NIH's decision highlights one of the biggest challenges facing Apple as it seeks to make greater inroads against Microsoft in the business and government computing markets. Commercial software developers have little incentive to port business applications to the Mac because the platform holds only a tiny share of the business computing market.

NIH imposed the April 4 deadline in the wake of an embarrassing incident <http://public.nhlbi.nih.gov/newsroom/home/GetPressRelease.aspx?id=2559> in February in which a laptop containing records on 2,500 patients enrolled in a medical study was stolen. The laptop was not encrypted, despite a 2-year-old federal policy that mandates encryption on government systems.

NIH did not disclose the type of laptop that was stolen. Apple officials were not immediately available for comment.
Copyright (c) 2007 CMP Media LLC <http://www.cmpnet.com/>