Almost every viable player in the market has now been acquired, and I expect the rest to follow suit in the next quarter. For those of you that have not been following over the years - here is the plays that have been made:

First to go, (my former employer) Pointsec Mobile Technologies was sold to Checkpoint for 586M .

Then Utimaco was purchased by Sophos for 342M .

The McAfee purchased the former SafeBoot product for 350M .

Now Symantec has taken down both PGP for 300M and Guardian Edge for 70M .

Over my more than a decade in the Data-at-Rest business it has gone from ‘what is encrpytion’ to ‘whose security suite with encryption are you buying’. This technology has strongly moved into the mainstream.

   It should not be a surprise as Information Security regulations have grown in include a number of requirements for protection of personally identifiable information - both all major commercial vertical and government agencies.

 The question for 2010 and 2011 will be one of large scale implementation of the technologies usign existing tools on the market, as well as growth of those products as they are integrated into much large suites of applications.

  I think that we will see a few more acquisition firework shows before it is done, but I’m looking forward to seeing the resulting mainstream products that result.

  Myself and a team of other highly experienced information security experts can help deploy your data-at-rest solution - including conversion from one vendor to another, or no-risk guaranteed deployment scenarios - independent of the vendors.

   For more information, please visit http://www.designedsecure.com  .

End shameless promotion message.

  The standards that the Government spent so much time and money to create are entirely ignored, and there is no one to enforce them. The wild west has returned, products do not meet even basic Information Security standards like FIPS and Common Criteria are being purchased and deployed. Plans to implement common sense policies, procedures and technologies to protect ourselves are being ignored - and money is quickly following in Cybersecurity withotu defining what Cybersecurity means or what the target of our efforts are.

     We need to get focused on providing real protections for Data-at-Rest, belive it or not this is where the majority of data leak occurs. Lost USB Keys, lost laptops, lost external hard drives - we see the stories every day.  The technologies exist already to address the problems, but we lack the resolve to deploy them.

2010 is starting out as the year of renewed Hype cycle. Lot’s of people talking about security, put not much activity in making things secure. So far this year Commercial program have been released to break both Bitlocker (yes, again!) and Truecrypt - one only needs to look as far as www.passware.com to find programs able to crack commerical ‘military strength crypto’.

Hopefully in the remainder of this year, Data-at-Rest protections , and information security more generally, will find solutions getting implemented in order to meet the growing need to secure Data-at-rest; and hopefully we can find better Data-at-rest solutions from the information security vendors to provide real protections.

  From now on, whenever I get into the once a week argument with someone that thinks that know about security I’ll point out this site. I always the one saying that Data Loss from lost / stolen / copied devices and media is 100 times more then network based intrusion - then someone starts relating to me their recollection of Wargames 20 years ago and transfers it into fact. Funny part about it is that most CIOs spend their money that way, also.

    Find any company that has comprehensive Data-at-Rest implementations?  Good luck looking, because you will find very few.. You’ll even find people telling You that Microsoft Bitlocker Drive encryption is secure despite the readily available tools to defeat it (take a look at www.lostpassword.com ) .

  So, the truth is that no one’s data without a data-at-rest encrpytion plan is secure; and no one has a good comprehensive data-at-rest implementation. SO, net-net people can have whatever data they want on any individual because companies refuse to protect it. All the Billions that CIOs and CSOs waste on the newest network security tool doesn’t protect their data even one little bit.

  Data-at-Rest is the ignored weakest link of any corporations information security policy - and anyone can breach any company they want, any time they want simply by picking up a laptop or USB key with data on it.  Let’s see your Millions of dollars of IT security expenditures prevent it.

    I can’t tell you how many conversations I have had recently, in Government and Business alike, and companies have ‘moved on’  looking for the next security hot topic to protect against without completing their Polices, procedures, and implementation around Data-At-Rest.  Some are looking to next generation hardware that encrypts information in hardware - without thinking about the management backend required to do enterprise scale user and encryption key management.

   Security is hard work, and sometimes that ’stick to it’ ness doesn’t easy convey from the security team to the board room or executive leadership.  Looking into 2010, I have a hope that we can make this the ‘implementation decade’.  Can we complete our security implementation in 2010? Sure, through hard work and determination we can use technologies and procedures already in existence to provide at least basic protections for Data everywhere it goes. We all need to spend a lot more time thinking about solving problems, and implementing them - at least as much as we do looking for new problems.

     So, Implement that Cryptosystem - change that four character password -  implement two-factor authentication. I know it’s taken 15 years for us all to get here, but maybe if we complete some of these implementation we won’t have to continually hear about data losses for the next 10 years.

  Seems like a Choicepoint perfect storm, intellectual property is roaming in the wild in the heads and cell phones of dismissed employees. It’s too late to work on that to-do list of Data Leak Protection items the day after 100s of employees are sent packing - some with the 8gb USB keys and synced personal cell phone.

   It still astonishes me that enterprise treat security as an afterthought, and find themselves playing catch up after the incident rather then preparing prior. A data back-up  always sounds like a good idea the day your hard drive fails, while the day before it sounds like a pain in the butt.

   Everyone Information security person still employed at a large institution should be in overdrive trying to get protections in place for the next R-Day (Reduction In Force Day ). If nothing else, and given you have no budget, you should run a test group of a free tool like Truecrypt - or evaluate one of the Data at Rest vendors, so when you are able to beg for some budget you can get a program rolled out quickly.

   Everyone in INFOSEC needs to be in overdrive mode during this economic quagmire, need I remind you what the Stones say “Just as every cop is a criminal and all the sinners, Saints” - in this time of despiration people will do things that they woudl not usually do. Your security controls are more important now then ever.

 What about ePO, or HBSS, McAfee’s be all - end all managment console that communicates to all the clients. ZERO certifications, ZIP, Zilch, Nada. What about certifications that cover anything above Windows XP, nope.

Do you know McAfee has NEVER done a certification for FIPS on it’s own? Only through acquisition of SafeBoot do they have ANY certifications. What a joke!

Just so no one says that I’m talkign out of school, here is a copy of all of McAfee’s certifications form the NIST website at www.nist.gov/cmvp

It’s always funny to me how people can spend MIllions of dollars on marketing, but not spend on building a quality product

                On February 21, 2008 a team of researchers from Princeton University published a research paper entitled ‘Lest We Remember: Cold Boot Attacks on Encryption Keys’[i]  that describes a combination of a physical and logical attack on a laptop that results in the disclosure of Encryption keys that are encrypting the data on the hard drive. A video demonstration, available on the research team’s website, demonstrates this techniques usage on Microsoft’s Bitlocker in the form of a software program called ‘unbitlocker’.

                The paper details, in a general fashion, how the attack method can be used to attack an entire class of products similar to Bitlocker, products referred to as full disk encryption products. Several companies have come out with statements regarding the feasibility or infeasibility of the attack, but there has not been a rigorous discussion of the recreation of this attack.

                Functionally, the attack breaks down into two parts: a physical attack to image the RAM of the target system and a logical attack to find the key amidst all of the other data that is in RAM.  The majority of the controversy regarding this paper has centered on the feasibility of the physical attack; with several people denouncing the feasibility.

                However, one of the fundamental guiding tenants of security systems is Kerckhoff’s Principal – a security system should depend only on the security of the key to maintain security, even if everything about the system is public knowledge.  To this end, we have endeavored to reproduce the experiment without the reliance on the physical attack – to be exact, we have assumed that the physical attack was perfectly executed and delivered the best data possible.

                The task of finding one encryption key in the entire contents of RAM is not trivial.Finding this solitary piece of information in RAM  is analogous to finding a needle in a haystack.  Just to give everyone perspective, a good computer has 2 Giga-Bytes of RAM – this is 17,179,869,184 bits of information. The Keys that we use routinely are 256-bit; meaning that you are looking for 256 bits in 17,179,869,184 bits of information.  This means we are looking for 1 in 67,108,864 (67 Million) – The Earth total surface area is 196,935,000 (70% ocean, 30% land ) with only 59 Million Square miles of land. – So we are looking for one square mile on all the land on earth.  The Princeton team used some sophisticated mathematical techniques to key the key in Memory, they have not released all of the methods to the world yet  (nor have they released unbitlocker, a program that uses this to crack Microsoft Bitlocker).

                We have taken several sets of sample data, and replicated the ‘keyfind’ program described in Princeton paper (but not disclosed). In the interested of public discussion of this topic, we are fully disclosing the keyfind method and will provide a brief explanation as to its function.

                Only after a rigorous examination of this research can countermeasures be developed to create stronger security for confidential data stored on laptops to protect against such attacks and others to come in the future. Our examination has led to rigorous defenses against the specific attacks described in the Princeton research, but variations of this attack will always be possible in the future. Vigilance is required to stay ahead of attacks, and keep data secure.

Experimental Sections

                Reproduction of the attack entails two sections:

1)      Physical capture of the RAM contents

2)      Logical Analysis of the RAM contents to retrieve Key

   Our experiment was based on the assumption that a reasonable physical memory capture of the target machine is feasible and has been accomplished. To recreate this occurrence, we utilized Microsoft’s debugging program, WINDBG.EXE to obtain a complete memory dump of an encrypted target computer. This constitutes the worst case scenario for the target machine, and would not be a feasible attack in real life. This method requires the target machine to be attached to another machine via a firewire cable and for software to be installed on the target – clearly not a stealth attack. This does, however, require that any protections present be on the part of the encryption software itself with no reliance on the power state or make up of the target computer.

  Logical Analysis of the memory dumps consists of the attempted retrieval of the encryption key that is used for the encryption of the data stored on the hard drive. Special programs must be developed for mathematical analysis of the data, the Princeton team mentions a program that they created called ‘keyfind’ which they have not disclosed. We have recreated the function of this program from the mathematics behind it and include it in the experiment recreation section.

AES Key Expansion

 The method of finding the AES key amidst all of the other extraneous data in memory is using one of the functional characteristics of AES itself, namely Key expansion.  Key expansion is the mechanism through which you take the symmetric encryption key and expand it into a workable format for both encryption and decryption – as well as several iterations, or rounds.  AES is not a Feistel Cipher, meaning that encryption and decryption are not equivalent functions, which necessitates the separate tables for encryption and decryption of data.

Since this key is typically used constantly in the case of full disk encryption , the Key expansion is stored in memory and used to encrypt the data being written to the disk and decrypt the data being read off the disk. This was the mechanism of attack utilized by the Princeton researchers.

                In order to find the key expansion in memory (and subsequently in the memory dump file captured in the attack) the Keyfind program reads a specific length of data which corresponds to the key length of the algorithm.  The Length of the data is 32 bits for 256-bit, 24 bits for 192-bit or 16 bits for 128 bit. This data from the memory dump is then assumed to be the encryption key, and Key Expansion is performed upon it.  The resultant Key Expansion is then compared against the ‘nextchunk’ of data from the memory dump to see if it matches. 

                The pattern matching of the key to the key expansion is what allows the decrease in time to finding the key stored in RAM. IT is, however, dependent upon the pattern found in memory matching the pre-computed Key expansion exactly.

Experiment recreation

Physical Capture

   Physical capture of memory was obtained through the use of the windows debugging tool. Setup of this tools is detailed on http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx  . Physical setup required two computers, a target computer (the computer being attacked) and a host computer (from which the attacker is attacking). 

   The target system must have a full disk encryption software installed and running, and the user must be authenticated. In our recreation we used Mobile Armor’s DataArmor product version 3.0 service pack 4.

Sample Data

Experimental Results

Finding the Key (or more aptly, if what you found is a key)

/* * * Copyright and license information can be found below. * Modifications Copyright (C) 2008 MobileArmor Inc. * * Writen by Brendan Johnson * * This software is provided ‘as-is’, without any express or implied * warranty. */ 

#define READSIZE 4096#include <string.h>#include “stdafx.h”//The following header is from Brian Gladman’s AES lib//Found at http://fp.gladman.plus.com/cryptography_technology/rijndael/index.htm#include “aes.h”//The following is OS depended file IO.#include “readFile.h” 

int KeyFindMain(); 

//Simple main functionint _tmain(int argc, _TCHAR* argv[]){      OpenFile(argv[1]);      KeyFindMain();      CloseFile();      fprintf(stderr,”Program has finished\n”);      getc(stdin);      return 0;} 

//Main programint KeyFindMain(){      //The two arrays must be declared in order      // and next to eachother.      unsigned char Data[READSIZE*2];      unsigned char *Data1 = Data;      unsigned char *Data2 = &Data[READSIZE]; 

      //We need a table for both encryption and decryption      aes_ctx encrypt_table;      aes_ctx decrypt_table; 

      //Set the values to 1      memset(Data1, 0×1, READSIZE);      memset(Data2, 0×1, READSIZE); 

      //Read the next chunk of the file into Data1      ReadNextChunk(Data1);      //Read the next chunk of the file into Data2      ReadNextChunk(Data2); 

      //While we still have file to go      while(!AtEndofFile)      {            //For each byte of the file            for(int i=0;i<READSIZE;i++)            {                  //Assume we are looking an AES 256 bit key.                  aes_encrypt_key(&Data1[i], 32, &encrypt_table);                  aes_decrypt_key(&Data1[i], 32, &decrypt_table); 

                  //Check the encrption key                  if( 0 == memcmp(&Data1[i+32], &encrypt_table.ks[8], 208))                  {                        fprintf(stderr,”Found AES-256 key of “);                        for(int j=0;j<32;j++)                        {                              fprintf(stderr, “0x%x\t”, Data1[i+j]);                        }                        fprintf(stderr,”\n”);                  }                  //Check the decryption key                  if( 0 == memcmp(&Data1[i+32], &decrypt_table.ks[8], 208))                  {                        fprintf(stderr,”Found AES-256 key of “);                        for(int j=0;j<32;j++)                        {                              fprintf(stderr, “0x%x\t”, Data1[i+j]);                        }                        fprintf(stderr,”\n”);                  } 

                  //Assume we are looking an AES 192 bit key.                  aes_encrypt_key(&Data1[i], 24, &encrypt_table);                  aes_decrypt_key(&Data1[i], 24, &decrypt_table);                  if( 0 == memcmp(&Data1[i+24], &encrypt_table.ks[8], 184))                  {                        fprintf(stderr,”Found AES-192 key of “);                        for(int j=0;j<24;j++)                        {                              fprintf(stderr, “0x%x\t”, Data1[i+j]);                        }                        fprintf(stderr,”\n”);                  }                  if( 0 == memcmp(&Data1[i+24], &decrypt_table.ks[8], 184))                  {                        fprintf(stderr,”Found AES-192 key of “);                        for(int j=0;j<24;j++)                        {                              fprintf(stderr, “0x%x\t”, Data1[i+j]);                        }                        fprintf(stderr,”\n”);                  }                  //Assume we are looking an AES 128 bit key.                  aes_encrypt_key(&Data1[i], 16, &encrypt_table);                  aes_decrypt_key(&Data1[i], 16, &decrypt_table);                  if( 0 == memcmp(&Data1[i+16], &encrypt_table.ks[8], 160))                  {                        fprintf(stderr,”Found AES-128 key of “);                        for(int j=0;j<16;j++)                        {                              fprintf(stderr, “0x%x\t”, Data1[i+j]);                        }                        fprintf(stderr,”\n”);                  }                  if( 0 == memcmp(&Data1[i+16], &decrypt_table.ks[8], 160))                  {                        fprintf(stderr,”Found AES-128 key of “);                        for(int j=0;j<24;j++)                        {                              fprintf(stderr, “0x%x\t”, Data1[i+j]);                        }                        fprintf(stderr,”\n”);                  } 

            }            //We are done looking at this block, move on to the next.            memcpy(Data1, Data2, sizeof(Data2));            AtEndofFile=1;            //Read the next chunck of the file            ReadNextChunk(Data2);      } 

      return 1;} 

Results

Conclusion

                The Attack described in the Princeton attack is effective against a wide variety of programs that make use of AES encryption keys. The Princeton research team hinted at one of many protections against the attack in their paper, padding the key expansion with extra  data. There are several methods of defense against this attack, several of them centered on disturbing the expected pattern of the key expansion in memory.

                One method would be to expand the AES key into 256k seeded with random information, making the elements of the table difficult or impossible for the attacker to discern without knowing the pattern.  

                Several Viable methods of protection are viable and, indeed, should be practiced in the practice of good cryptographic Hygiene. The attack vector employed is easily defended against through standard cryptographic practices, and rigorous adherence to good Key Handling processes.

[i] Lest We Remember: Cold Boot Attacks on Encryption KeysJ.Alex Halderman,, Seth D.Schoen,, Nadia Heninger, William Clarkson, William Paul, Joseph A.Calandrino, Ariel J.Feldman, Jacob Appelbaum, and Edward W.Felten;Princeton University, Electronic Frontier Foundation, Wind River Systems; February 21, 2008; http://citp.princeton.edu/memory 

    The presidential Cyberreview is out, http://www.whitehouse.gov/CyberReview/ , and it’s good. There is a little of everything in there, and the spin masters in commercial companies have already highlighted their sections, and emphasized them and downplayed the rest.

  Scary thought — Did you ever think that this merry go round of picking and choosing around information security is the cause of the problem? Perhaps the NSA and every security expert worth their slat is correct, ‘Defense in Depth’ is the only solution toward some semblance of security?

  I recently spent some time explaining to someone why all of the CyberSecurity ’stuff’ didn’t just mean better firewalls. It seems that Apathy and our normal cavalier attitude of walking through a world and choosing not to understand how it works has caught up with us all.

   Instead of addressing this through nubulous over generalization, let’s ask simeple questions:

1.  What are we protecting?
2. Where is what we are protecting?
3. How is what we are protecting used?
4. What are the interconnections?

   Do you know that questions one and two are the hardest to answer? Do you know that they have very little to do with the internet and firewalls, and routers, and ethernet addresses? The simplest and most common sense questions are the hardest to answer, and hold the most sway in security.  Tell me every computing, storage device, USB Key, external Hard drive, magentic tape, Cell phone, blackberry, SME PED, iPod or whos-a-ma-whatsus you have connected inside your organization and what’s on it. Easy to say, hard to do.

 Next, decide what you are protecting - is it in Databases? is it in word documents? is it in powerpoints? is it in graphic files? is it in raw text? For the government, the answer is yes to all of the above.

 Protecting our country in Cyberspace has a lot in common with protecting our nation Physically:

  Woudl the nation be safe if we protected the borders but had no police officers? No. Would the country be safe if we had ground protection but no air force? No. Would the country be safe by having Ground and Air protection but no one covering the oceans? No.

 There are no Easy answers to security, but there are simple ones. ‘Defense in Depth’ means that you have firewalls, that you have antivirus - but that is not all you have. You protect ALL the data, where ever it resides - and everywhere it travels. Do you protect it on a laptop when there is not firewall? Yes. Do you protect it on an external USB hard drive? Yes. Do you protect it on a Cell Phone? Yes. Do all of these things have to do with Firewalls? No.

  Protecting in Cyberspace is just like protecting your house. Do you only buy a deadbolt and then not get window locks? No. Do you buy a security system and then not lock your doors? No.

  Simple Answers, Simple Questions. Perhaps if we really ask the questions, and really want to answer them, we’ll solve the problem.