December 7, 2009
It looks like full disk encryption software is susceptible to evil maid attacks even with TPM (Trusted Platform Module). I think, to date, it was believed that TPM could significantly counter evil maid attacks (although, as the linked post notes, it’s impossible to guarantee 100% protection).
Well, that stat is even further removed from 100% protection by the latest research:
“…a variety of hardware-based attacks against BitLocker… remain possible in the Evil Maid scenario. We demonstrate how an attack based solely on tampering with the boot loader may still succeed and help the attacker to gain access to confidential data.”[zdnet]
The researchers noted that believing any full disk encryption would give 100% protection had always been an “unrealistic yet common expectation.” It’s just not possible. (Bizarre yet realistic example: I point a gun to your head and ask you to type in the password to unlock your contents. 100% protection from any type of encryption can never be.)
The researchers noted that
“…TPM is far from useless, as it makes the attack more noticeable than it would be otherwise, and it requires the attacker to access the machine twice.
“As an application of the Trusted Computing platform, BitLocker uses only a subset of the functions available, and it does so in a particular way. Our attack applies only to the combination of platform, application, attack scenario, and attack objective discussed here.”[emphasis mine]
Posted in Internet | Tagged encryption, hacker
December 5, 2009
According to PC World, Microsoft’s search engine, Bing, was off-line for half an hour. The really interesting question is not why, nor how. The really interesting question is: did anyone notice? I know I didn’t.
But the rest of the world did:
…the short-lived outage resulted in a flurry of media coverage, including a couple of stories right here on PCWorld.com.
In fact, a quick check of Google News reveals numerous reports on Bing’s minor glitch–and not just from tech news sites and bloggers, the folks you’d expect to cover such things. Mainstream media outlets including the BBC, UPI, and Seattle Times did as well. The Washington Post’s site also had the story.
Really? I guess Microsoft’s not dead yet. At least, the world is not counting it out.
Posted in Internet | Tagged not data security issue
December 5, 2009
A deficiency in the software used by HSBC has led to a data breach. Redacted sensitive information on saved imaged documents was visible due to a software bug. It has affected the bank’s customers who were going through Chapter 13 bankruptcy proceedings.
It has affected files between May 1, 2007 and Oct. 17, 2008–over one year! HSBC learned of the problem on July 9, 2009.
Posted in USA | Tagged bank security, breach, data security, notification letter
December 4, 2009
The Center for Disease Control (CDC) has issued a notice warning people that e-mails referring to a state vaccination program are false. These are phishing attempts, and they are trying to get your personal data by setting up a “personal H1N1 vaccination profile.” From the CDC:
The messages request that users must create a personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The message then states that anyone that has reached the age of 18 has to have his/her personal Vaccination Profile on the cdc.gov site.
The CDC has NOT implemented a state vaccination program requiring registration on www.cdc.gov. Users that click on the email are at risk of having malicious code installed on their system. CDC reminds users to take the following steps to reduce the risk of being a victim of a phishing attack:
- Do not follow unsolicited links and do not open or respond to unsolicited email messages.
- Use caution when visiting un-trusted websites.
- Use caution when entering personal information online.
The page seems to be on a rolling basis, so if other news comes up, the above passage will be pushed down (use Ctrl+F to do a search, I guess).
Posted in Internet, USA
December 4, 2009
Eastern Illinois University (EIU) has announced that an external source (read: hacker) may have broken into files containing personal information on 9,000 former and current students as well as applicants.
A number of viruses were found on a server that was used by EIU’s admissions office. The university’s IT workers think someone accessed the server between November 11 and November 16.
“The server contained undergraduate electronic admissions applications submitted between March 10, 2000, and Nov. 16, 2009,” according to wandtv.com.
Students and applicants have been sent letters.
Posted in USA | Tagged breach, data leak, hacker, notification letter
December 4, 2009
Malware is #1 when it comes to data losses–again. The #2 reason is laptop and other hardware theft. I guess laptop encryption programs and other data protection software programs like TrueCrypt won’t cut it anymore. Although perhaps McAfee, which offers its traditional anti-virus wares as well as encryption, is in a better position than most.
The 2009 CSI Computer Crime and Security survey has found that malware infections increased from 50% to 64%, the first reversal in a downward trend for malware infections that started in 2005.
It was also found that companies experienced double the password sniffing attacks of the previous year, from 9% to 17%.
Posted in USA | Tagged antivirus, breach, data security, encryption, identity theft, malware
December 3, 2009
Talk about really wanting to find E.T.
A network systems administrator for the Higley Unified School District has resigned after it was discovered he had deployed Seti@Home on more than 5000 computers.
What’s Seti@home? Why, only the first distributed computing project that used the unused power of individual computers to chug through data received from the Arecibo Observatory! Basically, the project scans the skies for signals from E.T. All that scanning creates data, and this stuff has to be analyzed to see if there are any signals.
In order to foster more adoption, the Seti@Home guys put ranking in place, so people would have bragging rights and create an element of competition.
And this guy really took to it:
[Higley superintendent Denise] Birdwell said the massive software slowed down educational programs in every classroom and cost the district more than $1 million in added utility fees and computer replacement parts.
Apparently, the alien-seeking software had been running since Niesluchowski was hired nearly 10 years ago.
“Basically our processors were hooked up and running 24 hours a day, 12 months a year, every day of the school year,” Birdwell said.
It took them 10 years to figure this out? Forget intelligent life in space; what about intelligent life closer to home?
There is–supposedly–more to this story, apparently.
Links to same stories covered here and here.
Posted in Internet, USA | Tagged installation authority, unauthorized use
December 3, 2009
Research In Motion, the company that makes the BlackBerry, has posted a warning on its site that Adobe Acrobat PDFs could be used to access corporate networks. (And I don’t mean in a good, legal way.)
From Sophos’s site:
According to a security advisory issued by the firm, hackers could send email message with an attached PDF file that, when opened by a BlackBerry mobile user, could cause code to be launched on the enterprise server that hosts the BlackBerry Attachment Service.
What this essentially means is that hackers can run code inside your network, with the PDF file acting sort of like a trojan horse.
For the time being, the company is advising clients to remove PDF files from their list of authorized files until a patch is made available.
Go to RIM’s site (first link above) to see if you need to do something about the issue.
Posted in USA | Tagged document security, hacker, malware
December 2, 2009
A 23-year-old was arrested by British police for stealing characters and goods in the realm of RuneScape, an MMORPG (Massively Multiplayer Online Role Playing Game).
The motive for stealing virtual goods? Money (the real kind). As Sophos’s guy points out, virtual crimes that spill over into the real world are not new:
- 2005, South Korea: Lineage gamers’ usernames and passwords were stolen, with over $200,000 in cybermoney and virtual items
- 2007, Denmark: $6000 of virtual furniture stolen
- 2009, Australia: $200 billion “kredits” stolen from Eve Online and used to make a down payment on a real house
- 2009, Japan: Wife “murders” husband within a game, and the cops are called over
The impetus behind the crime is that there was at the time a thriving underground market for items and money that could only be gained by playing the game over long periods of time (the market has been replaced by something that’s a bit more legitimate). If you’re in a rush, and you’ve got the money, why not buy it? I certainly remember the offers on eBay back then….
Posted in UK | Tagged antivirus
December 2, 2009
Remember how the COFEE situation from nearly a month ago was much ado about nothing? The one where the forensic examination tool for law authorities was leaked?
Well, the saga continues, with Microsoft sending take down notices to any sites that are hosting a copy of the software. Cryptome.org was served with such a letter (rather, e-mail), and they promptly complied. They seem to have asked around to see if it was necessary to do so:
Security experts we quizzed on this point, however, said Microsoft was well within its rights to ask sites to stop offering copies of the tool for download
I’m not sure why any kind of asking around was necessary: software specifically licensed to a particular group (the cops) is being hosted by guys who shouldn’t have it, and who wouldn’t have it except for it having been leaked. It certainly doesn’t help if they’re allowing the leak to further propagate. (Is it just me? Doesn’t it seem obvious?)
Let me put it this way: if I buy (unbeknown to me) a stolen car, and the cops find it and identify it–well, I probably won’t go to prison, but I don’t get to keep the car, either. Letting the underage neighborhood kids take joyrides on it certainly is not going to help matters.
Posted in USA | Tagged data leak, hacker, notification letter