2008年2月24日 星期日

trek, three-way, encrypted vulnerability

encrypt
verb [T usually passive]
to change electronic information or signals into a secret code (= system of letters, numbers or symbols) that people cannot understand or use on normal equipment:
Your financial information is fully encrypted and cannot be accessed.

encryption
noun [U]vulnerable
adjective
able to be easily physically, emotionally, or mentally hurt, influenced or attacked:
I felt very vulnerable, standing there without any clothes on.
It is on economic policy that the government is most vulnerable.
Tourists are more vulnerable to attack, because they do not know which areas of the city to avoid.

vulnerability s
noun [U]


加密軟體也無法防範
〔編譯胡立宗/綜合報導〕美國普林斯頓大學、電 子前鋒基金會(EFF)及溫瑞爾公司(Wind River Systems)二十二日公布一份系統安全研究報告,指出市面上所有的加密軟體其實都不可靠,因為硬體限制,駭客只要急速冷凍電腦的記憶體,就可輕易取得 其中的解密程式碼,破解各大加密軟體的防線。
主流加密軟體如微軟的BitLocker、蘋果電腦的FileVault及TrueCrypt與dm-crypt等,都是將機密資料加密鎖碼後存入電腦硬碟,但唯一的漏洞就在記憶體,如果能取得記憶體中的解碼資料,就算資料鎖碼方式再嚴密,都無法阻擋有心人入侵。
降溫後移植到特製軟體
研究人員發現的漏洞,就是利用記憶體在低溫狀況下,可保存其中資訊長達數分鐘甚至是數小時的特性。他們利用一罐常見的罐裝除塵噴霧,就能將記憶體溫度降到攝氏零下五十度,然後將記憶體移到安裝有特製記憶體備份軟體的電腦上,就能輕易取得其中資料,找到所需的解碼資料。
防駭 最好將電源關閉
研究人員指出,如果電腦或筆記型電腦處於鎖定、睡眠或休眠模式中,這種入侵方式的成功機率最高,因為此時電源並未完全切斷,而記憶體當中還存有先前的資料。因此就算裝有加密軟體,要避免駭客竊取資料,最好的方法還是將電源關閉。

Researchers Find Way to Steal Encrypted Data


Center for Information Technology Policy, Princeton University
Princeton-based researchers broke the encryption system by freezing memory chips, permitting them to read the software.


Published: February 22, 2008

SAN FRANCISCO — A group led by a Princeton University computer security researcher has developed a simple method to steal encrypted information stored on computer hard disks.
The technique, which could undermine security software protecting critical data on computers, is as easy as chilling a computer memory chip with a blast of frigid air from a can of dust remover. Encryption software is widely used by companies and government agencies, notably in portable computers that are especially susceptible to theft.
The development, which was described on the group’s Web site Thursday, could also have implications for the protection of encrypted personal data from prosecutors.
The move, which cannot be carried out remotely, exploits a little-known vulnerability of the dynamic random access, or DRAM, chip. Those chips temporarily hold data, including the keys to modern data-scrambling algorithms. When the computer’s electrical power is shut off, the data, including the keys, is supposed to disappear.
In a technical paper that was published Thursday on the Web site of Princeton’s Center for Information Technology Policy, the group demonstrated that standard memory chips actually retain their data for seconds or even minutes after power is cut off.
When the chips were chilled using an inexpensive can of air, the data was frozen in place, permitting the researchers to easily read the keys — long strings of ones and zeros — out of the chip’s memory.
“Cool the chips in liquid nitrogen (-196 °C) and they hold their state for hours at least, without any power,” Edward W. Felten, a Princeton computer scientist, wrote in a Web posting. “Just put the chips back into a machine and you can read out their contents.”
The researchers used special pattern-recognition software of their own to identify security keys among the millions or even billions of pieces of data on the memory chip.
“We think this is pretty serious to the extent people are relying on file protection,” Mr. Felten said.
The team, which included five graduate students led by Mr. Felten and three independent technical experts, said they did not know if such an attack capability would compromise government computer information because details of how classified computer data is protected are not publicly available.
Officials at the Department of Homeland Security, which paid for a portion of the research, did not return repeated calls for comment.
The researchers also said they had not explored disk encryption protection systems as now built into some commercial disk drives.
But they said they had proved that so-called Trusted Computing hardware, an industry standard approach that has been heralded as significantly increasing the security of modern personal computers, does not appear to stop the potential attacks.
A number of computer security experts said the research results were an indication that assertions of robust computer security should be regarded with caution.
“This is just another example of how things aren’t quite what they seem when people tell you things are secure,” said Peter Neumann, a security researcher at SRI International in Menlo Park, Calif.
The Princeton researchers wrote that they were able to compromise encrypted information stored using special utilities in the Windows, Macintosh and Linux operating systems.
Apple has had a FileVault disk encryption feature as an option in its OS X operating system since 2003. Microsoft added file encryption last year with BitLocker features in its Windows Vista operating system. The programs both use the federal government’s certified Advanced Encryption System algorithm to scramble data as it is read from and written to a computer hard disk. But both programs leave the keys in computer memory in an unencrypted form.
“The software world tends not to think about these issues,” said Matt Blaze, an associate professor of computer and information science at the University of Pennsylvania. “We tend to make assumptions about the hardware. When we find out that those assumptions are wrong, we’re in trouble.”
Both of the software publishers said they ship their operating systems with the file encryption turned off. It is then up to the customer to turn on the feature.
Executives of Microsoft said BitLocker has a range of protection options that they referred to as “good, better and best.”
Austin Wilson, director of Windows product management security at Microsoft, said the company recommended that BitLocker be used in some cases with additional hardware security. That might include either a special U.S.B. hardware key, or a secure identification card that generates an additional key string.
The Princeton researchers acknowledged that in these advanced modes, BitLocker encrypted data could not be accessed using the vulnerability they discovered.
An Apple spokeswoman said that the security of the FileVault system could also be enhanced by using a secure card to add to the strength of the key.
The researchers said they began exploring the utilities for vulnerabilities last fall after seeing a reference to the persistence of data in memory in a technical paper written by computer scientists at Stanford in 2005.
The Princeton group included Seth D. Schoen of the Electronic Frontier Foundation, William Paul of Wind River Systems and Jacob Appelbaum, an independent computer security researcher.
The issue of protecting information with disk encryption technology became prominent recently in a criminal case involving a Canadian citizen who late in 2006 was stopped by United States customs agents who said they had found child pornography on his computer.
When the agents tried to examine the machine later, they discovered that the data was protected by encryption. The suspect has refused to divulge his password. A federal agent testified in court that the only way to determine the password otherwise would be with a password guessing program, which could take years.
A federal magistrate ruled recently that forcing the suspect to disclose the password would be unconstitutional.



WASHINGTON — Sometime soon, a group of American corporate executives and military leaders will quietly sit down and divide Iraq into three parts.




In the annals of great heroic exploits, the conquest of Mount Everest by Sir Edmund and Mr. Norgay ranks with the first trek to the South Pole by Roald Amundsen in 1911 and the first solo nonstop trans-Atlantic flight by Charles A. Lindbergh in 1927.



trek
━━ n., v. (-kk-) (徒歩の)長く苦しい旅(をする); 〔南アフリカ〕 牛車旅行(する); 移住する.
verb [I usually + adverb or preposition] -kk-
to walk a long distance, usually over land such as hills, mountains or forests:
We spent the day trekking through forests and over mountains.
INFORMAL I trekked (= walked a long and tiring distance) all the way into town to meet him and he didn't even turn up.

trek 
noun [C]
We did an eight hour trek yesterday.
INFORMAL You can walk to town from here, but it's a bit of a trek (= it's a long distance to walk).
Controversial Contractor’s Iraq Work Is Split Up 
By JAMES RISEN
The three-way division of the largest Pentagon contract in Iraq ends the monopoly held by KBR, which has been accused of mismanagement and exploiting its political ties to Vice President Dick Cheney.

three-way

(thrē'')
adj.
  1. Having, permitting, or indicating passage in three directions: a three-way valve.
  2. Having three participants or ingredients: a three-way tie; three-way chili.
Meaning #1: involving three parties or elements

Synonyms: triangulartrilateraltripartitethree-party

沒有留言: