February 26, 2008 · 2 min read
Why have a lock when you give away the key?
What happens when aspects of security are overlooked and the very thing that is meant to protect you becomes a liability in itself? As a leading digital media agency, we know the dangers of hackers and viruses. We take Internet security very seriously and make every effort to ensure our websites are protected.
Computer security is a cold war, always has been, always will be … each development by the opposing side spurs the other on to overcoming it whether they are the hackers or the vendors.
This is actually very good for the consumer as a whole as it means Internet security holes are exposed and patched so the products they rely on for protection are kept up to date. Increasingly we see encryption included as a feature (Vista’s BitLocker and Apple’s FileVault) which is supposed to make our data ‘safe’ using encryption keys to make it unreadable. But what if the keys aren’t protected too?
A team lead by a Princeton security researcher recently found that the encryption keys held in the computers memory are held in an simple readible state, the lack of protection for these valuable keys works on the assumption that the keys go when the computer is turned off and the keys are lost … but it’s not as simple as that.
The team discovered that the data was still held in the memory for some time after the computer was turned off (common sense if you think about it to be honest), the RAM chips could be frozen using simply canned air and then the information can be pulled off at the users leisure.
Now bear in mind all the recent government breaches in data security, now replay their “it’s ok it’s encrypted” assurances, now think of the Mi5 laptop that was lost recently …
Once the encryption keys are available to would be attackers the whole idea of protection is soon lost as you realise there is no such thing as security, don’t put all your eggs in one basket and at the end of the day the best possible security is good practice and common sense.