Language Selection

English French German Italian Portuguese Spanish

Microsoft 'Encryption' and Intel 'Security'

Filed under
Microsoft
Security
  • You Can’t Trust BitLocker to Encrypt Your SSD on Windows 10 [Ed: Actually, it has long been known that Microsoft's BitLocker has NSA back doors. Even Microsoft staff spoke about it. It's for fools.]

    Some SSDs advertise support for “hardware encryption.” If you enable BitLocker on Windows, Microsoft trusts your SSD and doesn’t do anything. But researchers have found that many SSDs are doing a terrible job, which means BitLocker isn’t providing secure encryption.

  • Flaws in self-encrypting SSDs let attackers bypass disk encryption

    Researchers at Radboud University in the Netherlands have revealed today vulnerabilities in some solid-state drives (SSDs) that allow an attacker to bypass the disk encryption feature and access the local data without knowing the user-chosen disk encryption password.

    The vulnerabilities only affect SSD models that support hardware-based encryption, where the disk encryption operations are carried out via a local built-in chip, separate from the main CPU.

    Such devices are also known as self-encrypting drives (SEDs) and have become popular in recent years after software-level full disk encryption was proven vulnerable to attacks where intruders would steal the encryption password from the computer's RAM.

  • New Intel CPU Flaw Exploits Hyper-Threading to Steal Encrypted Data

    A team of security researchers has discovered another serious side-channel vulnerability in Intel CPUs that could allow an attacker to sniff out sensitive protected data, like passwords and cryptographic keys, from other processes running in the same CPU core with simultaneous multi-threading feature enabled.

    The vulnerability, codenamed PortSmash (CVE-2018-5407), has joined the list of other dangerous side-channel vulnerabilities discovered in the past year, including Meltdown and Spectre, TLBleed, and Foreshadow.

Windows BitLocker back doors (several of them) exacerbated

  • Flaw In SSDs Allows Hackers To Access Encrypted Data Without Password

    However, the issue runs deeper. Windows users are more risk-prone as the Windows BitLocker, a software-level full disk encryption system of Windows OS does not encrypt the users’ data at the software level upon detecting a device capable of hardware-based encryption.

    The researchers have recommended the SED users to use software-level full disk encryption systems such as VeraCrypt to protect their data.

"Microsoft for defaulting to using these broken encryption"

  • Researchers expose 'critical vulnerabilities' in SSD encryption

    After considering a handful of possible flaws in hardware-based full-disk encryption, or self-encrypting drives (SEDs), the pair reverse-engineered the firmware of a sample of SSDs and tried to expose these vulnerabilities.

    They learned that hackers can launch a range of attacks, from seizing full control of the CPU to corrupting memory - outlining their findings in a paper titled 'self-encrypting deception: weakness in the encryption of solid state drives (SSDs)'.

    There are a host of exploits that can be used, such as cracking master passwords, set by the manufacturer as a factory default. These are routinely found in many SSDs, and if obtained by an attacker could allow them to bypass any custom password set by a user.

  • Crucial and Samsung SSDs' Encryption Is Easily Bypassed

    Researchers from Radboud University in The Netherlands reported today their discovery that hackers could easily bypass the encryption on Crucial and Samsung SSDs without the user’s passwords. The researchers also pointed at Microsoft for defaulting to using these broken encryption schemes on modern drives.

    The Dutch researchers reverse-engineered the firmware of multiple drives and found a “pattern of critical issues." In one case, the drive’s master password used to decrypt data was just an empty string, which means someone would have been able to decrypt it by just pressing the Enter key on their keyboard. In another case, the researchers said the drive could be unlocked with “any password” because the drive’s password validation checks didn’t work.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Canonical Extends Ubuntu 18.04 LTS Linux Support to 10 Years

BERLIN — In a keynote at the OpenStack Summit here, Mark Shuttleworth, founder and CEO of Canonical Inc and Ubuntu, detailed the progress made by his Linux distribution in the cloud and announced new extended support. The Ubuntu 18.04 LTS (Long Term Support) debuted back on April 26, providing new server and cloud capabilities. An LTS release comes with five year of support, but during his keynote Shuttleworth announced that 18.04 would have support that is available for up to 10 years. "I'm delighted to announce that Ubuntu 18.04 will be supported for a full 10 years," Shuttleworth said. "In part because of the very long time horizons in some of industries like financial services and telecommunications but also from IOT where manufacturing lines for example are being deployed that will be in production for at least a decade ." Read more

Benchmarking Packet.com's Bare Metal Intel Xeon / AMD EPYC Cloud

With the tests earlier this week of the 16-way AMD EPYC cloud comparison the real standout of those tests across Amazon EC2, Packet, and SkySilk was Packet's bare metal cloud. For just $1.00 USD per hour it's possible to have bare metal access to an AMD EPYC 7401P 24-core / 48-thread server that offers incredible value compared to the other public cloud options for on-demand pricing. That led me to running some more benchmarks of Packet.com's other bare metal cloud options to see how the Intel Xeon and AMD EPYC options compare. Packet's on-demand server options for their "bare metal cloud" offerings range from an Intel Atom C2550 quad-core server with 8GB of RAM at just 7 cents per hour up to a dual Xeon Gold 6120 server with 28 cores at two dollars per hour with 384GB of RAM and 3.2TB of NVMe storage. There are also higher-end instances including NVIDIA GPUs but those are on a dynamic spot pricing basis. Read more

Microsoft Spies on Customers, Red Hat Connections to Government

  • Microsoft covertly collects personal data from enterprise Office ProPlus users
    Privacy Company released the results of a data protection impact assessment showing privacy risks in the enterprise version of Microsoft Office.
  • DLT Named Red Hat Public Sector Partner for 2019; Brian Strosser Quoted
    Red Hat has selected DLT Solutions as its Public Sector Partner of the Year in recognition of the Herndon, Va.-based tech firm’s contributions to the former’s business efforts. DLT said Tuesday it provides government agencies with resale access to open-source technologies such as Red Hat’s cloud, middleware and Linux software offerings. The company has provided services in support of Red Hat’s products through contracts under the General Services Administration‘s GSA Schedule, NASA‘s SEWP V, the Defense Department‘s Enterprise Software Initiative and the National Institutes of Health‘s Chief Information Officer – Commodities and Solutions vehicles.

Programming: WebRender, Healthcare Design Studio GoInvo, PHP Boost and Google Cloud Platform (GCP)

  • Mozilla GFX: WebRender newsletter #30
    Hi! This is the 30th issue of WebRender’s most famous newsletter. At the top of each newsletter I try to dedicate a few paragraphs to some historical/technical details of the project. Today I’ll write about blob images. WebRender currently doesn’t support the full set of graphics primitives required to render all web pages. The focus so far has been on doing a good job of rendering the most common elements and providing a fall-back for the rest. We call this fall-back mechanism “blob images”. The general idea is that when we encounter unsupported primitives during displaylist building we create an image object and instead of backing it with pixel data or a texture handle, we assign it a serialized list of drawing commands (the blob). For WebRender, blobs are just opaque buffers of bytes and a handler object is provided by the embedder (Gecko in our case) to turn this opaque buffer into actual pixels that can be used as regular images by the rest of the rendering pipeline.
  • Healthcare Design Studio GoInvo Releases Open Source Research on Loneliness [Ed: Very odd if not 'creative' use of the term Open Source]
  • PHP Lands Preload Feature, Boosting Performance In Some Cases 30~50%
    PHP developers unanimously approved and already merged support for the new "preloading" concept for this web server language. PHP preloading basically allows loading PHP code that persists as long as the web server is running and that code will always be ready for each subsequent web request, which in some cases will dramatically speed-up the PHP performance on web servers. While PHP has long supported caching to avoid PHP code recompilation on each new web request, with each request PHP has still had to check to see if any of the source file(s) were modified, re-link class dependencies, and similar work. PHP preloading allows for given functions/classes to be "preloaded" that will survive as long as the web server is active. It effectively allows loading of functions or entire/partial frameworks that will then be present for each new web request just as if it were a built-in function.
  • Google Announces a Managed Cron Service: Google Cloud Scheduler
    Google announced a new Service on the Google Cloud Platform (GCP) - Cloud Scheduler, a fully managed cron job service that allows any application to invoke batch, big data and cloud infrastructure operations. The service is currently available in beta. With Google Cloud Scheduler customers can use the cron service with no need to manage the underlying infrastructure. There is also no need to manually intervene in the event of transient failure, as the services retries failed jobs. Furthermore, customers will only pay for the operations they run -- GCP takes care of all resource provisioning, replication and scaling required to operate Cloud Scheduler. Also, customers can, according to Vinod Ramachandran, product manager at Google, benefit from: