Language Selection

English French German Italian Portuguese Spanish

Microsoft 'Encryption' and Intel 'Security'

Filed under
Microsoft
Security
  • You Can’t Trust BitLocker to Encrypt Your SSD on Windows 10 [Ed: Actually, it has long been known that Microsoft's BitLocker has NSA back doors. Even Microsoft staff spoke about it. It's for fools.]

    Some SSDs advertise support for “hardware encryption.” If you enable BitLocker on Windows, Microsoft trusts your SSD and doesn’t do anything. But researchers have found that many SSDs are doing a terrible job, which means BitLocker isn’t providing secure encryption.

  • Flaws in self-encrypting SSDs let attackers bypass disk encryption

    Researchers at Radboud University in the Netherlands have revealed today vulnerabilities in some solid-state drives (SSDs) that allow an attacker to bypass the disk encryption feature and access the local data without knowing the user-chosen disk encryption password.

    The vulnerabilities only affect SSD models that support hardware-based encryption, where the disk encryption operations are carried out via a local built-in chip, separate from the main CPU.

    Such devices are also known as self-encrypting drives (SEDs) and have become popular in recent years after software-level full disk encryption was proven vulnerable to attacks where intruders would steal the encryption password from the computer's RAM.

  • New Intel CPU Flaw Exploits Hyper-Threading to Steal Encrypted Data

    A team of security researchers has discovered another serious side-channel vulnerability in Intel CPUs that could allow an attacker to sniff out sensitive protected data, like passwords and cryptographic keys, from other processes running in the same CPU core with simultaneous multi-threading feature enabled.

    The vulnerability, codenamed PortSmash (CVE-2018-5407), has joined the list of other dangerous side-channel vulnerabilities discovered in the past year, including Meltdown and Spectre, TLBleed, and Foreshadow.

Windows BitLocker back doors (several of them) exacerbated

  • Flaw In SSDs Allows Hackers To Access Encrypted Data Without Password

    However, the issue runs deeper. Windows users are more risk-prone as the Windows BitLocker, a software-level full disk encryption system of Windows OS does not encrypt the users’ data at the software level upon detecting a device capable of hardware-based encryption.

    The researchers have recommended the SED users to use software-level full disk encryption systems such as VeraCrypt to protect their data.

"Microsoft for defaulting to using these broken encryption"

  • Researchers expose 'critical vulnerabilities' in SSD encryption

    After considering a handful of possible flaws in hardware-based full-disk encryption, or self-encrypting drives (SEDs), the pair reverse-engineered the firmware of a sample of SSDs and tried to expose these vulnerabilities.

    They learned that hackers can launch a range of attacks, from seizing full control of the CPU to corrupting memory - outlining their findings in a paper titled 'self-encrypting deception: weakness in the encryption of solid state drives (SSDs)'.

    There are a host of exploits that can be used, such as cracking master passwords, set by the manufacturer as a factory default. These are routinely found in many SSDs, and if obtained by an attacker could allow them to bypass any custom password set by a user.

  • Crucial and Samsung SSDs' Encryption Is Easily Bypassed

    Researchers from Radboud University in The Netherlands reported today their discovery that hackers could easily bypass the encryption on Crucial and Samsung SSDs without the user’s passwords. The researchers also pointed at Microsoft for defaulting to using these broken encryption schemes on modern drives.

    The Dutch researchers reverse-engineered the firmware of multiple drives and found a “pattern of critical issues." In one case, the drive’s master password used to decrypt data was just an empty string, which means someone would have been able to decrypt it by just pressing the Enter key on their keyboard. In another case, the researchers said the drive could be unlocked with “any password” because the drive’s password validation checks didn’t work.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

FreeBSD 12.0-RC1 Released, Fixes Ryzen 2 Temperature Reporting

Arguably most user-facing with this week's FreeBSD 12.0-RC1 release is updating the amdsmn/amdtemp drivers for attaching to Ryzen 2 host bridges. Additionally, the amdtemp driver has been fixed for correctly reporting the AMD Ryzen Threadripper 2990WX core temperature. The 2990WX temperature reporting is the same fix Linux initially needed to for a 27 degree offset to report the correct temperature. It's just taken FreeBSD longer to add Ryzen 2 / Threadripper 2 temperature bits even though they had beat the Linux kernel crew with the initial Zen CPU temperature reporting last year. Read more Also: MeetBSD 2018: Michael W Lucas Why BSD?

GPU/Graphics: DRM/KMS and CUDA

  • Google's Pixel 3 Is Using The MSM DRM Driver, More Android Phones Moving To DRM/KMS Code
    It turns out Google's recently announced Pixel 3 smartphone is making use of the MSM Direct Rendering Manager driver associated with the Freedreno open-source Qualcomm graphics project. Google is also getting more Android vendors moving over to using DRM/KMS drivers to power their graphics/display. Alistair Strachan of Google presented at this week's Linux Plumbers Conference and the growing adoption of Direct Rendering Manager / Kernel Mode-Setting drivers by Android devices.
  • Red Hat Developers Working Towards A Vendor-Neutral Compute Stack To Take On NVIDIA's CUDA
    At this week's Linux Plumbers Conference, David Airlie began talking about the possibility of a vendor-neutral compute stack across Intel, Radeon, and NVIDIA GPU platforms that could potentially take on NVIDIA's CUDA dominance. There has been the work on open-source NVIDIA (Nouveau) SPIR-V compute support all year and that's ongoing with not yet having reached mainline Mesa. That effort has been largely worked on by Karol Herbst and Rob Clark, both open-source GPU driver developers at Red Hat. There has also been other compute-motivated open-source driver/infrastructure work out of Red Hat like Jerome Glisse's ongoing kernel work around Heterogeneous Memory Management (HMM). There's also been the Radeon RADV driver that Red Hat's David Airlie co-founded and continues contributing significantly to its advancement. And then there has been other graphics/compute contributions too with Red Hat remaining one of the largest upstream contributors to the ecosystem.

Endless OS Switching To The BFQ I/O Scheduler For More Responsive Linux Desktop

While Con Kolivas' kernel patch series decided to do away with BFQ support, the GNOME-aligned Endless OS Linux distribution has decided to do the opposite in move from CFQ as the default I/O scheduler over to BFQ. Endless OS has decided to switch to the BFQ (Budget Fair Queuing) I/O scheduler since it prioritizes interactive workloads and should make for a better experience for its users particularly when applications may be upgrading in the background. During heavy background I/O, Endless found that their launch time of LibreOffice went from taking 16 seconds with CFQ to just three seconds when using BFQ. Other tests were also positive for improving the interactivity/responsiveness of the system particularly during heavy background I/O. Read more

Goa to train teachers in new open-source software apps for cyber security

After working with Google India for wider adoption of internet safety in schools two years ago, Goa education agencies will implement another project to train computer, information and communication technology school and higher secondary teachers in new open-source software applications for cyber security integration. The State Board of Secondary and Higher Secondary Education and Goa State Council Educational Research and Training (GSCERT) have decided to begin the second programme with over 650 computer teachers from December 4 to 18, Mr. Ajay Jadhav, Board of Study member and coordinator of the first project with Google, said on Friday. The cyber security training syllabus has been worked out and 18 resource persons are ready for the project. Read more