Archive - December 2009
21 December, 2009
Microsoft BitLocker
There has been a lot of talk over the last few weeks about research reports that Microsoft's BitLocker can be circumvented on systems with Trusted Platform Modules. Microsoft recently posted a blog entry on this topic and noted, "This sort of targeted attack poses a relatively low risk to folks who use BitLocker in the real world. Even with BitLocker's multi-authentication configurations, an attacker could spoof the pre-OS collection of the user's PIN, store this PIN for later retrieval, and then reboot into the authentic collection of the user's PIN. The attacker would then be required to gain physical access to the laptop for a second time in order to retrieve the user's PIN and complete the attack scheme."
Microsoft goes on to say, "We recognize users want advice with regards to BitLocker and have published best practice guidance in The Data Encryption Toolkit for Mobile PCs. In the toolkit, we discuss the balance of security and usability and detail that the most secure method is to use BitLocker in hibernate mode and a TPM+PIN configuration. Using this method, a machine that is powered off or hibernated will protect users from the ability to extract a physical memory image of the computer."
We urge users and IT administrators with BitLocker and TPMs to review this post and follow published best practices for BitLocker with TPM to thwart attacks.
For more information on protecting data at rest, please visit http://www.trustedcomputinggroup.org/solutions/data_protection. For more information on the TPM, go to http://www.trustedcomputinggroup.org/solutions/authentication.
Data Protection
8 December, 2009
First Certified TPM; Protecting Government Information; and Japan’s Security and IT Experts Learn More about TCG
Earlier this year, TCG announced the development of its first certification program, for Trusted Platform Modules. This week, Infineon announced its TPM is the first to achieve TCG certification, based on TCG's own tests and the Common Criteria EAL 4+ requirements.
The company also has been working closely with the UK government agency CESG, the National Technical Authority for Information Assurance, to ensure the TPM meets the UK government's strict requirements for security. Based on assessments, CESG says the Infineon TPM is suitable to protect critical data, including "restricted" data.
The complete news release can be found online at http://www.cesg.gov.uk/ and at http://www.infineon.com/cms/en/corporate/press/news/releases/2009/INFCCS200912-015.html. Information on the TPM certification program is located on TCG's Certification Page. Watch for additional news on certification!
Elsewhere in the world, in Tokyo today, more than 50 IT professionals gathered at a workshop sponsored by TCG's Japan Regional Forum (JRF) to learn more about Trusted Computing. Presenters from leading IT and technology vendors presented technical and applications information on the Trusted Platform Module, Trusted Network Connect for network security, and trusted storage capabilities, including self-encrypting drives. This workshop is one of many activities the JRF has undertaken to advocate Trusted Computing in one of the world's leading IT markets. The group also hosts a multi-vendor demonstration. More information on the JRF and slides from today's talks can be found in Japanese at http://www.trustedcomputinggroup.org/jp.
Data Protection, News & Events