In the wake of laptop theft and loss that lead to embarrassment, legal liability and extra costs, smart organizations began to mandate encryption, at least to the devices given to folks who carry sensitive information beyond the physical and cyber walls of the organization.
Encryption became something of a panacea: If companies spend the money to encrypt, the data can be considered safe. Moreover, encrypting companies will be on safer ground legally and from a regulatory standpoint, no matter what happens.
Well, the line got a bit blurrier last week when Princeton University, Wind River Systems and the Electronic Frontier Foundation claimed that there are conditions under which encryption keys can be recovered from machines found in the sleep or hibernation mode. The procedure involves an attack on the device's RAM on a "warm reboot." The exploit, the piece says, was able to unlock BitLocker in Windows Vista, Apple's FireVault and two open source programs -- TrueCrypt and dm-crypt.
Ross Humphries, a senior product manager for Windows Vista, blogged on the topic. His response -- reported upon in ComputerWorld -- was essentially that the exploit was unlikely. Three things have to be in place for the approach to succeed: the person would need physical access to the machine, the device would have to be found in the right mode and the person would have to know what to do and, presumably, have the right tools, which could include liquid nitrogen and, presumably, tongs or a thick pair of gloves.
Two things are apparent in the response: Humphries doesn't appear to maintain that the hack is conceptually impossible. (He is paraphrased as saying that BitLocker can guard machines, though to what extent is unclear.) Moreover, a close examination of his reasons that it is unlikely are not compelling. A team of crackers dedicated to pulling off the procedure would have a pretty good shot at success.
This news notwithstanding, encryption is and will remain a key tool in the battle to protect laptops. Elsewhere on this front -- in other words, in stories that don't involve the possibility of dipping a machine in a vat of liquid nitrogen -- there is good news and bad.
First, the good news: The Veterans Affairs department took a huge number of hits two years ago when an unencrypted laptop with millions of veterans' records was stolen. It is only fair, then, that the department get some credit for the way a theft was handled in February.
Every phase of the revamped policy on laptops seemed to work: The device was protected by GuardianEdge full-disk encryption and the employee followed procedures by securing the machine to a piece of furniture and immediately alerting the Austin police department and VA when it was stolen. The laptop was found at a convenience store the police raided in connection with suspected drug activity. The cops saw the VA insignia on the device and alerted the Homeland Security Department, which returned the machine to the VA.
On the other side of the coin, a laptop containing the names and vital information on more than 300,000 customers of Horizon Blue Cross/Blue Shield of New Jersey went missing on Jan. 5. The organization is in the process of installing encryption software on its laptops but, the writer says, this particular machine had not yet been processed. The fair question is this: If the organization thinks encryption is important enough to mandate, why did it still allow employees to take home devices without it? The danger -- that a machine would be lost or stolen before IT installed the software -- is precisely what happened.
There is a lot of good information on whole-disk encryption at this LinkedIn column. A member asked for advice on the topic, and got an ear full. Among brands recommended are PGP, SafeBoot, PointSec, TrueCrypt, Utimaco, Credant, BestCrypt, Private Disk, ScramDisk and Cypherix. Dell, one responder pointed out, is embedding encryption in some new machines. The responses offered good input beyond just naming brands.