Newly Discovered Security Weakness Affects Most Laptops

Status
Not open for further replies.

Co BIY

Honorable
Jun 18, 2015
So the attacker has to steal a laptop that is currently running, before performing the firmware switch and cold boot. Because the data they could potentially steal is wiped out during a normal shutdown?

This would be a pretty advanced and complicated attack.
 

Pat Flynn

Distinguished
Aug 8, 2013
OK... I work in IT... if you have physical access to a device that isn't supposed to be accessed, the security is compromised. PERIOD.
I think we really need the media to chill on these 'security flaws', all you're doing is scaring the sheeple.
 
I repair computers and sometimes clients forget their password (stored in Outlook or web browser). When I show them how easy it is to get them they are mostly shocked. If you have physical access to a computer, it is really easy to download tools and get info you want. This is not a new security issue.
 

stdragon

Commendable
Apr 5, 2018


Short of an exploit I'm not aware of, I'm not sure a machine encrypted with BitLocker (FIPS certified encryption) can be cracked. I suppose it might be possible if the hibernation file (a RAM dump in a large file) was left in an unencrypted state, but I'm certain it's not, no?

 

anbello262

Distinguished
Sep 27, 2013
This is important for companies that keep big trade secrets, not for consumers (the same as most security issues discovered recently).
So I wouldn't ignore it, but also it's important to know about the demographics targeted.
 

Dosflores

Reputable
Jul 8, 2014


Are you talking about computers that are protected by BitLocker? If you don't use BitLocker, data isn't protected at all.
 

Dosflores

Reputable
Jul 8, 2014


Hibernation is safe. This new vulnerability only affects computers that are in sleep mode.
 
Aug 2, 2018


You should be fired. PERIOD.

Physical access to a device does not mean security is compromised. It means the IT department is ignorant.

The best protection is being smart when you use your device. Not open 100 apps and sites and then cry when someone hacks into your PC in standby mode.
 
Jul 10, 2018
Anonymous said:
"once someone has physical access all they really have to do is take the hard drive and place it in a different computer to get everything"

No. We're talking about drives encrypted with tools like BitLocker, which was mentioned several times in the comments. That's the entire point of such tools, to PREVENT someone from being able to simply mount the drive from a stolen machine in another machine and copy the data off.


NEWSONLINE5000000 said:
"You should be fired. PERIOD.

Physical access to a device does not mean security is compromised. It means the IT department is ignorant.

The best protection is being smart when you use your device. Not open 100 apps and sites and then cry when someone hacks into your PC in standby mode."

That's a bit harsh. And if you work in IT, you should know full well that servers typically DON'T have their drives locked down with BitLocker when they're operated in a secure environment, and that most network devices (routers, switches, etc.) allow one to do a lot of damage if one has physical access to it. This has always been the case, and is why we go to great lengths (if we're doing our jobs) to secure access to these areas, because we CAN'T lock down every server & network device like we do with laptops & workstations. Depending on the device, you very well should assume security is compromised if it has been stolen. Especially something like a Cisco ASA.

And what employee DOESN'T access hundreds of websites over the course of a week or two? That's extremely common, as is using a large number of applications. While you can prevent employees from installing un-approved applications on their workstations, you can't realistically prevent them from visiting un-approved websites (we can't whitelist them all). Which is why we spend so much time securing our networks and workstations against attack.

Seriously, do you even WORK in IT??

pdxITgirl
 
Jul 10, 2018
ANBELLO262 said:
"This is important for companies that keep big trade secrets, not for consumers (the same as most security issues discovered recently).
So I wouldn't ignore it, but also it's important to know about the demographics targeted."

Well, no, this would be important for ANY company that uses laptops, as laptops very frequently get stolen and users, in most cases, store quite a few confidential files on local storage. It's not just "big trade secrets" that would cause problems if leaked. This is a very real issue for any company of any size. I can't tell you how many times we've had our users get their laptops stolen while on the road.

And realistically, any consumer / home user who has a laptop and stores ANYTHING sensitive on it could have quite a mess on their hands if said laptop was stolen. Ideally, one would use an encrypted password manager to store their logins and encrypt sensitive files stored on their laptop, but I don't know of any home users who do this unless they work in IT and know to. What I typically see, in real life, is people who put their logins in text files called "passwords.txt" stored on their desktop, or have Excel spreadsheets with all of their logins nicely laid out. Banking information and other personal information stored in My Documents. A treasure trove of information for identity thieves or even blackmailers. Even our politicians do stuff like this.

Most consumers don't consider this, but they really shouldn't be storing ANYTHING they don't want stolen in the cloud, or unencrypted on anything that could get stolen, like a laptop or an iPad. I keep sensitive documents in encrypted BestCrypt or TrueCrypt containers on a USB drive that I keep offline & unplugged unless I need to use it, and don't store anything of value on my phone. If I MUST have something on my laptop, it's encrypted in a password manager or 'crypt container.

Realistically, even on a desktop computer at home, such things should be encrypted by users of ANY kind. But consumers never consider even the most rudimentary things to secure their information, nor do they bother to take the time to learn about it. Then they whine, cry & moan when their information gets hacked or leaked. You'd think people would learn by now not to keep incriminating or sensitive stuff on their iPhone or in their gmail, but they never do...

This kind of thing affects EVERYONE, not just large corporations protecting their trade secrets. If people used their brain and a little common sense more often, people wouldn't be having their identities stolen left and right. You can't prevent everything, but you can pretty easily prevent most types of data theft of data that you yourself control.
 
Yeah... once an attacker has physical access the battle is already pretty much lost on most computers. This is why we have to preach vigilance and situational awareness. The user is almost always the weakest link in the chain.
 

anbello262

Distinguished
Sep 27, 2013


I only partially agree with you. I think most people don't have really confidential information on their laptops, and most would suffer the lost information and lost hardware a lot more than stolen information. And even so, in most cases, a laptop stolen from a random nobody is worth a lot more as re-sell hardware than the value of the information contained, since most thefts are done by people who just want a quick buck and know little about IT.
Stolen laptops usually only get to the hands of hackers when there is reason to believe that said laptop has something valuable, which usually means corporate laptops.

I agree that "there are some cases", but I'm just stating that most of the time this doesn't affect common people. Just like Spectre and Meltdown.

And I fully agree that it affects even small companies, as long as they work with laptops, I was wrong in my first statement.
 
Jul 10, 2018
JUSTIN.M.BEAUVAIS said:

"Yeah... once an attacker has physical access the battle is already pretty much lost on most computers. This is why we have to preach vigilance and situational awareness. The user is almost always the weakest link in the chain."

Yes, that's why it's so critical for businesses to deploy laptops with TPM so they can use BitLocker (and FileVault on Mac) to encrypt the hard drives, and follow all industry best practices so a stolen laptop is just a brick. At the very least, they'd have to re-install the OS before they could use it, ensuring your data is safe. Hopefully the employee hasn't left the OS unlocked when the laptop is stolen, though, which would render most protection useless, as they'd be able to copy confidential files off the laptop with ease.
 
Jul 10, 2018
ANBELLO262 said:

"I only partially agree with you. I think most people don't have really confidential information on their laptops, and most would suffer the lost information and lost hardware a lot more than stolen information. And even so, in most cases, a laptop stolen from a random nobody is worth a lot more as re-sell hardware than the value of the information contained, since most thefts are done by people who just want a quick buck and know little about IT.
Stolen laptops usually only get to the hands of hackers when there is reason to believe that said laptop has something valuable, which usually means corporate laptops.

I agree that "there are some cases", but I'm just stating that most of the time this doesn't affect common people. Just like Spectre and Meltdown.

And I fully agree that it affects even small companies, as long as they work with laptops, I was wrong in my first statement."


Well, and my statement was mostly geared towards business users, where data integrity would almost always be an issue. Even if it was an average smash-and-grab type theft, it would be presenting an opportunity for further theft or fraud based on whatever information was present on the hard drive, or accessible from network shares.

That's for your average smash-and-grab. Targeted theft, deception & fraud against specific employees, or any employee, of a company in order to obtain specific information (such as Intellectual Property, passwords, or whatever) is actually pretty common and not that "rare" of an incident. Most companies don't publicly report this, however, unless it resulted in a large-scale leak of sensitive information or large financial loss. My understanding of that giant Sony leak a few years back was that someone had targeted a Sony Systems Administrator, and was able to get their login credentials, which would have had administrative access to many systems.

It's unfortunately true that many admins are lonely men, which makes them ripe targets for women who are working for a competitor or criminal enterprise, who would target these men with feigned interest and gain access that way. Again, more common than you'd think.


With personal computers / consumers, the risk isn't so much theft of direct information or Intellectual Property (depending on the person) so much as the access to financial information or passwords. As again, most people have their passwords stored in plain text, in a text file and/or have their online banking passwords autosaved in their web browsers. This is what I mean that, by using even basic security like encryption and a little common sense, a tremendous amount of fraud could be prevented because the easy access thieves have to such information would no longer be so easy.


My conclusion being that even the most innocuous home user probably has *something* on their computer worth stealing, and that theft of ANY person's computer represents a real target beyond the raw value of the device itself. Though I agree that thieves wouldn't be interested in grandma's cookie recipes or some soccer mom's yoga schedule.
Any thief who knows how to take advantage of a given situation would most definitely seize this chance to steal access to their accounts, emptying out any bank accounts, maxing out credit cards, getting loans in their name, etc.
 