How Reliable is Data Encryption Software?
As it turns out, conventional data encryption software just might not be as secure as once perceived. Newly released research has revealed that the security settings of both Microsoft's BitLocker and Apple's File Vault can be easily bypassed, giving crackers access to a user's personal information. The published paper clearly illustrated how such attacks are able to access computer memory and scan the encryption keys used to encode data.
Memory modules can retain data for any given period of time from seconds to minutes. This allows cryptographic keys to be retrieved even when they have been removed from the computer's motherboard. Data encryption software solutions scramble data on protected hard drives and also store the encryption keys in memory. When the computer is sent into Hibernation or Standby mode, the keys are placed in a memory file. While all data in the memory is meant to be automatically deleted when putting the computer to sleep, RAM chips in some machines take longer to completely clear it. This explains how thieves are able to access data that is supposedly protected, taking advantage while the machine is still in sleep mode. They could perform this activity by simply loading the computer from a removable drive or over a network and then scanning the memory for encryption keys. Experts suggest that the only way data encryption software can completely protect a drive is if the machine is shut down entirely, allowing the RAM data to vanish.
Some researchers have said that this latest revelation indicates that data encryption software might not be able to protect cryptographic keys from the natural functions of the operating system. Others believe that the answer doesn't lie in software, but hardware solutions. Security experts suggest that consumers should look into buying computers that come with built-in encryption features. They maintain that data encryption hardware is capable of eliminating unauthorized access because none of the keys are actually used on the hard drive, aside from the chip. The only way to crack the encrypted message would be to remove or physically destroy the chip.
The findings regarding the two vulnerable applications are something that could have serious ramifications in the terms of compliance. In a number of states such as California, legislation calls for public companies to disclose details of data security breaches to all individuals who were impacted. The exception is if the compromised data can be verified as encrypted. Data encryption hardware can eliminate the possibility of embarrassment and corporate losses by securely storing cryptographic keys on removable media.
Software in general is known to be vulnerable, many of them containing errors in the source code their based on. Software vulnerabilities give points of entry to both hackers and malicious programs. When considering the facts, it's hard to prove that any form of data encryption software could be sufficient. What makes a good method of defense doesn't always make the best solution. If you're truly concerned about the integrity and confidentiality of your data, you may want to look into hardware-based solutions.