Welcome to the MacNN Forums.


researchers find several critical security problems: passwords stored in memory
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Feb 22, 2008, 12:12 PM
 
FileVault allegedly can be cracked if the computer is stolen (or unattended for a short while) while in sleep mode. See the video at:

Center for Information Technology Policy » Lest We Remember: Cold Boot Attacks on Encryption Keys

Most thieves probably don't have the technical know-how to pull this off, but for government or corporate users this might be an issue.
     
OreoCookie
Moderator
Join Date: May 2001
Location: Hilbert space
Feb 22, 2008, 01:16 PM
 
I've changed the title to reflect that it's not just FileVault, but similar disk encryption systems are susceptible to this attack, too. The problem is actually not FileVault's mechanism, but rather that the cryptographic key remains in memory and that they've succeeded in extracting the contents of DRAM even after the computer has been shut off.
I don't suffer from insanity, I enjoy every minute of it.
     
bearcatrp
Senior User
Join Date: Dec 2005
Location: Minnesota
Feb 28, 2008, 04:29 PM
 
Just passing this on from what I found... Security glitch exposes OS X account passwords | Tech news blog - CNET News.com

Hopefully fixed soon though.
2010 Mac Mini, 32GB iPod Touch, 2 Apple TV (1)
Home built 12 core 2.93 Westmere PC (almost half the cost of MP) Win7 64.
     
larrinski
Mac Enthusiast
Join Date: Sep 2005
Location: Canada... be nice, eh?
Feb 28, 2008, 05:46 PM
 
Looks pretty bad to me. I probably won't be the first here to say that if someone has physical access to your computer, the game is up...Hey, I am the first one

I just hope my encrypted sparse images are safe...
My Blog-pakos.me
     
Don Pickett
Professional Poster
Join Date: Mar 2000
Location: New York, NY, USA
Feb 28, 2008, 09:22 PM
 
Physical access always compromises 99% of security measures.
The era of anthropomorphizing hardware is over.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 28, 2008, 11:08 PM
 
Since most Mac users have auto-login enabled, this is moot really. However, as Don points out, if you can touch the machine, it's compromised no matter what. Not a big deal really, but a nice way to get sensational headlines.

Glenn -----OTR/L, MOT, Tx
     
TETENAL  (op)
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Feb 28, 2008, 11:25 PM
 
The big deal is that this decrypts the keychain and circumvents FileVault. Both should not be possible, even with physical access. Laptops get stolen.
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Feb 29, 2008, 12:31 AM
 
By refusing to get a fix out quickly, Apple doesn't seem to have taken a very responsible position in response to this exploit.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Feb 29, 2008, 01:57 AM
 
Originally Posted by Big Mac:
> By refusing to get a fix out quickly, Apple doesn't seem to have taken a very responsible position in response to this exploit.

I'd rather Apple take the time necessary to properly test the fix to make sure it doesn't break anything.

Originally Posted by From the original article:
> Appelbaum reported the problem to Apple on February 5, but Apple didn't fix it in the security update released on February 11.

Um, 6 days is NOT enough time to develop a fix and properly test it before releasing it. This will probably be fixed in the next Security Update, whenever that is.

It hasn't even been a month since Apple was notified. Give them time. If it's not fixed within 6 weeks of being reported to them, THEN your complaint is valid. (IMO)
     
OreoCookie
Moderator
Join Date: May 2001
Location: Hilbert space
Feb 29, 2008, 06:48 AM
 
This was covered a week ago and first posted by TETENAL. Please use his thread for discussion.

It wasn't a security issue just for OS X, but in the demo video, they've actually cracked a Vista laptop.
I don't suffer from insanity, I enjoy every minute of it.
     
OreoCookie
Moderator
Join Date: May 2001
Location: Hilbert space
Feb 29, 2008, 10:50 AM
 
The same group of researchers found another, OS X-specific flaw that allows passwords to be extracted from memory in the same manner. I've decided to merge the threads as the idea behind the attack is exactly the same in both cases.

I should add that while the group and the method are the same, the flaw that bearcatrp has pointed out is a different one that is indeed OS X-specific. I didn't realize that at first, because both the method and the group were the same.
I don't suffer from insanity, I enjoy every minute of it.
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Feb 29, 2008, 12:16 PM
 
Originally Posted by ghporter:
> Since most Mac users have auto-login enabled, this is moot really. However, as Don points out, if you can touch the machine, it's compromised no matter what. Not a big deal really, but a nice way to get sensational headlines.

I don't. I feel special

-t
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 29, 2008, 02:38 PM
 
Originally Posted by TETENAL:
> The big deal is that this decrypts the keychain and circumvents FileVault. Both should not be possible, even with physical access. Laptops get stolen.

...and FileVault is dicey at best - it may keep YOU from your data for no apparent reason. If you depend on FileVault for protecting your sensitive data, then IMO you're living pretty close to the edge anyway.

It is relatively easy to attack encrypted files if you have the drive - which is of course what the intruder would have if he got his hands on your computer to begin with - so if he knows about the keychain vulnerability he simply gets his access sooner rather than later. Yes, this vulnerability is sort of like forcing you to keep the key to your house under the doormat in exactly the same place, but if you have a locked gate outside your door to keep the baddies away from your doormat, then it's not as big a problem.

Also, how many laptop thieves go for the data on the drive? It's my understanding that such thefts are done by non-technical people who sell the computers quickly for a quick buck. It is not "trivial" to take advantage of this vulnerability (though not as difficult as trying to break an encrypted storage system without it), so odds are IF your computer is stolen and IF it's stolen by or given to someone who wants the data on it, then IF that person knows about the vulnerability and IF he can take advantage of it then you have a problem. Better to keep your sensitive data on portable media that you keep on your person, especially if you travel with your laptop.

It's an excellent idea to do this for a lot of reasons. ALL of my written assignments are on a USB drive that goes with me everywhere. This not only makes it easy for me to work on my assignments either on my MBP at school or on my iMac at home, it means that a crash, a robbery, or any other catastrophic problem won't impact my school work.

Glenn -----OTR/L, MOT, Tx
     
TETENAL  (op)
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Feb 29, 2008, 03:28 PM
 
Originally Posted by ghporter:
> Also, how many laptop thieves go for the data on the drive?

Governmental laptops have already been stolen for the apparent reason to get to the data. I guess in the corporate environment this happens as well (without the media attention). FileVault is the best Apple offers to protect against this. It's in Apple's interest to make this as safe as possible.
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Feb 29, 2008, 04:24 PM
 
Originally Posted by ghporter:
> ALL of my written assignments are on a USB drive that goes with me everywhere. This not only makes it easy for me to work on my assignments either on my MBP at school or on my iMac at home, it means that a crash, a robbery, or any other catastrophic problem won't impact my school work.

I disagree that this is more secure.

A missing USB stick might not be noticed missing for a while, unlike a WHOLE missing computer.

Plus, a USB stick by itself is worth almost nothing. So immediately, a thief would go for what MIGHT be worth a buck: the data.

-t
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 29, 2008, 11:27 PM
 
My process with the USB stick makes it VERY unlikely that I'd not notice it missing - if it isn't in the computer it's tethered in my pack; there are no other states. But on the whole, you make a good point: NOTHING is foolproof (fools are so inventive) and any method you use to secure your data needs to be well thought out and practiced to the point of reflex. Otherwise, as turtle says, you'd be putting yourself in a position to definitely lose your data to someone who would know that's what he had.

Glenn -----OTR/L, MOT, Tx
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Mar 1, 2008, 06:35 AM
 
Would I be right in thinking that the Secure virtual memory option in the Security preferences is not going to be any help here - does it only encrypt memory once it is written to disk as swapfiles, or does it do it on the fly in RAM as well?
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Mar 1, 2008, 10:58 AM
 
There would be some pros and cons either way in respect to whether the data in RAM is encrypted - it could speed the actual writing of caches, but it would slow the whole process down immensely, while waiting until it's time to write the cache would slow that down but allow normal RAM access to be at full hardware speed. My money would be on the latter strategy.

I'm also interested in this issue: Does Secure Virtual Memory use a standard keychain-entry key?

Glenn -----OTR/L, MOT, Tx
     
   
 