Tuesday, April 13, 2010

Where secure doesn´t mean secure and safe doesn´t mean safe

You may update your antivirus software religiously, immediately download all new Windows security patches, and refuse to click any e-mail links ostensibly sent by your bank, but even if your computer is running exactly the way it’s supposed to, a motivated attacker can still glean a shocking amount of private information from it.

The time it takes to store data in memory,fluctuations in power consumption, even the sounds your computer makes can betray its secrets. MIT researchers centered at the Computer Science and Artificial Intelligence Lab’s Cryptography and Information Security Group (CIS) study such subtle security holes and how to close them.

“Imagine a stock broker that specializes in a specific company,” Tromer says.
“If you observe that his virtual machine is particularly active, that could be valuable information. Or you may want to know how popular your competitors’ website is. We’ve actually demonstrated that we can very robustly estimate web server popularity.”

“This has sparked the imagination of both the research community and industry,” Rohatgi says. “I interact with a lot of people in industry, and when they say, ‘Give me the technical basis for this,’ I point to [Tromer and colleagues’] papers.”

Finally, Tromer is continuing work he began as a graduate student, on the use of a “hundred-dollar commodity microphone” to record the very sounds emitted by a computer and analyze them for information about cryptographic keys. So far, Tromer hasn’t been able to demonstrate complete key extraction, but he believes he’s getting close.

Any information at all about a computer’s internal workings “is actually fairly damaging,” Rohatgi says. “In some sense, some of these cryptographic algorithms are fairly brittle, and with a little extra information, you can break them.”
Post a Comment