NASA Employees Warned About Vista Security Loophole

Computer security specialists at NASA have warned their employees of a loophole in the encryption feature BitLocker, only present in Enterprise and Ultimate editions of Microsoft's Windows Vista operating system. According to a document posted on NASA's Web site, BitLocker's encryption can be bypassed if a user leaves their computers in "sleep" mode. Only if the computer is shut down or set to "hibernate", users are required to insert a USB authentication key into their PCs or laptops to in order to boot up.

"An administrator can reduce the risk of circumvention of BitLocker (through theft of a "sleeping" rather than "hibernating" machine) by reducing the duration before the machine goes into hibernation," said NASA's security specialists, Aaron Powell and Christopher Vincent.

News source: InformationWeek

Report a problem with article
Previous Story

Hackers Attack Every 39 seconds

Next Story

Metal Gear Solid Movie Details Revealed

20 Comments

Commenting is disabled on this article.

Agreed, and the point of BL is not to impede someone from taking the data at any point in time, it's to prevent them from grabbing a cold machine, taking it elsewhere , and compromising the machine (i.e. as would be easy with a laptop). Thats the point of all OTFE.

For one thing, I find it hard to believe that NASA cannot or does not have a better hard drive encryption scheme than freaking Vista's capabilities, I'd want hardware encryption for the HD so that regardless of the OS settings it's encrypted.

Next, this isn't a big thing, as said, it's basically to secure the HD in case of theft, this standby crap is almost like saying "someone can copy the data when the PC is on if they kill (or KO) the operator before they shut it off." It's not like just because the data is on a BL drive that I cannot just move it to my USB drive and use it anywhere after that as long as the Vista OS is on, I did it earlier today actually, lol. If I try to copy it from Linux or XP it will fail though.

This really is nonsense. But, it is nice that this is pointed out for the people that will use standby over hibernation (i.e. me, I hate hibernation and delete the capability to even do it). Still, for NASA, this doesn't really matter, and for most people in general it doesn't. It's a good "tip" but nothing to be writing home about.

Well, isn't the whole point of sleep to enable the user to jump right back to where they left off? I don't normally leave my conputer in sleep mode if I am going to be away for any length of time. I always shut down or hibernate.

Unsuccessful to you perhaps, but hardly to the NASA employees demanding high security in all circumstances. They probably consider that this feature still being enabled by default an oversight in the BitLocker design. BitLocker could really inform & ask a user upon being enabled if some of these system settings that invalidate the protection should be modified. I think it doesn't really matter how one "should" or "should not" use sleep mode here... One scenario would be that another employee mistakenly thinks a laptop with shared ownership in the company is shut off and put it at risk.

Hmmm I seem to be the only one that finds this a non-issue?

I mean ... how are you going to steal a computer AND keep the power going to it so it doesn't turn off? Not like sleep mode magically doesn't require power or anything, right?

Now for laptops ... that's another story.

Bitlocker is in Enterprise and Ultimate only, not Business.

http://www.microsoft.com/windows/products/.../bitlocker.mspx

BitLocker Drive Encryption is a data protection feature available in Windows Vista Enterprise and Ultimate for client computers and in Windows Server "Longhorn".

Also this isn't really a "loophole" in Vista. Bitlocker is a boot-up security technology. Since stand-by does not involve the shutting down and booting up of a PC, it obviously doesn't kick in.

So, this is a "feature"?

Either way, this is a very real security problem, and should be addressed. I think disable sleep on BitLocker-enabled PCs would be the best way for Microsoft to quickly deal with this.

markjensen said,
So, this is a "feature"?

Either way, this is a very real security problem, and should be addressed. I think disable sleep on BitLocker-enabled PCs would be the best way for Microsoft to quickly deal with this.


It's not a problem. Hybernation is the default mode now in Vista, so if someone turns it off - too bad for them.

However, I do think that Microsoft should inform users that standby won't have the same effect as hybernation.

mrmckeb said,
It's not a problem. Hybernation is the default mode now in Vista, so if someone turns it off - too bad for them.

However, I do think that Microsoft should inform users that standby won't have the same effect as hybernation.

You are so right!

There is no risk of compromized data! Everything is perfectly secure.

Keep your head buried in the sand (or stuffed up Microsoft arse), and keep that rosy point of view!

Good catch by NASA.

But that is kinda what "sleep" is about - put user right back where they were when they turn the PC back "on".

I am guessing that the best fix will be for Microsoft to modify their sleep recovery a bit. This may take a bit of work and testing, as this interruption is not a normal part of the sleep process.

A quicker solution would be a hotfix that disabled the ability to sleep if BitLocker is enabled for a PC.

I agree; this is currently behavior by design, but the design in question could no doubt have been better.

If users run BitLocker, it is usually to have their computers protected at all times when they're not using it, and then they're likely not interested in quick startups if that comes as a cost of security. Revering Power Off to be like in XP if BitLocker is active sounds reasonable. They'd still have the option to enable that again if they really wished to, by going to the Advanced Power Savings preferences and changing the "shut down" Start Menu button behavior.