I’ve written on here before about major bugs in the PGP platform for whole disk encryption. Fairly recently it was discovered that there is a bug in the latest version of PGP Desktop (specifically, whole disk encryption) on machines that are running the new Intel Sandy Bridge architecture with certain hard drives. On the new 2011 MacBook Pros this manifests itself after the drive is instrumented and encryption started. If you happen to reboot the machine (even after a full encrypt) you can get past the boot guard, only to be faced with a hung system at the Apple logo. Decrypting the drive (using target disk mode) does not resolve the issue, and running fsck shows the catalog file to be corrupted and unrecoverable.

Initially we thought this issue to be specific to the Mac platform; however, further testing has shown this to be a problem with ANY platform running Sandy Bridge. Specifically, I’ve seen this issue on MacBook Pro 8,2 models with the 750GB hard drives and with SSDs, as well as on new Dell laptops running Sandy Bridge and equipped with SSDs.

For the Mac side of the house, a solid week of testing has allowed me to find two workarounds. It would appear that forcing the OS to boot into 32-bit mode (perpetually), then installing PGP and encrypting, resolves the issue. Unfortunately you also lose the benefit of running in native 64-bit mode. This is less than ideal. For Macs that are running with the Apple-provided SSDs you can also resolve this by placing a jumper on the left two jumper pins on the right side of the rear of the drive (there are four pins, they should be obvious), then doing a fresh install of the OS. At the moment I do not know specifically what that jumper configuration does (I can’t get a straight answer out of Toshiba), but I do know that it fixes the issue and allows for encryption to work. I’ve been running this configuration in my Sandy Bridge MBP 15″ for a few days now, fully encrypted, without any issues.

To date I do not have a workaround for the Dells. This is a major issue and Symantec has not made a widespread announcement on their encryption blog warning consumers.  I have been in contact with Symantec regarding this issue (including working with one of their developers to perform testing and help narrow down where the problem exists), but as of yet have not heard a definitive answer as to what the cause is.

I will post updated information as it becomes available.

 

 

Two hops over the pond

Posted: 29th March 2011 by John in Personal

Last week I had the awesome opportunity to visit the ExactTarget Global headquarters in London. A project I have been working on required someone to be physically present in our office over there and I was picked to be that someone. This was cool for several reasons – first and foremost being that it was my first international trip and second being that I got to meet some pretty great people who work in our London office.

The trip is considered a success – the project work was done without incident and was quite productive. I won’t go into detail as to what that involved, but suffice to say we’re all happy with the results. My coworkers in London made the trip even better than I had expected – welcoming me both to their office and to their country. They were all very friendly and I really enjoyed getting to meet them all and enjoy a few pints with them as well. My friend and coworker, Ashraf, made sure to take me to Bodeans BBQ for lunch. He had me try the Soho Special and… it was amazing. If you like BBQ you owe it to yourself to give this sandwich a try – it’s fantastic.

Sadly – I did not get much time to play tourist. It’s definitely sad that I didn’t get to get out and see the (many!) sights and visit the many wonderful museums, but it gives me something to look forward to for my next trip across the pond. I definitely want to take Ann and go be tourists for a while.

The trip was fantastic, but I am definitely glad to be back home. There’s just no substitute for sleeping in my own bed.

It’s going to be a long night…

Posted: 21st March 2011 by John in Personal

I sit here in Newark waiting (im)patiently for the announcement that my flight is ready to board.  I’ve got another hour and a half until the scheduled boarding time, and I’m really hopeful for an on-time departure.

Those of you who follow me on Twitter know I’m embarking on a journey across the pond to visit the ExactTarget Global headquarters in London.  A project I’m working on requires my presence in London to meet with a vendor, which I really can’t say is such a bad thing.

This is, however, my first international trip.  Ever. I’d be lying if I said I wasn’t a bit nervous for this very reason.

I’ve asked advice from lots of people and have made all of the arrangements (several of them thanks to the WONDERFUL people in our London office who helped out!) needed to make it a smooth trip.  I’m as ready for this trip as one man can be.  I’m still nervous.

I’ll have loads of fun I’m sure, and I consider myself lucky to get a free trip to London.  That certainly doesn’t happen every day – I will take advantage of it.

Any advice on things I should definitely do when I have some free time?

 

You had me at XSS

Posted: 9th March 2011 by John in Personal

As I deal with Application Security issues, I’ve found that quite a few people don’t fully understand the dangers of attack vectors like SQL injection and Cross Site Scripting (XSS).  It’s at least somewhat easy to illustrate the dangers of SQL injection – just point them to this XKCD strip.  Far more difficult to explain to someone who doesn’t understand is the risk involved in XSS.

A lot of folks downplay the potential risk, choosing instead to believe that the risk is low because they mark their session cookies as HttpOnly, so “document.cookie” won’t get you anything worthwhile. A challenge for those in AppSec is how to educate them about the true dangers of even a single XSS vulnerability.

While looking for a way to do exactly that I stumbled on (no, not using StumbleUpon) XSS-Track, a project which aims to demonstrate how a single XSS vulnerability can enable tracking of a user across an entire website (not just the page with the vulnerability), and even intercept files that are uploaded by that user. The capabilities are almost limitless if enough time and effort are put in.

With luck – examples such as the one provided by XSS-Track can be used to entice organizations to reduce the window of vulnerability on XSS (and other) vulnerabilities found in their web apps.  It certainly is a powerful tool for expressing the magnitude of damage possible from XSS.

 

 

A visit by the Fire Department

Posted: 7th March 2011 by John in Personal

*bzzzzzzzzzzzzzzz* *bzzzzzzzzzzz* *bzzzzzzzzzzzzzzzzzz*

Another 800 number calling – I let it go to voicemail.  Then it happened again … *Bzzzzzzzzzzzzz* *bzzzzzzzzzzz* *bzzzzzzzzzzzzz*.   Slightly annoyed, I again let it go to voicemail.

A minute or so later, my phone chirps again – notifying me that I have voicemail. This intrigued me – very rarely do 800 numbers leave me voicemail. I listened to the voicemail and immediately regretted not answering the phone.