iViZ, a company that specializes in on-demand penetration testing, announced its discovery of a new class of vulnerability. This vulnerability lets attackers steal computer boot passwords and reach pre-boot authentication software such as hard disk encryption tools. It can result in unauthorized access and theft of confidential data, contributing to an already big problem; for 2007, the global loss due to data theft was estimated at $40 billion.
"Surprisingly, this vulnerability has been existing for 25 years," said Jonathan Brossard, iViZ lead security researcher and discoverer of the vulnerability. "Programmers unaware of this security hole have coded the boot password feature in such a way that user-entered text does not get flushed from memory properly, leading to inadvertent leakage and theft. Even hard-drive encryption does not help in this case."
The vulnerability affects Microsoft BitLocker on the latest TPM (but not Vista SP1), TrueCrypt, Intel/HP BIOS and others.
iViZ has already informed all the impacted vendors.
"We appreciate vendors like Microsoft, Intel, HP taking a proactive approach in providing fixes to users," said Bikash Barai, CEO of iViZ. "iViZ is committed to initiatives making the web safe and would continue to conduct research that helps to secure organizations worldwide."
iViZ is an information security company that provides end-to-end, automated penetration testing on demand. Its technology can simulate the intelligence of a human hacker and detect all possible attack paths in a system or network. It then also provides remedies.
iViZ offers On-Demand Penetration Testing for proactive security risk management and compliance with standards such as SOX, PCI, HIPAA or ISO 27001. The Software-as-a-Service (SaaS) model replaces conventional manual testing, which is time-consuming, costly and non-comprehensive. It provides the testing capability anytime, anywhere.
Anamika Singh is a contributing editor for TMCnet.
Edited by Mae Kowalke