Source: iViZ, India

Encrypting Your Hard Disk is not Safe Anymore: Indian Security Startup iViZ Discovers New Vulnerability Affecting Microsoft, Intel, HP, Lenovo and Others
Vulnerability Allows Attackers to Bypass Hard-Disk Encryption Software, System Boot Passwords and Steal Confidential Data

Kolkata, West Bengal, India -- (Business Wire India) -- Monday, September 01, 2008 10:43:00 AM
iViZ, an Indian information security startup offering on-demand Penetration Testing, announced its discovery of a new class of vulnerability earlier this month at Defcon 16, the world's leading security conference. This vulnerability allows attackers to steal computer boot passwords and bypass the security of pre-boot authentication software such as hard disk encryption tools. It affects general computer users, enterprises and governments, and can result in unauthorized access to or theft of confidential data. Incidentally, the global loss due to data theft in 2007 is estimated at USD 40 billion.

"Surprisingly, this vulnerability has been existing for 25 years," says Jonathan Brossard, iViZ lead security researcher and discoverer of this vulnerability. "Programmers unaware of this have coded the boot password feature such that the user password is not flushed properly, leading to inadvertent text leakage and theft from memory. Even hard-drive encryption does not help here," adds Mr. Brossard. This vulnerability affects Microsoft BitLocker on the latest TPM (but not Vista SP1), TrueCrypt, Intel/HP BIOS and several others.

As part of its responsible disclosure practice, iViZ has already briefed all the affected vendors. "We appreciate vendors like Microsoft, Intel, HP proactively providing fixes to users. iViZ is committed to initiatives making the web safe and conducts research that helps secure organizations worldwide," said Bikash Barai, CEO of iViZ.

Bill Sisk, security response communication manager at Microsoft, via his email to RedmondMag, encouraged “customers to update their systems accordingly”.

About iViZ:

iViZ, founded at IIT and funded by IDG Ventures, offers the world's only end-to-end, automated Penetration Testing on-demand. Its patent-pending technology can simulate the intelligence of a human hacker, detect all possible attack paths in a system or network, and suggest suitable remedies.

Using this technology, iViZ provides on-demand Penetration Testing for proactive security risk management and compliance for standards like SOX, PCI, HIPAA or ISO 27001. The Software-as-a-Service model provides anytime, anywhere and anyhow testing capability and eliminates the pain associated with the conventional time-intensive, expensive and non-comprehensive manual testing.

Website: www.ivizsecurity.com

Vulnerability Details: www.ivizsecurity.com/security-advisory.html


Media Contact Details
Bala Girisaballa,
iViZ, India,
+91 99802-35881,
bala.girisaballa@ivizsecurity.com







