fis

Recently, I was involved in security testing of the device where TPM was used to store hard drive encryption key and authorize the platform before the key is unsealed from TPM to allow the OS loader or OS itself to decrypt hard drives. As the device was a stand alone device without possibility of using of another authorization methods (such as PIN, password or another key stored i.e. on USB key or a smart card) I have identified a possible attack vector how to disclose the encryption key and decrypt the data stored on the protected partitions of the hard drive. The idea was based on the fact the he TPM chip is usually connected to standardized and well documented LPC bus on the motherboard. On this bus the communication is not encrypted so it is possible to capture the traffic using a low-cost digital analyzer device and decode the LPC / TPM ACPI protocols later using the simple Java program. It took about two days (including preparations and simple LPC/TPM ACPI decoder developme

Please note this critical vulnerability affects mainly those who use AppService for PCI DSS related services. As the service is not designed according to best security practices and security standards  ITS NOT COMPLIANT  with the PCI DSS standard at least its requirement 6. This in the end means the  complete customer service  is not compliant too. This is because the AppService is not designed and maintained according to best practices and industry standards as PCI DSS requires. I've started with development of some application with targeting the Azure as the hosting platform. Because I was ethical hacker for last 10 years I was interested how secure the Azure is before I'll put anything there. I've read all that stuff related to sandboxes and isolation level of VM's running in the cloud, especially those related to web applications... Its good to trust but also to check. Once I've created the account to the Azure Portal I have deployed my first small Asp.Net