Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Privacy

6/18/2014
12:00 PM
Cam Roberson
Cam Roberson
Commentary
Connect Directly
Facebook
LinkedIn
RSS
E-Mail vvv
100%
0%

Data Security Decisions In A World Without TrueCrypt

The last days of TrueCrypt left many unanswered questions. But one thing is certain: When encryption freeware ends its life abruptly, being a freeloader can get you into a load of trouble.

The sudden demise of the encryption freeware TrueCrypt has left users and security experts to consider a couple of mysteries. First, what the heck happened to it? Second, and probably more important in the long term, where do the individuals and businesses that had been running TrueCrypt now go for their security needs?

On May 28, TrueCrypt’s official website began redirecting to a warning reading, “Using TrueCrypt is not secure as it may contain unfixed security issues.” A brief explanation followed, stating that development of TrueCrypt was killed in May following Microsoft’s termination of support for Windows XP. Then, in a curious choice for a team of open source developers, the remainder of the redirect page instructs users on how to migrate from TrueCrypt to BitLocker, Microsoft’s proprietary encryption product.

With the unknowns in this case set against the current backdrop of NSA scandals, reports of secret government requests for information issued to tech companies along with gag orders, and the pervasive sense that personal privacy is fading into an illusion, the TrueCrypt situation has been a perfect fuel for conspiracy theories -- and, really, who doesn’t love a good conspiracy theory?

Consider the possibilities
Is TrueCrypt’s explanation of Microsoft's ending support for Windows XP sufficient? Newer versions of Windows do come with BitLocker or EFS (Encrypting File System) built-in, ostensibly reducing the need for additional software. However, neither of these is built-in with Windows “Home” Editions, and the explanation does nothing to address TrueCrypt’s coverage of Mac and Linux systems.

Could TrueCrypt’s seeming endorsement of BitLocker be evidence that Microsoft bought them off? Or was it government agents in black suits and dark shades who got to them? TrueCrypt was famously the encryption tool recommended by Edward Snowden. There is a list of known legal cases where the FBI and law enforcement desired to get past TrueCrypt encryption, and it could not be cracked. Did the NSA bring pressure upon TrueCrypt’s creators, compromising the software’s defenses? Is Lifetime already buying the rights to a made-for-TV movie?

Just too much work
There’s likely a simpler, less provocative explanation. After a decade of uncompensated labor, the team behind TrueCrypt may have just grown tired of building, hosting, and supporting the product for free. A crowd-funded code and penetration
review of TrueCrypt supported by the Open Crypto Audit Project, although outwardly welcomed by the TrueCrypt team and positive in its first phase conclusions, may have caused team members to consider their project thankless. Or they may have simply accepted that BitLocker is sufficient protection for your average individual user and that it is now standard on a large enough share of Windows PCs to render their product no longer crucial enough to justify the effort.

Regardless of the truth behind the last days of TrueCrypt, the real question for users is what to do now. The answer will probably be different (and should be different) for individual and business applications. An individual owns the responsibility for his data. BitLocker and EFS come free as part of Windows on many PCs and are reasonably easy to turn on and off. For normal individual use, they do the job. Because Microsoft backs them, they have a guaranteed level of compatibility and longevity.

We would not recommend freeware encryption tools for exactly this reason: As with TrueCrypt, there are fewer guarantees that free tools will remain available and supported in the long term. In our opinion, the motivation, dedication, and responsibility to continue building and supporting software is severely diminished without profit motivation. There is a lot of encryption freeware available, but none more popular and well-respected than the now defunct TrueCrypt. The bottom line is that. In fact, using built-in tools is TrueCrypt’s final recommendation as well, and we agree when it comes to the security needs of an individual.

You get what you pay for
Businesses have more complex needs than individuals, and should look for more comprehensive security. Recent incidents with Target stores and the Heartbleed virus have proved how vulnerable and liable a business can be following a breach in data security. When choosing data encryption solutions, businesses should take a hard look at what they get for free versus what a small spend can provide.

More complex tools that aren’t shortcuts might make the most sense. Businesses need tools that enforce data security over their entire employee base. They need policy control capabilities: password requirements, lockouts, and key management. These tools must not encumber employee productivity and be easy for IT to manage and support. Mobile devices are a concern for businesses as well, and not only smartphones and tablets, but also USB devices, all holding sensitive and potentially damaging business data. Businesses may consider tools that can protect data in situations where encryption can’t: when a device is stolen with the power on, or when a contractor or employee is no longer in good standing.

As with individuals, we recommend that businesses seek solutions that use built-in encryption tools for their virtues of compatibility and longevity. However, more is required of a business-class tool. Top security tool providers recognize that supporting built-in encryption is much easier than attempting to incorporate encryption into an OS. Adding, supporting, and updating pre-boot processes and integrating with hardware is difficult. As the same time, Macs, iOS, and Android have built integrated encryption modules that can be leveraged by the right data security tools. Data can be remotely managed or wiped, and devices quarantined, taking the burden of data protection away from employees. These more robust business-class options, while more expensive than freeware, can amount to an immense savings. With data security solutions, you get what you pay for, and free can cost you.

Cam Roberson is the Director of the Reseller Channel for Beachhead Solutions, a company that designs cloud-managed mobile device security tools. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
CAMROBERSON
50%
50%
CAMROBERSON,
User Rank: Author
6/23/2014 | 9:52:14 AM
Re: TC volumes are Plain-Text when they are open...
You're absolutely right, Darker. There is a real distinction as to why people get encryption. Many look just to check the "compliance" checkbox; to have safeharbor in the event of hardware loss. But is the data truly secure? There are many instances where the data isn't encrypted and then what? Enforcing sound authentication policy? Certainly. How about an ability to remotely reach out to that device and control access. Or kill it altogether? I believe encryption is only a (and not the only) necessary piece of true security."
theb0x
50%
50%
theb0x,
User Rank: Ninja
6/21/2014 | 1:15:13 PM
Re: TC volumes are Plain-Text when they are open...
@darkerreading Exactly, And not only that TC, PGP..etc all have plain-text MBR just waiting to be tampered with when the volume is open from the booted OS. Also, the symmetric key is stored in RAM which yes can be extracted.

With Hardware-FDE or SEDs (Self-Encrypting Drives), the symmetric key managment is contained within the hard drive controller itself eliminating memory as a potetntial attack vector. Also unlike software based encryption, the MBR is fully encrypted.

However, not all SEDs are created equal. I have in the past successfully bypassed the firmware based authentication of a drive which resulted in full access to the encrypted volume without the key.

 

 

 

 
li'l ciso
50%
50%
li'l ciso,
User Rank: Strategist
6/20/2014 | 7:43:21 PM
TC volumes are Plain-Text when they are open...
Why does everyone forget that all encrypted voiumes are PT when they are open?

That goes for BL, PGP, SED's and TC. Encryption only protects you when the volume is closed. The NSA has 1001 exploits to get on your machine when it's running, why would they waste their time trying to crack TC... You just have to wait... then bam... insert surreptitious backdoor, or just read the data at that point... why crack TC/PGP/Bitlocker/Free-otfe at all?

Speaking of Free-OTFE, it was as good if not better than TC. And as far as I can recall, written by one woman, over a number of years, but feature for feature at least on windows, it was great. I can't speak to it's cross-platform-ness, but it was a great program. I don't think Plausible Deniablity was one of her things, but other than that I can't remember any major differences.

Good Day Sir
McDaveX
100%
0%
McDaveX,
User Rank: Strategist
6/20/2014 | 12:23:01 PM
Truecrypt still going strong
While its possible the Audit might throw up a spanner, until then there is no major reason to abandon Truecrypt, so I am not seeing the point of this article?
theb0x
50%
50%
theb0x,
User Rank: Ninja
6/19/2014 | 8:05:50 PM
Re: You're overlooking something...
This brings a whole new meaning to 'Debugging'. 
kalbr88
50%
50%
kalbr88,
User Rank: Apprentice
6/19/2014 | 3:45:20 PM
TrueCrypt's step by step recommendation for Mac as well
http://truecrypt.sourceforge.net/OtherPlatforms.html

TrueCrypt's site had also posted detailed instructions for Mac.

 
gev
100%
0%
gev,
User Rank: Moderator
6/19/2014 | 2:09:29 PM
yes I do
yes I do get to argue about anything - it is my right to free speach.

fact that you can not find anything only tells you that it is not found, not that it does not exist. And this is applicable unversally to everything.

coming from a totalitarian country, I do know what i am talking about, believe me.

 
anon5472249769
100%
0%
anon5472249769,
User Rank: Apprentice
6/19/2014 | 1:52:50 PM
Re: You're overlooking something...
Sorry, my friend, but you're bluffing with a hand of deuces here. The government of the United States of America is the ONLY country that has engaged in the full gamut of these practices (can you find me ONE... ONE example of someone else soldering backdoor chips on to the motherboards of Cisco routers, for example?), and everyone outside the U.S. knows about it (whether or not you want to acknowledge it).

Over time, we are simply going to stop using U.S.-manufactured software, hardware and services, because we have to assume that it has all been compromised. MIGHT equivalent equipment, if manufactured elsewhere, have been compromised? Possibly (although this is unlikely in most cases, with some exceptions such as Huawei). But thanks to Snowden, we KNOW -- way beyond a reasonable doubt -- that virtually ALL U.S.-manufactured equipment either already has been, or very well might soon be, "backdoored" by the NSA and other U.S. spook agencies.

I'm sorry if you don't like hearing that, but you don't get to argue about it. This IS the situation and the POV outside your country, and there's NOTHING that you now can do about it. The Humpty Dumpty of implicit foreign trust in the U.S. is broken, and all of Dick Cheney's horses and all of Barack Obama's men, can't put Humpty Dumpty, together, again.

Don't like that? Call Michael Hayden, Keith Alexander and James Clapper. Don't bother taking notes, because a few other people listening on the line, are already doing that for you.
gev
100%
0%
gev,
User Rank: Moderator
6/19/2014 | 10:17:28 AM
Re: You're overlooking something...
You point finger at US only because it openly tells you about what is going on.

The lack of information about other developed and otherwise countries doing the same only tells me that they are either not caught yet, or are better able to silense the truth.
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
6/18/2014 | 4:23:10 PM
Re: You're overlooking something...
@Bulos Qoqish

At a high level, I have to agree with you.  I believe the most successful and useful security tools, whether on the pen-testing side or encryption side, are free and open source software (FOSS) for many of the reasons you note.

Time will tell, but I have high hopes for TrueCrypt.ch to do exactly what you identified, which is keep technology like this moving forward, improve upon it rather than run from it, and use the FOSS community to make it work the way we want, independent of licenses, patents and hidden functions.
Page 1 / 2   >   >>
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-3633
PUBLISHED: 2021-02-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2021-20203
PUBLISHED: 2021-02-25
An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS s...
CVE-2021-3406
PUBLISHED: 2021-02-25
A flaw was found in keylime 5.8.1 and older. The issue in the Keylime agent and registrar code invalidates the cryptographic chain of trust from the Endorsement Key certificate to agent attestations.
CVE-2021-20327
PUBLISHED: 2021-02-25
A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Node....
CVE-2021-20328
PUBLISHED: 2021-02-25
Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in inte...