Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Privacy

6/18/2014
12:00 PM
Cam Roberson
Cam Roberson
Commentary
Connect Directly
Facebook
LinkedIn
RSS
E-Mail vvv
100%
0%

Data Security Decisions In A World Without TrueCrypt

The last days of TrueCrypt left many unanswered questions. But one thing is certain: When encryption freeware ends its life abruptly, being a freeloader can get you into a load of trouble.

The sudden demise of the encryption freeware TrueCrypt has left users and security experts to consider a couple of mysteries. First, what the heck happened to it? Second, and probably more important in the long term, where do the individuals and businesses that had been running TrueCrypt now go for their security needs?

On May 28, TrueCrypt’s official website began redirecting to a warning reading, “Using TrueCrypt is not secure as it may contain unfixed security issues.” A brief explanation followed, stating that development of TrueCrypt was killed in May following Microsoft’s termination of support for Windows XP. Then, in a curious choice for a team of open source developers, the remainder of the redirect page instructs users on how to migrate from TrueCrypt to BitLocker, Microsoft’s proprietary encryption product.

With the unknowns in this case set against the current backdrop of NSA scandals, reports of secret government requests for information issued to tech companies along with gag orders, and the pervasive sense that personal privacy is fading into an illusion, the TrueCrypt situation has been a perfect fuel for conspiracy theories -- and, really, who doesn’t love a good conspiracy theory?

Consider the possibilities
Is TrueCrypt’s explanation of Microsoft's ending support for Windows XP sufficient? Newer versions of Windows do come with BitLocker or EFS (Encrypting File System) built-in, ostensibly reducing the need for additional software. However, neither of these is built-in with Windows “Home” Editions, and the explanation does nothing to address TrueCrypt’s coverage of Mac and Linux systems.

Could TrueCrypt’s seeming endorsement of BitLocker be evidence that Microsoft bought them off? Or was it government agents in black suits and dark shades who got to them? TrueCrypt was famously the encryption tool recommended by Edward Snowden. There is a list of known legal cases where the FBI and law enforcement desired to get past TrueCrypt encryption, and it could not be cracked. Did the NSA bring pressure upon TrueCrypt’s creators, compromising the software’s defenses? Is Lifetime already buying the rights to a made-for-TV movie?

Just too much work
There’s likely a simpler, less provocative explanation. After a decade of uncompensated labor, the team behind TrueCrypt may have just grown tired of building, hosting, and supporting the product for free. A crowd-funded code and penetration
review of TrueCrypt supported by the Open Crypto Audit Project, although outwardly welcomed by the TrueCrypt team and positive in its first phase conclusions, may have caused team members to consider their project thankless. Or they may have simply accepted that BitLocker is sufficient protection for your average individual user and that it is now standard on a large enough share of Windows PCs to render their product no longer crucial enough to justify the effort.

Regardless of the truth behind the last days of TrueCrypt, the real question for users is what to do now. The answer will probably be different (and should be different) for individual and business applications. An individual owns the responsibility for his data. BitLocker and EFS come free as part of Windows on many PCs and are reasonably easy to turn on and off. For normal individual use, they do the job. Because Microsoft backs them, they have a guaranteed level of compatibility and longevity.

We would not recommend freeware encryption tools for exactly this reason: As with TrueCrypt, there are fewer guarantees that free tools will remain available and supported in the long term. In our opinion, the motivation, dedication, and responsibility to continue building and supporting software is severely diminished without profit motivation. There is a lot of encryption freeware available, but none more popular and well-respected than the now defunct TrueCrypt. The bottom line is that. In fact, using built-in tools is TrueCrypt’s final recommendation as well, and we agree when it comes to the security needs of an individual.

You get what you pay for
Businesses have more complex needs than individuals, and should look for more comprehensive security. Recent incidents with Target stores and the Heartbleed virus have proved how vulnerable and liable a business can be following a breach in data security. When choosing data encryption solutions, businesses should take a hard look at what they get for free versus what a small spend can provide.

More complex tools that aren’t shortcuts might make the most sense. Businesses need tools that enforce data security over their entire employee base. They need policy control capabilities: password requirements, lockouts, and key management. These tools must not encumber employee productivity and be easy for IT to manage and support. Mobile devices are a concern for businesses as well, and not only smartphones and tablets, but also USB devices, all holding sensitive and potentially damaging business data. Businesses may consider tools that can protect data in situations where encryption can’t: when a device is stolen with the power on, or when a contractor or employee is no longer in good standing.

As with individuals, we recommend that businesses seek solutions that use built-in encryption tools for their virtues of compatibility and longevity. However, more is required of a business-class tool. Top security tool providers recognize that supporting built-in encryption is much easier than attempting to incorporate encryption into an OS. Adding, supporting, and updating pre-boot processes and integrating with hardware is difficult. As the same time, Macs, iOS, and Android have built integrated encryption modules that can be leveraged by the right data security tools. Data can be remotely managed or wiped, and devices quarantined, taking the burden of data protection away from employees. These more robust business-class options, while more expensive than freeware, can amount to an immense savings. With data security solutions, you get what you pay for, and free can cost you.

Cam Roberson is the Director of the Reseller Channel for Beachhead Solutions, a company that designs cloud-managed mobile device security tools. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
theb0x
50%
50%
theb0x,
User Rank: Ninja
6/18/2014 | 3:41:46 PM
FalseCrypt
I think there are quite a few code quality issues with TrueCrypt because it utilizes XTS2 as the block cipher mode of operation instead of using HMAC. The bootloader and Windows Kernel Driver also contain depreciated functions among other issues which are clearly visable in the source code. Because of this it lacks protection from certain modification to the volume. It would not surprise me the least bit if the NSA has further developed and exploited these flaws in a similar fashion to the Stoned Bootkit (a form of malware developed to MITM all read/write operations of the encrypted volume without breaking the encryption itself.) This attack works because TrueCrypt does not have the capability to prevent anything from being loaded prior to it's own MBR. I see this as being a similar issue with BitLocker if exploited correctly because it operates basically in the same maner.
CAMROBERSON
50%
50%
CAMROBERSON,
User Rank: Author
6/18/2014 | 1:21:20 PM
Re: You're overlooking something...
I grapple with the question of what the NSA is capable of cracking and what it isn't. I suppose the NSA may have cracked TrueCrypt which may have drove its developers to take it down and assert "It's not secure." Who knows? I'm going to assume the NSA has a leg up on their "illegal" hacking brethren but I think most (law abiding) folks are concerned with criminals with financial motivations. With proper authentication and 256 bit encryption (built-in or commercially available) I think my data's safe. If the NSA wants to learn more about me they can do it the old-fashioned way and tap my phone. 
anon5131084689
100%
0%
anon5131084689,
User Rank: Apprentice
6/18/2014 | 12:45:22 PM
Heartbleed
What's "The heartbleed virus" again?
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
6/18/2014 | 12:42:45 PM
Re: Moving on from TrueCrypt
"When one door closes another opens", truecrypt has been good but maybe it is time to check out some other options and when the money talks... Good point Robby. 
Bulos Qoqish
100%
0%
Bulos Qoqish,
User Rank: Apprentice
6/18/2014 | 12:31:02 PM
You're overlooking something...
I read your article about "what to do in the absence of TrueCrypt" with some interest; however, you are leaving out a few very important factors :


(1.) TrueCrypt - whatever its faults - was at least an Open Source application. Almost all commercial encryption systems (Bitlocker is the obvious example) are closed-source, meaning that one has to just take at face value, manufacturer representations that the cryptography involved is (a) correctly implemented and (b) free of "backdoors" to enable covert channel attacks by (for example) intelligence agencies. In the post-Snowden era, one would have to be crazily naive to be willing to accept this kind of assurance.


(2.) In the post-Snowden era, we must assume that all U.S.-invented, manufactured or owned software, including but not limited to the encryption systems that you advocate, have been compromised by the NSA and likely by other agencies such as the CIA, FBI, DIA, and just about anyone who wants to, under the USA PATRIOT Act and other applicable U.S. legislation. Bitlocker is the most obvious example of this but really ALL U.S.-owned software and hardware must be assumed to have been similarly compromised.

I'm sorry if you don't like hearing this, but it is the #1 concern for those of us outside the U.S., and there is NOTHING that you can do, now, to address the concern. Send all cards of thanks and appreciation to George Bush, Dick Cheney, Barack Obama, James Clapper, Michael Hayden and Keith Alexander.

(3.) As you point out, one of TrueCrypt's significant advantages was its multi-platform capabilities. These capabilities are starkly absent from most of the commercial products that you advocate (particularly BitLocker), many of which (Bitlocker, Apple FileVault, etc.) are deliberately engineered for marketing reasons, so as to lock a user into a platform-specific "walled garden". For those of us who need static data security in a heterogeneous endpoint environment, this issue is a "show stopper" for the Bitlockers of the world.

The bottom line? Something will replace TrueCrypt. That "something" will be Open Source and will be carefully designed so as to preclude compromise by the United States' pervasive, Orwellian surveillance state. TrueCrypt was a signature achievement in personal data privacy, and the next step will be a step forward, not backward - which is what you are advocating, by pushing Bitlocker.
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
6/18/2014 | 12:26:11 PM
Moving on from TrueCrypt
I tend to believe that the creators of TrueCrypt were approached by Microsoft with a deal they couldn't refuse.  I have no evidence to support that other than the recommendation of bitlocker.  Just call it a gut feeling.

As far as what to do now I would recommend looking into DiskCryptor .  While not as polished as TrueCrypt it does appear to be built upon solid security.
<<   <   Page 2 / 2
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/1/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15664
PUBLISHED: 2020-10-01
By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended or malicious extensi...
CVE-2020-15665
PUBLISHED: 2020-10-01
Firefox did not reset the address bar after the beforeunload dialog was shown if the user chose to remain on the page. This could have resulted in an incorrect URL being shown when used in conjunction with other unexpected browser behaviors. This vulnerability affects Firefox &lt; 80.
CVE-2020-15666
PUBLISHED: 2020-10-01
When trying to load a non-video in an audio/video context the exact status code (200, 302, 404, 500, 412, 403, etc.) was disclosed via the MediaError Message. This level of information leakage is inconsistent with the standardized onerror/onsuccess disclosure and can lead to inferring login status t...
CVE-2020-15667
PUBLISHED: 2020-10-01
When processing a MAR update file, after the signature has been validated, an invalid name length could result in a heap overflow, leading to memory corruption and potentially arbitrary code execution. Within Firefox as released by Mozilla, this issue is only exploitable with the Mozilla-controlled ...
CVE-2020-15668
PUBLISHED: 2020-10-01
A lock was missing when accessing a data structure and importing certificate information into the trust database. This vulnerability affects Firefox &lt; 80 and Firefox for Android &lt; 80.