Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Data Security Decisions In A World Without TrueCrypt
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
Robert McDougal
Robert McDougal,
 User Rank: Ninja
6/18/2014 | 12:26:11 PM
Moving on from TrueCrypt
I tend to believe that the creators of TrueCrypt were approached by Microsoft with a deal they couldn't refuse.  I have no evidence to support that other than the recommendation of bitlocker.  Just call it a gut feeling.

As far as what to do now I would recommend looking into DiskCryptor .  While not as polished as TrueCrypt it does appear to be built upon solid security.
Bulos Qoqish
Bulos Qoqish,
 User Rank: Apprentice
6/18/2014 | 12:31:02 PM
You're overlooking something...
I read your article about "what to do in the absence of TrueCrypt" with some interest; however, you are leaving out a few very important factors :


(1.) TrueCrypt - whatever its faults - was at least an Open Source application. Almost all commercial encryption systems (Bitlocker is the obvious example) are closed-source, meaning that one has to just take at face value, manufacturer representations that the cryptography involved is (a) correctly implemented and (b) free of "backdoors" to enable covert channel attacks by (for example) intelligence agencies. In the post-Snowden era, one would have to be crazily naive to be willing to accept this kind of assurance.


(2.) In the post-Snowden era, we must assume that all U.S.-invented, manufactured or owned software, including but not limited to the encryption systems that you advocate, have been compromised by the NSA and likely by other agencies such as the CIA, FBI, DIA, and just about anyone who wants to, under the USA PATRIOT Act and other applicable U.S. legislation. Bitlocker is the most obvious example of this but really ALL U.S.-owned software and hardware must be assumed to have been similarly compromised.

I'm sorry if you don't like hearing this, but it is the #1 concern for those of us outside the U.S., and there is NOTHING that you can do, now, to address the concern. Send all cards of thanks and appreciation to George Bush, Dick Cheney, Barack Obama, James Clapper, Michael Hayden and Keith Alexander.

(3.) As you point out, one of TrueCrypt's significant advantages was its multi-platform capabilities. These capabilities are starkly absent from most of the commercial products that you advocate (particularly BitLocker), many of which (Bitlocker, Apple FileVault, etc.) are deliberately engineered for marketing reasons, so as to lock a user into a platform-specific "walled garden". For those of us who need static data security in a heterogeneous endpoint environment, this issue is a "show stopper" for the Bitlockers of the world.

The bottom line? Something will replace TrueCrypt. That "something" will be Open Source and will be carefully designed so as to preclude compromise by the United States' pervasive, Orwellian surveillance state. TrueCrypt was a signature achievement in personal data privacy, and the next step will be a step forward, not backward - which is what you are advocating, by pushing Bitlocker.
Randy Naramore
Randy Naramore,
 User Rank: Ninja
6/18/2014 | 12:42:45 PM
Re: Moving on from TrueCrypt
"When one door closes another opens", truecrypt has been good but maybe it is time to check out some other options and when the money talks... Good point Robby. 
anon5131084689
anon5131084689,
 User Rank: Apprentice
6/18/2014 | 12:45:22 PM
Heartbleed
What's "The heartbleed virus" again?
CAMROBERSON
CAMROBERSON,
 User Rank: Author
6/18/2014 | 1:21:20 PM
Re: You're overlooking something...
I grapple with the question of what the NSA is capable of cracking and what it isn't. I suppose the NSA may have cracked TrueCrypt which may have drove its developers to take it down and assert "It's not secure." Who knows? I'm going to assume the NSA has a leg up on their "illegal" hacking brethren but I think most (law abiding) folks are concerned with criminals with financial motivations. With proper authentication and 256 bit encryption (built-in or commercially available) I think my data's safe. If the NSA wants to learn more about me they can do it the old-fashioned way and tap my phone. 
theb0x
theb0x,
 User Rank: Ninja
6/18/2014 | 3:41:46 PM
FalseCrypt
I think there are quite a few code quality issues with TrueCrypt because it utilizes XTS2 as the block cipher mode of operation instead of using HMAC. The bootloader and Windows Kernel Driver also contain depreciated functions among other issues which are clearly visable in the source code. Because of this it lacks protection from certain modification to the volume. It would not surprise me the least bit if the NSA has further developed and exploited these flaws in a similar fashion to the Stoned Bootkit (a form of malware developed to MITM all read/write operations of the encrypted volume without breaking the encryption itself.) This attack works because TrueCrypt does not have the capability to prevent anything from being loaded prior to it's own MBR. I see this as being a similar issue with BitLocker if exploited correctly because it operates basically in the same maner.
RetiredUser
RetiredUser,
 User Rank: Ninja
6/18/2014 | 4:23:10 PM
Re: You're overlooking something...
@Bulos Qoqish

At a high level, I have to agree with you.  I believe the most successful and useful security tools, whether on the pen-testing side or encryption side, are free and open source software (FOSS) for many of the reasons you note.

Time will tell, but I have high hopes for TrueCrypt.ch to do exactly what you identified, which is keep technology like this moving forward, improve upon it rather than run from it, and use the FOSS community to make it work the way we want, independent of licenses, patents and hidden functions.
gev
gev,
 User Rank: Moderator
6/19/2014 | 10:17:28 AM
Re: You're overlooking something...
You point finger at US only because it openly tells you about what is going on.

The lack of information about other developed and otherwise countries doing the same only tells me that they are either not caught yet, or are better able to silense the truth.
anon5472249769
anon5472249769,
 User Rank: Apprentice
6/19/2014 | 1:52:50 PM
Re: You're overlooking something...
Sorry, my friend, but you're bluffing with a hand of deuces here. The government of the United States of America is the ONLY country that has engaged in the full gamut of these practices (can you find me ONE... ONE example of someone else soldering backdoor chips on to the motherboards of Cisco routers, for example?), and everyone outside the U.S. knows about it (whether or not you want to acknowledge it).

Over time, we are simply going to stop using U.S.-manufactured software, hardware and services, because we have to assume that it has all been compromised. MIGHT equivalent equipment, if manufactured elsewhere, have been compromised? Possibly (although this is unlikely in most cases, with some exceptions such as Huawei). But thanks to Snowden, we KNOW -- way beyond a reasonable doubt -- that virtually ALL U.S.-manufactured equipment either already has been, or very well might soon be, "backdoored" by the NSA and other U.S. spook agencies.

I'm sorry if you don't like hearing that, but you don't get to argue about it. This IS the situation and the POV outside your country, and there's NOTHING that you now can do about it. The Humpty Dumpty of implicit foreign trust in the U.S. is broken, and all of Dick Cheney's horses and all of Barack Obama's men, can't put Humpty Dumpty, together, again.

Don't like that? Call Michael Hayden, Keith Alexander and James Clapper. Don't bother taking notes, because a few other people listening on the line, are already doing that for you.
gev
gev,
 User Rank: Moderator
6/19/2014 | 2:09:29 PM
yes I do
yes I do get to argue about anything - it is my right to free speach.

fact that you can not find anything only tells you that it is not found, not that it does not exist. And this is applicable unversally to everything.

coming from a totalitarian country, I do know what i am talking about, believe me.

 
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file