Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Data Security Decisions In A World Without TrueCrypt
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
theb0x
50%
50%
theb0x,
User Rank: Ninja
6/18/2014 | 3:41:46 PM
FalseCrypt
I think there are quite a few code quality issues with TrueCrypt because it utilizes XTS2 as the block cipher mode of operation instead of using HMAC. The bootloader and Windows Kernel Driver also contain depreciated functions among other issues which are clearly visable in the source code. Because of this it lacks protection from certain modification to the volume. It would not surprise me the least bit if the NSA has further developed and exploited these flaws in a similar fashion to the Stoned Bootkit (a form of malware developed to MITM all read/write operations of the encrypted volume without breaking the encryption itself.) This attack works because TrueCrypt does not have the capability to prevent anything from being loaded prior to it's own MBR. I see this as being a similar issue with BitLocker if exploited correctly because it operates basically in the same maner.
CAMROBERSON
50%
50%
CAMROBERSON,
User Rank: Author
6/18/2014 | 1:21:20 PM
Re: You're overlooking something...
I grapple with the question of what the NSA is capable of cracking and what it isn't. I suppose the NSA may have cracked TrueCrypt which may have drove its developers to take it down and assert "It's not secure." Who knows? I'm going to assume the NSA has a leg up on their "illegal" hacking brethren but I think most (law abiding) folks are concerned with criminals with financial motivations. With proper authentication and 256 bit encryption (built-in or commercially available) I think my data's safe. If the NSA wants to learn more about me they can do it the old-fashioned way and tap my phone. 
anon5131084689
100%
0%
anon5131084689,
User Rank: Apprentice
6/18/2014 | 12:45:22 PM
Heartbleed
What's "The heartbleed virus" again?
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
6/18/2014 | 12:42:45 PM
Re: Moving on from TrueCrypt
"When one door closes another opens", truecrypt has been good but maybe it is time to check out some other options and when the money talks... Good point Robby. 
Bulos Qoqish
100%
0%
Bulos Qoqish,
User Rank: Apprentice
6/18/2014 | 12:31:02 PM
You're overlooking something...
I read your article about "what to do in the absence of TrueCrypt" with some interest; however, you are leaving out a few very important factors :


(1.) TrueCrypt - whatever its faults - was at least an Open Source application. Almost all commercial encryption systems (Bitlocker is the obvious example) are closed-source, meaning that one has to just take at face value, manufacturer representations that the cryptography involved is (a) correctly implemented and (b) free of "backdoors" to enable covert channel attacks by (for example) intelligence agencies. In the post-Snowden era, one would have to be crazily naive to be willing to accept this kind of assurance.


(2.) In the post-Snowden era, we must assume that all U.S.-invented, manufactured or owned software, including but not limited to the encryption systems that you advocate, have been compromised by the NSA and likely by other agencies such as the CIA, FBI, DIA, and just about anyone who wants to, under the USA PATRIOT Act and other applicable U.S. legislation. Bitlocker is the most obvious example of this but really ALL U.S.-owned software and hardware must be assumed to have been similarly compromised.

I'm sorry if you don't like hearing this, but it is the #1 concern for those of us outside the U.S., and there is NOTHING that you can do, now, to address the concern. Send all cards of thanks and appreciation to George Bush, Dick Cheney, Barack Obama, James Clapper, Michael Hayden and Keith Alexander.

(3.) As you point out, one of TrueCrypt's significant advantages was its multi-platform capabilities. These capabilities are starkly absent from most of the commercial products that you advocate (particularly BitLocker), many of which (Bitlocker, Apple FileVault, etc.) are deliberately engineered for marketing reasons, so as to lock a user into a platform-specific "walled garden". For those of us who need static data security in a heterogeneous endpoint environment, this issue is a "show stopper" for the Bitlockers of the world.

The bottom line? Something will replace TrueCrypt. That "something" will be Open Source and will be carefully designed so as to preclude compromise by the United States' pervasive, Orwellian surveillance state. TrueCrypt was a signature achievement in personal data privacy, and the next step will be a step forward, not backward - which is what you are advocating, by pushing Bitlocker.
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
6/18/2014 | 12:26:11 PM
Moving on from TrueCrypt
I tend to believe that the creators of TrueCrypt were approached by Microsoft with a deal they couldn't refuse.  I have no evidence to support that other than the recommendation of bitlocker.  Just call it a gut feeling.

As far as what to do now I would recommend looking into DiskCryptor .  While not as polished as TrueCrypt it does appear to be built upon solid security.
<<   <   Page 2 / 2


Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
US Counterintelligence Director & Fmr. Europol Leader Talk Election Security
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26895
PUBLISHED: 2020-10-21
Prior to 0.10.0-beta, LND (Lightning Network Daemon) would have accepted a counterparty high-S signature and broadcast tx-relay invalid local commitment/HTLC transactions. This can be exploited by any peer with an open channel regardless of the victim situation (e.g., routing node, payment-receiver,...
CVE-2020-26896
PUBLISHED: 2020-10-21
Prior to 0.11.0-beta, LND (Lightning Network Daemon) had a vulnerability in its invoice database. While claiming on-chain a received HTLC output, it didn't verify that the corresponding outgoing off-chain HTLC was already settled before releasing the preimage. In the case of a hash-and-amount collis...
CVE-2020-5790
PUBLISHED: 2020-10-20
Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
CVE-2020-5791
PUBLISHED: 2020-10-20
Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.
CVE-2020-5792
PUBLISHED: 2020-10-20
Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user.