from the get-out-the-bug-spray dept.
The flaws, which were apparently missed in an earlier independent audit of the TrueCrypt source code, could allow attackers to obtain elevated privileges on a system if they have access to a limited user account.
The original authors of TrueCrypt, who have remained anonymous, abruptly shut down the project in May 2014 warning that "it may contain unfixed security issues" and advised users to switch to BitLocker, Microsoft's full-disk encryption feature that's available in certain versions of Windows.
At that time a crowd-funded effort was already underway to perform a professional security audit of TrueCrypt's source code and its cryptography implementations. The first phase, which analyzed the TrueCrypt driver and other critical parts of the code, had already been completed when TrueCrypt was discontinued. The auditors found no high-severity issues or evidence of intentional backdoors in the program.
It's impossible to tell if the new flaws discovered by Forshaw were introduced intentionally or not, but they do show that despite professional code audits, serious bugs can remain undiscovered
The Intercept reports on an email obtained by The Washington Post: Top [Intelligence] Lawyer Says Terror Attack Would Help Push for Anti-Encryption Legislation:
The intelligence community's top lawyer, Robert S. Litt, told colleagues in an August email obtained by the Washington Post that Congressional support for anti-encryption legislation "could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement." So he advised "keeping our options open for such a situation."
[...] A senior official granted anonymity by the Post acknowledged that the law enforcement argument is "just not carrying the day." He told the Post reporters: "People are still not persuaded this is a problem. People think we have not made the case. We do not have the perfect example where you have the dead child or a terrorist act to point to, and that's what people seem to claim you have to have."
On Tuesday, Amy Hess, a top FBI official, told reporters that the bureau has "done a really bad job collecting empirical data" on the encryption problem. FBI Director James Comey has attempted to provide examples of how law enforcement is "going dark," but none have checked out. Only Manhattan District Attorney Cyrus Vance has been able to provide an example of encrypted technology maybe blocking one possible lead in a murder investigation.
Litt was commenting on a draft options paper from the National Security Council that includes three proposals for the Obama Administration: oppose compulsory backdoor legislation and come out in favor of encryption, defer any decisions until after an open consultation, or do nothing. No option calling for backdoors was included.
In other news, the EFF has issued its first certificate as part of the Let's Encrypt initiative. Microsoft researchers have published a paper and code (MIT license) for FourQ, a new and faster elliptic curve cryptography implementation. Cryptome's John Young has announced that some of his public PGP keys have been compromised.
June 7: FBI Official: "Build Technological Solutions to Prevent Encryption Above All Else"
July 30: Ex-Intelligence Officials Support Encryption in Editorial
September 10: Justice Department Considered Suing Apple Over iMessage Encryption
VeraCrypt security audit reveals many flaws, some already patched [Zeljka Zorz/Helpnet Security]
VeraCrypt, the free, open source disk encryption software based on TrueCrypt, has been audited by experts from cybersecurity company Quarkslab.
The researchers found 8 critical, 3 medium, and 15 low-severity vulnerabilities, and some of them have already been addressed in version 1.19 of the software, which was released on the same day as the audit report.
The code auditing effort analyzed VeraCrypt 1.18 and its bootloaders.
"A first step consisted in verifying that the problems and vulnerabilities identified by iSec and NCC Group in TrueCrypt 7.1a for the Open Crypto Audit Project had been taken into account and fixed," the Quarkslab researchers involved in the effort explained.
"Then, the remaining study was to identify potential security problems in the code specific to VeraCrypt. Contrary to other TrueCrypt forks, the goal of VeraCrypt is not only to fix the public vulnerabilities of TrueCrypt, but also to bring new features to the software."
Are any Soylentils using Veracrypt and/or other forks of Trucrypt?
The full audit report: TrueCrypt Cryptographic Review[PDF] [Alex Balducci, Sean Devlin, Tom Ritter/Open Crypto Audit Project]
Independent Audit: Newly Found TrueCrypt Flaw Allows Full System Compromise
No Backdoors Found in TrueCrypt
TrueCrypt Site Encodes Warning about NSA Infiltration
TrueCrypt Discontinued, Compromised?
-- submitted from IRC