Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 16 submissions in the queue.
posted by cmn32480 on Wednesday September 30 2015, @06:01PM   Printer-friendly
from the get-out-the-bug-spray dept.

ITWorld reports:

The flaws, which were apparently missed in an earlier independent audit of the TrueCrypt source code, could allow attackers to obtain elevated privileges on a system if they have access to a limited user account.

The original authors of TrueCrypt, who have remained anonymous, abruptly shut down the project in May 2014 warning that "it may contain unfixed security issues" and advised users to switch to BitLocker, Microsoft's full-disk encryption feature that's available in certain versions of Windows.

At that time a crowd-funded effort was already underway to perform a professional security audit of TrueCrypt's source code and its cryptography implementations. The first phase, which analyzed the TrueCrypt driver and other critical parts of the code, had already been completed when TrueCrypt was discontinued. The auditors found no high-severity issues or evidence of intentional backdoors in the program.

It's impossible to tell if the new flaws discovered by Forshaw were introduced intentionally or not, but they do show that despite professional code audits, serious bugs can remain undiscovered


Original Submission

Related Stories

Crypto Wars Continue 43 comments

The Intercept reports on an email obtained by The Washington Post: Top [Intelligence] Lawyer Says Terror Attack Would Help Push for Anti-Encryption Legislation:

The intelligence community's top lawyer, Robert S. Litt, told colleagues in an August email obtained by the Washington Post that Congressional support for anti-encryption legislation "could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement." So he advised "keeping our options open for such a situation."

[...] A senior official granted anonymity by the Post acknowledged that the law enforcement argument is "just not carrying the day." He told the Post reporters: "People are still not persuaded this is a problem. People think we have not made the case. We do not have the perfect example where you have the dead child or a terrorist act to point to, and that's what people seem to claim you have to have."

On Tuesday, Amy Hess, a top FBI official, told reporters that the bureau has "done a really bad job collecting empirical data" on the encryption problem. FBI Director James Comey has attempted to provide examples of how law enforcement is "going dark," but none have checked out. Only Manhattan District Attorney Cyrus Vance has been able to provide an example of encrypted technology maybe blocking one possible lead in a murder investigation.

Litt was commenting on a draft options paper from the National Security Council that includes three proposals for the Obama Administration: oppose compulsory backdoor legislation and come out in favor of encryption, defer any decisions until after an open consultation, or do nothing. No option calling for backdoors was included.

In other news, the EFF has issued its first certificate as part of the Let's Encrypt initiative. Microsoft researchers have published a paper and code (MIT license) for FourQ, a new and faster elliptic curve cryptography implementation. Cryptome's John Young has announced that some of his public PGP keys have been compromised.

Related:

June 7: FBI Official: "Build Technological Solutions to Prevent Encryption Above All Else"
July 30: Ex-Intelligence Officials Support Encryption in Editorial
September 10: Justice Department Considered Suing Apple Over iMessage Encryption


Original Submission

Audit Reveals Significant Vulnerabilities for TrueCrypt and Successor VeraCrypt 18 comments

VeraCrypt security audit reveals many flaws, some already patched [Zeljka Zorz/Helpnet Security]

VeraCrypt, the free, open source disk encryption software based on TrueCrypt, has been audited by experts from cybersecurity company Quarkslab.

The researchers found 8 critical, 3 medium, and 15 low-severity vulnerabilities, and some of them have already been addressed in version 1.19 of the software, which was released on the same day as the audit report.

The code auditing effort analyzed VeraCrypt 1.18 and its bootloaders.

"A first step consisted in verifying that the problems and vulnerabilities identified by iSec and NCC Group in TrueCrypt 7.1a for the Open Crypto Audit Project had been taken into account and fixed," the Quarkslab researchers involved in the effort explained.

"Then, the remaining study was to identify potential security problems in the code specific to VeraCrypt. Contrary to other TrueCrypt forks, the goal of VeraCrypt is not only to fix the public vulnerabilities of TrueCrypt, but also to bring new features to the software."

A short overview of the issues found (fixed and still not fixed) can be found here. The audit report, with mitigations for still unpatched vulnerabilities, can be downloaded from here.

Are any Soylentils using Veracrypt and/or other forks of Trucrypt?

The full audit report: TrueCrypt Cryptographic Review[PDF] [Alex Balducci, Sean Devlin, Tom Ritter/Open Crypto Audit Project]

Previously:
Independent Audit: Newly Found TrueCrypt Flaw Allows Full System Compromise
No Backdoors Found in TrueCrypt
TrueCrypt Site Encodes Warning about NSA Infiltration
TrueCrypt Discontinued, Compromised?

-- submitted from IRC


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Informative) by frojack on Wednesday September 30 2015, @06:22PM

    by frojack (1554) on Wednesday September 30 2015, @06:22PM (#243632) Journal

    First, I understand its Windows Only problem.

    Second, This is not a compromise of the TrueCrypt encryption!

    This is just a a bug in the Windows TrueCrypt driver. The bug allows an account on an already running and "decrypted" system to achieve elevated credentials. So if YOU don't do that, your data is quite safe, as long as your turn your computer off when you are not using it. (suspend to ram is a no no, as it has always been).

    The VeraCrypt project, based on truecrypt has already fixed these vulnerabilities.
    https://github.com/veracrypt/VeraCrypt/commit/b7f9df6e4f09ba342fdbbadc63af5062cc57eaf2 [github.com]
    https://github.com/veracrypt/VeraCrypt/commit/9b24da3398581da1fa66c6b8f682bbcfa7ded4fd [github.com]
    You should be using VeraCrypt instead. http://sourceforge.net/projects/veracrypt/ [sourceforge.net]

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 2, Funny) by Runaway1956 on Wednesday September 30 2015, @06:31PM

      by Runaway1956 (2926) Subscriber Badge on Wednesday September 30 2015, @06:31PM (#243637) Journal

      Looks like Frojack wins the internet today. Snopes should be offering you a job soon.

      --
      A MAN Just Won a Gold Medal for Punching a Woman in the Face
      • (Score: -1, Redundant) by Anonymous Coward on Wednesday September 30 2015, @06:53PM

        by Anonymous Coward on Wednesday September 30 2015, @06:53PM (#243645)

        Straight up. That comment has everything you need to know in one shot.

        • (Score: 4, Funny) by Anonymous Coward on Wednesday September 30 2015, @07:34PM

          by Anonymous Coward on Wednesday September 30 2015, @07:34PM (#243662)

          However, it leaves very little room to inject comments about NSA, Snowden, derogatory comments about "the sheeple", remarkably un-insightful comments regarding bread and circuses from people who think they are being insightful. In short, it removes the need for 95% of the obligatory comments we need in every story, so perhaps his comment was a bit too effective.

          • (Score: 1, Funny) by Anonymous Coward on Wednesday September 30 2015, @07:47PM

            by Anonymous Coward on Wednesday September 30 2015, @07:47PM (#243668)

            wait. are you paid by the government to lead people into shutting up about the government? i mean... who else would say such nasty things about our insightful views into the conspiracy to generate a sheeple of illiterate oblivious corporate minions?

            • (Score: 2) by http on Thursday October 01 2015, @04:08AM

              by http (1920) on Thursday October 01 2015, @04:08AM (#243851)

              Bingo, sir.

              --
              I browse at -1 when I have mod points. It's unsettling.
          • (Score: 2, Touché) by Marand on Wednesday September 30 2015, @07:50PM

            by Marand (1081) on Wednesday September 30 2015, @07:50PM (#243670) Journal

            However, it leaves very little room to inject comments about NSA, Snowden, derogatory comments about "the sheeple", remarkably un-insightful comments regarding bread and circuses from people who think they are being insightful. In short, it removes the need for 95% of the obligatory comments we need in every story, so perhaps his comment was a bit too effective.

            That's okay, because it's a Windows bug. That means we can still make snarky remarks about "M$" and criticise people for using "Windoze" while pointing out that if people used $preferred_os_of_poster everything would be 100% safe, no bugs would ever happen again, and their computers would start ejecting gold coins out of the dvd drives (for any old-timers that still have them)

            Or, more likely, people will just not read frojack's post and still inject the NSA/etc. comments anyway. :)

          • (Score: 2) by dyingtolive on Wednesday September 30 2015, @09:30PM

            by dyingtolive (952) on Wednesday September 30 2015, @09:30PM (#243699)

            This just in: SNOWDEN AND AHMED MELTED STEEL BEAMS WITH BREAD AND CIRCUSES UNDER THE INFLUENCE OF GAMEMAKER ON ORDER FROM NSA! 9/11 CONFIRMED!

            I think that covers most of the rest.

            --
            Don't blame me, I voted for moose wang!
            • (Score: 0) by Anonymous Coward on Thursday October 01 2015, @06:33AM

              by Anonymous Coward on Thursday October 01 2015, @06:33AM (#243877)

              What about MyCleanPC?

          • (Score: 2) by aristarchus on Wednesday September 30 2015, @10:16PM

            by aristarchus (2645) on Wednesday September 30 2015, @10:16PM (#243717) Journal

            perhaps his comment was a bit too effective.

            That's our frojack! Winning the internet and killing SoylentNews!

          • (Score: 0) by Anonymous Coward on Thursday October 01 2015, @06:39AM

            by Anonymous Coward on Thursday October 01 2015, @06:39AM (#243879)

            Well, there is a reason people say those things. When you have hordes of people who don't care about or even support unconstitutional mass surveillance, what other conclusions can you draw? They are simply ignorant fools.

    • (Score: 0) by Anonymous Coward on Wednesday September 30 2015, @09:46PM

      by Anonymous Coward on Wednesday September 30 2015, @09:46PM (#243704)

      ... warning that "it may contain unfixed security issues" and advised users to switch to BitLocker, Microsoft's full-disk encryption feature ...

      First, I understand its Windows Only problem.

      Of course it's a Windows only issue. They told us that when they recommended using BitLocker.

  • (Score: 5, Interesting) by FakeBeldin on Wednesday September 30 2015, @10:20PM

    by FakeBeldin (3360) on Wednesday September 30 2015, @10:20PM (#243718) Journal

    The interesting questions revolve around the audit [istruecryptauditedyet.com]:
    - Should this have been caught in the audit?
        yes, the paid-for source audit specifically included looking for "Windows kernel driver ... elevation of privilege".
      report [opencryptoaudit.org], pg. 10.
    - Why wasn't it?

    It's clear that not everything will be caught in a time/money/person-limited audit. Nevertheless, finding bugs that ought to have been caught places the rest of the audit's findings in doubt.

    :s

    • (Score: 0) by Anonymous Coward on Thursday October 01 2015, @02:16AM

      by Anonymous Coward on Thursday October 01 2015, @02:16AM (#243807)

      You say you can't find every flaw, then you say that this ought to have been caught. Well, first it was caught, which is why we're having a story about it. But why do you say this one should have been caught with 100% certainty over any other one?

      • (Score: 3, Insightful) by FakeBeldin on Friday October 02 2015, @11:55AM

        by FakeBeldin (3360) on Friday October 02 2015, @11:55AM (#244371) Journal

        I'm not saying this should have been caught with 100% certainty.
        I am saying that since they specifically claimed to be looking for this type of bug in the windows driver. There was exactly such a bug in exactly the place they looked for it, and they didn't find it. We should take the rest of their findings with a larger dose of salt than expected.

        We paid someone to look into things, they said "we can't see everything, we're only looking at these very specific parts for these very specific bugs", and then later we find that they didn't spot exactly such a bug in exactly one of the parts they claimed to look at.

        It's like someone in the Independence Day movie saying "we're looking for signs of alien activity" and not noticing the city-sized flying saucers over his head.

  • (Score: 0) by Anonymous Coward on Thursday October 01 2015, @12:43AM

    by Anonymous Coward on Thursday October 01 2015, @12:43AM (#243770)
    Then you're already pwn3d anyway.