
posted by cmn32480 on Tuesday October 25 2016, @10:09PM
from the decrypt-this dept.

VeraCrypt security audit reveals many flaws, some already patched [Zeljka Zorz/Helpnet Security]

VeraCrypt, the free, open source disk encryption software based on TrueCrypt, has been audited by experts from cybersecurity company Quarkslab.

The researchers found 8 critical, 3 medium, and 15 low-severity vulnerabilities, and some of them have already been addressed in version 1.19 of the software, which was released on the same day as the audit report.

The code auditing effort analyzed VeraCrypt 1.18 and its bootloaders.

"A first step consisted in verifying that the problems and vulnerabilities identified by iSec and NCC Group in TrueCrypt 7.1a for the Open Crypto Audit Project had been taken into account and fixed," the Quarkslab researchers involved in the effort explained.

"Then, the remaining study was to identify potential security problems in the code specific to VeraCrypt. Contrary to other TrueCrypt forks, the goal of VeraCrypt is not only to fix the public vulnerabilities of TrueCrypt, but also to bring new features to the software."

A short overview of the issues found (fixed and still not fixed) can be found here. The audit report, with mitigations for still unpatched vulnerabilities, can be downloaded from here.

Are any Soylentils using VeraCrypt and/or other forks of TrueCrypt?

The earlier TrueCrypt audit referenced above: TrueCrypt Cryptographic Review [PDF] [Alex Balducci, Sean Devlin, Tom Ritter/Open Crypto Audit Project]

Previously:
Independent Audit: Newly Found TrueCrypt Flaw Allows Full System Compromise
No Backdoors Found in TrueCrypt
TrueCrypt Site Encodes Warning about NSA Infiltration
TrueCrypt Discontinued, Compromised?

-- submitted from IRC


  • (Score: 0) by Anonymous Coward on Wednesday October 26 2016, @01:33PM (#418964)

    I have a client using TrueCrypt still. They are using the last released version; we saved the binaries in various places. They are in a very confidential business and were concerned following public data leaks that something like that could happen to them. The company partners didn't want to trust Microsoft to not have golden keys for their encryption scheme someone could steal; they felt if someone stole MS's keys, MS would be good at covering it up, and we wouldn't know until years later, well after their business was ruined by a data leak.

    I wanted to change them to VeraCrypt, but it's installed on around 100 PCs, and the users are not very technically literate. There was a concern about retraining them if the screen didn't look exactly identical on each machine they might need to use. Probably won't be able to upgrade them to a new setup until the next major company-wide upgrade.

    I do wonder about the real effectiveness of the encryption in the event that a machine was actually stolen as they fear.

  • (Score: 2) by tangomargarine (667) on Wednesday October 26 2016, @02:14PM (#418984)

    I have a client using TrueCrypt still. They are using the last released version

    Technically they're probably using the second-to-last version, since the last build they released concurrent with their closing the project only allows you to read volumes, but not write to them.

    --
    "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
  • (Score: 2, Insightful) by Francis (5544) on Wednesday October 26 2016, @02:31PM (#418994)

    In other words, they're idiots that have been coddled.

    It's rather unfortunate, that IT winds up having to babysit people that are too lazy to learn anything. A simple one page document should be more than enough to get people to switch to a new program like this. The security implications of a new program really ought to be a bigger concern than the users.

    Now, if this were a replacement for a complicated piece of software like Office, I could completely understand it, but at some point people need to just accept that they need to actually learn how to use computers. The last thing we need is for another generation of folks to think it's OK to be bad with computers. It's bad enough that we have people thinking it's OK to be bad at math when they aren't even trying to do math. At least those consequences tend to not affect others.

    • (Score: 2) by lgw (2836) on Wednesday October 26 2016, @08:11PM (#419122)

      I've yet to see any practical exploits in TrueCrypt that are fixed in VeraCrypt. Why would you insist people change? Until we have real evidence that VeraCrypt is making the overall security better than TrueCrypt, what's the win, and what's the urgency?

      I begin to suspect you're an IT guy of the tier who still thinks changing passwords every 90 days is a good idea.

      • (Score: 1) by Francis (5544) on Thursday October 27 2016, @12:18AM (#419216)

        Because Truecrypt is known to have exploits, we still don't know why they suddenly abandoned it, and the developers of Veracrypt appear to be taking things seriously and were cooperating with the audit. I'm sure they'll fix whatever the audit found before too long.

        OTOH, at some point you do have to make the switch; given the highly unusual way in which Truecrypt ended its existence, I wouldn't personally trust it further than I could throw the developers. I don't use Veracrypt either, but I haven't used Truecrypt a single time since the project was shuttered other than to remove my files from it.

        What's more, the security of the software is usually less of a problem than the security of the users and if they're so dense that IT was worried about them making this transition, that doesn't speak well about them.

        • (Score: 2) by lgw (2836) on Friday October 28 2016, @12:36AM (#419659)

          Because Truecrypt is known to have exploits

          What practical exploits is Truecrypt known to have? The audit didn't find any, beyond "short passwords aren't safe".

          OTOH, at some point you do have to make the switch, given the highly unusual way in which Truecrypt ended its existence

          I trust audits over speculation. I believe the devs ended the project to prevent exploits being added, when pressure was brought to bear on one of them by a government. It's certainly possible that it has an exploit no one found yet, and the government pressured a dev to keep it secret, but that's possible with any tool, so what can we trust beyond audits (and hope they aren't also compromised)?

          • (Score: 1) by Francis (5544) on Friday October 28 2016, @02:36PM (#419855)

            How quaint, you've still got faith in humanity.

            The truth here is that we don't know why they up and stopped development suddenly. I can't think of any other projects like this that were abandoned so quickly with no explanation or signs ahead of time. It is speculation, but it's certainly a safer speculation than your far less likely view that there's an exploit that the government wanted kept secret.

            Ultimately, do what you want, but it's ridiculous to use questionable encryption technology under this sort of circumstance. The Veracrypt folks will fix those bugs and do you really want to be the one whose stuff gets broken into because somebody made one of those impractical exploits practical?

            Also, read the audit, but if the data is worth encrypting, then it's worth encrypting with something secure and supported.

            • (Score: 2) by lgw (2836) on Saturday October 29 2016, @12:56AM (#420003)

              Fundamentally, I don't trust the Veracrypt guys yet.