TrueCrypt Encryption Software Has Critical Security Flaws
By Shirley Siluk / CRM Daily
By all accounts, there are still plenty of people who use TrueCrypt's software for encryption, even though its developers discontinued the project abruptly last May. More than five months after it was shut down, a community-led audit of the software didn't find any security backdoors. However, new research has uncovered two privilege-escalation vulnerabilities -- one of them rated "critical" -- that could affect Windows users of the freeware.

James Forshaw, an information security engineer and researcher with Google's Project Zero team -- which looks for zero-day exploits -- recently identified two vulnerabilities that were apparently missed by auditors with the Open Crypto Audit Project. Patches for both bugs were released over the weekend by VeraCrypt, an encryption provider whose solution is built with a forked version of TrueCrypt.

TrueCrypt has been used by, among others, David Miranda, the partner of journalist Glenn Greenwald, who was one of the first reporters to publish information provided by former security contractor Edward Snowden about widespread surveillance by the U.S. National Security Agency and its equivalent organization in the U.K., the Government Communications Headquarters. The freeware enables users to encrypt either some or all of the data stored on their devices.

Bugs Enabled Abuse of Privileges

After learning of Forshaw's discoveries, VeraCrypt on Saturday released fixes for two TrueCrypt vulnerabilities that could potentially affect users on Windows. One was a critical flaw identified as CVE-2015-7358; the other was dubbed CVE-2015-7359.

Both bugs enable local elevation of privileges on Windows: an attacker who already has access to a machine could gain higher privileges by abusing the software's drive letter handling or by exploiting its incorrect handling of impersonation tokens.

The VeraCrypt release also fixed several other Windows bugs, including one affecting the display of some Unicode languages. In addition to Windows, TrueCrypt can be used on devices running Mac OS X, Linux, DragonFly BSD and Android.

"Even though my #truecrypt bugs weren't back doors it's clear that it was possible to sneak them past an audit," Forshaw noted Sunday in a tweet. The next day he tweeted that he did not mean to suggest that those bugs were intentionally put into TrueCrypt. "Just that no matter how much you audit, bugs can still sneak through," he said.

Not a Nail in TrueCrypt Coffin

Cybersecurity expert Bruce Schneier, a fellow at Harvard's Berkman Center for Internet and Society, echoed Forshaw's last comment. He told us that the latest bug discovery proves only that no one audit can uncover every possible flaw in a program.

However, he said that doesn't mean the latest findings should preclude the use of TrueCrypt. "Of course not," he said. "Everyone suspects everything, and no one knows anything."

While Schneier said he has stopped using TrueCrypt, the alternatives for anyone concerned about the security of their stored data are "a whole bunch of mediocre choices." He said that people could either continue to use TrueCrypt, use the built-in encryption provided by Microsoft or Apple, or opt for a follow-on offering like VeraCrypt or, his own current choice, BestCrypt.

© Copyright 2018 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.