Tales from the TrueCrypt | TechSNAP 164

Tales from the TrueCrypt | TechSNAP 164

The TrueCrypt project has shut down, and we’ll run down what we think is the most likely answer to this sudden mystery is.

Plus the good news for openSSL, the top 10 Windows configuration mistakes, and big batch of your questions, our answers, and much much more!

Thanks to:


\"DigitalOcean\"


\"Ting\"


\"iXsystems\"

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

TrueCrypt shuts down unexpectedly

  • TrueCrypt is a cross-platform image or whole disk encryption system
  • The website for TrueCrypt changed yesterday, stating that “it may contain unfixed security issues”
  • The page states now that Windows XP is EOL and all supported versions of Windows support ‘BitLocker’ disk encryption, TrueCrypt is no longer necessary
  • The website provides information about transitioning data from TrueCrypt to the OS disk encryption system for various different OSs
  • The website has been updated with version 7.2 of TrueCrypt, which only allows the user to decrypt their files, not encrypt any new files
  • This was originally thought to be a hack of the site, or a hoax
  • The new binary is signed with the correct key, the same as previous versions of TrueCrypt, suggesting that this post is legitimate
  • While the code is available, the license is restrictive
  • The developers of TrueCrypt are anonymous
  • GIST tracking various bits of information and speculating about possible causes
  • ThreatPost coverage
  • One of the suspicious things about the announcement is the recommendation to use BitLocker, the authors of TrueCrypt had previously expressed concerns about how BitLocker stores the secret keys in the TPM (Trusted Platform Module), which may also allow the NSA to access the secret key
  • There is some speculation that this could be a ‘warrant canary’, the authors’ way to telling the public that they were forced to do something to TrueCrypt, or divulge something about TrueCrypt
  • However, it is more likely that the developers just no longer have an interest in maintaining TrueCrypt
  • The last major version release was 3 years ago, and the most recent release before the announcement was over a year ago. An actively developed project would likely have had at least some maintenance releases in that time
  • The code for TrueCrypt was being audited after a crowdfunding effort. The first phase of the audit found no obvious backdoors, but the actual cryptography had not been analyzed yet.
  • Additional Coverage – Krebs On Security

Core Infrastructure Initiative provides OpenSSL with 2 full time developers and funds a security audit

  • The CII has announced its Advisory board and the list of projects it is going to support
  • Advisory Board members include:
  • longtime Linux kernel developer and open source advocate Alan Cox
  • Matt Green of Open Crypto Audit Project
  • Dan Meredith of the Radio Free Asia’s Open Technology Fund
  • Eben Moglen of Software Freedom Law Center
  • Bruce Schneier of the Berkman Center for Internet & Society at Harvard Law School
  • Eric Sears of the MacArthur Foundation
  • Ted T’so of Google and the Linux kernel community
  • Projects identified as core infrastructure:
  • Network Time Protocol
  • OpenSSH
  • OpenSSL
  • Open Crypto Audit Project to conduct security audit of OpenSSL
  • The security audit will be difficult due to the lack of a consistent style in the code and the maze of ifdef and ifndef segments
  • the OCAP (Open Crypto Audit Project) team, which includes Johns Hopkins professor and cryptographer Matthew Green and Kenn White, will now have the money to fund an audit of OpenSSL
  • OCAP was originally created by a crowdfunded project to audit TrueCrypt

The top 10 windows server security misconfigurations

  • NCCGroup does what it calls ‘Build Surveys’, where they check production environments to ensure they are configured properly
  • The following is the result of an analysis of their last 50 such surveys:
    • Missing Microsoft Patches: 82%
    • Insufficient Auditing: 50%
    • Third-Party Software Updates: 48%
    • Weak Password Policy: 38%
    • UAC Disabled for Administrator Account: 34%
    • Disabled Host-Based Firewall: 34%
    • Clear Text Passwords and Other Sensitive Information: 24%
    • Account Lockout Disabled: 20%
    • Out-of-Date Virus Definitions: 18%
    • No Antivirus Installed: 12%
  • Conclusions: Everyone makes the same mistakes, over and over
  • Most of these problems are trivial to fix
  • Part of the problem is this culture of ‘patch averseness’, partly this is the fault of software vendors often issuing patches that break more things than they fix, but in general Microsoft has actually done a good job of ensuring their patches apply smoothly and do not break things
  • Part of this is the fact that they only issue updates once a month, and only once they have been tested
  • In the study, most of the machines that were missing patches, were missing patches that were more than a year old, so it isn’t just conservatism, but just a complete lack of proper patch management

Feedback:

Round-Up:

Question? Comments? Contact us here!