
Newly found TrueCrypt flaw allows full system compromise

Started by: "The Sorceress of Qar" <sorceress@qar.qanar.com>
First post: 2015-10-02 09:29 -0500
Last post: 2015-10-04 23:31 +0800
Articles: 13 (5 participants)



Contents

  Newly found TrueCrypt flaw allows full system compromise "The Sorceress of Qar" <sorceress@qar.qanar.com> - 2015-10-02 09:29 -0500
    Re: Newly found TrueCrypt flaw allows full system compromise "Mr. Man-wai Chang" <toylet.toylet@gmail.com> - 2015-10-02 22:32 +0800
    Re: Newly found TrueCrypt flaw allows full system compromise Shadow <Sh@dow.br> - 2015-10-02 11:59 -0300
      Re: Newly found TrueCrypt flaw allows full system compromise "Mr. Man-wai Chang" <toylet.toylet@gmail.com> - 2015-10-02 23:07 +0800
        Re: Newly found TrueCrypt flaw allows full system compromise Shadow <Sh@dow.br> - 2015-10-02 12:34 -0300
          Re: Newly found TrueCrypt flaw allows full system compromise none <none@none.invalid> - 2015-10-02 09:44 -0700
            Re: Newly found TrueCrypt flaw allows full system compromise Shadow <Sh@dow.br> - 2015-10-02 14:20 -0300
              Re: Newly found TrueCrypt flaw allows full system compromise none <none@none.invalid> - 2015-10-02 12:44 -0700
              Re: Newly found TrueCrypt flaw allows full system compromise "Mr. Man-wai Chang" <toylet.toylet@gmail.com> - 2015-10-03 14:49 +0800
      Re: Newly found TrueCrypt flaw allows full system compromise "Mr. Man-wai Chang" <toylet.toylet@gmail.com> - 2015-10-02 23:08 +0800
    Re: Newly found TrueCrypt flaw allows full system compromise cal@invalid.com - 2015-10-03 21:01 -0500
      Re: Newly found TrueCrypt flaw allows full system compromise Shadow <Sh@dow.br> - 2015-10-04 10:59 -0300
        Re: Newly found TrueCrypt flaw allows full system compromise "Mr. Man-wai Chang" <toylet.toylet@gmail.com> - 2015-10-04 23:31 +0800

#244481 — Newly found TrueCrypt flaw allows full system compromise

From: "The Sorceress of Qar" <sorceress@qar.qanar.com>
Date: 2015-10-02 09:29 -0500
Subject: Newly found TrueCrypt flaw allows full system compromise
Message-ID: <mum4cu$r7l$1@news.mixmin.net>

Windows users who rely on TrueCrypt to encrypt their hard drives have a 
security problem: a researcher has discovered two serious flaws in the 
program.

TrueCrypt may have been abandoned by its original developers, but it 
remains one of the few encryption options for Windows. That keeps 
researchers interested in finding holes in the program and its spin-offs.

James Forshaw, a member of Google's Project Zero team that regularly 
finds vulnerabilities in widely used software, has recently discovered 
two vulnerabilities in the driver that TrueCrypt installs on Windows 
systems.

The flaws, which were apparently missed in an earlier independent audit 
of the TrueCrypt source code, could allow attackers to obtain elevated 
privileges on a system if they have access to a limited user account.

The original authors of TrueCrypt, who have remained anonymous, abruptly 
shut down the project in May 2014 warning that "it may contain unfixed 
security issues" and advised users to switch to BitLocker, Microsoft's 
full-disk encryption feature that's available in certain versions of 
Windows.

At that time a crowd-funded effort was already underway to perform a 
professional security audit of TrueCrypt's source code and its 
cryptography implementations. The first phase, which analyzed the 
TrueCrypt driver and other critical parts of the code, had already been 
completed when TrueCrypt was discontinued. The auditors found no 
high-severity issues or evidence of intentional backdoors in the program.

It's impossible to tell if the new flaws discovered by Forshaw were 
introduced intentionally or not, but they do show that despite 
professional code audits, serious bugs can remain undiscovered.

The first phase of the TrueCrypt audit project, performed by security 
engineers from iSEC Partners, a subsidiary of information assurance 
company NCC Group, covered the driver code, but "Windows drivers are 
complex beasts" and it's easy to miss local elevation of privilege 
flaws, Forshaw said on Twitter.

The Google researcher hasn't disclosed details about the two bugs yet, 
saying that he usually waits seven days after a patch is released to 
open his bug reports.

Since TrueCrypt is no longer actively maintained, the bugs won't be 
fixed directly in the program's code. However, they have been fixed in 
VeraCrypt, an open-source program based on the TrueCrypt code that aims 
to continue and improve the original project.

VeraCrypt 1.15, which was released Saturday, contains patches for the two 
vulnerabilities, identified as CVE-2015-7358 and CVE-2015-7359, as well 
as for other bugs. The program's developer only flagged the 
CVE-2015-7358 flaw as critical and said that it can be exploited by 
"abusing drive letter handling."

There are still many users of TrueCrypt or VeraCrypt, because it's one 
of the few free options they have for encrypting their entire hard 
disks, including the Windows system partition. Microsoft's BitLocker is 
not available on Home editions of Windows, which come pre-installed on 
many consumer laptops, and most other programs that can encrypt the 
system partition require a paid license.

Users who still use TrueCrypt should switch to VeraCrypt as soon as 
possible. In addition to patches for these two flaws, the program also 
has other security improvements over its predecessor.



http://www.itworld.com/article/2987438/data-protection/newly-found-truecrypt-flaw-allows-full-system-compromise.html
-- 
A Paradoxial World, for Sure.



#244483

From: "Mr. Man-wai Chang" <toylet.toylet@gmail.com>
Date: 2015-10-02 22:32 +0800
Message-ID: <mum4dj$k40$2@dont-email.me>
In reply to: #244481

On 10/2/2015 10:29 PM, The Sorceress of Qar wrote:
>
> Users who still use TrueCrypt should switch to VeraCrypt as soon as
> possible. In addition to patches for these two flaws, the program also
> has other security improvements over its predecessor.
>

DO NOT put your TrueCrypt volumes online? :)

-- 
   @~@   Remain silent. Nothing from soldiers and magicians is real!
  / v \  Simplicity is Beauty! May the Force and farces be with you!
/( _ )\ (Fedora release 22)  Linux 4.0.8-300.fc22.i686+PAE
   ^ ^   22:24:01 up 18 days 2:41 0 users load average: 0.06 0.06 0.05
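No loans! No scams! No compensated dating! No fighting! No robbery! No suicide! Please consider Comprehensive Social Security Assistance (CSSA):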
http://www.swd.gov.hk/tc/index/site_pubsvc/page_socsecu/sub_addressesa



#244484

From: Shadow <Sh@dow.br>
Date: 2015-10-02 11:59 -0300
Message-ID: <5e6t0btah8bn0s31idq8eav6133taiauep@4ax.com>
In reply to: #244481

On Fri, 02 Oct 2015 09:29:52 -0500, "The Sorceress of Qar"
<sorceress@qar.qanar.com> wrote:

>
>Windows users who rely on TrueCrypt to encrypt their hard drives have a 
>security problem: a researcher has discovered two serious flaws in the 
>program.
>
>TrueCrypt may have been abandoned by its original developers, but it 
>remains one of the few encryption options for Windows. That keeps 
>researchers interested in finding holes in the program and its spin-offs.
>
>James Forshaw, a member of Google's Project Zero team that regularly 
>finds vulnerabilities in widely used software, has recently discovered 
>two vulnerabilities in the driver that TrueCrypt installs on Windows 
>systems.

	Veracrypt is hosted and funded by a firm in Redmond USA (do a
DNS lookup)
	Both "flaws" require local access to the computer, they are
not explorable remotely.
	I'll stop using TrueCrypt for my elephant p0rN when they crack
Daniel Danta's hard drives. The FBI have been unable to crack it, even
though he used old version 6.
	FWIW
	[]'s
-- 
Don't be evil - Google 2004
We have a new policy  - Google 2012



#244485

From: "Mr. Man-wai Chang" <toylet.toylet@gmail.com>
Date: 2015-10-02 23:07 +0800
Message-ID: <mum6g0$t2t$1@dont-email.me>
In reply to: #244484

On 10/2/2015 10:59 PM, Shadow wrote:
> 	Both "flaws" require local access to the computer, they are
> not explorable remotely.

To be precise, not "to the computer", but "to the disk with the 
TrueCrypt volumes"?

-- 
   @~@   Remain silent. Nothing from soldiers and magicians is real!
  / v \  Simplicity is Beauty! May the Force and farces be with you!
/( _ )\ (Fedora release 22)  Linux 4.0.8-300.fc22.i686+PAE
   ^ ^   22:54:01 up 18 days 3:11 0 users load average: 0.00 0.01 0.05
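No loans! No scams! No compensated dating! No fighting! No robbery! No suicide! Please consider Comprehensive Social Security Assistance (CSSA):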
http://www.swd.gov.hk/tc/index/site_pubsvc/page_socsecu/sub_addressesa



#244487

From: Shadow <Sh@dow.br>
Date: 2015-10-02 12:34 -0300
Message-ID: <cq8t0b1grvepuj2stoks4rtnjk276k2vn4@4ax.com>
In reply to: #244485

On Fri, 2 Oct 2015 23:07:37 +0800, "Mr. Man-wai Chang"
<toylet.toylet@gmail.com> wrote:

>On 10/2/2015 10:59 PM, Shadow wrote:
>> 	Both "flaws" require local access to the computer, they are
>> not explorable remotely.
>
>To be precise, not "to the computer", but "to the disk with the 
>TrueCrypt volumes"?

	Dunno. The preliminary report just said "local access".
	Let's wait for the full report. Google got a few hundred
million from the NSA to hold out a little longer, but it WILL leak.
There are as many "bad guys" in the NSA as anywhere else. Probably
more, given the type of personality you need to join.
	;)
	[]'s
-- 
Don't be evil - Google 2004
We have a new policy  - Google 2012



#244489

From: none <none@none.invalid>
Date: 2015-10-02 09:44 -0700
Message-ID: <mn.12487dfa05c59e91.136606@none.invalid>
In reply to: #244487

Shadow expressed precisely :
> Dunno. The preliminary report just said "local access".
>     Let's wait for the full report. Google got a few hundred
> million from the NSA to hold out a little longer, but it WILL leak.
> There are as many "bad guys" in the NSA as anywhere else. Probably
> more, given the type of personality you need to join.

As you seem to know so much, it is strange you are so poor.

Wait, I know, the US government is extending its tentacles into 
Brazil, specifically preventing you from getting a job and earning a 
living.  You are on an NSA / CIA watch list, hence they are keeping you 
in abject poverty......



#244491

From: Shadow <Sh@dow.br>
Date: 2015-10-02 14:20 -0300
Message-ID: <jpet0b1s34rqv3e0nj7t0367fop7161b74@4ax.com>
In reply to: #244489

On Fri, 02 Oct 2015 09:44:40 -0700, none <none@none.invalid> wrote:

>Shadow expressed precisely :
>> Dunno. The preliminary report just said "local access".
>>     Let's wait for the full report. Google got a few hundred
>> million from the NSA to hold out a little longer, but it WILL leak.
>> There are as many "bad guys" in the NSA as anywhere else. Probably
>> more, given the type of personality you need to join.
>
>As you seem to know so much, it is strange you are so poor.
>
>Wait, I know, the US government is extending its tentacles into 
>Brazil, specifically preventing you from getting a job and earning a 
>living.  You are on an NSA / CIA watch list, hence they are keeping you 
>in abject poverty......

	I probably am on their watch list, but then so are you. You
just used 5 keywords.
	I'm a retired doctor (5 years retired), after over 30 years
on the job, used to work sometimes over 100 hours a week. I have never
been unemployed, though I did have my life savings confiscated in 1989
(as did all Brazilians). But I just carried on working.
	I've been on Usenet for almost 20 years, so most people know
me. Who are you, and why do you defend the NSA ?
	[]'s
-- 
Don't be evil - Google 2004
We have a new policy  - Google 2012



#244502

From: none <none@none.invalid>
Date: 2015-10-02 12:44 -0700
Message-ID: <mn.12fc7dfafa97e59d.136606@none.invalid>
In reply to: #244491

Shadow used his keyboard to write :
> On Fri, 02 Oct 2015 09:44:40 -0700, none <none@none.invalid> wrote:
>
>> Shadow expressed precisely :
>>> Dunno. The preliminary report just said "local access".
>>>     Let's wait for the full report. Google got a few hundred
>>> million from the NSA to hold out a little longer, but it WILL leak.
>>> There are as many "bad guys" in the NSA as anywhere else. Probably
>>> more, given the type of personality you need to join.
>> 
>> As you seem to know so much, it is strange you are so poor.
>> 
>> Wait, I know, the US government is extending its tentacles into 
>> Brazil, specifically preventing you from getting a job and earning a 
>> living.  You are on an NSA / CIA watch list, hence they are keeping you 
>> in abject poverty......
>
> 	I probably am on their watch list, but then so are you. You
> just used 5 keywords.
> 	I'm a retired doctor (5 years retired), after over 30 years

A retired witch doctor?

> on the job, used to work sometimes over 100 hours a week. I have never
> been unemployed, though I did have my life savings confiscated in 1989
> (as did all Brazilians). But I just carried on working.
> 	I've been on Usenet for almost 20 years, so most people know
> me. Who are you, and why do you defend the NSA ?

For a retired "doctor" you seem quite illiterate. Where did I defend 
the NSA?  Apparently, you are either delusional, seeing things which 
are not there or you are a simpleton.



#244538

From: "Mr. Man-wai Chang" <toylet.toylet@gmail.com>
Date: 2015-10-03 14:49 +0800
Message-ID: <muntmb$eph$1@dont-email.me>
In reply to: #244491

> 	I've been on Usenet for almost 20 years, so most people know
> me. Who are you, and why do you defend the NSA ?

Remember you could ignore him/her! :)

-- 
   @~@   Remain silent. Nothing from soldiers and magicians is real!
  / v \  Simplicity is Beauty! May the Force and farces be with you!
/( _ )\ (Fedora release 22)  Linux 4.0.8-300.fc22.i686+PAE
   ^ ^   14:45:01 up 18 days 19:02 0 users load average: 0.00 0.02 0.05
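No loans! No scams! No compensated dating! No fighting! No robbery! No suicide! Please consider Comprehensive Social Security Assistance (CSSA):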
http://www.swd.gov.hk/tc/index/site_pubsvc/page_socsecu/sub_addressesa



#244486

From: "Mr. Man-wai Chang" <toylet.toylet@gmail.com>
Date: 2015-10-02 23:08 +0800
Message-ID: <mum6hr$t2t$2@dont-email.me>
In reply to: #244484

On 10/2/2015 10:59 PM, Shadow wrote:
> 	Both "flaws" require local access to the computer, they are
> not explorable remotely.
> 	I'll stop using TrueCrypt for my elephant p0rN when they crack
> Daniel Danta's hard drives. The FBI have been unable to crack it, even
> though he used old version 6.

AND: do you need a compromised TrueCrypt?

-- 
   @~@   Remain silent. Nothing from soldiers and magicians is real!
  / v \  Simplicity is Beauty! May the Force and farces be with you!
/( _ )\ (Fedora release 22)  Linux 4.0.8-300.fc22.i686+PAE
   ^ ^   22:54:01 up 18 days 3:11 0 users load average: 0.00 0.01 0.05
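No loans! No scams! No compensated dating! No fighting! No robbery! No suicide! Please consider Comprehensive Social Security Assistance (CSSA):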
http://www.swd.gov.hk/tc/index/site_pubsvc/page_socsecu/sub_addressesa



#244595

From: cal@invalid.com
Date: 2015-10-03 21:01 -0500
Message-ID: <32211btrna4ek9srvt752j5nvom49q80lk@4ax.com>
In reply to: #244481

On Fri, 02 Oct 2015 09:29:52 -0500, "The Sorceress of Qar"
<sorceress@qar.qanar.com> wrote:

>
>Windows users who rely on TrueCrypt to encrypt their hard drives have a 
>security problem: a researcher has discovered two serious flaws in the 
>program.
>
>TrueCrypt may have been abandoned by its original developers, but it 
>remains one of the few encryption options for Windows. That keeps 
>researchers interested in finding holes in the program and its spin-offs.
>
>James Forshaw, a member of Google's Project Zero team that regularly 
>finds vulnerabilities in widely used software, has recently discovered 
>two vulnerabilities in the driver that TrueCrypt installs on Windows 
>systems.
>
>The flaws, which were apparently missed in an earlier independent audit 
>of the TrueCrypt source code, could allow attackers to obtain elevated 
>privileges on a system if they have access to a limited user account.
>
>The original authors of TrueCrypt, who have remained anonymous, abruptly 
>shut down the project in May 2014 warning that "it may contain unfixed 
>security issues" and advised users to switch to BitLocker, Microsoft's 
>full-disk encryption feature that's available in certain versions of 
>Windows.
>
>At that time a crowd-funded effort was already underway to perform a 
>professional security audit of TrueCrypt's source code and its 
>cryptography implementations. The first phase, which analyzed the 
>TrueCrypt driver and other critical parts of the code, had already been 
>completed when TrueCrypt was discontinued. The auditors found no 
>high-severity issues or evidence of intentional backdoors in the program.
>
>It's impossible to tell if the new flaws discovered by Forshaw were 
>introduced intentionally or not, but they do show that despite 
>professional code audits, serious bugs can remain undiscovered.
>
>The first phase of the TrueCrypt audit project, performed by security 
>engineers from iSEC Partners, a subsidiary of information assurance 
>company NCC Group, covered the driver code, but "Windows drivers are 
>complex beasts" and it's easy to miss local elevation of privilege 
>flaws, Forshaw said on Twitter.
>
>The Google researcher hasn't disclosed details about the two bugs yet, 
>saying that he usually waits seven days after a patch is released to 
>open his bug reports.
>
>Since TrueCrypt is no longer actively maintained, the bugs won't be 
>fixed directly in the program's code. However, they have been fixed in 
>VeraCrypt, an open-source program based on the TrueCrypt code that aims 
>to continue and improve the original project.
>
>VeraCrypt 1.15, which was released Saturday, contains patches for the two 
>vulnerabilities, identified as CVE-2015-7358 and CVE-2015-7359, as well 
>as for other bugs. The program's developer only flagged the 
>CVE-2015-7358 flaw as critical and said that it can be exploited by 
>"abusing drive letter handling."
>
>There are still many users of TrueCrypt or VeraCrypt, because it's one 
>of the few free options they have for encrypting their entire hard 
>disks, including the Windows system partition. Microsoft's BitLocker is 
>not available on Home editions of Windows, which come pre-installed on 
>many consumer laptops, and most other programs that can encrypt the 
>system partition require a paid license.
>
>Users who still use TrueCrypt should switch to VeraCrypt as soon as 
>possible. In addition to patches for these two flaws, the program also 
>has other security improvements over its predecessor.
>
>
>
>http://www.itworld.com/article/2987438/data-protection/newly-found-truecrypt-flaw-allows-full-system-compromise.html

More on the subject is here:

https://duckduckgo.com/?q=TrueCrypt+flaw



#244605

From: Shadow <Sh@dow.br>
Date: 2015-10-04 10:59 -0300
Message-ID: <cpb21btqd8mf87srcbf04e4v56kpvqqncl@4ax.com>
In reply to: #244595

On Sat, 03 Oct 2015 21:01:35 -0500, cal@invalid.com wrote:

>On Fri, 02 Oct 2015 09:29:52 -0500, "The Sorceress of Qar"
><sorceress@qar.qanar.com> wrote:
>More on the subject is here:
>
>https://duckduckgo.com/?q=TrueCrypt+flaw

//TrueCrypt vulnerabilities would not directly allow an attacker to
decrypt drive data. Instead, successful exploitation allows malware
installation on the victim’s machine, which would be enough to figure
out TrueCrypt’s Decryption Key and other sensitive data.//

	Wow, sounds really serious. You mean if I have a keylogger on
the PC (put there by any one of hundreds of available exploits) it can
discover my passwords ?
	Notice the sites advising you to switch to the M$ encryptor
(either the commercial BitLocker or the "open-source" VeraCrypt.)
	There is NO way TrueCrypt can be exploited on an isolated
(local) computer. If it's on the net, well ....... I'm sure the latest
browser exploit would allow that.
	[]'s
-- 
Don't be evil - Google 2004
We have a new policy  - Google 2012



#244610

From: "Mr. Man-wai Chang" <toylet.toylet@gmail.com>
Date: 2015-10-04 23:31 +0800
Message-ID: <murgjv$t0q$1@dont-email.me>
In reply to: #244605

On 10/4/2015 9:59 PM, Shadow wrote:
> 	There is NO way TrueCrypt can be exploited on an isolated
> (local) computer. If it's on the net, well ....... I'm sure the latest
> browser exploit would allow that.

You forgot something called Dark Magic! But then can a computer program 
cast magic? I heard that machines cannot use magic. :)
