Wednesday, September 30, 2015

TrueCrypt: New vulnerabilities in popular crypto software – ZEIT ONLINE

Content

  1. Page 1 – New vulnerabilities in popular crypto software
  2. Page 2 – Green does not believe in bug-free code


Almost exactly half a year ago, Matthew D. Green still had good news for the many fans of TrueCrypt, a program for encrypting files and drives: “It seems as if TrueCrypt is a relatively well-designed piece of crypto software.” A detailed investigation by the company NCC Crypto Services had found “no evidence of intentionally built backdoors or any serious design flaw” that would make TrueCrypt inherently insecure.

That was good news for two reasons. First, the anonymous developers of TrueCrypt had abandoned the project in June 2014, leaving users only a cryptic warning that the software may contain security vulnerabilities. The NCC audit seemed to dispel the worst of those concerns.

Second, it was a great success for Green that this audit took place at all. The cryptography professor at Johns Hopkins University in Baltimore had launched the Open Crypto Audit project, together with a fundraising campaign that raised more than 53,000 US dollars to finance the two-phase audit. Of open-source software like TrueCrypt it is always said that anyone can check the code for vulnerabilities and backdoors, but somebody actually has to do it. The campaign showed that users are willing to pay for that when the software matters to them. And TrueCrypt mattered to them because it worked across platforms, was free and was open source (although, because of its problematic licensing terms, it does not officially count as open-source software).

But now James Forshaw, a security researcher at Google, has discovered two previously unknown vulnerabilities in TrueCrypt, one of which is rated “critical”. Was the audit so sloppy that TrueCrypt users were lulled into a false sense of security, and if so, what can they do now?

Details of the two vulnerabilities are not yet public. What is clear so far is only that they affect Windows users exclusively, and that they only work if the attacker has access to the computer while files secured with TrueCrypt are currently open, for which remote access, for example through a Trojan, apparently suffices as well.

Patrick Beuth

Patrick Beuth is an editor in the Digital department of ZEIT ONLINE.

In theory, both vulnerabilities could have been found in the audit; according to Forshaw, the relevant part of the TrueCrypt code was examined in the first phase of the study. However, both errors are easy to overlook. That they were also missed in the second phase of the audit has a different reason: the attack scenario was not part of the threat model, so the software was not tested against this kind of attack. NCC was instead asked to investigate whether encrypted files can be read by third parties when the user does not currently have them open, that is, whether the data is safe at rest. In practice this means: can a thief get at the secured data after stealing a laptop protected with TrueCrypt? Can prosecutors open a TrueCrypt container stored in the cloud and handed over by the cloud provider? The answer, according to the audit: at most in extremely rare cases, owing to minor errors in the TrueCrypt code.

In an e-mail to ZEIT ONLINE, Green writes about the newly discovered vulnerabilities: “They show us that audits are not a perfect process; some vulnerabilities slip through, no matter how well someone looks.” He had therefore already pointed out a year and a half ago that TrueCrypt was not perfect. Nevertheless, the review will hopefully create additional confidence in the code that others use as the basis for their TrueCrypt forks. This refers to projects such as VeraCrypt that are based on TrueCrypt.

