Is This TrueCrypt's Fatal Flaw?
mardi 13 octobre 2015 à 11:33GuiGui's Show - Liens
« But now, two security vulnerabilities in TrueCrypt have been discovered, one of which is deemed serious. Here is what you need to know and do.
The flaws were discovered by James Forshaw, a member of Google’s Project Zero team which ferrets out zero-day vulnerabilities in all sorts of software. One of the flaws is not very useful to hackers, in Forshaw’s opinion. The other is much more serious.
TrueCrypt's Fatal Flaw
The less dangerous flaw, designated CVE-2015-7359, would allow any user of a shared computer to impersonate another user. The attacking user could unmount a victim’s TrueCrypt-encrypted virtual drive volume. But, as Forshaw writes,
“I don’t believe this is really a serious issue, as if you’re mounting encrypted volumes on shared machine and leaving them mounted I think you’ve got other problems.” In other words, people who do something this dumb have probably left several other, easier entries into their systems wide open.
The other flaw, CVE-2015-7358, is more serious. It could allow an attacker to gain administrative privileges on a machine even if its boot drive is fully encrypted by TrueCrypt. And if a user has administrative privileges, he or she can do anything on that computer, including installing malware.
Is Data Encrypted With TrueCrypt at Risk?
I've been reading that this flaw (even though it's serious and compromises the security and privacy of the affected computer) does NOT give the attacker the ability to decrypt a TrueCrypt volume.
But… what if the attacker was able to install a keylogger that loads before TrueCrypt’s authentication module, enabling the keylogger to capture the user’s TrueCrypt authentication key as it is typed? With that key, the attacker could do anything with the victim’s encrypted data.
[...]
However, they can turn to a free spinoff of TrueCrypt called VeraCrypt, which has already been patched to close the holes discovered by Forshaw. VeraCrypt is able to convert your TrueCrypt volumes to VeraCrypt format, so there should be an easy transition. »
Deux failles dans Truecrypt datant de septembre 2015 qui touchent uniquement winwin et ne remet pas en cause directement le chiffremment des données. Veracrypt, un fork open source mais pas libre de Truecrypt, corrige ces failles alors que Truecrypt n'est plus maintenu.
BTW, prudence avec Gostcrypt, autre alternative qui est soutenue, entre autres par le « Laboratoire de Cryptologie et de Virologie Opérationnelles ESIEA, Laval » et Éric Filiol. Ce dernier a des casseroles à son actif malgrè ses compétences/pédagogie avérées : dit avoir cassé AES en 2003 (http://eprint.iacr.org/2003/022.pdf), FUD *dangereux* autour de TOR en 2011 (http://koolfy.be/2011/10/24/did-filiol-break-tor-1/), le flou/lulz autour de la libperseus (http://news0ft.blogspot.fr/2011/06/challenge-fail.html).
Sinon, il reste toujours LUKS sous GNU/Linux ou softraid+crypto sous OpenBSD qui sont libres, eux, donc on peut avoir un peu plus confiance. :)
Via Aeris (https://blog.imirhil.fr/)
(Permalink)
« But now, two security vulnerabilities in TrueCrypt have been discovered, one of which is deemed serious. Here is what you need to know and do.
The flaws were discovered by James Forshaw, a member of Google’s Project Zero team which ferrets out zero-day vulnerabilities in all sorts of software. One of the flaws is not very useful to hackers, in Forshaw’s opinion. The other is much more serious.
TrueCrypt's Fatal Flaw
The less dangerous flaw, designated CVE-2015-7359, would allow any user of a shared computer to impersonate another user. The attacking user could unmount a victim’s TrueCrypt-encrypted virtual drive volume. But, as Forshaw writes,
“I don’t believe this is really a serious issue, as if you’re mounting encrypted volumes on shared machine and leaving them mounted I think you’ve got other problems.” In other words, people who do something this dumb have probably left several other, easier entries into their systems wide open.
The other flaw, CVE-2015-7358, is more serious. It could allow an attacker to gain administrative privileges on a machine even if its boot drive is fully encrypted by TrueCrypt. And if a user has administrative privileges, he or she can do anything on that computer, including installing malware.
Is Data Encrypted With TrueCrypt at Risk?
I've been reading that this flaw (even though it's serious and compromises the security and privacy of the affected computer) does NOT give the attacker the ability to decrypt a TrueCrypt volume.
But… what if the attacker was able to install a keylogger that loads before TrueCrypt’s authentication module, enabling the keylogger to capture the user’s TrueCrypt authentication key as it is typed? With that key, the attacker could do anything with the victim’s encrypted data.
[...]
However, they can turn to a free spinoff of TrueCrypt called VeraCrypt, which has already been patched to close the holes discovered by Forshaw. VeraCrypt is able to convert your TrueCrypt volumes to VeraCrypt format, so there should be an easy transition. »
Deux failles dans Truecrypt datant de septembre 2015 qui touchent uniquement winwin et ne remet pas en cause directement le chiffremment des données. Veracrypt, un fork open source mais pas libre de Truecrypt, corrige ces failles alors que Truecrypt n'est plus maintenu.
BTW, prudence avec Gostcrypt, autre alternative qui est soutenue, entre autres par le « Laboratoire de Cryptologie et de Virologie Opérationnelles ESIEA, Laval » et Éric Filiol. Ce dernier a des casseroles à son actif malgrè ses compétences/pédagogie avérées : dit avoir cassé AES en 2003 (http://eprint.iacr.org/2003/022.pdf), FUD *dangereux* autour de TOR en 2011 (http://koolfy.be/2011/10/24/did-filiol-break-tor-1/), le flou/lulz autour de la libperseus (http://news0ft.blogspot.fr/2011/06/challenge-fail.html).
Sinon, il reste toujours LUKS sous GNU/Linux ou softraid+crypto sous OpenBSD qui sont libres, eux, donc on peut avoir un peu plus confiance. :)
Via Aeris (https://blog.imirhil.fr/)
(Permalink)