[Micronet] TrueCrypt - Windows XP Fallout


[Micronet] TrueCrypt - Windows XP Fallout

Philip Weekly

Hello Everyone,

 

Due to the abatement of Windows XP, the anonymous makers of TrueCrypt have terminated any future development. Thus TrueCrypt has now been determined to be insecure. TrueCrypt recommends migrating to Windows BitLocker. See the link below for additional details.

 

http://truecrypt.sourceforge.net/

 

I would suggest a member of the IST Security team provide some baseline recommendations for Whole Disk Encryption (WDE).

 

Regards,

 

Philip

 

 

Philip Weekly

Director, Information Systems

 

School of Optometry

University of California

510-642-2230

http://cal-eye-care.org/

 

This email and any files transmitted with it are confidential. If you have received this email in error please notify the sender and then delete it immediately.

Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of The School of Optometry or The University of California.

 


 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

Re: [Micronet] TrueCrypt - Windows XP Fallout

Graham Patterson

I'm actually more worried about a substitute for the directory/folder
level encryption for cross-platform use. The nearest alternative seems
to be AESCrypt, which only does file level encryption, and requires that
you manually delete (securely!) the unencrypted version.

Windows and OSX both have OS-level whole disk encryption options.


Graham


On 6/2/14 7:41 AM, Philip Weekly wrote:

> Hello Everyone,
>
>  
>
> Due to the abatement of Windows XP, the anonymous makers of TrueCrypt
> have terminated any future development. Thus TrueCrypt has now been
> determined to be insecure. TrueCrypt recommends migrating to Windows
> BitLocker.  See the link below for additional details.
>
>  
>
> http://truecrypt.sourceforge.net/
>
>  
>
> I would suggest a member of the IST Security team provide some baseline
> recommendations for Whole Disk Encryption (WDE).
>
>  
>
> Regards,
>
>  
>
> Philip
>


--
Graham Patterson, Systems Administrator
Lawrence Hall of Science, UC Berkeley   510-643-2222
"...past the iguana, the tyrannosaurus, the mastodon, the mathematical
puzzles, and the meteorite..." - directions to my office.

 

Re: [Micronet] TrueCrypt - Windows XP Fallout

Seth Novogrodsky
It's not really clear why TrueCrypt is now desupported. There are links to some interesting articles about this in the last SANS NewsBites newsletter:

--TrueCrypt Shuts Down Development
(May 29, 2014)
The TrueCrypt open source encryption project has ceased operations after
issuing a warning that the software is no longer secure. The warning
included instructions for users to migrate to BitLocker. The warning
says that TrueCrypt development stopped in May 2014 after Microsoft
stopped supporting Windows XP, but experts say the connection does not
make sense. Some are positing that the company received a National
Security Letter and is doing what Lavabit did to avoid disclosing
customer data. Others have suggested that it might be a hoax or an
attack, or that the TrueCrypt developers found an overwhelming
vulnerability.
https://isc.sans.edu/forums/diary/True+Crypt+Compromised+Removed+/18177  
http://www.computerworld.com/s/article/9248658/In_baffling_move_TrueCrypt_open_source_crypto_project_shuts_down?taxonomyId=17
http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/
http://arstechnica.com/security/2014/05/bombshell-truecrypt-advisory-backdoor-hack-hoax-none-of-the-above/

PC World has an article listing some TrueCrypt alternatives:

http://www.pcworld.com/article/2304851/so-long-truecrypt-5-encryption-alternatives-that-can-lock-down-your-data.html


Seth

On 6/2/2014 8:16 AM, Graham Patterson wrote:
I'm actually more worried about a substitute for the directory/folder
level encryption for cross-platform use. The nearest alternative seems
to be AESCrypt, which only does file level encryption, and requires that
you manually delete (securely!) the unencrypted version.

Windows and  OSX both have OS-level whole disk encryption options.


Graham


On 6/2/14 7:41 AM, Philip Weekly wrote:
Hello Everyone,

 

Due to the abatement of Windows XP, the anonymous makers of TrueCrypt
have terminated any future development. Thus TrueCrypt has now been
determined to be insecure. TrueCrypt recommends migrating to Windows
BitLocker.  See the link below for additional details.

 

http://truecrypt.sourceforge.net/

 

I would suggest a member of the IST Security team provide some baseline
recommendations for Whole Disk Encryption (WDE).

 

Regards,

 

Philip

 

 





-- 
Seth Novogrodsky
Department of Economics and College of Letters & Science

 

Re: [Micronet] TrueCrypt - Windows XP Fallout

Noah N Bacon
Greetings all,

While the TrueCrypt Team may have discontinued updating the application (though the story is muddled), the audit of the program still continues.


They are evaluating the software on a line by line basis and are now delving into the cryptanalysis portion of the program, thus it may still be viable (with v7.1a still possibly being secure).

--Noah


On Mon, Jun 2, 2014 at 8:35 AM, Seth Novogrodsky <[hidden email]> wrote:
It's not really clear why TrueCrypt is now desupported. There are links to some interesting articles about this in the last SANS NewsBites newsletter:

--TrueCrypt Shuts Down Development
(May 29, 2014)
The TrueCrypt open source encryption project has ceased operations after
issuing a warning that the software is no longer secure. The warning
included instructions for users to migrate to BitLocker. The warning
says that TrueCrypt development stopped in May 2014 after Microsoft
stopped supporting Windows XP, but experts say the connection does not
make sense. Some are positing that the company received a National
Security Letter and is doing what Lavabit did to avoid disclosing
customer data. Others have suggested that it might be a hoax or an
attack, or that the TrueCrypt developers found an overwhelming
vulnerability.
https://isc.sans.edu/forums/diary/True+Crypt+Compromised+Removed+/18177  
http://www.computerworld.com/s/article/9248658/In_baffling_move_TrueCrypt_open_source_crypto_project_shuts_down?taxonomyId=17
http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/
http://arstechnica.com/security/2014/05/bombshell-truecrypt-advisory-backdoor-hack-hoax-none-of-the-above/

PC World has an article listing some TrueCrypt alternatives:

http://www.pcworld.com/article/2304851/so-long-truecrypt-5-encryption-alternatives-that-can-lock-down-your-data.html


Seth


On 6/2/2014 8:16 AM, Graham Patterson wrote:
I'm actually more worried about a substitute for the directory/folder
level encryption for cross-platform use. The nearest alternative seems
to be AESCrypt, which only does file level encryption, and requires that
you manually delete (securely!) the unencrypted version.

Windows and  OSX both have OS-level whole disk encryption options.


Graham


On 6/2/14 7:41 AM, Philip Weekly wrote:
Hello Everyone,

 

Due to the abatement of Windows XP, the anonymous makers of TrueCrypt
have terminated any future development. Thus TrueCrypt has now been
determined to be insecure. TrueCrypt recommends migrating to Windows
BitLocker.  See the link below for additional details.

 

http://truecrypt.sourceforge.net/

 

I would suggest a member of the IST Security team provide some baseline
recommendations for Whole Disk Encryption (WDE).

 

Regards,

 

Philip

 

 





--
Noah Bacon
Campus Shared Services IT
University of California, Berkeley
Ph: (510) 664-9219

 

Re: [Micronet] TrueCrypt - Windows XP Fallout

paul rivers
In reply to this post by Philip Weekly

The recommendations remain the same: use vetted and strong industry
standards when doing any kind of encryption. There are more detailed
recommendations here:

https://security.berkeley.edu/node/379

Those recommendations do still include Truecrypt, as it is early yet to
know what's going on. As Seth pointed out, there's a lot of speculation.
We'll see how things settle out. Either way, the guideline page will be
updated.

For full disc encryption, native OS tools are now excellent.

While of course full disc encryption is a good thing for portable
devices[1], we still see far too many cases on campus where:

 - The OS is not getting updated in a timely fashion
 - The browser is out of date and/or running out of date plug-ins
 - The OS has services for desktop devices that are open to the
internet, and yet are not being managed in a way that is appropriate for
an internet-facing service

This leads to far more desktop compromises than it should. I do think
full disc encryption is a critical layer, but without the above and
similar fundamentals, it's not the place to start. This isn't directed
at anyone in particular, but after looking at monthly security ops
stats, I thought it was worth repeating.

Regards,
Paul


[1] Not just a good thing, but also required by policy in many cases:
https://security.berkeley.edu/mssei?destination=node/363#encryption-removable-media




On 06/02/2014 07:41 AM, Philip Weekly wrote:

> Hello Everyone,
>
>  
>
> Due to the abatement of Windows XP, the anonymous makers of TrueCrypt
> have terminated any future development. Thus TrueCrypt has now been
> determined to be insecure. TrueCrypt recommends migrating to Windows
> BitLocker.  See the link below for additional details.
>
>  
>
> http://truecrypt.sourceforge.net/
>
>  
>
> I would suggest a member of the IST Security team provide some baseline
> recommendations for Whole Disk Encryption (WDE).
>
>  
>
> Regards,
>
>  
>
> Philip
>
>  
>
>  
>


 