VeraCrypt Audit

John Connor

Lifer
Nov 30, 2012
22,840
617
121
Meh, I still trust TrueCrypt. There is a vulnerability, but that's when the computer is on when it will be vulnerable anyway. So long as my data is encrypted on power off I'm good. Although, UEFI capability is promising in VeraCrypt.
 

John Connor

This is truth:

US intelligence has already explored this attack technique, the NSA program known as TEMPEST makes use of special devices to syphon data from computers and servers via leaking emanations, including unintentional radio or electrical signals and vibrations from targeted hardware (e.g. Monitors, memory chips, keyboards, network cards and connection cables).

This is not:

Once the malicious code is installed in the phone, it scans for electromagnetic waves which can be manipulated to build a network connection using FM frequencies to install a virus onto a computer or server.

You can't use the FM broadcast band to manipulate data on a computer. That is just plain asinine. LOL!
 

Mike64

Platinum Member
Apr 22, 2011
2,108
101
91
Even assuming that particular one is in fact even plausible (I've read about ones using a similar "approach" that are apparently functional at least in a limited way), attack vectors like that are extremely impractical for "general use", and easily thwarted by anyone with even half a brain. Which doesn't mean that a large organization with many workers of varying levels of intelligence, motivation to maintain security, and loyalty to whomever or whatever owns or runs the organization would be immune, but as far as motivated individuals are concerned, they're fundamentally meaningless.
 

John Connor

I'll just add this:

While I think Israel is one of our greatest Middle Eastern allies, I have known them to peddle hyped-up propaganda. They are almost as bad as Russia.

If they stated that this involved Bluetooth using a cellphone and a computer's Bluetooth connection I'd be inclined to believe it. But the article states they are using a cell phone's FM radio to interact with a computer, offloading a payload. One critical aspect stands out. Phones that do have a built-in FM broadcast radio only RX, there is no Xmiter. No matter how you slice it you can't use software to Xmit on a RX only capable FM broadcast chip. It just isn't gonna happen. Even IF the radio in the cellphone was capable of Xmiting, the frequencies used are not going to interact with a computer.
 

John Connor

I think the gist of the whole thing is that even if you have FDE, TEMPEST can see it. This is why the NSA hardens their buildings.
 

Mike64

> I think the gist of the whole thing is that even if you have FDE, TEMPEST can see it. This is why the NSA hardens their buildings.

And for that matter, there was another report (also out of Israel, so probably to be taken with at least a flake of kosher salt) that a PC's fan's speed could be modulated to transmit information via audible frequencies to a phone's mic. But again (all the other issues aside), that requires not only infecting a smartphone that will come into proximity with the target machine and the machine itself with appropriate software, but also that the phone remain turned on and/or in range of the targeted computer while the latter is being used. Even if a private individual can't be 100% sure their phone and/or computer could never be infected without being detected, turning the phone off (probably), or simply putting it in a drawer or leaving it in another room entirely are obviously mindlessly easy ways to thwart such an attack...
 

John Connor

> modulated to transmit information via audible frequencies to a phone's mic.

LOL Would be a very slow rate of speed if possible. Not only that, but no two fans have the same audio properties to maintain a common modulation scheme.
 

blackangst1

Lifer
Feb 23, 2005
22,914
2,359
126
This is an interesting article on the same site re: TrueCrypt:

https://ostif.org/truecrypt-critical-flaw-highlights-the-need-for-ostif-support-for-veracrypt/
TrueCrypt – The venerable full disk and container encryption software that was abandoned by its developers in 2014, was believed to be secure, despite the development of the software ending. This was the consensus among the security community because the software had been audited by iSec (a subsidiary of NCC). They had taken separate looks at the boot loader and the application code and not found any serious security flaws.

This strengthened the community’s trust in the software and people continued to use the software, confident that the software was largely bug-free.

Fast forward to today and James Forshaw from Google’s Project Zero has taken a look at the source code, and found two flaws that existed throughout the iSec audit. One is a critical EOP (escalation of privilege) bug that would allow an attacker to use the TrueCrypt application to get elevated access to a computer that has the software installed. While this would not give access to the containers on the Windows PC and the data would remain encrypted, it is only one additional step now to bypass that hurdle. You could, for example, install a keylogger on the machine and use that to get access to the passwords on the machine without the user’s knowledge, thus breaking the encryption of containers.

VeraCrypt has patched the flaws, and the current version is now safe from the EOP attack. Make sure you update VeraCrypt to the current version if you haven’t already. If you are still running TrueCrypt, now is the time to run for the hills as this flaw is a deal-breaker. Having the TrueCrypt software installed is a direct security risk on all Windows systems.

This chain of events highlights the need for support from organizations like ours and people like you. You need as many eyes on critical security software as possible. Our efforts to draw more skilled developers into reviewing the code, both through bounties and direct funding of audits, are a crucial step in keeping software as secure as possible.

You can read more about the new flaws here: CVE-2015-7358 and CVE-2015-7359 (full disclosure has not occurred yet, this will be updated with links after full disclosure)