securitybreach Posted November 21, 2015

TrueCrypt continues to fascinate even though it hasn’t been updated in more than a year and has been cleared of backdoors in more than one extensive audit.

The German government’s Federal Office for Information Security (BIS) is the latest to inspect and analyze the security of the abandoned open source disk encryption software and once again, it was deemed relatively safe for use, in particular for offline storage of data.

In fact, the European Center for Security and Privacy by Design (EC SPRIDE) and Fraunhofer Institute for Secure Information Technology wrote TrueCrypt might be safer than previous audits suggest, but cautions that it’s inherently not suitable for securing encrypted data on a running system.

“This is because when a TrueCrypt volume is mounted its data is generally accessible through the file system, and with repeated access one can install key loggers etc. to get hold of the key material in many situations,” wrote Eric Bodden, a professor at Fraunhofer SIT. “Only when unmounted, and no key is kept in memory, can a TrueCrypt volume really be secure.”

Bodden also warned those who continue to download and use TrueCrypt need to address vulnerabilities that have been uncovered by the previous audit conducted by the Open Crypto Audit Project (OCAP) and by Google’s Project Zero research team.

OCAP’s audit was the first major endeavor to conduct a cryptanalysis of the TrueCrypt code and found no deliberate backdoors, which was the big fear after its anonymous handlers suddenly pulled the plug on the project shutting down patch and feature development. The two-phase audit, conducted by NCC Group Cryptography Services, did turn up a handful of vulnerabilities, including two that were deemed critical.......

https://threatpost.c...uecrypt/115441/

securitybreach Posted November 21, 2015

Considering that the security holes have not been fixed, it makes you wonder if they want you to use insecure encryption methods..

V.T. Eric Layton Posted November 21, 2015

Is PGP still a viable encryption or has it been hacked by BIG BRO?

securitybreach Posted November 21, 2015

> Is PGP still a viable encryption or has it been hacked by BIG BRO?

Sort of

http://www.geek.com/chips/300-tool-can-decrypt-pgp-truecrypt-files-without-a-password-1533341/

And:

http://www.securityweek.com/pgp-email-encryption-fundamentally-broken-cryptography-expert

V.T. Eric Layton Posted November 21, 2015

About the first link... I power down my machine every night, so I'm not too worried about a hack that requires access and dissection of the RAM content to steal the user's Private Key. I don't see that being a simple hack on a Linux system, unless the root password is "password."

The second link is mostly a criticism of the need to use large keys in PGP. Well, PGP isn't called "pretty good privacy" for nothing. It was never meant to be NSA level encryption. It's more like a lock on a backyard gate... it's just supposed to keep the honest folks honest.

Guest LilBambi Posted December 2, 2015

Good call Eric. :thumbups: