Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
myhack58佚名MYHACK58:62201569369
HistoryNov 25, 2015 - 12:00 a.m.

TrueCrypt vulnerability analysis: than people think the more security-vulnerability warning-the black bar safety net

2015-11-2500:00:00
佚名
www.myhack58.com
6
JSON

! [](/Article/UploadPic/2015-11/2 0 1 5 1 1 2 5 4 4 8 2 1 1 1 0. jpg? www. myhack58. com)
TrueCrypt is a is millions on security and privacy lovers the favorite data encryption tool, but recently it broke some of the vulnerabilities. However, according to well-known Information Security Technology Institute of the Fraunhofer-out of a safety analysis report, it may still have to than people think to be safe.
TrueCrypt security vulnerability analysis
This article up to 7 on page 7 of the report, is in Google’s Project Zero security team revealed the TrueCrypt exist two vulnerabilities, the Fraunhofer Institute to five weeks after the issue. This two vulnerabilities, the most serious, is the use of TrueCrypt can make an application to the normal permissions to run, or in an incomplete sandbox the permission level is raised to system-level or even kernel-level. The Fraunhofer researchers said they also found some unknown TrueCrypt security vulnerabilities.
Although TrueCrypt broke these vulnerabilities, but the analysis of the report, but think of it as a computer memory, and mount the disk for data storage encryption Tool, the main function is still quite safe. Security researchers say the Project Zero vulnerabilities found as well as in the Fraunhofer Analysis Report of those that really should be fixed. However there is no evidence that a hacker can exploit these vulnerabilities to gain access to encrypted stored data. The following is the German Technical University of Darmstadt Eric Bodden, Professor, that is, the Fraunhofer security audit team, the head of the summary of the content:
“Many people do not quite understand, TrueCrypt was supposed to be not too suitable for the protection of those hackers took down the system in the encrypted data. This is because, when the TrueCrypt volume by the file system when accessed, a hacker can implant a Keylogger etc. means to obtain the key value. However, only when the TrueCrypt volume did not mount the file system, and memory in the key is not present when TrueCrypt to keep your data secure.
The final conclusion is that TrueCrypt is in offline encrypted data storage, provides good protection effect. If you need the hard disk on offline backup storage, such as the presence of a carry-on with U-disk inside, then the inside through the TrueCrypt encrypted data can be considered to be relatively safe.”
Found no fatal flaws, but TrueCrypt’s future still unsettling
The German Federal Information Technology security in a analysis report, which is April to TrueCrypt for a security audit results are very similar. Fraunhofer researchers also found that a portion of the programming problem. One of the most serious problem is that TrueCrypt uses a windows programming interface to generate a key to use the random number. In addition, the Fraunhofer researchers also found TrueCrypt in to take a random number manner on the presence of vulnerabilities.
Bodden Professor said:
“Theoretically, generate a random number vulnerability allows hackers to more easily obtain the encrypted data key, to thereby decrypt the data. Therefore, in order to secure the application of the recommendations everyone has been restored vulnerability of TrueCrypt version, the data is re-encrypted.”
Unfortunately, in 1 8 months ago TrueCrypt software development suddenly stopped, the official may have no chance for it to be repaired. Some anonymous developers revealed that this item everyone should use caution.
Bodden says Professor
“In April, security audit, once found part of a buffer overflow vulnerability. However, Fraunhofer researchers through the attempt to discover, in TrueCrypt is running these vulnerabilities is actually the use of Can’t.”
TrueCrypt summary of the problem
All in all, TrueCrypt most of the code is actually not a problem. Previously discovered vulnerabilities, and for the TrueCrypt data storage encryption the main function, and is not much affected, a similar problem may also occur in other encryption software. At this point, it is not than other alternatives better or worse. But it’s the quality of the code is really there to enhance the space, some place, maybe remodeling will be much better, and document the design description needs to be improved. However, this software did it the beginning of the design to do everything.
TrueCrypt the original software designers, who had according to the threat model to write out the appropriate documentation, he shows TrueCrypt is not in the running of the system to properly save data, which our study results are consistent. And if the use smart card or other hardware as the Key for storing the encrypted words, it should be is that no one can bypass, this can better protect your secrets. This encryption system is also possible by other way fall, but obviously relative terms is more excellent.
So use TrueCrypt users can continue to safely use this software until the VeraCrypt or another TrueCrypt alternatives to produce. Although now that TrueCrypt is gone the update source, but now must immediately replace TrueCrypt rumor is obviously bullshit. Fraunhofer researchers represent, at least in a period of time, we can continue to patiently wait for the next suitable encryption products.

JSON