New CS-RC Report – TrueCrypt, June 2014

Posted: 17th June 2014 by Josh in Uncategorized
Tags: ,

The Polder Consortium Computer Security Response Community (CompSec RC) has published a report that provides analysis of the situation and guidance for IT decision makers.

The IT Security community was bewildered by the May 28, 2014 announcement on the TrueCrypt website declaring “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”. The website furthermore directs users to migrate data from disks, volumes and containers previously encrypted with TrueCrypt to “encrypted disks or virtual disk images supported on your platform”.

The situation is made much more difficult by the fact that the TrueCrypt developers have maintained anonymity over the ten year life-cycle of this product. Thus there have been no interviews with the developers and as a result, a lot of conjecture has arisen regarding the mysterious manner in which they terminated the project.

Based on our analysis of this situation we are recommending the following action steps:

  1. It is considered safe (with caveats) to continue using the latest working version (7.1a) but only for the short-term, i.e., the next 6 months. Please do not take this as an endorsement that users should continue using TrueCrypt!
  2. TrueCrypt is no longer a viable option for long-term strategic initiatives. We highly recommend organizations develop a migration plan for transitioning away from TrueCrypt. We may have more specific recommendations at a later date but for guidance see the full report.
  3. We further recommend that users no longer download TrueCrypt or install it on client machines. In particular we recommend against downloading the latest TrueCrypt version 7.2 because there is some (unverified) risk that the TrueCrypt 7.2 install files are compromised. Individuals having TrueCrypt encrypted volumes but not having TrueCrypt already installed should download version 7.1a from GRC’s TrueCrypt? Final Release Repository for the purpose of accessing those files and migrating them to a secure encryption platform.

See the full report here CS-RC Report – TrueCrypt, June 2014.

As a side note, I was the lead contributor for this report.

-Josh

Context:

As some of you have no doubt seen, there is a new 0 Day vulnerability in IE6 – IE11 that allows one to bypass some of Window’s primary security mechanisms of ASLR & DEP.  Specifically, the way IE (mis)handles Adobe Flash allowed this issue to happen.  There currently is no patch from Microsoft, but I do expect one within the next couple days.

The initial exploitation of this vulnerability was targeted to IE9 – IE11 and a specific set of users that an APT group was targeting, but we are now seeing more generalized/non-targeted attacks.

There are a few reasons that this is a significant vulnerability, other than the fact that it is a 0 Day…

-According to Microsoft’s current policy of end of life applications, this vulnerability will not be patched on Windows XP—This means that no matter what version of IE you are running on XP (IE6 – IE8), it will always be vulnerable to this exploit unless extra action is taken (see mitigation options below)

-This vulnerability affects such a wide set of IE versions—In 2013, these versions of IE made up 53% of the desktop browser market share [src]

General Mitigation Options:

The following are the top 5 ways to mitigate this exploit—

-Disable/Remove Adobe Flash:  Because this vulnerability is really a vulnerability between Flash & IE, disabling or removing Flash will remove the vulnerability.

-Enable IE’s “Enhanced Protected Mode” :  EPM was introduced in IE10 as an enhancement to previous versions of IE’s “Protected Mode.”  EPM can have some unintended compatibility issues with other applications/web-apps, so make sure to test before rolling out.

-Use the Enhanced Mitigation Experience Toolkit: [SRC] I have discussed EMET quite a bit in the last year, but if you are not aware of what it is, Brian Krebs has a good primer on it. [SRC]

-Use a different browser: Because this is a vulnerability in IE’s handling of corrupted flash files, switching to a different browser will mitigate the issue—keep in mind that other installed apps (Microsoft Office, etc) may use the IE engine to render HTML and Flash files, which would bring the particular computer back into the scope of this vulnerability.

-Josh

 

Heartbleed IT Infrastructure Vulnerabilities

Posted: 14th April 2014 by Josh in Uncategorized

Though Mashable has a great listing of consumer-specific websites that users should change their passwords on, we have not seen a list maintained for IT Infrastructure vulnerabilities–

Hence, we have started putting together a document that notates heartbleed vulnerabilities in IT infrastructure, which can be found here.

-Josh