For those looking to go a step further, TrueCrypt offered full-disk encryption…at least it did until it was abandoned by its developers. Forshaw found two “privilege elevation” loopholes that could be exploited by hackers to give them full access to the user’s data. The severity of the newly-discovered problems has led to renewed calls for remaining TrueCrypt users to seek an alternative.
Advertisement
The flaws have been patched in Veracrypt version 1.15, which was released on 26 September.
The system encryption service, axed previous year after Microsoft terminated support for Windows XP, was canned without warning due to “unresolved security issues” in May 2014.
TrueCrypt has been used by, among others, David Miranda, the partner of journalist Glenn Greenwald, who was one of the first reporters to publish information provided by former security contractor Edward Snowden about widespread surveillance by the U.S. National Security Agency and its equivalent organization in the United Kingdom, the Government Communications Headquarters.
Serious security flaws are found in TrueCrypt, laying those who bet on the subaru legacy encryption solution vulnerable. He and other researchers agree that the vulnerabilities – which can reportedly be exploited by “abusive drive letter handling” – weren’t deliberately installed.
“Even though my Truecrypt bugs weren’t backdoors, it’s clear that it was possible to sneak them past an audit”, Foreshaw noted.
Forshaw later clarified that he didn’t suggest the bugs were put in intentionally to test auditing measures, but that the fact it had passed so many checks suggested that the audits weren’t stringent enough. However, Forshaw acknowledged that audits typically don’t catch every single bug.
Advertisement
However, he said that doesn’t mean the latest findings should preclude the use of TrueCrypt. “Everyone suspects everything, and no one knows anything”, he said.
