Truecrypt...can it be defeated by a pro?

recently something happened in my work place which I suspect will mean that our security belts will have to be tightened for executive employees who travel frequently.

unfortunately no matter what we've tried certain people will always store documents they should not locally... and with no backing to enforce a policy stating no one should have local data the policy is pretty useless.

I've used gpg4win but with my limited knowledge of it it seems you have to encrypt files as go and specify what is encrypted... it won't as and example encrypt and entire drive and anything added to that drive afterwards.

I dug around and found Trucrypt is popular for entire HD encryption but how secure is it should someone get physical access to a laptop ? With a proper pass phrase of say 20+ characters mix of upper lower,, special characters, numbers etc and a solid algorithm.. are there features of Windows XP that make it possible for a pro to still realistically get the pass phrase... ie windows by default having that password cached somewhere or it is in the ram... or stored in the registry in plain text

Find more posts tagged with

Comments

kalebksp

dynamik wrote: »

I stand corrected. That doesn't seem like much of a "rescue" though, especially if this is being used by less tech-savvy end users. I have my password backed up in a secure location, but that's not going to help my company retrieve anything off my machine if I get hit by a bus.

I guess it depends on your situation, obviously the rescue disk is intend for use if your MBR is overwritten or corrupted. As you stated if your company needs access to your data they're SOL. Which is why I don't recommend TrueCrypt for a business environment. It also illustrates why companies should have a policy stating that only approved forms of encryption configured to they're specifications are allowed.

jibbajabba

Not sure how secure those are, but all our laptops now using Seagate excrypted disks (FDE) ... Someone messed up the master password and we could not find anyone who was able to hack that thing so we had to send it back to Seagate ... They were able to remove the password which is destructive for the data ... which is good in a way

Paul Boz

A few things:

TrueCrypt is excellent software that is used by quite a few security professionals (including the company that I work for.) You can not blow past its full-disk boot sector authentication and it renders tools like Kon-boot worthless.

My gripe with people posing the question about bricking a drive is this: How much does a hard drive cost? How much does a data breech cost? If the data stored on the disk is worth less than or equal to the cost of the disk don't bother with truecrypt (or any full-disk encryption). If the data on the disk holds some type of significant value to your organization (blueprints, client data, etc) than the cost of the disk is negligible. The whole concept of rescue disks doesn't even matter when you look at it in these terms.

kalebksp wrote: »

I guess it depends on your situation, obviously the rescue disk is intend for use if your MBR is overwritten or corrupted. As you stated if your company needs access to your data they're SOL. Which is why I don't recommend TrueCrypt for a business environment. It also illustrates why companies should have a policy stating that only approved forms of encryption configured to they're specifications are allowed.

Your point is moot if the organization has a policy which dictates that the company owns any full-disk encryption backup media and passwords as a supplement to the IT acceptable use policy. The user may maintain their own unique passwords for login systems (windows domain, file server, whatever) but the full-disk encryption password is company property. Language could be included that states that full-disk encryption passwords will be randomly tested as an integrity check on the password on file. At that point the password is re-set by the user and re-recorded for the records. Violation (changing passwords, removing encryption) can be made a fireable offense with legal ramifications for non-compliance. In this scenario if someone is found to have modified the password on their full-disk encryption they can be reprimanded for it and have it re-set or if its criminal / repeat violation they can be terminated and sued.

Hyper-Me

Paul Boz wrote: »

Your point is moot if the organization has a policy which dictates that the company owns any full-disk encryption backup media and passwords as a supplement to the IT acceptable use policy. The user may maintain their own unique passwords for login systems (windows domain, file server, whatever) but the full-disk encryption password is company property. Language could be included that states that full-disk encryption passwords will be randomly tested as an integrity check on the password on file. At that point the password is re-set by the user and re-recorded for the records. Violation (changing passwords, removing encryption) can be made a fireable offense with legal ramifications for non-compliance. In this scenario if someone is found to have modified the password on their full-disk encryption they can be reprimanded for it and have it re-set or if its criminal / repeat violation they can be terminated and sued.

This would be another benefit of using Bitlocker and using GPO's to force the backup of bitlocker recovery information to Active Directory.

Who cares what password each user sets when you can KNOW that once they leave/fired/quit that you can easily recover the data without hoping the password on file is correct.

kalebksp

Paul Boz wrote: »

TrueCrypt is excellent software that is used by quite a few security professionals (including the company that I work for.) You can not blow past its full-disk boot sector authentication and it renders tools like Kon-boot worthless.

I didn't see anyone arguing that TrueCrypt isn't good software. I use it on all my personal systems not only because it's free but because I believe it properly implements full disk encryption. I would be concerned if it's rescue disk did allow for bypassing the password.

I did and do argue that TrueCrypt is not appropriate for most business environments. When I say I don't recommend TrueCrypt for business use I am assuming average users, not security engineers. Obviously that changes the game a bit.

Paul Boz wrote: »

My gripe with people posing the question about bricking a drive is this: How much does a hard drive cost? How much does a data breech cost? If the data stored on the disk is worth less than or equal to the cost of the disk don't bother with truecrypt (or any full-disk encryption). If the data on the disk holds some type of significant value to your organization (blueprints, client data, etc) than the cost of the disk is negligible. The whole concept of rescue disks doesn't even matter when you look at it in these terms.

First of all, losing the password does not brick a drive, it simply makes the data unrecoverable, the drive can still be reformatted and used. Second, the cost of the drive doesn't factor in to the equation. The monetary risks that we should be concerned with are, as you pointed out, the cost of a data breach and the cost of data loss. In my opinion the most logical balance between the two is to use full disk encryption and make sure that the data on the drive is backed up regularly.

Paul Boz wrote: »

Your point is moot if the organization has a policy which dictates that the company owns any full-disk encryption backup media and passwords as a supplement to the IT acceptable use policy. The user may maintain their own unique passwords for login systems (windows domain, file server, whatever) but the full-disk encryption password is company property. Language could be included that states that full-disk encryption passwords will be randomly tested as an integrity check on the password on file. At that point the password is re-set by the user and re-recorded for the records. Violation (changing passwords, removing encryption) can be made a fireable offense with legal ramifications for non-compliance. In this scenario if someone is found to have modified the password on their full-disk encryption they can be reprimanded for it and have it re-set or if its criminal / repeat violation they can be terminated and sued.

How does that make my point moot? What you describe sounds like "a policy stating that only approved forms of encryption configured to they're specifications are allowed." There are downsides to the policy you propose, such as trusting an employee to follow the policy even if there are legal ramifications for non-compliance. That is of course a decision for the company based on their requirements, I don't think there is a one size fits all solution in regards to security and encryption.

Paul Boz

All valid and good points. I'm just trying to provide a rebuttal to the many statements that Truecrypt isn't valid or advisable in corporate environments. You don't have to be a security engineer to put in an additional password. I wouldn't advise the validity of the software in a corporate environment if I didn't see it work in hundreds of corporate environments I've seen (including the one I work at).

kalebksp

Paul Boz wrote: »

All valid and good points. I'm just trying to provide a rebuttal to the many statements that Truecrypt isn't valid or advisable in corporate environments. You don't have to be a security engineer to put in an additional password. I wouldn't advise the validity of the software in a corporate environment if I didn't see it work in hundreds of corporate environments I've seen (including the one I work at).

Point taken. I'm surprised that TrueCrypt worked well in environments with non-technical users. I guess it just depends on the people and whether you can treat them like adults who will follow policies even if they can't completely understand why the policy is necessary, or children who believe that IT and security only exists to make their life harder and therefor don't need to comply with "bogus" policies.

I guess I went a little of topic, but I did remember something funny relating to bogus security policies. I once worked for an employer who's previous IT security guy decided that right-click was a security risk and used group policy to disable right-click on all machines. Good times.

Kasor

I used TrueCrypt at my work and I saw at many place. Nothing is perfect and of course that you always need to maintain a copy at secure location. Physical Security of the Data Center always will be there and come with certainly of risk.

Do not being narrow mind on the security. We create the encrypt code and there always a way to break, the key element is "Time" will demonstrate the theory.

JDMurray

Paul Boz wrote: »

If the data stored on the disk is worth less than or equal to the cost of the disk don't bother with truecrypt (or any full-disk encryption).

This is bad advice. To prove in court that you are doing everything you can to prevent data breeches due to carelessness and negligence, you'll encrypted your hard drives even if they are blank. Not having data protection policies and procedures in place--regardless of your data--could leave you defenseless in front of prosecuting attorneys should you find yourself in court.

Lantzvillian

Depends on if your a government employee. If you have vital information that is worth big dollars or incentive by certain corporations or other agencies... Some of the encryption tools/methods can be brute forced.

Computing power is a commodity. What ever happened to the quantum computer that was in Vancouver? It took a walk to the government side of things...

If you have the money, most encryption methods can be broken with a serious render-farm or substantial computing device.

If you need data secure, keep it off your computer or lock it up in good safe.

msteinhilber

Lantzvillian wrote: »

If you need data secure, keep it off your computer or lock it up in good safe.

I hope the data in the safe is encrypted as well. Safes are much easier to brute force than Truecrypt would be

tiersten

Lantzvillian wrote: »

If you have the money, most encryption methods can be broken with a serious render-farm or substantial computing device.

Excluding any super secret weaknesses in the algorithms and funding on the level of the NSA, I don't see how you can say this. It isn't feasible to get enough computing resources to bruteforce the current encryption algorithms which are deemed to still be secure.

dynamik

JDMurray wrote: »

This is bad advice. To prove in court that you are doing everything you can to prevent data breeches due to carelessness and negligence, you'll encrypted your hard drives even if they are blank. Not having data protection policies and procedures in place--regardless of your data--could leave you defenseless in front of prosecuting attorneys should you find yourself in court.

I believe that was the point he was making; it seems like loss of reputation, legal fees, settlement costs, etc. would be more than the cost of the drive.

JDMurray

dynamik wrote: »

I believe that was the point he was making; it seems like loss of reputation, legal fees, settlement costs, etc. would be more than the cost of the drive.

I was referring to the advice of not to use disk encryption in that case. Using disk encryption when you don't need it is sometimes a good thing too.

Smallguy

veritas_libertas wrote: »

Is cost an issue for you? If not then get something like GuardianEdge or Check Point Full Disk Encryption. Remember the less you pay the worse the support. I am not sure about Bitlocker.

The reason I suggest these is that you are going to need some sort of Central management. The last thing you want is an angry VP who can't get access to his laptop because he change the password yesterday and cannot remember his password. Trust me on that one, I have been there. Not the VP, but almost as bad, an HR person.

Sorry for the Delay but I was working like a mad man

cost is not necessarily an issue but when presenting potential solutions I like to be able to show the pros and cons of solutions

what is nice about Guardian edge is it is enterprise ready and comes with recovery tools as well

dratnol

tiersten wrote: »

Excluding any super secret weaknesses in the algorithms and funding on the level of the NSA, I don't see how you can say this. It isn't feasible to get enough computing resources to bruteforce the current encryption algorithms which are deemed to still be secure.

One of my instructors works in the digital forensics field in Florida. He was on a team that busted a guy for child ****. His day job was changing tires and he lived in a 20' x 20' shed that did not have running water. He had two computers that had multiple gig Bestcrypt containers on it. It is assumed that they contained more **** since he forgot to encrypt a few of his folders.

Anyways two different governmental agencies (one was the Secret Service, I don't remember the other one) have been trying to crack the encryption on these files with some serious hardware for just over a year and a half. They have not had any luck in doing so.

Based on that and other people I have spoken to in the security/encryption field, I am inclined to think that it is pretty secure.

GAngel

dratnol wrote: »

One of my instructors works in the digital forensics field in Florida. He was on a team that busted a guy for child ****. His day job was changing tires and he lived in a 20' x 20' shed that did not have running water. He had two computers that had multiple gig Bestcrypt containers on it. It is assumed that they contained more **** since he forgot to encrypt a few of his folders.

Anyways two different governmental agencies (one was the Secret Service, I don't remember the other one) have been trying to crack the encryption on these files with some serious hardware for just over a year and a half. They have not had any luck in doing so.

Based on that and other people I have spoken to in the security/encryption field, I am inclined to think that it is pretty secure.

If there was true blue state secrets etc on there it would have been cracked in days/weeks. If it's commercially available you can bet there are a host of countries that can get around it. There is more than enough computing power now available to do it before you factor in quantum machines coming online.

I wouldn't be surprised in the least that if it's developed in the USA it has some type of trapdoor built in that in times of "national security" it couldn't be cracked.

tiersten

dratnol wrote: »

Anyways two different governmental agencies (one was the Secret Service, I don't remember the other one) have been trying to crack the encryption on these files with some serious hardware for just over a year and a half. They have not had any luck in doing so.

Based on that and other people I have spoken to in the security/encryption field, I am inclined to think that it is pretty secure.

Pretty much. Although there is the possibility that there is a secret attack or weakness on some of the algorithms which haven't been disclosed and is kept secret for national security reasons. Whilst this is an important case, it is doubtful that it would be important enough to warrant potentially leaking the possibility of an attack.

If you think this is tinfoil hat conspiracy like then look at the history of DES. Differential cryptanalysis was discovered by IBM way back in the 70s but was deemed to be too important to be published. The S boxes in DES were specifically designed to make it more resistant to this attack. It was only publicly revealed when it was independantly found by another team in the 90s.

tiersten

GAngel wrote: »

If there was true blue state secrets etc on there it would have been cracked in days/weeks.

Not really. You can't make the assumption that it would be guaranteed to be broken in days/weeks. We don't know the amount of computing resources and attacks available to the various intelligence agencies around the world but based on current known research, it isn't trivial to crack the current encryption algorithms. It would be big leap to assume that the various TLA agencies have the guaranteed ability to do so.

GAngel wrote: »

If it's commercially available you can bet there are a host of countries that can get around it. There is more than enough computing power now available to do it before you factor in quantum machines coming online.

Have you actually seen what the current state of the art is regarding cryptanalysis? Again, you're making assumptions. If the algorithm is secure and there aren't any known weaknesses then you're looking at an extremely long time to brute force it with current computing resources available.

GAngel wrote: »

I wouldn't be surprised in the least that if it's developed in the USA it has some type of trapdoor built in that in times of "national security" it couldn't be cracked.

DES showed that whilst IBM and the NSA knew about differential cryptanalysis, they intentionally made DES more resistant to it. They didn't weaken it.

laidbackfreak

tiersten wrote: »

Excluding any super secret weaknesses in the algorithms and funding on the level of the NSA, I don't see how you can say this. It isn't feasible to get enough computing resources to bruteforce the current encryption algorithms which are deemed to still be secure.

While it may not be practically feasible to do. It is in theory possible, its the sheer daunting time factor that is the deterrent.

Brute force attack - Wikipedia, the free encyclopedia