

TrueCrypt doesn’t include a backdoor according to a security audit

The security audit of the popular encryption software TrueCrypt found no backdoor and no other significant flaws exploitable by the NSA.

The news of the day is the conclusion of the security audit of the popular encryption tool TrueCrypt, which confirmed the absence of any backdoor or critical design vulnerability in the source code.

TrueCrypt is a free, open-source and cross-platform encryption application used by millions of users worldwide to protect data. The tool can encrypt single files, folders or entire hard drive partitions, including the system partition. TrueCrypt has been under audit for the past two years, following speculation that US intelligence deliberately compromised the code so that its agents could access encrypted data.

A team of researchers conducted an analysis that lasted two years and was arranged in two distinct phases. In the first phase the experts analyzed the design (the blueprints) of the software and discovered only 11 issues, all of medium or low severity.

In the second phase, which was recently completed, the experts examined TrueCrypt’s implementation of random number generators, critical key algorithms, and several encryption cipher suites.


Security auditors and cryptography experts at NCC decided to analyze the TrueCrypt software in response to documents leaked by Edward Snowden that hypothesized a possible backdoor in the application.

“TrueCrypt appears to be a relatively well-designed piece of crypto software,” cryptographic expert Matthew Green explained in a blog post on Thursday. “The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.” “You can find the full report over at the Open Crypto Audit Project website. Those who want to read it themselves should do so. This post will only give a brief summary.”

The report reveals that experts have discovered four different vulnerabilities, but none of them could be exploited by attackers to compromise TrueCrypt. The vulnerabilities and related severity are listed below:

  • Keyfile mixing is not cryptographically sound — Low severity
  • Unauthenticated ciphertext in volume headers — Undetermined
  • CryptAcquireContext may silently fail in unusual scenarios — High severity
  • AES implementation susceptible to cache timing attacks — High severity
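The second finding, “Unauthenticated ciphertext in volume headers”, is easiest to understand with a small worked example. The code below is an added illustration, not TrueCrypt’s code or the auditors’ code: it uses a constructed toy keystream built from SHA-256 (standing in for the real cipher, which is not reproduced), a constructed 16-byte header layout (magic, version, volume size), and fixed constructed keys and nonce. It shows that with unauthenticated encryption a single flipped ciphertext bit silently changes a decrypted header field, whereas an HMAC tag over the ciphertext (encrypt-then-MAC) makes the same tampering detectable.

```python
"""Added example: why unauthenticated volume-header ciphertext is a problem.

Everything here is constructed for illustration; it is not TrueCrypt's header
format, cipher, or key derivation. The toy keystream only serves to show the
malleability of XOR-style encryption and how a MAC detects modification.
"""
import hashlib
import hmac
import struct

# Constructed keys and nonce (fixed so the demo is deterministic).
ENC_KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32
NONCE = b"\x00" * 16

# Constructed 16-byte header: 4-byte magic, 4-byte version, 8-byte volume size.
HEADER_FMT = ">4sIQ"
HEADER = struct.pack(HEADER_FMT, b"TRUE", 1, 1 << 30)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed counter-mode keystream from SHA-256 (illustrative only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_unauthenticated(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; no integrity protection at all."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_unauthenticated(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # XOR is its own inverse, so decryption is the same operation.
    return encrypt_unauthenticated(key, nonce, ciphertext)


def encrypt_authenticated(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: append an HMAC-SHA256 tag over nonce || ciphertext."""
    ct = encrypt_unauthenticated(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_authenticated(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject any modification."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("header authentication failed: ciphertext was modified")
    return decrypt_unauthenticated(enc_key, nonce, ct)


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate corruption or tampering of one bit in stored ciphertext."""
    b = bytearray(data)
    b[byte_index] ^= 1 << bit
    return bytes(b)


def demo_unauthenticated() -> tuple:
    """Returns (original volume size, size read back after one flipped bit).

    The change is not detected: the header decrypts "successfully" to wrong data.
    """
    ct = encrypt_unauthenticated(ENC_KEY, NONCE, HEADER)
    tampered = flip_bit(ct, 15, 0)  # byte 15 is the low byte of the size field
    _, _, size_after = struct.unpack(HEADER_FMT, decrypt_unauthenticated(ENC_KEY, NONCE, tampered))
    return struct.unpack(HEADER_FMT, HEADER)[2], size_after


def demo_authenticated() -> bool:
    """Returns True when the same one-bit change is caught by the MAC check."""
    blob = encrypt_authenticated(ENC_KEY, MAC_KEY, NONCE, HEADER)
    tampered = flip_bit(blob, 15, 0)
    try:
        decrypt_authenticated(ENC_KEY, MAC_KEY, NONCE, tampered)
    except ValueError:
        return True
    return False


def roundtrip_authenticated() -> bool:
    """Sanity check: an untampered authenticated header decrypts to the original."""
    blob = encrypt_authenticated(ENC_KEY, MAC_KEY, NONCE, HEADER)
    return decrypt_authenticated(ENC_KEY, MAC_KEY, NONCE, blob) == HEADER


if __name__ == "__main__":
    print("unauthenticated (original, tampered):", demo_unauthenticated())
    print("authenticated tampering detected:", demo_authenticated())
    print("authenticated round-trip ok:", roundtrip_authenticated())
```

The defender’s takeaway is the one the audit item points at: a header field such as the volume size can be altered without the software noticing unless the header ciphertext carries an integrity check (an HMAC as here, or an AEAD mode), and that check must run before any decrypted field is trusted.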

In summary, the experts found no evidence of a backdoor in the code of the popular application.

“That doesn’t mean Truecrypt is perfect. The auditors did find a few glitches and some incautious programming — leading to a couple of issues that could, in the right circumstances, cause Truecrypt to give less assurance than we’d like it to.” said Green.

Pierluigi Paganini

(Security Affairs –  Truecrypt, security audit)