Auditing with GRC’s shields up

POSTED BY: Dave B (Staff Writer)

Gibson Research Corp. has been providing an excellent service for years – free of charge.

You can find it at GRC’s Shields Up! And… for those of you who like your hyperlinks the same way I take my steak: here’s the raw URL:

The first page shows what any website can learn about your connection just from your visiting it: your public IP address and the hostname it reverse-resolves to. The page also explains how to judge whether your result is “good” or “bad.” Generally, as long as the hostname does not contain a local account name (such as your PC’s active user name) or other personal information, it isn’t a big deal.

On the main page, you’ll find an intuitive button interface to several different “probes” and tests you can run against your system. You’ll be given a rating of how you measure up to “most Windows machines” – less secure, as secure or more secure – one which I believe reflects the security continuum pretty accurately.

Additionally, it can be very helpful when testing new firewall or IDS configurations and verifying the reachability of WAN-facing network services. You can easily check which ports are open and, in some cases, even see what service is listening on a given port. One caveat: the probes are aimed at the public IP address you connect from, so behind a NAT router or other edge device they test that device (and any port-forwards on it), not your PC directly.
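To make the three verdicts an external port probe hands back concrete, here is a small loopback probe in the same spirit. It is an added example, not GRC’s code or anything ShieldsUp! runs: a TCP connect attempt either completes (open), is answered with a reset (closed), or gets no answer before the timeout (what ShieldsUp! calls “stealth”). The demo target is constructed on 127.0.0.1, so it runs offline; the “stealth” case needs a firewall dropping packets and is classified but not exercised here.

```python
"""Loopback TCP port probe classifying ports the way an external scanner reports them.

Added example, not GRC's code. The three outcomes of a TCP connect are exactly
what a remote probe can tell you about a port:
  open    - the handshake completed (something is listening)
  closed  - the host answered with a reset (reachable, nothing listening)
  stealth - no answer before the timeout (dropped by a firewall, or no host)
"""
import socket


def probe(host, port, timeout=0.5):
    """Classify host:port as 'open', 'closed' or 'stealth' using a TCP connect."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:      # RST came back: reachable, not listening
            return "closed"
        except (socket.timeout, TimeoutError):
            return "stealth"                # silently dropped: the ShieldsUp! "stealth" verdict
        except OSError:
            # host/network unreachable etc.: likewise no TCP reply came back
            return "stealth"


def scan(host, ports, timeout=0.5):
    """Probe each port in `ports` and return {port: verdict}."""
    return {p: probe(host, p, timeout) for p in ports}


def demo():
    """Constructed test target: one listener on an ephemeral loopback port plus a
    port we just released, so both the 'open' and the 'closed' verdicts appear."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)              # the handshake completes in the kernel; no accept() needed
    open_port = listener.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                     # nothing listens here now -> expect a reset

    try:
        verdicts = scan("127.0.0.1", [open_port, closed_port])
        return verdicts[open_port], verdicts[closed_port]
    finally:
        listener.close()


if __name__ == "__main__":
    for label, verdict in zip(("listening port", "released port"), demo()):
        print(f"{label}: {verdict}")
```

Run it from a machine behind your firewall and the verdicts you get are the ones ShieldsUp! would see from outside only if the firewall lets the probe through; a host that is “stealth” from the Internet can still show “open” on its own LAN, which is why the external test is worth doing.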

Overall, I’ve found this free tool provided by Gibson Research to be an excellent addition to any security professional’s toolkit.


Truecrypt or not truecrypt…

POSTED BY: Dave B (Staff Writer)

…that is the question.

Isn’t it?

Recently, I’ve noticed a surge of threads on Reddit and the like that keep perpetuating the rumor that TrueCrypt (a popular volume-encryption utility) has been compromised or is otherwise unsafe to use.

According to the Open Crypto Audit Project’s audit of the Windows version of TrueCrypt 7.1a, TrueCrypt contains no backdoors and no serious flaws that would compromise confidentiality under normal circumstances.

Does this also rule out the TrueCrypt site itself serving up bad executables to selected IPs or IP blocks? No. What does rule it out is fetching the binaries from the GitHub mirror (find it at: GRC) and verifying that their signatures and hashes match the ones the Open Crypto Audit Project recorded for the build it examined (here: OCAP). A hash published only on the download site proves nothing, since the same server could serve a matching hash alongside a tampered file. Alternatively, you could build it from source obtained from the locations listed above; that just moves the trust to the source tree, so verify its signature the same way.
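The hash check described above, as an added example (not OCAP’s or GRC’s tooling): compute the file’s digest in chunks, compare it in constant time against a digest you obtained from somewhere other than the download server, and refuse the file on any mismatch. The file bytes and the “known good” digest in the demo are constructed (it is SHA-256 of the bytes `abc`), and the installer file name is used only as a label.

```python
"""Verify a downloaded installer against a digest recorded independently of the
download site (for TrueCrypt 7.1a, the hashes the audit project published).

Added example, not the audit project's or GRC's tooling. The sample files and
the expected digest are constructed for the demo."""
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algo="sha256", chunk=1 << 20):
    """Hex digest of a file, streamed so large installers are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, expected_hex, algo="sha256"):
    """True only if the file's digest equals `expected_hex`.

    `expected_hex` must come from an out-of-band source (the audit report, a
    signed release announcement), never from the same server as the file.
    The comparison is constant-time; the digest is not secret, but this avoids
    growing a habit of using == for anything security-relevant."""
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def demo():
    """Constructed demo: a 'good' file whose digest matches, and a tampered copy."""
    workdir = tempfile.mkdtemp()
    # sha256(b"abc"); stands in for the digest taken from the audit report
    expected = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

    good = os.path.join(workdir, "TrueCrypt Setup 7.1a.exe")   # label only; bytes are constructed
    with open(good, "wb") as f:
        f.write(b"abc")

    tampered = os.path.join(workdir, "TrueCrypt Setup 7.1a (tampered).exe")
    with open(tampered, "wb") as f:
        f.write(b"abd")                                       # one byte changed

    return verify_download(good, expected), verify_download(tampered, expected)


if __name__ == "__main__":
    ok, bad = demo()
    print("untampered installer verifies:", ok)    # True
    print("tampered installer verifies:  ", bad)   # False
```

The hash only tells you that you have the same bytes the auditors looked at; it says nothing about whether those bytes are good. That is what the audit itself is for, and it is why the two checks belong together.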

Still feeling a little uneasy about Truecrypt? That’s OK – a little paranoia can be healthy!

Sadly, in the digital age, a reputation that took a decade to build can be ruined in an afternoon. There have been instances where the government admitted it was unable to crack TrueCrypt (as of 2010 at least, according to this article). That being said, one case stands out (here) in which the FBI was able to gain access to a TC volume, although it is unclear whether this was accomplished by technical means or otherwise. Also see a long list of instances where police were unable to decrypt volumes created by various popular applications.

Linux is your friend

If TrueCrypt has lost your trust for good, then I’d suggest migrating to Linux and using a tool called GnuPG. It implements the OpenPGP standard and makes managing asymmetric keypairs simple. Note that GnuPG encrypts individual files and messages rather than whole volumes, so it takes over TrueCrypt’s role only for data you are willing to handle file by file.

Also, a special Linux distro called Ubuntu Privacy Remix (UPR) is available as an .iso image for use as a live CD. It bundles both tools, so it can create encrypted TrueCrypt volumes in which you place your super-secret PGP ciphertexts.

I’d recommend the following settings for UPR volumes:

  • Use the Twofish-Serpent cascade for the wrapper volume (the one you’ll place your asymmetric ciphertexts in)
  • Use Whirlpool as the hash algorithm (TrueCrypt uses it to derive the header key from your passphrase)
  • Use a passphrase that is at least 30 characters long, and make it random
  • Use DSA/Elgamal keys for GnuPG with a 4096-bit Elgamal encryption subkey (GnuPG caps the DSA signing key at 3072 bits)
  • Again, a long, random and secure passphrase is required here

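The two passphrase items above both come down to the same thing: the passphrase has to be generated, not chosen, and long enough that its entropy rather than the cipher is never the weak link. The following added example (not UPR’s or GnuPG’s code) generates such passphrases with the OS CSPRNG and does the entropy accounting, so you can see what 30 random printable characters are worth and how many Diceware-style words would match them. The short word list is constructed for the demo; a real Diceware list has 7776 entries.

```python
"""Passphrase generation and entropy accounting for volume and key passphrases.

Added example, not UPR's or GnuPG's code. DEMO_WORDS is a constructed list;
a real Diceware list has 7776 words (12.9 bits per word)."""
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
DICEWARE_SIZE = 7776
DEMO_WORDS = ["anvil", "basalt", "cobalt", "dune", "ember", "fjord", "glacier",
              "harbor", "iris", "juniper", "kestrel", "lumen", "marble", "nickel",
              "orchid", "pumice"]          # constructed: 16 words, 4 bits each


def entropy_bits(choices, count):
    """Entropy of `count` independent, uniformly random picks from `choices` options."""
    return count * math.log2(choices)


def random_passphrase(length=30, alphabet=PRINTABLE):
    """`length` characters drawn with secrets (OS CSPRNG), never with random.random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def word_passphrase(n_words, wordlist=DEMO_WORDS, sep=" "):
    """Diceware-style passphrase: `n_words` uniformly chosen words joined by `sep`."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def words_needed(target_bits, wordlist_size=DICEWARE_SIZE):
    """How many uniformly chosen words it takes to reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def is_well_formed(passphrase, min_length=30, alphabet=PRINTABLE):
    """Structural check only (length and character set). It cannot measure the
    entropy of a human-chosen string; that is why generation, not inspection,
    is what the recommendation relies on."""
    return len(passphrase) >= min_length and all(c in alphabet for c in passphrase)


if __name__ == "__main__":
    chars = random_passphrase()
    bits = entropy_bits(len(PRINTABLE), len(chars))
    print(f"{chars}  ({bits:.0f} bits)")
    n = words_needed(bits)
    print(f"equivalent: {n} Diceware words, e.g. from the demo list: {word_passphrase(n)}")
    print(f"(the demo list only yields {entropy_bits(len(DEMO_WORDS), n):.0f} bits; "
          f"a full list yields {entropy_bits(DICEWARE_SIZE, n):.0f})")
```

Thirty random printable characters are about 197 bits, well past the 256-bit keys the cascade uses as input and far past what any offline guessing attack can cover; the same strength in Diceware words is sixteen of them, which is why the word form is only attractive if the words come from a real list and a real die, not from memory.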
This setup gives you a margin of safety: the data sits behind two independent layers, and a failure in one does not expose the plaintext.

Since UPR runs from the live CD and writes nothing to the local disk, it is safe to work with files on its desktop. For instance, you could first encrypt the sensitive file to your public key with GnuPG. Next, mount the TrueCrypt volume and place the ciphertext (the encrypted file) in it. TrueCrypt never sees the plaintext, so even if it has somehow been secretly compromised, all it can leak is ciphertext.

The down-low?

It’s simple. TrueCrypt is 99% likely to be safe. It’s been verified several times and even passed a bona fide audit with a pretty decent score, considering TrueCrypt was not created by a multi-million-dollar corporation or a state actor. The developers invested a good chunk of their lives in it and, any future discovery of malicious intent notwithstanding, received a lot of flak and permanent damage to their reputations that was probably not deserved.

TrueCrypt is most likely perfectly safe to use, provided that you fully understand what it can and cannot do. If your endpoint is compromised: it won’t help. If you have the volume mounted when an armed attacker busts into your home: it won’t help. If your powered-down machine is stolen by a burglar: it will do its job. There are plenty of other limitations too; those were just a few examples that people tend to forget. Overall? I’m still using it. But, then again, my threat model doesn’t include state actors (at least not from this country). I’m sure others’ does.

One last thought: you shouldn’t even be obsessing about any of this unless you have endpoint security handled!