TrueCrypt is dead
We used to recommend TrueCrypt as an effective file encryption solution, suitable for exchanging data sets over untrusted networks as well as for medium-term offline storage or backups.
Unfortunately, over the last few weeks it has become clear that the TrueCrypt authors have withdrawn their support for the product; and while the source code is available (and is actively being audited), it is not Open Source licensed, and should not be used in the future. TrueCrypt is effectively dead.
What should I do?
What does this mean for people who are currently using TrueCrypt? I’d recommend that you migrate your data out of TrueCrypt and into some other format; not in a rush, because there are no currently-known attacks or vulnerabilities in the product, but in a well-planned way. You should not start any new storage schemes using TrueCrypt.
What alternatives are there?
There doesn’t seem to be any usable and “free” software that does everything TrueCrypt did, but most people we talk to don’t actually need all of those features at the same time anyway.
We are currently recommending the 7z archive format with AES encryption as a solution for:
- Cross-platform support
- Protection in transit (email, dropbox, etc); sharing
- Medium-term storage on untrusted media
Please be aware that University-owned data should always be accessible by the University itself; so if the only copy of your data is encrypted in this way, the passphrase used as the key needs to be made (securely) available to the appropriate people (usually your employment line management).
7z is the file format originally implemented by the Open Source 7-Zip file archiver; it is publicly described and there are now multiple software implementations available. It is currently regarded as the ‘best’ performing compression software available. Read more on the Wikipedia entry. Command-line users might like the p7zip implementation, packaged in Debian and in the EPEL repository for Red Hat.
7z applications usually do not use encryption by default; make sure that you select this option for secure storage.
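As an added example (not code from the original post) of using the p7zip command line mentioned above, the script below creates a 7z archive with AES encryption switched on explicitly, encrypts the file names as well, and checks that the result decrypts before the plaintext is discarded. It assumes a `7z` or `7za` binary is on the PATH; the data file and passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a p7zip `7z` (or `7za`)
# binary is on PATH; the data file and passphrase below are constructed.
set -eu

# Pick a 7z binary that can encrypt. `7zr` is left out on purpose: it is the
# reduced build and has no AES support at all.
find_7z() {
    for cand in 7z 7za 7zz; do
        command -v "$cand" >/dev/null 2>&1 && { echo "$cand"; return 0; }
    done
    echo "no 7z binary with AES support found" >&2
    return 1
}

# encrypt_7z OUT.7z PASSPHRASE FILE...
# -t7z    7z container, so -p means AES-256 (a .zip would default to the
#         weak legacy ZipCrypto scheme unless -mem=AES256 is added).
# -mhe=on also encrypts the archive headers; without it anyone holding the
#         file can read the names and sizes of every entry.
# The passphrase is visible in the process list while 7z runs; for manual
# use, a bare -p makes 7z prompt for it instead.
encrypt_7z() {
    out=$1; pass=$2; shift 2
    "$(find_7z)" a -t7z -mhe=on -p"$pass" "$out" "$@" >/dev/null
}

# verify_7z ARCHIVE PASSPHRASE: succeeds only if every entry decrypts and
# its CRC matches. Run this before deleting the plaintext originals.
verify_7z() {
    "$(find_7z)" t -p"$2" "$1" >/dev/null 2>&1
}

# leaks_names ARCHIVE: succeeds if the listing is readable with a wrong
# passphrase, i.e. the archive was made without header encryption.
leaks_names() {
    "$(find_7z)" l -p"not-the-passphrase" "$1" >/dev/null 2>&1
}

# Walk-through on a throwaway directory with a constructed data file.
demo() {
    d=$(mktemp -d)
    printf 'id,name\n1,example\n' > "$d/data.csv"
    encrypt_7z "$d/data.7z" "correct horse battery staple" "$d/data.csv"
    verify_7z "$d/data.7z" "correct horse battery staple" && echo "archive verified"
    leaks_names "$d/data.7z" && echo "WARNING: names readable" || echo "names hidden"
    rm -rf "$d"
}
```

Run `demo` to see the whole sequence; `leaks_names` is the quick check for an archive someone else sent you, since a listing that opens without the passphrase means the names were never protected.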
The security firm PhishLabs has released some interesting research on a new type of phishing attack involving Voice over Internet Protocol (VoIP). Seems the bad guys send a SMS text message to unsuspecting users advising them that their debit card has been deactivated and advising them to enter their card number and PIN to reactivate it.
So far this has only been seen in the United States and has yet to make it to our shores. It will come just as those nasty irritating hoax Microsoft support calls eventually showed up.
So knowing that this type of attack is in use means that you can have the upper hand. Before you reply with your credentials, consider whether you have actually given your mobile number to your bank, and contact your bank using the number from the phone book to advise them that you have received such a message (don’t delete the message, as it may be helpful in pursuing the offender).
While scanning my security news feeds I came across this article from azcentral.com which caused me to wince a little. It seems that the Maricopa County Community College District could be spending around $17.1 million, with most of it going on lawyers and services to the millions of people whose personal data was exposed.
The article cites that a breach in 2011 was never addressed properly and this led to the more costly 2013 event. During April 2013 a server was compromised, exposing Social Security numbers and banking information for 2.4 million current and former students and staff from as long as 30 years ago.
Well, it is hard to believe that we are well into November, and what a month it has been: first the recent Adobe password debacle, where 150 million email addresses, their password hashes and the password hints were exposed on the internet, and then Kiwicon, the New Zealand hacker conference in Wellington, where “AmmonRa” took us for a ride.
With the Christmas shopping season just around the corner many will be purchasing online and there are the usual reminders. Things to watch out for are nicely organised in this SANS article by Lenny Zeltser.
While you are shopping, perhaps this Microsoft blog article from Holly Stewart will encourage you to finally ditch your old XP computer. A couple of noteworthy points in the article are that XP is six times more likely to get infected than Windows 8, and that when XP service pack 2 went out of support there was a huge disparity in infections, as much as 66% higher than on the still-supported XP service pack 3. So plan now to buy your Windows 8 replacement computer before it gets infected.
There are reports of a recent spam campaign that tries to deceive Dropbox users into resetting their passwords but instead leads to malware. Dropbox, a popular cloud storage service, does sometimes reset users’ passwords when they haven’t been changed for a while. They DON’T send an advisory email though; instead, they require a password reset at their website before linking a new computer, phone, tablet, or API app.
The spam has quite a convincing message along the lines of
We have a warning in our system that you recently tried to login in to Dropbox with a password that you haven;t changed long time already. Your old password has expired and you’ll need to create a new one to log in.
Please visit the page to update your password
Clicking on the link takes the user to a suspicious-looking page hosted in the .ru (Russian) domain that tries to pass itself off as a Microsoft site, with several downloads for non-Microsoft browsers. All very suspicious.
So if you had followed our tips on how to detect phishing emails you would have caught on to their ruse and saved yourself some grief.
Oracle have settled on a quarterly patch period for not only their database products but also Java. I have yet to decide if this is good or bad, as I really would like to see a shorter update period to reduce the time that an unpatched vulnerability exists in the wild. The release notes are here for 7u45.
The schedule is:
- 14 January 2014
- 15 April 2014
- 15 July 2014
- 14 October 2014
On the 22nd July the University of Delaware was the target of a criminal attack on one of its systems. The criminals were able to steal files that contained 72,000 names, addresses and other personally identifiable information for past, present and student employees. After taking immediate corrective action, the University is working with the Federal Bureau of Investigation and Mandiant to determine the scope of the attack. The University has indicated that the attackers used a vulnerability in software acquired from an unnamed vendor.
Over the past several months there has been an uptick in the number of web sites running Content Management Systems that have been compromised. Systems like WordPress, Joomla or Drupal have all been targeted. Site administrators struggle to keep their CMSs patched and almost never remember to include all the plugins that are used. In many cases the plugin vulnerabilities can do just as much evil as the core CMS vulnerabilities. Because the maintenance and support of plugins varies so much in breadth and quality, their vulnerabilities and updates are often not monitored or reported.
A couple of very popular plugins, WP Super Cache and W3 Total Cache, recently announced serious vulnerabilities that allow attackers to execute arbitrary PHP on the server. So take care of the plugins that you deploy, and if you no longer need them then uninstall them.
Here are some examples of phishing emails, and how to detect them.