- Is TrueCrypt Gone? – The short answer is, as far as the name “TrueCrypt” is concerned, it likely is. On 28 May, SANS reported that TrueCrypt had been effectively taken offline and replaced with a warning that TrueCrypt was no longer secure. We are currently reviewing a number of alternatives to TrueCrypt for partial / full disk encryption and will post our recommendations soon. One thing to keep in mind is that, although the license for the TrueCrypt project prohibited its continued development under the moniker “TrueCrypt”, the project was open source and used / loved by literally millions. The code audit is not complete but, at this time, no actual threat to data encrypted by TrueCrypt has been found. A number of well-renowned authorities on security have noted that, at this time, panic is not warranted (including Steve Gibson here). The news was abrupt and very sparse and, as a result, rumors ran amok that day and continue to do so. Because of this, I am going to stick to what we know (or believe, based on substantiated evidence) to be true as of the time of this email. We will continue posting updates to our Facebook page as new details emerge.
- On 28 May 2014, the TrueCrypt website was replaced with a notice “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”
- The TrueCrypt code was open source and was maintained by a community of (previously) anonymous developers. The license, however, seems to prohibit the project being taken over by someone else (so that it can continue). That said, a group out of Switzerland is reportedly working to continue the project. Based on the site, it looks like the name of the new project may be TCNext and it will be built on the original TrueCrypt code.
- We are continuing to use TrueCrypt until a legitimate threat is disclosed or a viable successor is found. At this point, we know that development on the TrueCrypt project has ceased and the original developers are attempting to ‘kill’ the project but there have been no actual ‘problems’ noted with version 7.1 of the product (released in early 2012). We anticipate a new GPL (or similarly) licensed fork of the project to emerge based on the original code. In the interim, we are reviewing other options.
Microsoft – According to the Advanced Notification of June 2014, there are a total of 7 bulletins with 2 listed as critical and the remaining 5 listed as important. Both of the critical bulletins address vulnerabilities that can allow remote code execution (someone can install software onto your computer without your permission or knowledge). The important bulletins range from remote code execution to privilege escalation (allowing a user or process / program to run with administrative privileges without the administrative password) and security feature bypass (bypassing specific security features). Most of the updates require a reboot and, at least with the critical vulnerabilities, should be installed as soon as testing permits. Five of the bulletins address problems with Windows itself, one is for Microsoft Office and one is for Microsoft Lync.
Microsoft releases regular updates the second Tuesday of each month, often referred to as ‘Patch Tuesday’. These updates are categorized as Low, Moderate, Important or Critical. Details on the categories are available here. The updates can include any supported Microsoft product from Windows to Office to Internet Explorer and server products like Exchange and SQL Server. If you have one or more of these products installed, especially if the update is listed as Important or Critical, it’s important that the updates are installed.
Adobe – Adobe released updates to Adobe Reader, Adobe Flash Player and Adobe Illustrator in May. One thing to take away from this, especially in light of all of the recent “I’m going to get a Mac since Windows XP is going away, plus Macs don’t get viruses” chatter that we’re hearing lately: several of the critical vulnerabilities address problems with software that affects only, or also affects, the Mac platform. All users are encouraged to review the updates and apply them as soon as testing permits. All MyIT clients already have these updates installed.
Like Microsoft, Adobe now releases updates to their products on the second Tuesday of each month. Adobe will also release ‘out of band’ updates if necessary to address critical vulnerabilities in their products. Adobe products include Adobe Reader (for viewing PDF files), Adobe Flash Player (often used to watch videos, for interactive content like games, etc.), Adobe Shockwave and the Adobe Creative Suite (Photoshop, Illustrator, Acrobat, Lightroom, etc.).
Java – The latest ‘mainstream’ version of Java is Java 7 update 60. Java 8 is still out and available but isn’t recommended for mainstream use yet.
Java is a tool that’s widely used by banks, online service providers and even security companies for SSL VPN connections. Java’s ‘official’ release cycle is approximately quarterly but Java updates have been ‘fast and furious’ in recent months. It’s worth noting again that, if you don’t absolutely need Java on your computer, it’s not a bad idea to remove it altogether.