VeraCrypt Full Disk Encryption (Win7)

Windows users looking for a free full disk encryption option should consider VeraCrypt full disk encryption. VeraCrypt seems to have become the de facto replacement for TrueCrypt. Most former TrueCrypt users I know have migrated to it, including me. VeraCrypt is important software because, as of now, it is perhaps the most trusted free full-disk encryption program available for Windows machines.

3DSC Day 17: Smartphone Security II

Today’s article will follow up on yesterday’s, and cover three follow-up tasks that will greatly increase the security of your mobile device.  They are:

  • Remove unnecessary/unused apps.  Installing an app allows it tremendous access to your device.  Though apps are sandboxed on both Android and iOS devices, each app you add to your phone increases your attack surface.  Apps can compromise your privacy by collecting, transmitting (often insecurely), and selling your data.  Apps can also compromise your security; if an app has a security hole it may give an attacker or malware access to your device.  Go through your applications and get rid of anything you can live without, or whose function can be replicated by your web browser.  An excellent resource is Clueful, which is available for Android and iOS and tells you what apps are really doing in the background.  Use it to determine which apps you should get rid of, and to decide if you should install a certain app or not.
  • Restrict app permissions:  The latest versions of Android (6/Marshmallow) and iOS allow you to have granular control over app permissions. This allows you to decide which apps have access to your phone’s camera, microphone, contacts, location data, and more.  Remember, some apps may require these functions.  A messaging app will need access to your photos if you want to use it to send pictures.  A banking app will need access to your camera if you want to use it to scan and deposit checks.  It is up to you to decide what permissions each app should have.  I recommend erring on the side of caution: when in doubt deny the permission.  If you later find the app needs that permission you can always re-enable it.
    • Android 6.0 and later: To modify these settings in Android 6/Marshmallow open Settings >> Apps.  Tap the gear icon and select App Permissions.  You will be shown Body Sensors, Calendar, Camera, Contacts, Location, Microphone.  Tapping any of these will show you the apps that can currently access the selected data set.  A slider button allows you to disable access.
    • Android 5 and earlier:  Earlier versions of Android do not allow you to customize permissions for individual apps.  You should check to see if your phone is upgradeable.  To do so open Settings and scroll to About (or “About Device”, “About Phone”, or similar).  In the About menu open System Update.  If an update to Marshmallow is available for your device you should download and install it at your earliest convenience.
    • iOS:  Open Settings and scroll to the bottom where the list of your apps begins.  Tapping on an app will let you manage its permissions and notifications settings.
  • Manage Your Wi-Fi Networks:  When your Wi-Fi is turned on it is constantly transmitting a list of the Wi-Fi networks your phone has saved.  These can reveal where you live, work, and frequent, and can set you up for a rogue access point attack.  Your set of networks is also incredibly unique and can be used to track your device.  You can defeat most of this simply by turning off Wi-Fi when you leave your home or work.  Though you should do this, it is easy to forget.  It is a good idea to be redundant and clean up your list of networks.
    • Android:  Deleting a Wi-Fi network in Android is incredibly simple.  Open Settings >> Wi-Fi.  Choose the network you wish to “forget” and tap it.  This will open a dialogue that will allow you to delete or modify the network (modifying will allow you to update the password if necessary).
    • iOS:  The iPhone operating system does not allow you to delete individual networks, except while you are connected to them.  If you have not been extremely careful about managing your Wi-Fi networks, I recommend deleting them all by resetting your network settings.  Be aware that this will delete ALL of your Wi-Fi networks and you will have to re-enter passwords for trusted networks.  To do this navigate to Settings >> General >> Reset >> Reset Network Settings.

VeraCrypt Migration

I admit being a holdout for TrueCrypt.  I wrote about it in my Your Ultimate Security Guide: Windows 7 Edition.  I encouraged its use among my friends and family.  I have used it myself.  I have stood so strongly beside TrueCrypt for two reasons.  The first is The Audit.  Being independently audited is incredibly rare among encryption tools and I placed a great deal of trust in the audit which was only recently completed, and the results of which were mostly good.  There were some minor vulnerabilities but nothing to be overly concerned about, and certainly no backdoors.  The other reason I held onto TrueCrypt for so long (and it pains me to admit this) was nostalgia.  TrueCrypt was the gold standard for years and it had been with me through thick and thin, protecting my data on half a dozen personal laptops and across scores of international borders. Letting go of TrueCrypt felt like letting go of an old friend.

But, I didn’t hold onto it out of misplaced loyalty or nostalgia alone.  The audit was huge, and until I had a good reason to believe TrueCrypt was insecure there was no reason to switch.   But audits are not perfect, and now we have that reason.  A new privilege escalation vulnerability was discovered in Windows versions of TrueCrypt (almost two months ago now) that allows the compromise of your full system.  For this reason I am moving, and recommend moving to VeraCrypt as soon as possible.

The VeraCrypt interface is updated but still comfortably familiar to TrueCrypt users.

Going back to an un-audited program feels like a huge step backward to me.  I don’t think the developers have maliciously inserted a backdoor, but code is complex and getting encryption right is hard. But there is a very big silver lining.  First, vulnerabilities like the one affecting TrueCrypt can be (and will be, and in this case, already have been) patched.  TrueCrypt’s vulnerabilities will never be patched.  Next, an audit is planned for VeraCrypt that will probably be undertaken after the program is in its next version and has added some new features.  Finally, by increasing the number of iterations from a maximum of 2,000 in TrueCrypt to as many as 500,000 in VeraCrypt, the newer program is significantly stronger against brute-force attacks.  Using VeraCrypt requires almost no learning curve for anyone familiar with TrueCrypt as the two programs are almost identical in up-front operation.
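To put the iteration counts in perspective, the sketch below times one password-to-key derivation at each count and scales that to a candidate list. It is an added example, not VeraCrypt's or TrueCrypt's code; the use of PBKDF2-HMAC-SHA512, the 64-byte salt, the sample passphrase and the 10-million-entry candidate list are assumptions chosen for illustration.

```python
import hashlib
import os
import time

TRUECRYPT_ITERATIONS = 2_000     # maximum stated in the post
VERACRYPT_ITERATIONS = 500_000   # upper figure stated in the post


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Stretch a password into a 64-byte key with PBKDF2-HMAC-SHA512 (assumed PRF)."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=64)


def seconds_per_guess(iterations: int, salt: bytes) -> float:
    """Time one derivation; every candidate password costs a guesser this much."""
    start = time.perf_counter()
    derive_key(b"constructed sample passphrase", salt, iterations)
    return time.perf_counter() - start


def work_factor(old_iterations: int, new_iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so the ratio is the slowdown."""
    return new_iterations / old_iterations


def days_to_exhaust(candidates: int, per_guess: float) -> float:
    """Single-core time, in days, to try every password in a candidate list."""
    return candidates * per_guess / 86_400


if __name__ == "__main__":
    salt = os.urandom(64)  # random per-volume salt; size assumed for this example
    for name, n in (("TrueCrypt", TRUECRYPT_ITERATIONS),
                    ("VeraCrypt", VERACRYPT_ITERATIONS)):
        t = seconds_per_guess(n, salt)
        print(f"{name}: {n:>7} iterations, {t * 1000:9.2f} ms per guess, "
              f"{days_to_exhaust(10_000_000, t):10.2f} days for 10M candidates")
    factor = work_factor(TRUECRYPT_ITERATIONS, VERACRYPT_ITERATIONS)
    print(f"slowdown per guess: {factor:.0f}x")
```

The same slowdown applies to every legitimate mount, which is why a higher iteration count shows up as a longer delay after entering the password.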

Unfortunately (or fortunately, depending on how you look at it), VeraCrypt and TrueCrypt volumes are incompatible.  This means that if you are using volume-level encryption you will have to create a new VeraCrypt volume, mount your TrueCrypt volume, and drag files into the new one.  If you are using full-disk encryption (which you should be) this will mean fully decrypting your machine and re-encrypting with VeraCrypt.  The period while the machine is decrypted would also be an ideal time for a clean install.

11/23/2015:  Shortly after this post was published this Ars Technica article was published indicating TrueCrypt is still safer than we thought.  This is good news, but the clock is still ticking on the aging encryption application.

VeraCrypt URL and Checksums:

URL: http://sourceforge.net/projects/veracrypt/files/VeraCrypt%201.16/VeraCrypt_1.16_Bundle.7z/download

SHA256: E885951442D91EF237EC6C4F4622C12D8AB7D377CC5DDFBE2181360072C429F1

SHA512: 80EA23F2D70786A0BC3E1ECEDE12A6644FF4507F0AE0C436E4E5367854F38C16020CE62C083B07C844CAA82117BBCE30029AF986DB41E8A7CD1693A104CAA440
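One way to check a downloaded bundle against the two checksums above, as an added example that is not part of the original post. The script name and the command-line argument are assumptions; the expected values are the ones published in the post.

```python
import hashlib
import hmac
import sys

# Checksums published in the post for VeraCrypt_1.16_Bundle.7z
EXPECTED = {
    "sha256": "E885951442D91EF237EC6C4F4622C12D8AB7D377CC5DDFBE2181360072C429F1",
    "sha512": "80EA23F2D70786A0BC3E1ECEDE12A6644FF4507F0AE0C436E4E5367854F38C16020CE62C083B07C844CAA82117BBCE30029AF986DB41E8A7CD1693A104CAA440",
}


def file_digest(path: str, algorithm: str) -> str:
    """Hash a file in 1 MiB chunks so large installers never sit fully in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, expected: dict) -> dict:
    """Return {algorithm: True/False}; published hex is compared case-insensitively."""
    results = {}
    for algorithm, published in expected.items():
        actual = file_digest(path, algorithm)
        results[algorithm] = hmac.compare_digest(actual, published.strip().lower())
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_download.py <path-to-downloaded-file>")
    outcome = verify_download(sys.argv[1], EXPECTED)
    for algorithm, ok in outcome.items():
        print(f"{algorithm}: {'match' if ok else 'MISMATCH'}")
    # Non-zero exit on any mismatch so the check can gate an install script.
    sys.exit(0 if all(outcome.values()) else 1)
```

A match shows only that the file is identical to the one hashed for this post; it says nothing about files from other releases, and both algorithms must match before the installer is run.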