Possibly Cracked TrueCrypt Account At The Center Of Stolen Military Documents Case
from the Federal-Backdoor-Installation dept
A little over a month ago, we covered a FOIA response (if you could call it that…) from the FBI concerning TrueCrypt, in which it withheld all 69 pages of responsive documents. In addition to the ridiculousness of much of the withheld information being easily-accessible online, there was the question about what this denial meant for TrueCrypt.
When the FBI withholds documents, it often does so because the subject of the FOIA involves an ongoing investigation. In this case, the FBI cited an FOIA exemption related to “trade secrets and commercial information,” which none of this was. So, why all the secrecy? Perhaps it was just the agency’s default mode taking over. Or maybe it had something to do with TrueCrypt’s sudden decision to halt development and declare the software “insecure.” Had the FBI managed to “break” TrueCrypt or was its lack of a response to this request a signal that it was talking to the people behind it?
What is certain is that the FBI has been able to gain access to a TrueCrypt user’s account.
Scott Glenn, a 35-year-old Harris Corp. employee working at a US military base in Honduras, apparently made off with documents considered to be “military secrets.”
In January, he admitted he hacked into the base commander’s classified email account and copied thousands of messages and more than 350 attached documents, much of which dealt with U.S. military plans and information regarding the Middle East.
The judge who sentenced Glenn to 10 years in prison asserted Glenn grabbed these documents out of a desire to “damage” the “security” of the United States. His lawyer had argued that Glenn was nothing more than a “technological hoarder” — someone who collects this sort of stuff just to be collecting it. He pointed to Glenn’s retention of a secretary’s hard drive that had no discernible value to anyone as evidence of Glenn’s “hoarding” habit. He also pointed out Glenn never tried to distribute the documents or attempted to use them for financial gain.
Glenn, however, has both a troubled legal past and a hazy legal future. He has previously been expelled from a military base for committing benefits fraud and hacking into US databases for Iraqi businesses. He’s also being investigated for “sexually exploiting” Honduran minors.
But the nexus point for this stash of military documents was TrueCrypt.
Glenn read up on the art of espionage and used an elaborate encryption system, TrueCrypt, with a decoy computer drive to distract investigators from another hidden drive that he protected with a complex 30-character password, army counterintelligence expert Gerald Parsons testified.
The FBI’s counterintelligence squad in South Florida was able to crack Glenn’s code, Parsons said.
Parsons said he didn’t know how the FBI agents did it but he estimated it would have taken “billions” of years to crack the code using traditional methods.
This should be a bit concerning for TrueCrypt users. Either Glenn’s password was cracked (rather than TrueCrypt’s encryption) or the questions raised about the predictability of the random-number generator behind the encryption method have some validity. Because “traditional methods” would still be underway — at least according to the expert presented by the prosecutors — something else had to give. The most likely explanation is that Glenn gave up his password or had it trapped by a keylogger or other government surveillance software. The FBI has tried to crack TrueCrypt’s encryption before and had no luck.
With many documents related to the case still sealed, it’s unclear what the government’s expert meant by “cracked.” It likely means TrueCrypt is as secure as it has been, but its appearance in a case centering on a decrypted hard drive doesn’t exactly encourage the throwing of caution to the wind.
Filed Under: encryption, fbi, investigation, scott glenn, truecrypt
Comments on “Possibly Cracked TrueCrypt Account At The Center Of Stolen Military Documents Case”
Is account really the right word here? Maybe you mean ‘volume’?
Save the hyperbole, Techdirt already covered this type of situation before.
Given the audit trails they have now post-Snowden, it’s very likely the government knew exactly what Glenn took.
How is “possibly cracked” a hyperbolic statement? I don’t think you know what the word means.
Re: Re: Re:
Or he does know what “possibly cracked” means, but the reporter taking the quote doesn’t, and neither does the lawyer the reporter was interviewing.
This story was probably abstracted and dumbed down 7 or 8 times before it got to the reporter, and that assumes the reporter wasn’t outright lied to.
The internal conversations would have gone something like:
The only conclusions you can safely draw from this article are a) they caught someone and b) he had information in a truecrypt volume that the FBI was able to access.
That all depends on how many keys have to be tried to break the encryption, and a complex key may be guessable from someone’s tastes in literature, music etc. or even because it is written down under the screen.
Also the time to crack by trying all keys is an average time, between getting it right with the first try, or only getting it when it is the only possible key remaining.
Not sure about this...
Okay, look: I’m pretty sure AES256 itself is as uncrackable as ever, while TrueCrypt may or may not have some fatal vulnerability signaled by the (unknown) developer’s almost-warrant-canary recommendation to move on to something else (even though the independent code review of TrueCrypt found no obvious weaknesses).
That said, there might be any number of factors facilitating access to the encrypted content here, including but not limited to some sort of plea bargain or the fact that the guy tried to get a (stupidly left mounted) remote drive pulled off-line through a phone call once in custody.
By all means, stop using TrueCrypt if you think it’s somehow compromised, but there’s no reason to herald the end of encrypted drives altogether – if anything, this is but a reminder that real security is hard, and not something you can just deploy and forget…
Or they had already installed malware, e.g., a keylogger, into his computer.
Or he wrote it down on a sticky-note. People are stupid sometimes.
We have a winner!
Occam’s razor says hardware key logger. A black bag job takes ten minutes, tops.
Re: Re: Re:
Yeah, that’s where my money would be too.
It’s not worthwhile to break the crypto. It’s far more efficient to just work around it.
Highly unlikely but plausible, they could have tried bruteforcing and just got lucky after a few attempts lol
that would be crazy if true
As long as my wife can’t crack TrueCrypt, I’m fine. And she can’t even get into her own LastPass account…
The person at the keyboard is always going to be the weakest part of any encryption. That’s where my money would be on how they accessed his truecrypt volume.
I would suspect the NSA may have gotten involved if they were worried about classified documents.
I’m sure the NSA has some crazy systems that can probably crack an encryption key for many encryption standards if they really wanted to. The problem is it would still be very expensive (since it would take a large computer system) and they would only be able to use it on the highest priority keys. Remember breaking one key is not breaking all encryption, it’s just that one key. So even if the NSA had a computer that could break an AES256 KEY in weeks, days, hours, once they have that one key it won’t give them any more than that one file/account/hdd that they cracked the key for. I’m sure they have much more important things to crack (at least they think they do) than just any criminal’s information the FBI brings them, especially as forward security becomes more prevalent. However I could see them jumping in when there are classified documents involved.
That said though I would think it is more likely the FBI somehow got his password. The NSA would really not like it to be proven if they have such a capability so they would only use it when they felt it was national security critical. I have no idea if the Glenn files would be seen as that important.
If the hidden volume was still mounted, it’s possible the password was still in memory. In that case, they could read the password from memory and later use it to decrypt a cloned image.
Re: Re: > "If the hidden volume was still mounted"
It appears that may well have been the case. ElReg has a slightly less confused (TrueCrypt account, lol) take on the story, which mentions:
While detained ahead of his trial, Glenn made a phone call to his mother in which he asked her to relay a request to tell his housemate in Honduras “to disconnect the black box with the blinking lights on top of the batteries.”
The prosecution states that this “black box” was the Synology storage device containing the TrueCrypt compartment with the stolen documents. It also alleges that “the reason [he] tried to send a message to [the housemate] to disconnect the black box is because he wanted to prevent law enforcement from discovering what the Synology contained.”
That sounds to me like he tried and failed to dismount it. See http://www.theregister.co.uk/2015/08/04/truecrypt_decrypted_by_fbi/ for details.
Re: Re: Re: > "If the hidden volume was still mounted"
In other words he had an uncrackable safe, but keeping it locked and unlocking it when he needed access was too much trouble, so he left it unlocked all the time.
They hacked his computer immediately after he was flagged dl’ing the docs. They use Windows Update, among other methods, to deploy RATs.
People talk about Truecrypt and its alleged vulnerability but I have yet to see alternatives that are being adopted that are safe, reliable and open sourced. I’ve seen a fork of Truecrypt called Veracrypt but I have yet to confirm whether it’s safe in all means of the word. Any other alternatives out there?
“Any other alternatives out there?”
That you can trust on the say-so of a random stranger you met on the internet? Well, I guess it depends on your use case.
Truecrypt was one of the few projects out there that was generally considered sufficiently trustworthy for non-coders and non-crypto geeks to feel comfortable using for storing information that could get them jailed or killed.
Using a single letter posted online to destroy trust in TrueCrypt was truly a master stroke. 🙁
Re: Re: Re:
That’s why I ask on public platforms. You get tips on possible alternatives then after getting to know said alternative by name you can go for deeper research, check adoption rates etc. I’m watching this Veracrypt closely.
I find it unlikely the volume was cracked open. More likely he just gave up the password or had it scraped by a keylogger. Anyone that serious about locking a volume will use keyfiles anyway.
Slight problem with keyfiles: they cannot be on the locked volume, and need their own encryption key if they are to be protected. Just how do you protect the master key without remembering it, writing it down somewhere, or writing down a hint you hope other people do not get?
30 character passwords are difficult to remember. He more than likely had bad opsec and had the password stored somewhere.
Also TrueCrypt allows cascaded encryption. And choice of hash algorithm. Plus it allows use of keyfiles along with the password.