Possibly Cracked TrueCrypt Account At The Center Of Stolen Military Documents Case

from the Federal-Backdoor-Installation dept

A little over a month ago, we covered a FOIA response (if you could call it that...) from the FBI concerning TrueCrypt, in which it withheld all 69 pages of responsive documents. In addition to the ridiculousness of much of the withheld information being easily-accessible online, there was the question about what this denial meant for TrueCrypt.

When the FBI withholds documents, it often does so because the subject of the FOIA involves an ongoing investigation. In this case, the FBI cited a FOIA exemption related to "trade secrets and commercial information," which none of this was. So, why all the secrecy? Perhaps it was just the agency's default mode taking over. Or maybe it had something to do with TrueCrypt's sudden decision to halt development and declare the software "insecure." Had the FBI managed to "break" TrueCrypt, or was its lack of a response to this request a signal that it was talking to the people behind it?

What is certain is that the FBI has been able to gain access to a TrueCrypt user's account.

Scott Glenn, a 35-year-old Harris Corp. employee working at a US military base in Honduras, apparently made off with documents considered to be "military secrets."

In January, he admitted he hacked into the base commander's classified email account and copied thousands of messages and more than 350 attached documents, much of which dealt with U.S. military plans and information regarding the Middle East.
The judge who sentenced Glenn to 10 years in prison asserted Glenn grabbed these documents out of a desire to "damage" the "security" of the United States. His lawyer had argued that Glenn was nothing more than a "technological hoarder" -- someone who collects this sort of stuff just to be collecting it. He pointed to Glenn's retention of a secretary's hard drive that had no discernible value to anyone as evidence of Glenn's "hoarding" habit. He also pointed out Glenn never tried to distribute the documents or attempted to use them for financial gain.

Glenn, however, has both a troubled legal past and a hazy legal future. He has previously been expelled from a military base for committing benefits fraud and hacking into US databases for Iraqi businesses. He's also being investigated for "sexually exploiting" Honduran minors.

But the nexus point for this stash of military documents was TrueCrypt.
Glenn read up on the art of espionage and used an elaborate encryption system, TrueCrypt, with a decoy computer drive to distract investigators from another hidden drive that he protected with a complex 30-character password, army counterintelligence expert Gerald Parsons testified.

The FBI's counterintelligence squad in South Florida was able to crack Glenn's code, Parsons said.

Parsons said he didn't know how the FBI agents did it but he estimated it would have taken "billions" of years to crack the code using traditional methods.
This should be a bit concerning for TrueCrypt users. Either Glenn's password was cracked (rather than TrueCrypt's encryption) or the questions raised about the predictability of the random-number generator behind the encryption method have some validity. Because "traditional methods" would still be underway -- at least according to the expert presented by the prosecutors -- something else had to give. The most likely explanation is that Glenn gave up his password or had it trapped by a keylogger or other government surveillance software. The FBI has tried to crack TrueCrypt's encryption before and had no luck.

With many documents related to the case still sealed, it's unclear what the government's expert meant by "cracked." It likely means TrueCrypt is as secure as it has been, but its appearance in a case centering on a decrypted hard drive doesn't exactly encourage the throwing of caution to the wind.
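To put the expert's "billions of years" figure and the 30-character password into perspective, here is an added example (my own code, not from the article, TrueCrypt or any court filing) that models that password under several constructed assumptions and estimates brute-force search time against a PBKDF2-protected volume header. The password models, the 1e9 HMAC/s throughput and the iteration counts labelled TrueCrypt and VeraCrypt are all assumptions, not values from the article.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed models of a 30-character password, as in the testimony:
# (number of symbols, alphabet size). The last one is a passphrase of six
# words (~5 letters each) drawn from a 10,000-word list.
MODELS = {
    "30 random printable ASCII": (30, 95),
    "30 random lowercase letters": (30, 26),
    "6 words from a 10k-word list": (6, 10_000),
}

# Assumed PBKDF2 iteration counts for deriving the volume-header key; these
# are my assumptions for illustration, not values taken from the article.
ITERATIONS = {"TrueCrypt (assumed)": 1000, "VeraCrypt (assumed)": 500_000}

def keyspace(length: int, alphabet_size: int) -> int:
    """Distinct passwords of exactly `length` symbols from `alphabet_size` choices."""
    return alphabet_size ** length

def entropy_bits(space: int) -> float:
    """Equivalent key strength in bits for a uniformly chosen password."""
    return math.log2(space)

def guesses_per_second(raw_hmac_rate: float, iterations: int) -> float:
    """One password guess costs `iterations` HMAC evaluations of the KDF."""
    return raw_hmac_rate / iterations

def years_to_crack(space: int, rate: float, average: bool = True) -> float:
    """Search time in years: expected (half the keyspace) or worst case (all of it)."""
    guesses = space / 2 if average else space
    return guesses / rate / SECONDS_PER_YEAR

def report(raw_hmac_rate: float = 1e9) -> dict:
    """Expected years to crack each model under each KDF at an assumed HMAC throughput."""
    out = {}
    for model, (length, alphabet) in MODELS.items():
        for kdf, iters in ITERATIONS.items():
            rate = guesses_per_second(raw_hmac_rate, iters)
            out[(model, kdf)] = years_to_crack(keyspace(length, alphabet), rate)
    return out

if __name__ == "__main__":
    for (model, kdf), years in report().items():
        print(f"{model:30s} {kdf:22s} {years:.3g} years")
```

Even the weakest model here, a six-word passphrase against the low assumed iteration count, comes out at billions of years, which is why an actual cracked password points at capture or disclosure of the password rather than at exhaustive search.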


Reader Comments



  • Anonymous Coward, 6 Aug 2015 @ 2:54pm

    Is account really the right word here? Maybe you mean 'volume'?


  • Anonymous Coward, 6 Aug 2015 @ 2:59pm

    >Possibly cracked
    Save the hyperbole, Techdirt already covered this type of situation before.

    https://www.techdirt.com/articles/20140626/06532327686/massachusetts-ignores-5th-amendment-says-defendant-can-be-forced-to-decrypt-his-computer.shtml

    Given the audit trails they have now post-Snowden, it's very likely the government knew exactly what Glenn took.


    • Rich, 7 Aug 2015 @ 5:40am

      Re:

      How is "possibly cracked" a hyperbolic statement? I don't think you know what the word means.


      • sigalrm (profile), 7 Aug 2015 @ 8:28am

        Re: Re:

        or he does know what "possibly cracked" means, but the reporter taking the quote doesn't, and neither does the lawyer the reporter was interviewing.

        This story was probably abstracted and dumbed down 7 or 8 times _before_ it got to the reporter, and that assumes the reporter wasn't outright lied to.

        The internal conversations would have gone something like:


        Tech guy: "Yeah, boss, as you'll see on page 273 of my report, we used a keylogger and screenscraper to get his.."

        Boss: "Um, what? a keyscraper? what's that? Wait, you mean you scraped stuff off his keyboard? So that means we used Bio...statistics? Or DNA?"

        Tech guy: "No, no...Listen. So, um, yeah, we cracked his password"

        Boss: "Ok, so we've cracked truecrypt. Awesome. I'll tell my bosses."

        Tech guy: "um, yeah. whatever makes you happy."


        The only conclusions you can safely draw from this article are a) they caught someone and b) he had information in a truecrypt volume that the FBI was able to access.


  • Anonymous Coward, 6 Aug 2015 @ 3:04pm

    > Parsons said he didn't know how the FBI agents did it but he estimated it would have taken "billions" of years to crack the code using traditional methods.

    That all depends on how many keys have to be tried to break the encryption, and a complex key may be guessable from someone's tastes in literature, music etc. or even because it is written down under the screen.
    Also the time to crack by trying all keys is an average time, between getting it right with the first try, or only getting it when it is the only possible key remaining.


  • Max (profile), 6 Aug 2015 @ 3:08pm

    Not sure about this...

    Okay, look: I'm pretty sure AES256 itself is as uncrackable as ever, while TrueCrypt may or may not have some fatal vulnerability signaled by the (unknown) developer's almost-warrant-canary recommendation to move on to something else (even though the independent code review of TrueCrypt found no obvious weaknesses).

    That said, there might be any number of factors facilitating access to the encrypted content here, including but not limited to some sort of plea bargain or the fact that the guy tried to get a (stupidly left mounted) remote drive pulled off-line through a phone call once in custody.

    By all means, stop using TrueCrypt if you think it's somehow compromised, but there's no reason to herald the end of encrypted drives altogether - if anything, this is but a reminder that real security is hard, and not something you can just deploy and forget...


  • Anonymous Coward, 6 Aug 2015 @ 3:14pm

    Or they had already installed malware, e.g. a keylogger, into his computer.


  • Anonymous Coward, 6 Aug 2015 @ 3:47pm

    Highly unlikely but plausible, they could have tried bruteforcing and just got lucky after a few attempts lol

    that would be crazy if true


  • AnonCow, 6 Aug 2015 @ 3:50pm

    As long as my wife can't crack TrueCrypt, I'm fine. And she can't even get into her own LastPass account...


  • Anonymous Coward, 6 Aug 2015 @ 4:05pm

    The person at the keyboard is always going to be the weakest part of any encryption. That's where my money would be on how they accessed his truecrypt volume.


  • Anonymous Coward, 6 Aug 2015 @ 4:39pm

    I would suspect the NSA may have gotten involved if they were worried about classified documents.

    I'm sure the NSA has some crazy systems that can probably crack an encryption key for many encryption standards if they really wanted to. The problem is it would still be very expensive (since it would take a large computer system) and they would only be able to use it on the highest priority keys. Remember breaking one key is not breaking all encryption, it's just that one key. So even if the NSA had a computer that could break an AES256 KEY in weeks, days, hours, once they have that one key it won't give them any more than that one file/account/hdd that they cracked the key for. I'm sure they have much more important things to crack (at least they think they do) than just any criminal's information the FBI brings them, especially as forward security becomes more prevalent. However I could see them jumping in when there are classified documents involved.

    That said though I would think it is more likely the FBI somehow got his password. The NSA would really not like it to be proven if they have such a capability so they would only use it when they felt it was national security critical. I have no idea if the Glenn files would be seen as that important.


    • Anonymous Coward, 6 Aug 2015 @ 5:21pm

      Re:

      If the hidden volume was still mounted, it's possible the password was still in memory. In that case, they could read the password from memory and later use it to decrypt a cloned image.


      • DaveK (profile), 8 Aug 2015 @ 5:41am

        > "If the hidden volume was still mounted"

        It appears that may well have been the case. ElReg has a slightly less confused (TrueCrypt account, lol) take on the story, which mentions:

        > While detained ahead of his trial, Glenn made a phone call to his mother in which he asked her to relay a request to tell his housemate in Honduras "to disconnect the black box with the blinking lights on top of the batteries."
        >
        > The prosecution states that this "black box" was the Synology storage device containing the TrueCrypt compartment with the stolen documents. It also alleges that "the reason [he] tried to send a message to [the housemate] to disconnect the black box is because he wanted to prevent law enforcement from discovering what the Synology contained."


        That sounds to me like he tried and failed to dismount it. See http://www.theregister.co.uk/2015/08/04/truecrypt_decrypted_by_fbi/ for details.


        • Anonymous Coward, 9 Aug 2015 @ 1:43pm

          Re: > "If the hidden volume was still mounted"

          In other words he had an uncrackable safe, but keeping it locked and unlocking it when he needed access was too much trouble, so he left it unlocked all the time.


    • Anonymous Coward, 18 Aug 2015 @ 10:08pm

      Re:

      They hacked his computer immediately after he was flagged dl'ing the docs. They use Windows Update, among other methods, to deploy RATs.


  • Ninja (profile), 7 Aug 2015 @ 4:13am

    People talk about Truecrypt and its alleged vulnerability but I have yet to see alternatives that are being adopted that are safe, reliable and open sourced. I've seen a fork of Truecrypt called Veracrypt but I have yet to confirm whether it's safe in all means of the word. Any other alternatives out there?


    • sigalrm (profile), 7 Aug 2015 @ 8:37am

      Re:

      "Any other alternatives out there?"

      That you can trust on the say-so of a random stranger you met on the internet? Well, I guess it depends on your use case.

      Truecrypt was one of the few projects out there that was generally considered sufficiently trustworthy for non-coders and non-crypto geeks to feel comfortable using for storing information that could get them jailed or killed.

      Using a single letter posted online to destroy trust in TrueCrypt was truly a master stroke. :(


      • Ninja (profile), 10 Aug 2015 @ 3:40am

        Re: Re:

        That's why I ask on public platforms. You get tips on possible alternatives then after getting to know said alternative by name you can go for deeper research, check adoption rates etc. I'm watching this Veracrypt closely.


  • cc71, 7 Aug 2015 @ 6:19am

    I find it unlikely the volume was cracked open. More likely he just gave up the password or had it scraped by a keylogger. Anyone that serious about locking a volume will use keyfiles anyway.


    • Anonymous Coward, 7 Aug 2015 @ 6:39am

      Re:

      Slight problem with keyfiles: they cannot be on the locked volume, and need their own encryption key if they are to be protected. Just how do you protect the master key, without remembering it, writing it down somewhere, or writing down a hint you hope other people do not get?


  • toyotabedzrock (profile), 7 Aug 2015 @ 4:17pm

    30 character passwords are difficult to remember. He more than likely had bad opsec and had the password stored somewhere.

    Also TrueCrypt allows cascaded encryption. And choice of hash algorithm. Plus it allows use of keyfiles along with the password.


