security – Tales from the bits
http://talesfromthebits.com
This is a blog about technology, computer science, software engineering and personal notes from these fields

Microsoft will patch 9 vulnerabilities on Tuesday
http://talesfromthebits.com/2012/07/microsoft-will-patch-9-vulnerabilities-on-tuesday.html
Fri, 06 Jul 2012 13:42:58 +0000

Microsoft announced that it will release a security update covering 3 critical and 6 important security vulnerabilities on Tuesday July 11th.

One of the critical vulnerabilities involves Internet Explorer 9.

Microsoft customers will have the opportunity to ask questions about the security bulletins in a webcast that will be held by Microsoft on July 11, 2012, at 11:00 AM Pacific Time (US & Canada).

As always, you should install the security updates as soon as they are available.

VOIP and P2P privacy flaws
http://talesfromthebits.com/2011/10/voip-and-p2p-privacy-flaws.html
Sun, 30 Oct 2011 16:16:34 +0000

Skype and other Internet-based phone systems have flaws that could potentially disclose the identities, locations and even digital files of the hundreds of millions of users of these systems.

The research was conducted by Chao Zhang and Keith Ross of NYU-Poly; Stevens Le Blond of the Max Planck Institute for Software Systems (MPI-SWS), Germany; and Arnaud Legout and Walid Dabbous of the French research institute I.N.R.I.A Sophia Antipolis.

It is important to mention that blocking callers or connecting from behind Network Address Translation (NAT) does not prevent the privacy risk.

By using commercial geo-location mapping services, the researchers found that they could construct a detailed account of a user’s daily activities even if the user had not turned on Skype for 72 hours. In one example, they accurately tracked one volunteer researcher from his visit at a New York university to a vacation in Chicago, a return to a New York university, lodging in Brooklyn, then to his home in France. “If we had followed the mobility of the Facebook friends of this user as well, we likely would have determined who he was visiting and when,” the authors said.

How do we value our privacy?

The researchers have informed Skype and Microsoft of these vulnerabilities.

Quantum Cryptography Breached With Lasers
http://talesfromthebits.com/2010/09/quantum-cryptography-breached-with-lasers.html
Sat, 18 Sep 2010 08:06:09 +0000

InformationWeek

Up until recently, quantum cryptography was thought to be a secure way to transmit cryptographic keys. Any attempt to eavesdrop on the transmission could be easily detected (based on the Heisenberg uncertainty principle). This was proved wrong by the team of researchers from the Norwegian University of Science and Technology (NTNU), the University of Erlangen-Nürnberg and the Max Planck Institute for the Science of Light in Erlangen. The team developed a quantum eavesdropping technique that remotely controls the photon detector. The researchers wrote that someone “can attack the systems with off-the-shelf components, obtaining a perfect copy of the raw key without leaving any trace of her presence.”

Vadim Makarov, one of the researchers, said, “The security loophole we have exposed is intrinsic to a whole class of single-photon detectors, regardless of their manufacturer and model.”

BitLocker or TrueCrypt?
http://talesfromthebits.com/2010/01/bitlocker-or-truecrypt.html
Sun, 10 Jan 2010 14:40:25 +0000

(Last updated May 31, 2014)

Latest update: TrueCrypt has shut down. The SourceForge page tells TrueCrypt users to migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on their platform.

BitLocker and TrueCrypt are data encryption software packages. The question is which one to use and why. BitLocker comes with Windows 7 Ultimate edition. It is also available in Windows 8.1 Pro, Windows 8.1 Enterprise editions and Windows Server 2012 R2. TrueCrypt is free open source software. As of this last update, TrueCrypt does not support Windows 8. You can find the supported operating systems here.

Michael Pietroforte at 4SYSOPS has two very interesting articles. In the first article he compares TrueCrypt 5 vs. BitLocker. There are no significant speed differences between the two programs. The second article is a discussion about Windows 7 BitLocker. The good news is that using BitLocker is much easier with Windows 7 than with Windows Vista.

With BitLocker, if your computer does not have a Trusted Platform Module chip, the startup key is stored on a USB stick. TrueCrypt, on the other hand, only requires you to memorize a pass phrase.

Which one to use?

BitLocker:

  • Can be used in a whole Windows environment
  • Allows storage of startup key in USB stick
  • Allows IT Administrators to enforce Group policy

TrueCrypt:

  • Can be used with many operating systems including Microsoft and Linux
  • It is free and open source.
  • It does not require storing a startup key on any device. You must remember the pass phrase. Of course, you can store your pass phrase on any storage media at your own risk.

From the above discussion, I believe that for large corporations the preferred solution would be BitLocker. For smaller businesses or for your personal computer or laptop TrueCrypt offers a really great solution.

From the security perspective, there is the ‘Evil Maid’ attack, which can be used against TrueCrypt to acquire the pass phrase. BitLocker uses trusted boot, which can be attacked too. So, what is the ‘Evil Maid’ attack? In a nutshell, the attack is as follows:

  • You leave your laptop in your hotel room and go for breakfast.
  • An evil maid (enemy) enters your room and changes the boot-loader.
  • The next time you use your computer and enter your key, it is transmitted to the eavesdropper.

The attack, along with the software, is explained by Joanna Rutkowska. There is also a very interesting discussion about the ‘Evil Maid’ attack on Bruce Schneier’s blog.

As a conclusion, both BitLocker and TrueCrypt are excellent programs that can encrypt data. Now that you know the pros and cons of the programs and also the attack methods I hope it is easier to select the appropriate one for your needs.

My personal preference is TrueCrypt for the simple reason that it is open source. Being open source makes it very difficult to add a backdoor. The code is visible, anyone can spot it. This might not be the same with commercial products.

(Update April 2014) US consultancy iSEC completed in April 2014 a detailed two-person code audit of the software, seeking security holes. The audit turned up a dozen bugs in the TrueCrypt code, but no signs of backdoors or other critical security holes. You can access the full report in PDF format here.

Insecure US drones are hacked with the 26$ SkyGrabber software
http://talesfromthebits.com/2009/12/insecure-us-drones-are-hacked-with-the-26-skygrabber-software.html
Fri, 18 Dec 2009 12:56:00 +0000

Wall Street Journal: Iraq militants used SkyGrabber, a 26$ software, to intercept live video feeds from U.S. Predator drones. U.S. military personnel in Iraq discovered the problem when they found a laptop of a Shiite militant which contained files of intercepted drone video feeds.

The capture of the feed was possible because the downlink between the unmanned craft and ground control is unencrypted. The solution is to add encryption to the system. The problems of adding encryption include a price increase on the drones and interoperability problems when sharing time-sensitive data within the U.S. military and with allies.

My comment is that this is a good security lesson to those that believe that unprotected data will be difficult to be discovered or that it is difficult to steal sensitive data which is transmitted without encryption.

Details of major DNS flaw
http://talesfromthebits.com/2008/07/details-of-major-dns-flow.html
Thu, 24 Jul 2008 09:53:00 +0000

On July 21, Zynamics.com CEO Thomas Dullien (aka Halvar Flake) made a guess about the bug, admitting that he knew very little about DNS, but his findings were quickly confirmed by Matasano Security, a vendor that had been briefed on the issue. [2] According to Matasano Security, which briefly published the details of the security hole in its blog, an attacker with a fast internet connection would only need 10 seconds to carry out such an attack. The blog entry has since been removed, even from the Google cache. [1]

“The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat,” Matasano said in a blog posting that was removed within five minutes. You can find the original post here.

An attacker could use a fast Internet connection to launch what is known as a DNS cache poisoning attack against a Domain Name server and succeed, for example, in redirecting traffic to malicious Web sites within about 10 seconds. [2]

References
[1] http://www.heise.de/english/newsticker/news/113228
[2] Robert McMillan, 2008, Details of major Internet flaw posted by accident Available at: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=spam__malware_and_vulnerabilities&articleId=9110418&taxonomyId=85
