Possibly Cracked TrueCrypt Account At The Center Of Stolen Military Documents Case
from the Federal-Backdoor-Installation dept
A little over a month ago, we covered a FOIA response (if you could call it that...) from the FBI concerning TrueCrypt, in which it withheld all 69 pages of responsive documents. In addition to the ridiculousness of much of the withheld information being easily-accessible online, there was the question about what this denial meant for TrueCrypt.
When the FBI withholds documents, it often does so because the subject of the FOIA involves an ongoing investigation. In this case, the FBI cited a FOIA exemption related to "trade secrets and commercial information," which none of this was. So, why all the secrecy? Perhaps it was just the agency's default mode taking over. Or maybe it had something to do with TrueCrypt's sudden decision to halt development and declare the software "insecure." Had the FBI managed to "break" TrueCrypt, or was its lack of a response to this request a signal that it was talking to the people behind it?
What is certain is that the FBI has been able to gain access to a TrueCrypt user's account.
Scott Glenn, a 35-year-old Harris Corp. employee working at a US military base in Honduras, apparently made off with documents considered to be "military secrets." The judge who sentenced Glenn to 10 years in prison asserted Glenn grabbed these documents out of a desire to "damage" the "security" of the United States. His lawyer had argued that Glenn was nothing more than a "technological hoarder" -- someone who collects this sort of stuff just to be collecting it. He pointed to Glenn's retention of a secretary's hard drive that had no discernible value to anyone as evidence of Glenn's "hoarding" habit. He also pointed out Glenn never tried to distribute the documents or attempted to use them for financial gain.
In January, he admitted he hacked into the base commander's classified email account and copied thousands of messages and more than 350 attached documents, much of which dealt with U.S. military plans and information regarding the Middle East.
Glenn, however, has both a troubled legal past and a hazy legal future. He has previously been expelled from a military base for committing benefits fraud and hacking into US databases for Iraqi businesses. He's also being investigated for "sexually exploiting" Honduran minors.
But the nexus point for this stash of military documents was TrueCrypt.
Glenn read up on the art of espionage and used an elaborate encryption system, TrueCrypt, with a decoy computer drive to distract investigators from another hidden drive that he protected with a complex 30-character password, army counterintelligence expert Gerald Parsons testified.
This should be a bit concerning for TrueCrypt users. Either Glenn's password was cracked (rather than TrueCrypt's encryption) or the questions raised about the predictability of the random-number generator behind the encryption method have some validity. Because "traditional methods" would still be underway -- at least according to the expert presented by the prosecutors -- something else had to give. The most likely explanation is that Glenn gave up his password or had it trapped by a keylogger or other government surveillance software. The FBI has tried to crack TrueCrypt's encryption before and had no luck.
The FBI's counterintelligence squad in South Florida was able to crack Glenn's code, Parsons said.
Parsons said he didn't know how the FBI agents did it but he estimated it would have taken "billions" of years to crack the code using traditional methods.
With many documents related to the case still sealed, it's unclear what the government's expert meant by "cracked." It likely means TrueCrypt is as secure as it has been, but its appearance in a case centering on a decrypted hard drive doesn't exactly encourage the throwing of caution to the wind.
Filed Under: encryption, fbi, investigation, scott glenn, truecrypt
Reader Comments
Save the hyperbole, Techdirt already covered this type of situation before.
https://www.techdirt.com/articles/20140626/06532327686/massachusetts-ignores-5th-amendment-says-defendant-can-be-forced-to-decrypt-his-computer.shtml
Given the audit trails they have now post-snowden, it's very likely the government knew exactly what Glenn took.
Re: Re:
This story was probably abstracted and dumbed down 7 or 8 times _before_ it got to the reporter, and that assumes the reporter wasn't outright lied to.
The internal conversations would have gone something like:
The only conclusions you can safely draw from this article is a) they caught someone and b) he had information in a truecrypt volume that the FBI was able to access.
That all depends on how many keys have to be tried to break the encryption, and a complex key may be guessable from someone's tastes in literature, music etc. or even because it is written down under the screen.
Also the time to crack by trying all keys is an average time, between getting it right with the first try, or only getting it when it is the only possible key remaining.
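The 30-character password and the "billions of years" estimate in the article, together with this comment's point that brute-force time is an average, as an added example (not from the article or any commenter): it estimates the average-case cost of an exhaustive passphrase search under an assumed cracking throughput and an assumed KDF iteration count, which is the arithmetic behind treating key capture (a keylogger, a volume left mounted) rather than guessing as the realistic threat.

```python
import math
from string import ascii_lowercase, ascii_uppercase, digits, punctuation

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed attacker budget (constructed figures, not from the article): raw hash
# throughput of a cracking rig and the KDF iteration count a volume header uses.
ASSUMED_HASHES_PER_SECOND = 1e12
ASSUMED_KDF_ITERATIONS = 1000


def alphabet_size(password: str) -> int:
    """Size of the union of standard character classes the password draws from."""
    classes = [(ascii_lowercase, 26), (ascii_uppercase, 26),
               (digits, 10), (punctuation, len(punctuation))]
    size = sum(n for chars, n in classes if any(c in chars for c in password))
    return max(size, 1)


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search over that alphabet must consider."""
    return alphabet_size(password) ** len(password)


def expected_guesses(password: str) -> float:
    """Average-case work: the correct guess turns up halfway through the keyspace."""
    return keyspace(password) / 2


def years_to_crack(password: str,
                   hashes_per_second: float = ASSUMED_HASHES_PER_SECOND,
                   kdf_iterations: int = ASSUMED_KDF_ITERATIONS) -> float:
    """Average years for exhaustive search; each guess costs kdf_iterations hashes."""
    guesses_per_second = hashes_per_second / kdf_iterations
    return expected_guesses(password) / guesses_per_second / SECONDS_PER_YEAR


def bits_of_entropy(password: str) -> float:
    """Entropy of a uniformly random password over the same alphabet and length."""
    return len(password) * math.log2(alphabet_size(password))


if __name__ == "__main__":
    # Constructed sample passphrases: a weak 8-character one and a 30-character one.
    for pw in ("p4ssword", "Tr0ub4dor&3xampleP4ssword!2015"):
        print(f"{len(pw):2d} chars, {bits_of_entropy(pw):6.1f} bits: "
              f"{years_to_crack(pw):.3g} years on average")
```

The estimate assumes the passphrase is drawn uniformly from its character classes; a passphrase built from guessable preferences, as the comment notes, has far less effective entropy than this model credits it with.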
Not sure about this...
That said, there might be any number of factors facilitating access to the encrypted content here, including but not limited to some sort of plea bargain or the fact that the guy tried to get a (stupidly left mounted) remote drive pulled off-line through a phone call once in custody.
By all means, stop using TrueCrypt if you feel it's somehow compromised, but there's no reason to herald the end of encrypted drives altogether - if anything, this is but a reminder that real security is hard, and not something you can just deploy and forget...
Re:
Occam's razor says hardware key logger. A black bag job takes ten minutes, tops.
Re: Re:
It's not worthwhile to break the crypto. It's far more efficient to just work around it.
that would be crazy if true
I'm sure the NSA has some crazy systems that can probably crack an encryption key for many encryption standards if they really wanted to. The problem is it would still be very expensive (since it would take a large computer system) and they would only be able to use it on the highest priority keys. Remember breaking one key is not breaking all encryption, it's just that one key. So even if the NSA had a computer that could break an AES256 key in weeks, days, hours, once they have that one key it won't give them any more than that one file/account/hdd that they cracked the key for. I'm sure they have much more important things to crack (at least they think they do) than just any criminal's information the FBI brings them, especially as forward security becomes more prevalent. However I could see them jumping in when there are classified documents involved.
That said though I would think it is more likely the FBI somehow got his password. The NSA would really not like it to be proven if they have such a capability so they would only use it when they felt it was national security critical. I have no idea if the Glenn files would be seen as that important.
> "If the hidden volume was still mounted"
While detained ahead of his trial, Glenn made a phone call to his mother in which he asked her to relay a request to tell his housemate in Honduras "to disconnect the black box with the blinking lights on top of the batteries."
The prosecution states that this "black box" was the Synology storage device containing the TrueCrypt compartment with the stolen documents. It also alleges that "the reason [he] tried to send a message to [the housemate] to disconnect the black box is because he wanted to prevent law enforcement from discovering what the Synology contained."
That sounds to me like he tried and failed to dismount it. See http://www.theregister.co.uk/2015/08/04/truecrypt_decrypted_by_fbi/ for details.
Re:
That you can trust on the say-so of a random stranger you met on the internet? Well, I guess it depends on your use case.
Truecrypt was one of the few projects out there that was generally considered sufficiently trustworthy for non-coders and non-crypto geeks to feel comfortable using for storing information that could get them jailed or killed.
Using a single letter posted online to destroy trust in TrueCrypt was truly a master stroke. :(
Also TrueCrypt allows cascaded encryption. And choice of hash algorithm. Plus it allows use of keyfiles along with the password.