TrueCrypt 7.0–Install & Encrypt USB Flash Drive

With the arrival of my new Dell Inspiron laptop just before some planned vacation travel I decided to try out disk encryption. My plan was to encrypt a USB drive and add an encrypted container for files on my laptop. Using Windows BitLocker would have required upgrading to a more expensive version of Windows 7 so I went with the free Open Source TrueCrypt. In addition to being Open Source, it’s also cross-platform and runs on Windows, OS X and Linux.


Installation was simple: after downloading the latest version I ran the installation executable and ran through the wizard. There are only 5 screens during the install. They’re shown below, along with the options I used. They’re pretty self-explanatory and don’t affect the operation of TrueCrypt itself, just how you want to access it. Nothing gets encrypted during the installation.

I decided to do the full install, rather than install in “portable mode”. Portable mode is used when the extract option is picked on the first screen. It allows encrypted containers to be created but can’t encrypt the system drive. I do the full install so that I have the option of full drive encryption should I decide to go that route. It’s a 64-bit application and uses less than 8MB for the installation.
[Screenshots: TrueCrypt install screens 1 through 5]

The beginner’s tutorial referred to on the last screen is available on the TrueCrypt website. Starting up TrueCrypt presents the main screen:

[Screenshot: TrueCrypt main screen]

Creating an Encrypted Volume

My USB Flash Drive is already in a USB port (as Drive F:) so I click the “Create Volume” button to start the process of creating an encrypted container on the flash drive. The hidden volume (an encrypted volume within an encrypted volume) is more security than I need, so I’ll create a standard volume. The volume location screen is asking for the name of the encrypted container to be created, and not an existing file to be encrypted.

[Screenshots: Volume Creation Wizard screens 1 through 3]

I pick AES encryption since it benchmarks with the best performance. The benchmarks are based on the current computer and will vary from PC to PC (or even on the same PC run at different times). I took the default AES selection.

[Screenshots: Volume Creation Wizard screens 4 and 5]

I have the USB Flash drive formatted with the FAT file system (which is also the original format) for maximum compatibility across Windows, OS X and Linux. So I’m limited to a maximum container size of 4GB since the container is one file and FAT has a 4GB limit. I also enter a nice long phrase for the encryption password and accept the default FAT file system and cluster size. I spend some time moving the mouse around to generate some nice random keys. Once I click format the volume is quickly created.

[Screenshots: Volume Creation Wizard screens 6 through 9]

The final screen in the Wizard lets me know all is well.

[Screenshot: Volume Creation Wizard screen 10]

TrueCrypt Travel Disk

Since TrueCrypt 7 may not be on every PC I will use the USB flash drive in, I want to create a Traveler install on the flash drive. This is done by selecting Tools –> Traveler Disk Setup from the menu. For the file location I entered F: since that’s my USB flash drive. This does not mean the flash drive must always be mounted as F:, it’s simply where to install the TrueCrypt files. I don’t bother with the autorun options since I dislike any autorun.

[Screenshots: Traveler Disk Setup]

The traveler files occupy less than 4MB on the flash drive and get installed into their own directory (F:\TrueCrypt in my case).

Finally, when I want to mount the encrypted volume on the USB drive I run TrueCrypt.exe, select a drive letter to mount it on, enter the path to the volume file and click mount.


The encrypted files within the volume are now available just like any other drive. Since the file system is FAT, both on the USB stick and within the encrypted volume I can access the files on my Windows or Mac computers. Linux should work too.

Conclusion

TrueCrypt includes several features I’m not using since I want to keep things simple and I’m not concerned about someone making any effort to crack the encryption. But if my USB drive is lost or stolen, it won’t be easy for the thief to get to my files.

Installation was easy and straight-forward while usage is simple. The hardest part is typing in the passphrase. The longer it is, the more secure it is so mine exceeds two dozen characters and considering my lack of typing skills it’s not uncommon to need two tries.

WordPress – The Windows of the Internet

It’s been widely reported that sites running the standalone version of WordPress are under “attack” and vulnerabilities are being exploited to insert malicious code into the site. I couldn’t help but notice similarities to Microsoft Windows.

While WordPress may not have the same market share as Windows it does have greater mindshare than any other single publishing platform. (OK, I don’t have the stats to back that up so maybe I’m wrong.) There’s even a major hosting company that specifically promotes WordPress standalone hosting. So like Windows, which comes pre-installed on nearly 90% of PCs sold, the barrier to entry is rather small. Back when I was getting started 3 years ago I picked WordPress because it was easy to set up and get going.

Like Windows, WordPress is used by a lot of people who couldn’t care less about the inner workings of the system (operating or content management) but just like what they can do with it.

Like Windows, WordPress is easy to install since most hosting companies provide a script that will do the installation. Until Microsoft started turning on the firewall and auto updates by default Windows was a virus magnet. Just a year ago doing any sort of WordPress upgrade was a major effort. The ability to upgrade from within WordPress is less than a year old, introduced in December 2008, and it still must be triggered by the administrator.

There’s been a lot of blaming the user for not upgrading as a result of these attacks. I find that a bit disingenuous. On the one hand WordPress is promoted as a solution for people who want an easy website so they can concentrate on what they want to say. Now people who picked WordPress for that reason are being blamed for not spending enough time updating their plumbing. Even though I’m someone who spends a lot of time with the plumbing because I like it, I can hardly blame people who haven’t upgraded. People who work on and write about WordPress have it as a significant part of their lives; for the vast majority it’s just a thing they use to run their personal website. If they made a mistake, it was in picking WordPress.

I like WordPress a lot and use it exclusively. This recent attack isn’t going to change that. But every so often I look around for something to replace WordPress because I’m spending too much time doing upgrades. Sure, I like working on the “plumbing” but I don’t like logging on and seeing there’s a new security update that plugs a vulnerability and I now have an unplanned upgrade cycle. WordPress 2.8 was released in mid-June; in the three months since then there have been four security-related updates.

So if you’re going to run a standalone WordPress install you need to be a webmaster (or plumber), no matter what your hosting company and the WordPress PR tells you. Don’t want to do it? Then check out WordPress.com or Blogger for free hosted solutions or pick something less prone to attack like Movable Type. Back in Feb 2008 I moved a site to WordPress.com simply so I could avoid the maintenance time on it.

If, like me, you decide to stick with a standalone WordPress site you’ll need to devise a plan to stay current and secure. My own plan is:

  1. Enabled WordPress administration over SSL
  2. I create at least two new IDs on my WordPress site. One to be the administrator and one to use for posting. I change the built in admin ID to a “subscriber” level. Each ID gets a unique and complex password. The administrator ID created by default is useless on my sites, just like the account named “Administrator” on my Windows PCs.
  3. I’m paranoid about security so WordPress’s built-in update facility doesn’t work for me. (My web server doesn’t have the access necessary to write to the WordPress files) I set up SVN to do the updates. Since this is easily scripted it makes updating multiple sites quicker and easier than going into the admin panel for each site.
  4. I did enable the built in update for plugins. I figured the risk was worth it since plugin updates are a huge hassle without the feature.
  5. Backup, Backup, Backup! I back up my database on a daily basis. Eventually I will need this, either because of a hack or because of a system failure. Because the latest backup may not be problem free (if the problem went unnoticed) I then copy this backup file, along with the entire site’s file system, to my local PC on a daily basis. From there it gets saved as a daily archive for a couple of weeks so I can go back to older copies and minimize the loss of data if the problem went unnoticed for a couple of days. While I’m paranoid about backups I’m also lazy, so all this had to be scripted and automated as I would never do it manually.
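
One way to script the local archive-and-retention part of step 5, as an added example rather than the author's own script: it bundles the copied dump and site files into a dated archive, keeps the newest 14, and finds the last archive from before a given day. The function names, the site-YYYYMMDD.tar.gz naming, the directory arguments and the count of 14 are assumptions.

```shell
#!/bin/sh
# Added example, not the author's script. Assumes the database dump and the
# site files have already been copied into SRC_DIR on the local PC.

# Archives are named site-YYYYMMDD.tar.gz (assumed) so they sort by date.
list_archives() {  # usage: list_archives ARCHIVE_DIR
    ls "$1" | grep -E '^site-[0-9]{8}\.tar\.gz$' | sort
}

# Create ARCHIVE_DIR/site-YYYYMMDD.tar.gz from SRC_DIR and print its path.
make_daily_archive() {  # usage: make_daily_archive SRC_DIR ARCHIVE_DIR [YYYYMMDD]
    stamp=${3:-$(date +%Y%m%d)}
    out="$2/site-$stamp.tar.gz"
    mkdir -p "$2"
    tar -czf "$out" -C "$1" . || return 1
    # Do not keep an archive that cannot be read back.
    tar -tzf "$out" >/dev/null || { rm -f "$out"; return 1; }
    echo "$out"
}

# Delete all but the newest KEEP archives.
prune_archives() {  # usage: prune_archives ARCHIVE_DIR KEEP
    excess=$(( $(list_archives "$1" | wc -l) - $2 ))
    [ "$excess" -gt 0 ] || return 0
    list_archives "$1" | head -n "$excess" \
        | while read -r name; do rm -f "$1/$name"; done
}

# Newest archive dated strictly before YYYYMMDD, the day a problem began.
last_good_before() {  # usage: last_good_before ARCHIVE_DIR YYYYMMDD
    list_archives "$1" | awk -v d="site-$2.tar.gz" '$0 < d' | tail -n 1
}

# Daily run: archive, then keep roughly two weeks of copies.
if [ "$#" -ge 2 ]; then
    make_daily_archive "$1" "$2" && prune_archives "$2" 14
fi
```

Keep the archive directory outside the directory being archived, otherwise each day's archive would swallow the previous ones.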

For more information about the current attacks and a list of WordPress security resources you can visit Lorelle on WordPress.

WordPress Administration Over SSL

Since this is my third straight WordPress related post it’s probably obvious that I spent some time digging into WordPress this weekend. This feature (WordPress Administration over SSL) has been in WordPress awhile and was available via plugins for some time before that. Administration over SSL encrypts the traffic between the browser and the server so no one can look in on your traffic. In the case of WordPress this means no one can pluck your password off the network. Without SSL your password is in clear text and can be read by someone who’s able to intercept (“sniff”) the traffic.

WordPress can either encrypt just the login or can encrypt the entire admin session. SSL can be slow and put more strain on the server so you may not want to use it all the time. Of course, your web server must be set up to enable SSL. SSL does require a certificate on the server and these certificates can cost money. But if all you want to do is use SSL for yourself a self-signed certificate can be used. Self-signed certificates aren’t suitable for e-commerce or public sites but it’s enough for what I need. The browser will balk at the self-signed certificate but most modern browsers will allow you to add the certificate to the trusted certificates list and silently connect in the future.

I use a virtual private server (VPS) so I control everything from the OS on up and won’t have any trouble using a self-signed certificate. I can’t say what other hosts will allow; you may need to buy a certificate from them and you may need to request SSL be enabled for your domain.

Once SSL is enabled and the self-signed (or real) certificate is installed you can enable WordPress administration over SSL by adding one of the following two lines to your wp-config.php file:

To use SSL on logon only use: define('FORCE_SSL_LOGIN', true);

For SSL on logon and the entire Admin session use: define('FORCE_SSL_ADMIN', true);

Be sure to add it before the require_once(ABSPATH . 'wp-settings.php'); statement. I hastily pasted it at the end of the file and SSL Admin didn’t work for WordPress. Let’s not mention how long it took me to find the problem.
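
A quick way to catch the misplacement described above, as an added example that is not part of the original post: the shell function below reports whether a FORCE_SSL_* define appears before the wp-settings.php include. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the SSL define in
# wp-config.php comes before wp-settings.php is loaded.

# Line number of the first match of an ERE pattern, skipping lines that
# start with a PHP comment marker (//, #, /* or *).
first_line() {  # usage: first_line PATTERN FILE
    grep -n -E "$1" "$2" \
        | grep -v -E '^[0-9]+:[[:space:]]*(//|#|/?\*)' \
        | head -n 1 | cut -d: -f1
}

# Exit status: 0 = define precedes the include, 1 = define comes after it,
# 2 = no FORCE_SSL_* define, 3 = no wp-settings.php include found.
check_wp_ssl_define() {  # usage: check_wp_ssl_define FILE
    def=$(first_line "define\([[:space:]]*['\"]FORCE_SSL_(ADMIN|LOGIN)['\"]" "$1")
    req=$(first_line "require_once.*wp-settings\.php" "$1")
    if [ -z "$def" ]; then
        echo "$1: no FORCE_SSL_ADMIN or FORCE_SSL_LOGIN define"; return 2
    fi
    if [ -z "$req" ]; then
        echo "$1: wp-settings.php include not found"; return 3
    fi
    if [ "$def" -lt "$req" ]; then
        echo "$1: OK, define on line $def, include on line $req"; return 0
    fi
    echo "$1: define on line $def is after the include on line $req"; return 1
}

# Constructed sample config with the define before or after the include.
sample_config() {  # usage: sample_config before|after|none
    echo "<?php"
    echo "define('DB_NAME', 'example_db');"
    echo "// define('FORCE_SSL_LOGIN', true);"
    if [ "$1" = before ]; then echo "define('FORCE_SSL_ADMIN', true);"; fi
    echo "require_once(ABSPATH . 'wp-settings.php');"
    if [ "$1" = after ]; then echo "define('FORCE_SSL_ADMIN', true);"; fi
}

# Check a real file when a path is given on the command line.
if [ "$#" -gt 0 ]; then check_wp_ssl_define "$1"; fi
```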

The URL should switch to https:// when you access /wp-admin and your browser should indicate it has a secure connection (such as a padlock in the status bar).

I have SSL enabled for the full admin session. I didn’t do any official benchmarks but performance does seem a little slower at times. But that could be because I’m expecting it and paying more attention. CPU usage also seemed briefly higher when I was running an SSL session, but again, it’s been awhile since I paid attention. But neither the performance nor the CPU usage was unacceptable, and neither would have raised an alarm or been noticed if I wasn’t watching.

The WordPress codex provides details about SSL Administration.

Microsoft Security Updates for July 2008

Microsoft has released four security bulletins for July 2008, two of which are for desktops.

MS08-038 addresses a vulnerability in Windows Explorer and is for Windows Vista and carries an “important” rating. The update includes the original Vista, Vista SP1 and Vista x64.

MS08-037 addresses a vulnerability in DNS and is for Windows 2000 SP4, Windows XP SP2 & SP3, and Windows XP x64 original release & SP2. It’s rated as “important”. [Updated: This patch is part of a coordinated, multi-vendor DNS patch.]

These patches, and the others, also affect server OS’s. There’s no Internet Explorer update this month.

Also, Microsoft will begin rolling out an update to Windows Update later this month. Last time they did this they caught grief for updating PCs that were set to “do not update”. This time around they’ll be doing things differently and won’t update PCs set to not update.

Microsoft Security Bulletins for April 2008

Another "Super Tuesday" patched this week but I just got around to firing up my Windows VM’s today (actually it’s been about 12 days since I’ve been in Windows). There were ten updates waiting for me on Windows Vista and eight on Windows XP Home, although not all were security related.

This month’s updates included:

KB945553 (MS08-020) – Vulnerability in DNS client could allow spoofing. This is rated as "Important" for all supported desktop OS’s except Windows Vista SP1, which doesn’t need the update.

KB948590 (MS08-021) – Vulnerability in GDI could allow remote code execution. This is rated as "Critical" for all supported desktop OS’s.

KB944338 (MS08-022) – Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution. This is rated as "Critical" for all desktop OS’s except Windows Vista, which doesn’t need the update.

KB948881 (MS08-023) – Critical security update for ActiveX killbits. This is required for all supported desktop OS’s, although the severity ranges from "Important" to "Critical".

KB947864 (MS08-024) – Cumulative security update for Internet Explorer. As expected, all supported versions of IE get the update and all are rated "Critical".

KB941693 (MS08-025) – Vulnerability in Windows Kernel could allow elevation of privileges. This one has an "Important" rating for all supported desktop OS’s.

There were also some security patches for applications. MS08-018 patches a Project vulnerability while MS08-019 patches a vulnerability in Visio. I don’t run either Project or Visio so I didn’t install the updates.

The Malicious Software Removal Tool, Junk Email Filter update (Vista only, in my case at least) and Windows Defender definition updates were also included.

I also received KB938371 (on my Vista SP1 VM) which is an update needed to add or remove Vista SP1. Since I received Vista SP1 successfully I already had some of the components. According to the bulletin Vista SP1 install "will only install the new components in this rereleased update."

Non-security related patches included an update to Live Writer and an optional Group Policy patch. For some reason my Windows XP Home installation also received .NET 2.0 SP1 although it appears that it was released back in December and I installed the base .NET 2.0 in early January, two Patch Tuesdays ago.

As expected, a reboot was required. So far I haven’t encountered any differences or problems since applying the updates. A subset of these updates also installed on my Windows Home Server and I covered the WHS March Updates here.