2 Vulnerabilities (CVE-2015-7358 and CVE-2015-7359)

Topics: Users Discussion
Jan 2, 2016 at 6:58 AM
Dear Admin and fellow Veracrypt users,

I will have a new computer and will install veracrypt onto it. However, for my old hard drive that I won't be using it on my new computer, I have Truecrypt installed on it and I have a question regarding the recent 2 Truecrypt's vulnerabilities (CVE-2015-7358 and CVE-2015-7359). Your answers/assistance would be really appreciated.

I have a hard drive where I partitioned it into a decoy OS and a hidden OS (both Windows 7), and I installed some sensitve files on it and they are also encrypted by TC in the hidden OS. I very seldom use this hard drive and it is just to store those sensitive files and is set aside when not in used. If I install this hard drive onto my computer, it will not be connected to the internet. I am not a technical person, and from what I read, are the 2 above vulnerabilities apply only if 1) an attacker is on the same network as my computer OR 2) the computer is connected to the internet or 3) the attacker have physical access to my computer when the OS is turned on.

Question:
So, in my case, since I set the hard drive aside and it is never connected to the internet, suppose if a professional hacker steal my hard drive, the above 2 vulnerabilities does not apply in this case, meaning that those 2 vulnerabilities has nothing to do with more easily brute force and decrypt the encrypted OS and its encrypted folders when the hard drive is stolen under storage. Is this understanding correct?

Thanks.
Jan 2, 2016 at 7:33 AM
You said you are using TrueCrypt? Or is it VeraCrypt?

Then, for file storage why would you need a whole operating system on your external old drive? Why not simply fully encrypted partition?
Jan 5, 2016 at 1:08 AM
Edited Jan 5, 2016 at 1:08 AM
Hi Alex512

>>>>>You said you are using TrueCrypt? Or is it VeraCrypt?

Sorry for the confusion. My question is relating to the Truecrypt's vulnerabilities as I have Truecrypt installed on my old hard drive.

>>>>>Then, for file storage why would you need a whole operating system on your external old drive? Why not simply fully encrypted partition?
_
It's not an external drive but an internal harddrive. I am going to get a new system with a new hard drive with Windows 10 installed on it and so I will just set aside the old harddrive with Windows 7 and Truecrypt on it. Because my sensitive files are within the hidden OS (Windows 7) anyway, and so I just set aside this old hard drive for storing the sensitive files, rather than encrypting it all over again like you suggested (i.e., simply a fully encrypted partition).
---------------------------------------------------------------------------------------------------_

Coming back to my original question, if my old hard drive is being stolen when in storage, do the 2 Truecrypt's vulnerabilities (CVE-2015-7358 and CVE-2015-7359) make it easier to brute force and decrypt the encrypted OS and its encrypted files.? From what I read they shouldn't, but I am not a very technical person and so just want to make sure.

Thanks.
Coordinator
Jan 5, 2016 at 8:46 AM
The two vulnerabilities CVE-2015-7358 and CVE-2015-7359 affects TrueCrypt software not encryption and it makes it possible for hacker to attack online Windows machines running TrueCrypt. Encrypted data at rest is not affected by these vulnerabilities.
So, to answer your question: these vulnerabilities don't make it easier to brute force your offline disks.