Is it a hoax, or the end of the line for TrueCrypt?

At the moment there is little more than speculation about the ominous note that greeted visitors to the TrueCrypt page on SourceForge today. The text warns that the open source encryption software is not secure and informs users that development has been terminated.

The page also provides step-by-step instructions for migrating from TrueCrypt to BitLocker, Microsoft’s built-in disk encryption software.

It’s unclear whether the site has been defaced or whether the developers are aware of a critical vulnerability or backdoor that would jeopardize the integrity of the software, which has been downloaded more than 28 million times.

An audit of TrueCrypt was commissioned last year, in the wake of the Edward Snowden leaks and the revelations about the extent of National Security Agency surveillance, to determine whether the software had been tampered with. The results of the first phase of the audit were released on April 14 by iSEC Partners on behalf of the Open Crypto Audit Project, and no backdoors were found. The first phase focused on the TrueCrypt bootloader and Windows kernel driver. Architecture and code reviews were performed, said Kenneth White, senior security engineer at Social & Scientific Systems and one of the OCAP architects.

A second phase, which has not yet begun, will focus on whether encryption suites, random number generators and critical algorithms have been properly implemented.

Many experts are downplaying the possibility that this is a defacement. Runa A. Sandvik, a privacy and security researcher and advisor on the TrueCrypt audit, told Threatpost that the current version listed on the SourceForge page, version 7.2, was signed yesterday with the same key the TrueCrypt Foundation has used for roughly the past two years. Kaspersky Lab researcher Costin Raiu confirmed this as well.

“With a defacement, you would usually just expect to see the website change. In this change, the software seems to have changed as well,” Sandvik said. “The software has been modified to display a warning when you start it, as well as display a warning as part of the standard UI.”

Sandvik said she performed a quick analysis on the installer and saw no network traffic emanating from it.

“If the installer had a keylogger, you would expect the installer to at some point connect to another host and transfer information. Since there is no network traffic, there is no part of the installer that attempts to call home,” Sandvik said. “Note that I just did a very quick analysis, a deeper dive might uncover sketchy bits and pieces.”
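The key-continuity check Sandvik and Raiu describe, as an added example that is not code from the article or from the TrueCrypt project: a small OpenPGP signature-packet parser (RFC 4880) that reports the issuer key ID and creation time named in a detached .sig or .asc file, so the signature on 7.2 can be compared with the key recorded from an earlier release. PINNED_KEY_ID, the sample packet and its timestamp are constructed placeholders for testing, not the real TrueCrypt Foundation key or signature.

```python
"""Signing-key continuity check for a detached OpenPGP signature (RFC 4880).
Added example; reads what a .sig/.asc names as its issuer, verifies nothing."""
import base64
import struct

SIG_CREATION_TIME = 2     # RFC 4880 5.2.3.4
ISSUER_KEY_ID = 16        # RFC 4880 5.2.3.5
ISSUER_FINGERPRINT = 33   # RFC 4880bis; emitted by modern GnuPG

# Placeholder for the key ID recorded from an earlier release's signature.
# NOT the real TrueCrypt Foundation key; substitute your own pinned value.
PINNED_KEY_ID = "1122334455667788"


def load_signature(raw):
    """Return raw packet bytes from either a binary .sig or an ASCII-armored .asc."""
    if not raw.lstrip().startswith(b"-----BEGIN PGP"):
        return raw
    b64, in_data = [], False
    for line in raw.decode("ascii", "replace").splitlines():
        if line.startswith("-----END") or (in_data and line.startswith("=")):
            break                      # "=XXXX" is the armor CRC24 line
        if in_data:
            b64.append(line.strip())
        elif line.strip() == "":       # blank line ends the armor headers
            in_data = True
    return base64.b64decode("".join(b64))


def _var_len(buf, i, two_octet_max):
    """Decode a new-format/subpacket length at buf[i]; returns (length, next_i)."""
    l1 = buf[i]
    if l1 < 192:
        return l1, i + 1
    if l1 < two_octet_max:
        return ((l1 - 192) << 8) + buf[i + 1] + 192, i + 2
    if l1 == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths not supported")


def _read_packet(data):
    """Return (tag, body) of the first packet; old- and new-format headers (RFC 4880 4.2)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                              # new-format header
        tag = first & 0x3F
        length, off = _var_len(data, 1, 224)
    else:                                         # old-format header (what gpg emits for .sig)
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = (1, 2, 4)[ltype]
        length = int.from_bytes(data[1:1 + size], "big")
        off = 1 + size
    return tag, data[off:off + length]


def _subpackets(blob):
    """Yield (type, data) for each signature subpacket (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(blob):
        length, i = _var_len(blob, i, 255)
        yield blob[i] & 0x7F, blob[i + 1:i + length]   # high bit = "critical" flag
        i += length


def parse_signature(sig_bytes):
    """Extract issuer key ID/fingerprint and creation time from a v4 signature packet."""
    tag, body = _read_packet(load_signature(sig_bytes))
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a v4 signature packet (tag 2)")
    info = {"sig_type": body[1], "pubkey_algo": body[2], "hash_algo": body[3]}
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = body[pos + 2:pos + 2 + unhashed_len]
    # Only the hashed area is covered by the signature, so the creation time is
    # taken from there; the issuer ID may legitimately sit in the unhashed area.
    for area, covered in ((hashed, True), (unhashed, False)):
        for sub_type, data in _subpackets(area):
            if sub_type == SIG_CREATION_TIME and covered:
                info["created"] = struct.unpack(">I", data)[0]
            elif sub_type == ISSUER_KEY_ID:
                info["issuer_key_id"] = data.hex().upper()
            elif sub_type == ISSUER_FINGERPRINT:
                info["issuer_fingerprint"] = data[1:].hex().upper()  # byte 0 = key version
    return info


def key_continuity(sig_bytes, pinned_key_id=PINNED_KEY_ID):
    """True if the signature names the pinned key ID (a claim, not a verification)."""
    return parse_signature(sig_bytes).get("issuer_key_id") == pinned_key_id.upper()


def build_sample_signature(key_id_hex, created):
    """Constructed v4 signature packet with a bogus hash/MPI, for offline testing only."""
    creation = bytes([5, SIG_CREATION_TIME]) + struct.pack(">I", created)
    issuer = bytes([9, ISSUER_KEY_ID]) + bytes.fromhex(key_id_hex)
    body = (bytes([4, 0x00, 1, 8])              # v4, binary-document sig, RSA, SHA-256
            + struct.pack(">H", len(creation)) + creation
            + struct.pack(">H", len(issuer)) + issuer
            + b"\xab\xcd"                        # left 16 bits of the hash (bogus)
            + b"\x00\x08\xff")                   # single 8-bit MPI (bogus)
    return bytes([0xC2, len(body)]) + body       # new-format header, tag 2


if __name__ == "__main__":
    sample = build_sample_signature(PINNED_KEY_ID, 1401235200)  # constructed: 2014-05-28T00:00:00Z
    print(parse_signature(sample), key_continuity(sample))
```

The parser only reads what the signature claims about its issuer; it performs no cryptographic verification, so the real check is still gpg --verify against a copy of the old key obtained before today. A match shows that whoever published 7.2 holds the long-lived signing key, not that they published it voluntarily.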

Speculation also ran amok on Twitter that the shutdown was connected to an impending announcement regarding the TrueCrypt audit. White said via his Twitter feed that this is unfounded and that the announcement concerns an upcoming OCAP initiative.

“As a general rule, any time a high-profile site gets replaced with a terse static page (much less redirects), I would urge caution,” White told Threatpost, adding that OCAP had reached out to the TrueCrypt developers seeking more information. “But at the moment, I’m afraid I don’t have much to add.”

Categories: Cryptography

Comments (7)

  1. Anon

    Bitlocker has NSA key escrow – maybe this is a government originated move to get people away from secure encryption and over to using products the government can bypass?

  2. dongle

    What is strange is this part, for me at least:

    The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP.

    Why would this affect all versions or the safety across other operating systems?

    Something funky here…

  3. NickieH

    Many are suggesting a Lavabit-style situation, where the developers have been pressured to backdoor their code by Certain Government Agencies, and chosen to push the self-destruct button instead.

  4. murky

    How about the developers having just sold out to Microsoft and since they’re not telling, they’re getting away with it? The last line of that page looks very much along the line of wording we’ve seen from Microsoft.

  5. Failpoint

    I looked into Truecrypt for usage a while back and chose to not go that route. The whole point of open-sourced crypto is public scrutiny. I could not properly track down the creators, their names, or un-obfuscated DNS entry in whois. Nor is it open-sourced. As above, Microsoft is guilty as charged, even as they threatened 2048-bit pipe encryption in the wake of Snowden. It doesn’t matter when they do not address security flaws in their OS, and cover it up with a dashboard interface and server setup wizards. Such is the case with the registry, proprietary re-naming of services, and alternate data streams in the failed NTFS. My solution of using LUKS containers in Linux is fantastic on solid state or disk. Finally, if you like the idea of double or triple encryption, you can write a script to use OpenSSL in such a way, as long as the script was not set to any static series of algorithms. In Linux, I use Gnome Zenity dialogs, but Windows users can use VB. You just have to ask yourself, do you want an encrypted drive/folder, or could you just manage encrypted files? Data integrity is part of security, you have a higher risk of fault with encrypted partitions which can cause you to lose everything w/o backup to a separate drive. Microsoft is not exactly known to have a stable filesystem. There are a lot of solutions out there but no, Daemon tools does not address the mission of flexible encrypted storage. Thank you bot, but inline encryption of images is not the answer here.

