May 30, 2014

TrueCrypt – WTF

Just a day ago, without any clue that something was amiss, TrueCrypt, arguably one of the world's most popular encryption applications, announced that it was no longer safe for people to use it. Instead the developers advised users to immediately begin looking for an alternative. To facilitate this they released a new version of the TrueCrypt software that disabled its encryption capabilities, in effect only allowing people to decrypt existing TrueCrypt archives, presumably so they could extract their data and move it to another, safer, application.

This despite the fact that Truecrypt had just successfully completed the first phase of its public audit by the Open Crypto Audit project.

So WTF is going on? Well, to be honest there aren't any clear answers yet. What I can say for sure though is that it isn't a "web defacement". The fact that the software was updated and signed with the correct, expected key points to one of two options:

Option 1.
The project got owned and the hackers gained access to everything including signing keys. However every day that passes without this being challenged makes this less and less plausible.

Option 2.
(Note: as stated above, this is all pure speculation.)
The TrueCrypt devs did this deliberately. This seems the most likely scenario to me and could be for any one of several reasons:
a. There's an audit going on right now, and while we know they passed phase one of the audit, who's to say that during this period of scrutiny the devs didn't find some catastrophic flaw, or that one wasn't discovered in the wild. Rather than fix it they binned the project. If this was the case we will probably find out when phase 2 of the audit completes.
b. Under pressure from various directions (GOV, LEO, Organised Crime etc) the devs decided enough was enough and followed in Lavabit’s shoes.
c. The devs found they had been owned at some point and hostile code or a flaw had been inserted into their code base meaning historic Truecrypt archives were also suspect.

My guess is that whatever it was, it was sudden and catastrophic given that just two weeks ago the devs were still engaged in phase 1 of the audit and email traffic was positive and upbeat.

What to do?

Well, no matter what the truth is, TrueCrypt is tainted now. My opinion is that this means it is probably still OK for low to medium risk scenarios but should not be used in high risk scenarios, such as anything your life or freedom may depend on.

The TrueCrypt post recommends FileVault and BitLocker. These are both fine crypto implementations and are excellent options for most scenarios. I wouldn't consider them, however, for any scenario where you are protecting sensitive data from Law Enforcement or Government actors, whether foreign or domestic.

Below is a post from my good friend Thaddeus T Grugq suggesting some alternate crypto implementations you may want to look at as alternatives.

I also recommend reading Runa Sandvik’s excellent analysis for Forbes:

When the truth finally comes out, I'll update this post.

1 Comment

  1. Still wondering why people keep using what has consistently failed so far. It's not as if the NSA did not claim that they have "influenced the design of the crypto standards".


About Marc Rogers

Marc has been a hacker since the '80s and has worked in the security industry for almost 20 years. Some of Marc's professional highlights include a decade managing security at the operator Vodafone plc, and 5 years working as the CSO for a real estate and asset management conglomerate in South Korea. Known as "Cyberjunky", "Cjunky" or just "CJ" in the hacker community, Marc is the Head of Security and part of the CFP review board for DEF CON, the world's largest hacker conference. After spending more than 15 years wrangling hackers, criminals and spooks, Marc has seen it all. Sometimes several times at once. Professionally, Marc uses his skills as a whitehat hacker and security evangelist to bring a positive outlook on security to today's global organizations. It's this outlook that Marc used when he helped put together the award-winning BBC series "The Real Hustle". Today Marc works as the Principal Security Researcher for Lookout Mobile Security.