6 Replies Latest reply on May 29, 2014 11:38 PM by Hayton

    TrueCrypt "is not secure" say developers

    Hayton

      It looks as if the open-source developers of TrueCrypt have decided to pull the plug on its development. They say that, since Microsoft ended support for XP, TrueCrypt is no longer secure, and they are advising users to drop it and move to some other disk encryption product.

       

      http://truecrypt.sourceforge.net/

       

      Why they should do this is a mystery. There has been speculation that they were served with a demand by the NSA, FBI or some other agency to weaken the encryption or put in a backdoor to allow covert decryption, that this was accompanied by a gagging order forbidding them to reveal the existence of the demand, and that this is their way of alerting TrueCrypt users to it (shades of Lavabit). But so far there has been no convincing explanation of the reason for TrueCrypt's demise.

       

      The advice in the TrueCrypt website to switch to Bitlocker is also somewhat strange, and some users are wondering if this whole thing is a hoax. I don't think it is, but I'm waiting for more information to emerge.

       

       

      Edit - The website is inviting users to download a decrypt-only version of TrueCrypt. Until we're absolutely certain this whole thing is not a hoax, a hack, or the result of some unpleasantness on the part of one of the Acronyms, it might be better not to download it. Just in case.

       

      Message was edited by: Hayton on 30/05/14 00:27:22 IST
        • 1. Re: TrueCrypt "is not secure" say developers
          Hayton

          I thought it wouldn't take long. The story has been picked up and is being discussed and debated in a number of places. Read for instance the comments appended to Brian Krebs' article -

          http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/

           

          And the Wilders Security contributors also think there's something very strange going on.

          http://www.wilderssecurity.com/threads/truecrypt-forum-gone-truecrypt-either-stopped-development-or-was-hacked.364391/

           

          Bruce Schneier is sitting on the fence: he doesn't know anything either, but he's given links to other sites which also don't know much.

          https://www.schneier.com/blog/archives/2014/05/truecrypt_wtf.html

           

           

          As for the download on the Sourceforge site, DON'T DOWNLOAD IT!

          According to The Register, the download is highly suspect.

          http://www.theregister.co.uk/2014/05/28/truecrypt_hack/


          Even more worrying, The Reg has confirmed that a binary TrueCrypt 7.2 installer for Windows, downloaded from the TrueCrypt SourceForge site, contained the same text found on the rewritten homepage – confirming the download has also been fiddled with amid today's website switcheroo.

           

          Don't run that binary! Someone has built versions of TrueCrypt from vandalised source code

           

          We ran the executable in a virtual machine so that you don't have to, and on Windows 8.1 it was blocked by the SmartScreen feature, suggesting it may contain malware. Launching it on an older system immediately displayed the "warning" message before installation proceeded, and the dropped executables contained the above quoted text.

           

           

           

          Edit : SANS have something to say about the certificate used for the download

          https://isc.sans.edu/diary/True+Crypt+Compromised++Removed%3F/18177

           

          • The new "decrypt only" binary was signed with what looks like a valid Truecrypt code signing key (I believe GRC.com investigated this)
          • The PGP signature was valid as well
          • The Truecrypt development team is anonymous, and so far, no word if the code review team was able to reach them.

           

          Message was edited by: Hayton on 30/05/14 05:18:38 IST
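The SANS bullets above note that the 7.2 binary carried a valid code-signing signature from what looked like the genuine TrueCrypt key. As an added example (not from any post in this thread, and not TrueCrypt's or SANS's own tooling), the PowerShell below shows the check a Windows user can run on a downloaded installer: read the Authenticode signature, hash the file, and compare the signer's certificate thumbprint with that of a release you already trusted. The two file paths are assumptions; the script presumes you kept a copy of an earlier release (7.1a) whose signature you verified before the site changed.

```powershell
# Added example, not part of the thread. Compares the Authenticode signer of a
# freshly downloaded TrueCrypt installer with a previously trusted release.
# Both paths are placeholders; adjust them to where your copies live.
param(
    [string]$Candidate = 'C:\Downloads\TrueCrypt Setup 7.2.exe',   # assumed: new download
    [string]$Reference = 'C:\Archive\TrueCrypt Setup 7.1a.exe'     # assumed: copy trusted before 28 May 2014
)

function Get-SignerSummary {
    param([string]$Path)
    # Get-AuthenticodeSignature reads the embedded PE signature and validates
    # the chain; Status is Valid, NotSigned, HashMismatch, UnknownError, etc.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Subject    = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        NotAfter   = $sig.SignerCertificate.NotAfter
        Sha256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

$new = Get-SignerSummary -Path $Candidate
$old = Get-SignerSummary -Path $Reference

# Show both so the hashes and certificates can be recorded alongside any report.
$new, $old | Format-List

if ($new.Status -ne 'Valid') {
    Write-Warning "Signature on $($new.Path) is '$($new.Status)': do not run it."
}
elseif ($new.Thumbprint -ne $old.Thumbprint) {
    Write-Warning "Signed, but by a different certificate ($($new.Thumbprint)) than the trusted release ($($old.Thumbprint))."
}
else {
    # Same certificate as the trusted release. This only proves the signer
    # holds that key; it cannot tell a stolen key or a coerced developer apart
    # from a routine release, which is the caveat raised in this thread.
    Write-Host "Same signing certificate as the trusted release; treat the file with the same suspicion as any unexplained rebuild."
}
```

Run it from an elevated or normal PowerShell prompt on a machine that has never executed the candidate file; a matching thumbprint is a necessary check, not a sufficient one, for exactly the reason discussed in the thread.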
          • 2. Re: TrueCrypt "is not secure" say developers
            catdaddy

            Interesting read...Thanks Hayton.

            • 3. Re: TrueCrypt "is not secure" say developers
              Hayton

              The plot thickens. What on earth is this all about? Slide 23 has been censored by the US Government ...

               

              http://digital-forensics.sans.org/summit-archives/2010/18-lord-cryptanalysis.pdf

               

              [Attached image: TrueCrypt slide removed]

               

              That could have been an interesting slide, judging by the one detailing successful attacks against BitLocker

               

              [Attached image: BitLocker successful attacks]

               

               

              Edit - Oh, and as various contributors have been pointing out, TrueCrypt was used by Edward Snowden and Glenn Greenwald to encrypt the contents of drives containing copies of assorted NSA documents, particularly when Greenwald was in transit. If someone had access to a clone of one of those drives - such as might be obtained, say, by detaining Glenn Greenwald for 8 hours at an airport for questioning while his laptop was taken somewhere else for examination - it would be helpful, to say the least, to have some means of accessing the encrypted contents. This story has as many layers as an onion, and as many red herrings as a Chinese fish market.

               

              Message was edited by: Hayton on 30/05/14 00:28:20 IST
              • 4. Re: TrueCrypt "is not secure" say developers
                SafeBoot

                The TC team were never fans of Microsoft - it's a red flag for me that they would promote bitlocker so aggressively when there are a number of good open source and commercial alternatives.

                 

                Also the whole message is weird. If they were tired of the project, all they had to do was say so. If they found critical bugs, I'd have expected them to point them out.

                 

                I'm sure this will unfold in interesting ways.

                • 5. Re: TrueCrypt "is not secure" say developers
                  Hayton

                  SafeBoot wrote:

                   

                  The TC team were never fans of Microsoft - it's a red flag for me that they would promote bitlocker

                   

                  That has been noted by a number of people. As I said, it's very strange.

                   

                  I'm sure this will unfold in interesting ways.

                   

                  Oh, I do hope so. There's a lot more here than has been publicly revealed. I'll keep an eye on it and as soon as there are any new revelations (or even interesting gossip) I'll post some more.

                   

                   

                  Edit - Conspiracy theories are everywhere. How about this one for a start - from the Sourceforge web page :

                   

                  "Using TrueCrypt is not secure as it may contain unfixed security issues" 

                  Embedded content  : "TrueCrypt is not secure as"

                  Boils down to "Not Secure As"

                  which  ....  ah, you're ahead of me.

                   

                  Message was edited by: Hayton on 30/05/14 00:35:01 IST
                  • 6. Re: TrueCrypt "is not secure" say developers
                    Hayton

                    There's more to this than just discontinuing product development. The sourceforge web page is a 301 (Moved Permanently) redirect from the TrueCrypt web site (www.truecrypt.org), where there appears to have been a massive purge of everything related to the project - the site itself, the user forum, code repository, everything.

                     

                    Someone pointed out the strange coincidence that SourceForge last week issued a force-password-reset notice. "No known breach or compromise" must mean what it says, but it leaves open the question whether there was a suspected but unproven breach.

                     

                    [Attached image: sourceforge password change]

                     

                    Edit : SourceForge insist there was no compromise - https://news.ycombinator.com/item?id=7813121

                     

                    https://www.schneier.com/blog/archives/2014/05/truecrypt_wtf.html   (source of the quotes below, except where specified otherwise)

                    ... this has wiped out the TrueCrypt forum too.

                     

                    There were hundreds of users at the TC forum (myself included), which contained a goldmine of information, not just about TrueCrypt itself but also crypto and computer security in general.

                     

                    .... it would seem that that repository of knowledge is gone at a stroke.

                     

                     

                    http://www.wilderssecurity.com/threads/truecrypt-forum-gone-truecrypt-either-stopped-development-or-was-hacked.364391/

                    the "hacker" didn't just take over truecrypt.org in order to serve malware from it. It is using the domain to discredit TrueCrypt, which makes this a more elaborate attack...


                    "the binary on the website is capable only of decoding encrypted data, not encoding, and may contain a trojan. The binary is signed with the valid (old) key. All old versions are wiped, the repository is wiped too."

                     

                    So it looks like a hack.

                     

                     

                    http://gigaom.com/2014/05/29/heres-what-you-need-to-know-about-the-sudden-and-mysterious-death-of-truecrypt/

                    this executable was “certified with the official TrueCrypt signing key, proving that whoever updated the website is also in a position to release and certify new versions of the encryption software.”

                     

                     

                    Various posters have speculated that what we have seen is either an emergency counter-response - a scorched-earth policy - or else an automatic fail-safe - a Dead Man's Handle.

                    It has the mark to me of a counter-hack - someone (one or more devs, outside hackers, FBI/NSA/FSB/etc or a combination thereof) gained or asserted control of the project and, to forestall this, someone else (one or more devs not in the first group) broke into the site, trashed as much as possible, and urged everyone away from the project.

                     

                     

                    The highly atypical endorsement of BitLocker raises a number of red flags, and almost everyone has pointed to it as being a deliberate plant. If there was dirty work involved in this project takedown then the Bitlocker endorsement might be a way of signalling to those who know that that's what happened. If there was Acronym involvement then pushing people towards BitLocker makes little sense even if BL (as is widely assumed) has NSA backdoors built-in; it would have been better to have compromised TrueCrypt and let Persons Of Interest keep using it.  Also,

                     

                    The XP thing makes no sense. Windows 7 is moving to dominance and bitlocker is not available to Windows 7 home edition users -- a large portion of that code base.

                     

                    The TrueCrypt code was in the process of being audited. The first stage of the audit is complete. If there were a serious vulnerability, or a deliberate backdoor, in the code the audit should have detected it. The results of the first stage of the audit have now been made public, and so far no significant problems have been detected. The team doing the audit have said they intend to continue with their work - and start the second stage - even though TrueCrypt appears to have been abruptly abandoned.

                    http://arstechnica.com/security/2014/04/truecrypt-audit-finds-no-evidence-of-backdoors-or-malicious-code/

                     

                     

                    Steve Gibson has been in contact with Professor Matthew Green of Johns Hopkins University, who has been one of those conducting the audit.

                    http://steve.grc.com/2014/05/28/whither-truecrypt/

                     

                     

                    Research Professor Matthew Green, Johns Hopkins cryptographer who recently helped to launch the TrueCrypt Audit, is currently as clueless as anyone. But his recent tweets indicate that he has come to the same conclusion that I have:

                    • I have no idea what’s up with the Truecrypt site, or what ‘security issues’ they’re talking about.
                    • I sent an email to our contact at Truecrypt. I’m not holding my breath though.
                    • The sad thing is that after all this time I was just starting to like Truecrypt. I hope someone forks it if this is for real.
                    • The audit did not find anything — or rather, nothing that we haven’t already published.
                    • The anonymous Truecrypt dev team, from their submarine hideout. I emailed. No response. Takes a while for email to reach the sub.
                    • I think it unlikely that an unknown hacker (a) identified the Truecrypt devs, (b) stole their signing key, (c) hacked their site.
                    • Unlikely is not the same as impossible. So it’s *possible* that this whole thing is a hoax. I just doubt it.
                    • But more to the point, if the Truecrypt signing key was stolen & and the TC devs can’t let us know — that’s reason enough to be cautious.
                    • Last I heard from Truecrypt: “We are looking forward to results of phase 2 of your audit. Thank you very much for all your efforts again!”

                     

                     

                    This whole thing remains a mystery, which is why it's generating so much furious debate.

                     

                    Let the final word (for now) go to David Meyer at gigaom.com, which has a wry comment on the tendency to look for over-complicated solutions to intractable problems. Maybe we're all overlooking something blindingly obvious and terribly simple.

                     

                    http://gigaom.com/2014/05/29/heres-what-you-need-to-know-about-the-sudden-and-mysterious-death-of-truecrypt/

                    [Attached image: security]

                     

                    Message was edited by: Hayton on 30/05/14 05:38:14 IST