Information Security News
What Happened To TrueCrypt? Encryption Software Development Ends Abruptly As InfoSec Community Searches For Answers
By Cammy Harbison on May 28, 2014 5:11 PM EDT
What happened to TrueCrypt? Why has development ceased?
One of the official webpages for the widely used TrueCrypt encryption program says that development has abruptly ended and warns users of the decade-old tool that it isn't safe to use.
"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues," text in red at the top of the TrueCrypt page on SourceForge states. The page continues: "This page exists only to help migrate existing data encrypted by TrueCrypt. The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform."
The advisory, which Ars couldn't immediately confirm was authentic, touched off a tsunami of comments on Twitter and other social media sites. For more than a decade, the open source and freely available TrueCrypt has been the program of choice of many security-minded people for encrypting sensitive files and even entire hard drives. Last year, amid revelations that the NSA can decode large swaths of the Internet's encrypted data, supporters ponied up large sums of money to audit TrueCrypt. Results from phase one of the audit released last month revealed no evidence of any backdoors. Additional audits were pending.
Earlier today, the popular disk encryption tool Truecrypt was essentially removed from Sourceforge and replaced with a warning that Truecrypt is no longer secure and that people should switch to Bitlocker (with instructions as to how to do this). The source code was updated and essentially all functionality was removed; the installer now just shows a message similar to the one displayed on the homepage.
What you probably are asking first about: What does this mean for me if I use Truecrypt?
At this point, there are many rumors, and few facts. It is my recommendation (as always) to stay calm. One thing you want to do right away: Get a copy of the last working version and burn it to CD (actually: 3 CDs) in case it is no longer available and you need to access offline media that are encrypted using Truecrypt. Find out what your alternatives are. In Windows you have Bitlocker, in OS X you have FileVault and in Linux you have LUKS. Sadly, these are not compatible with each other. You will need to find a replacement for portable media that need to move between operating systems. PGP/GnuPG comes to mind as an option.
Now back to what we know so far:
Recently, a community effort was launched to review the Truecrypt code, in particular to check for backdoors and incorrectly implemented crypto algorithms. As far as I know, no significant issue was found to date.
This very much smells to me like a compromised Sourceforge repository. Truecrypt uses Sourceforge for all of its content. At this point, sit back, don't visit the Truecrypt Sourceforge page or download the crippled version, but don't panic (yet).
But, via Twitter and e-mail, some additional disturbing facts came in that make this look worse than a simple web site compromise:
Correction about the earlier note that Sourceforge was compromised: Turns out that they asked users to change passwords NOT because of a compromise, but because they changed the hashing algorithm.
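The diary above suggests PGP/GnuPG as the replacement for removable media that must move between Windows, OS X and Linux, since BitLocker, FileVault and LUKS do not read each other's volumes. The script below is an added example, not code from the ISC diary or from the GnuPG project: it packs a directory into a single OpenPGP file with symmetric AES-256 (iterated, salted S2K at the maximum count, so a lost USB stick resists offline guessing), unpacks it again, and confirms that a wrong passphrase is refused rather than producing garbage. The function names, the sample files and the passphrases are this example's own; it runs in a throwaway GNUPGHOME so it never touches a real keyring.

```shell
#!/bin/sh
# Added example (not from the ISC diary or GnuPG's documentation): an
# OS-independent encrypted archive built with GnuPG symmetric AES-256, as a
# stand-in for a TrueCrypt container on removable media. Function names,
# sample files and passphrases are this example's own (hypothetical).
set -eu

# Throwaway GnuPG home: keeps the example off the user's real keyring and
# gives each check its own gpg-agent, so no cached passphrase carries over.
fresh_gnupghome() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
}

# encrypt_portable DIR OUT PASSFILE
#   Streams a tar of DIR into gpg. The result is one OpenPGP file that any
#   platform with GnuPG (or another OpenPGP implementation) can open.
#   AES-256 with iterated+salted S2K (mode 3) at the maximum iteration count
#   slows offline passphrase guessing if the medium is lost.
encrypt_portable() {
    dir=$1 out=$2 passfile=$3
    tar -C "$(dirname "$dir")" -cf - "$(basename "$dir")" |
      gpg --batch --yes --quiet \
          --pinentry-mode loopback --passphrase-file "$passfile" \
          --symmetric --cipher-algo AES256 \
          --s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65011712 \
          --output "$out"
}

# decrypt_portable IN DEST PASSFILE
#   Decrypts IN and unpacks the archive under DEST. gpg's symmetric mode
#   adds an integrity check (MDC) by default, so a tampered file fails
#   instead of silently unpacking modified data.
decrypt_portable() {
    in=$1 dest=$2 passfile=$3
    mkdir -p "$dest"
    gpg --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-file "$passfile" \
        --decrypt "$in" | tar -C "$dest" -xf -
}

# make_sample WORK: constructed sample tree plus a right and a wrong passphrase.
make_sample() {
    work=$1
    mkdir -p "$work/media/sub"
    printf 'constructed sample file\n'      > "$work/media/notes.txt"
    printf 'second constructed file\n'      > "$work/media/sub/second.txt"
    printf 'correct horse battery staple\n' > "$work/pass"
    printf 'not the passphrase\n'           > "$work/wrongpass"
}

# roundtrip_check: encrypt, confirm the plaintext is absent from the output,
# decrypt, and compare the trees. Returns 0 on success.
roundtrip_check() {
    fresh_gnupghome
    work=$(mktemp -d)
    make_sample "$work"
    encrypt_portable "$work/media" "$work/media.tar.gpg" "$work/pass"
    if grep -q 'constructed sample file' "$work/media.tar.gpg"; then
        echo "plaintext leaked into ciphertext" >&2
        return 1
    fi
    decrypt_portable "$work/media.tar.gpg" "$work/out" "$work/pass"
    diff -r "$work/media" "$work/out/media" >/dev/null
}

# wrong_pass_rejected: a wrong passphrase must make gpg exit non-zero.
# Returns 0 when gpg refuses the file.
wrong_pass_rejected() {
    fresh_gnupghome
    work=$(mktemp -d)
    make_sample "$work"
    encrypt_portable "$work/media" "$work/media.tar.gpg" "$work/pass"
    if gpg --batch --quiet --pinentry-mode loopback \
           --passphrase-file "$work/wrongpass" \
           --decrypt "$work/media.tar.gpg" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Stand-alone run: only attempted when gpg is installed.
if command -v gpg >/dev/null 2>&1; then
    roundtrip_check && wrong_pass_rejected && echo "portable archive round trip ok"
fi
```

The archive travels as one `.tar.gpg` file, so the only thing the receiving machine needs is GnuPG; the passphrase file is used here purely so the example runs unattended, and on real media you would type it interactively or protect the file to the recipient's public key with `--encrypt --recipient` instead of `--symmetric`.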
Software used by law enforcement organizations to intercept the communications of suspected criminals contains a litany of critical weaknesses, including an undocumented backdoor secured with a hardcoded password, security researchers said today.
In a scathing advisory published Wednesday, the researchers recommended people stop using the Nice Recording eXpress voice-recording package. It is one of several software offerings provided by Ra’anana, Israel-based Nice Systems, a company that markets itself as providing "mission-critical lawful interception solutions to support the fight against organized crime, drug trafficking and terrorist activities." The advisory warned that critical weaknesses in the software expose users to attacks that compromise investigations and the security of the agency networks.
"Attackers are able to completely compromise the voice recording/surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication," the researchers from security consultancy SEC Consult wrote. "Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN [virtual local area network], depending on the network setup."
China's Shot at Cisco Latest Salvo in InfoSec War of Words
In global information security battle, the rhetoric pendulum this week is swinging decidedly in China's favor as Beijing unleashes a torrent of accusations and warnings at U.S.-based technology companies. The latest salvo came Tuesday when China state ...
Posted by InfoSec News on May 28: http://www.theregister.co.uk/2014/05/27/bmw_password_security_shortcomings/
Posted by InfoSec News on May 28: http://healthitsecurity.com/2014/05/27/how-it-security-experts-handle-healthcare-network-access/
Posted by InfoSec News on May 28: http://www.nytimes.com/2014/05/28/nyregion/hacker-who-helped-disrupt-cyberattacks-is-allowed-to-walk-free.html
Posted by InfoSec News on May 28: http://www.foreignpolicy.com/articles/2014/05/27/exclusive_inside_the_fbi_s_fight_against_chinese_cyber_espionage
Posted by InfoSec News on May 28: http://www.defenseone.com/management/2014/05/are-paychecks-problem-senate-considers-bonuses-pentagons-cyber-workforce/85258/