It may appear that 2014 is shaping up as ‘Year of the Crypto Catastrophe’. Closely following Heartbleed we are now monitoring the unfolding and curious events surrounding the sudden shutdown of the TrueCrypt project.
TrueCrypt (or TC) has long been a ‘go to’ open source encryption tool for quickly protecting data.
Whilst details are very sketchy, it would appear that the TC binaries have been updated to only allow reading from TC volumes, with a warning that TC is no longer safe.
Asterisk’s recommendations at this point are:
- Do not download or update TC right now! (version 7.1a seems to be the most recent version released before the current incident)
- Determine your organisation’s current exposure: assess usage of TC, search for any TC volumes in your fleet (note that TC volumes can be hidden)
- Take steps to ensure any data secured by TC is backed up in a manner which ensures you can recover the contents
- Assess your data encryption requirements: why are you using crypto, what are you protecting data from (casual observer, laptop/drive theft, targeted information theft), what platforms & what functionality is required?
- Assess alternate solutions, and prepare a strategy to move
- Determine the appropriate trigger and time frame for your organisation to change encryption solution
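One way to start the fleet search recommended above, as an added example that is not Asterisk's or the TrueCrypt project's code: TrueCrypt file containers carry no identifying header, so this Python script flags files whose size is a whole number of 512-byte sectors, that begin with no common file signature, and whose leading bytes look random. The thresholds and the signature list are assumptions to tune; hits are candidates for triage, not confirmed volumes, and a hidden volume sits inside its outer container, so the container is all a file sweep can find.

```python
import math
import os
import sys
from collections import Counter

SECTOR = 512            # heuristic: TrueCrypt file containers are whole 512-byte sectors
MIN_SIZE = 256 * 1024   # assumed floor to skip small files; tune for your fleet
SAMPLE = 64 * 1024      # bytes read from the start of each file
MIN_ENTROPY = 7.9       # bits per byte; assumed threshold for "looks random"
# Magic numbers of common high-entropy formats that are not TrueCrypt (assumed list).
KNOWN_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG", b"\xff\xd8\xff",
               b"7z\xbc\xaf\x27\x1c", b"Rar!", b"%PDF", b"BZh", b"\xfd7zXZ\x00")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def is_candidate(path: str) -> bool:
    """True if the file has the size and randomness profile of a container."""
    size = os.path.getsize(path)
    if size < MIN_SIZE or size % SECTOR:
        return False
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE)
    if head.startswith(KNOWN_MAGIC):
        return False
    return shannon_entropy(head) >= MIN_ENTROPY


def scan(root: str) -> list[str]:
    """Walk root and return the sorted paths of candidate containers."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not os.path.islink(path) and is_candidate(path):
                    hits.append(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
    return sorted(hits)

if __name__ == "__main__":
    print("\n".join(scan(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

This covers file-hosted containers only; volumes that occupy a whole partition or device need a separate check of the disk layout.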
Until more concrete facts emerge, we have captured some of the timeline of this very intriguing story as it unfolded.
Approximately 5 hours ago (3:30am West Australian Time) this tweet landed:
thegrugq then provides an archive of the page:
Some information about the new binary that is available on the TC website lands:
Speculation about what’s going on starts to happen:
and investigation around what actually got uploaded starts:
The investigation continues:
Confirmation that the new binaries were signed by the real PGP key:
What happens when you try to install the new TC:
xabean links to github to better highlight the changes:
Archer has some great advice:
News articles begin:
Confirmation on the new functionality:
Luckily, thegrugq already gave us information about TC alternatives:
and now the speculation has started:
With an interesting line in the new 7.2 code pointed out by a guy on IRC:
Now, this is still early days, so we’re expecting this news to change as more information starts to surface.
KrebsOnSecurity interviewed Matthew Green (who is heading the audit project for TrueCrypt), which provided some additional information. He still plans to continue the audit.
And it looks like this is the best explanation we are going to have of the TrueCrypt situation: