TrueCrypt Fallout: Early hours

It may appear that 2014 is shaping up as ‘Year of the Crypto Catastrophe’. Closely following Heartbleed we are now monitoring the unfolding and curious events surrounding the sudden shutdown of the TrueCrypt project.

TrueCrypt (or TC) has long been the ‘go to’ open source encryption tool for quickly protecting data at rest.

Whilst details are very sketchy, it would appear that the TC binaries have been updated to only allow reading from TC volumes, with a warning that TC is no longer safe.

Asterisk’s recommendations at this point are:

  • Do not download or update TC right now! (version 7.1a seems to be the most recent version released before the current incident)
  • Determine your organisation’s current exposure: assess usage of TC, search for any TC volumes in your fleet (note that TC volumes can be hidden)
  • Take steps to ensure any data secured by TC is backed up in a manner which ensures you can recover the contents
  • Assess your data encryption requirements: why are you using crypto, what are you protecting data from (casual observer, laptop/drive theft, targeted information theft), what platforms & what functionality is required?
  • Assess alternate solutions, and prepare a strategy to move
  • Determine the appropriate trigger and time frame for your organisation to change encryption solution
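The second recommendation above, finding TC volumes across a fleet, is harder than it sounds: a TrueCrypt container has no magic bytes and looks like random data. The scanner below is an added example (not Asterisk's code, not TrueCrypt's) of the usual heuristic: flag files that are at least a minimum size, are a whole number of 512-byte sectors, carry no recognisable file-format header, and have near-maximal byte entropy. The minimum size and the entropy threshold are assumptions chosen for the demonstration, and the sample files it scans are constructed inline. It only inventories file-hosted containers; whole-partition or system encryption needs a block-device scan, and a hidden volume lives inside its outer container's free space, so it is never a separate find.

```python
"""Heuristic inventory scan for candidate TrueCrypt container files.

A TC volume has no header signature, so the best a scanner can do is
look for large, sector-aligned, headerless, high-entropy files.  Expect
false positives (other encrypted containers, random-data files) and
treat every hit as something to check by hand.
"""
import math
import os
import tempfile
from pathlib import Path

SAMPLE_BYTES = 64 * 1024      # how much of each file to sample for entropy
MIN_SIZE = 19 * 1024          # assumption: ignore tiny files
ENTROPY_THRESHOLD = 7.9       # assumption: bits/byte; random data sits near 8.0

# Compressed or binary formats are high-entropy too, but they announce
# themselves with a magic prefix, which a TC volume never does.
KNOWN_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG": "png",
    b"%PDF": "pdf",
    b"7z\xbc\xaf": "7z",
    b"\xff\xd8\xff": "jpeg",
    b"MZ": "pe executable",
    b"\x7fELF": "elf",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given sample (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def known_format(head: bytes):
    """Return the format name if the file starts with a known magic prefix."""
    for magic, name in KNOWN_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def is_candidate_volume(path: str) -> bool:
    """Apply the size, alignment, magic and entropy checks to one file."""
    size = os.path.getsize(path)
    if size < MIN_SIZE or size % 512:
        return False
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    if known_format(head[:8]):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan_tree(root: str) -> list:
    """Walk a directory tree and return sorted paths of candidate containers."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                if is_candidate_volume(p):
                    hits.append(p)
            except OSError:
                continue  # unreadable file: skip, but a real tool should log it
    return sorted(hits)


def build_demo_tree(root: str) -> list:
    """Constructed sample data: one container look-alike and three decoys."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    # random, 512-aligned, no magic: the only expected hit
    (root / "container.dat").write_bytes(os.urandom(1024 * 1024))
    # 512-aligned but low entropy: rejected by the entropy check
    (root / "notes.txt").write_bytes(b"quarterly report\n" * 4096)
    # high entropy but carries a JPEG magic prefix: rejected by the magic check
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff" + os.urandom(512 * 1024 - 3))
    # random but not a whole number of sectors: rejected by the alignment check
    (root / "odd.bin").write_bytes(os.urandom(100 * 1024 + 1))
    return [str(root / "container.dat")]


def run_demo() -> bool:
    """Build the sample tree in a temp dir and check the scan finds exactly the container."""
    with tempfile.TemporaryDirectory() as d:
        expected = build_demo_tree(d)
        return scan_tree(d) == expected


if __name__ == "__main__":
    print("demo scan matched expectations:", run_demo())
```

On a real fleet the interesting knob is the magic table: every legitimate headerless high-entropy format you add to it (disk images from other tools, certain database files) reduces noise, and anything left over is worth a manual look before the backup step.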

Until more concrete facts emerge, we have captured some of the timeline of this very intriguing story as it unfolded.

Approximately 5 hours ago (3:30am West Australian Time) this tweet landed:

https://twitter.com/FredericJacobs/status/471735604883890176

thegrugq then provides an archive of the page:

https://twitter.com/thegrugq/status/471741930271809536

Some information about the new binary that is available on the TC website lands:

https://twitter.com/runasand/status/471741572909133824

Speculation about what’s going on starts to happen:

https://twitter.com/matthew_d_green/status/471741836722073600

and investigation around what actually got uploaded starts:

https://twitter.com/cynicalsecurity/status/471742274742013952

The investigation continues:

https://twitter.com/DefuseSec/status/471742363212083200

Another diff:

https://twitter.com/cynicalsecurity/status/471743401361436674

Confirmation that the new binaries were signed by the real PGP key:

https://twitter.com/hdmoore/status/471744014069145600

What happens when you try to install the new TC:

https://twitter.com/runasand/status/471744625690951681

xabean links to github to better highlight the changes:

https://twitter.com/xabean/status/471746558703448064

Archer has some great advice:

https://twitter.com/ArchrOnSecurity/status/471751244609257472

News articles begin:

http://www.pcworld.com/article/2241300/truecrypt-now-encouraging-users-to-use-microsofts-bitlocker.html

Confirmation on the new functionality:

https://twitter.com/runasand/status/471771828130963456

Luckily, thegrugq already gave us information about TC alternatives:

http://grugq.tumblr.com/post/60464139008/alternative-truecrypt-implementations

https://twitter.com/McGrewSecurity/status/471789973398507522

and now the speculation has started:

https://gist.github.com/ValdikSS/c13a82ca4a2d8b7e87ff

With an interesting line in the new 7.2 code pointed out by someone on IRC:

https://github.com/warewolf/truecrypt/compare/master…7.2#diff-889688bf127e7a198f80cbcec61c9571L16

Now, this is still early days, so we’re expecting this news to change as more information starts to surface.


UPDATE:

KrebsonSecurity did an interview with Matthew Green (who heads the audit project for TrueCrypt) and had some additional information. He still plans to continue the audit.

http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/

UPDATE 2:

And it looks like this is the best explanation we are going to get of the TrueCrypt situation:

https://twitter.com/stevebarnhart/status/472192457145597952

https://twitter.com/matthew_d_green/status/472193658842673152

https://twitter.com/stevebarnhart/status/472193800874758144

https://twitter.com/matthew_d_green/status/472194641136087040

https://twitter.com/stevebarnhart/status/472195239005147136

https://twitter.com/matthew_d_green/status/472198235679764481

https://twitter.com/stevebarnhart/status/472198615579234304

https://twitter.com/matthew_d_green/status/472198897058590721

https://twitter.com/stevebarnhart/status/472200184433483776

https://twitter.com/stevebarnhart/status/472200478345150464


Published by

David Taylor

Twitter: @dave_au