TrueCrypt, another myth is falling down?
Many TrueCrypt users have had a nasty surprise visiting the TrueCrypt page at SourceForge, the page content warns visitors that the open source encryption software is not secure and that its development was ended in 5/2014 after Microsoft terminated support of Windows XP.
“The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform,” states the message on Truecrypt website.
The TrueCrypt page at SourceForge at the time I’m writing contains step-by-step instructions explaining how to migrate from TrueCrypt to the Microsoft’s file and disk encryption software BitLocker.
Is this a simple case of defacing or there is the shutdown is motivated by an uncomfortable truth?
On the Internet is circulating the rumors that the developers are aware of a critical vulnerability or backdoor that would jeopardize the integrity of the software and for this reason have suspended its download.
The impact could be really serious, TrueCrypt application has been downloaded more than 28 million times.
On April 14th 2014, iSEC Partners on behalf of the Open Crypto Audit Project released the results of an audit of TrueCrypt that was commissioned last year in order to determine the alleged presence of a backdoor in the wake of the Edward Snowden leaks on the NSA surveillance program. Experts haven’t found evidence of the backdoor presence.
The first phase focused on the TrueCrypt bootloader and Windows kernel drivers, a second phase will be related on whether encryption suites, in particular on the implementation of random number generators and critical algorithms.
Security community doesn’t consider this a simple defacement, as confirmed by Runa A. Sandvik, a privacy and security researcher and advisor on the TrueCrypt audit, and Costin Raiu Chief, security expert at Kaspersky. They both confirmed that the current version listed on the SourceForge page, version 7.2, was signed yesterday with the same key used by the TrueCrypt Foundation for as long as two years.
“With a defacement, you would usually just expect to see the website change. In this change, the software seems to have changed as well,” “The software has been modified to display a warning when you start it, as well as display a warning as part of the standard UI.” Sandvik said to ThreatPost.
The experts also added that the installer is not compromised by the presence of malware:
“If the installer had a keylogger, you would expect the installer to at some point connect to another host and transfer information. Since there is no network traffic, there is no part of the installer that attempts to call home,” Sandvik said. “Note that I just did a very quick analysis, a deeper dive might uncover sketchy bits and pieces.”
Matthew Green, a professor at Johns Hopkins University involved with the audit, seems to exclude a website defacement, below the text of his tweet.
“I think it unlikely that an unknown hacker (a) identified the Truecrypt devs, (b) stole their signing key, (c) hacked their site”
Waiting for news … stay tuned!