If you use TrueCrypt to encrypt your data, you
need to switch to a different encryption software to protect your files,
and even whole hard drives.
The open source and freely available TrueCrypt software has been popular for the past ten years because it was perceived to be independent from major vendors. The creators of the software have not been publicly identified. Edward Snowden allegedly used TrueCrypt, and security expert Bruce Schneier was another well-known supporter of the software. The tool made it easy to turn a flash drive or a hard drive into an encrypted volume, securing all the data stored on it from prying eyes.
The mysterious creators abruptly shut down TrueCrypt on Wednesday, claiming it was unsafe to use. "WARNING: Using TrustCrypt is not secure as it may contain unfixed security issues," read the text on TrueCrypt's SourceForge page. "You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform," the message said.
"It's time to start looking for an alternative way to encrypt your files and hard drive," wrote independent security consultant Graham Cluley.
Consensus: Not a HoaxAt first, there were concerns that some malicious attackers had defaced the site, but it's becoming increasingly clear this is not a hoax. The SourceForge site now offers an updated version of TrueCrypt (digitally signed by the developers so this isn't a hack) which pops up an alert during the installation process to inform users they should use BitLocker or some other tool.
"I think it's unlikely that an unknown hacker identified the TrueCrypt developers, stole their signing key, and hacked their site," said Matthew Green, a professor specializing in cryptography at Johns Hopkins University.
What to Do NextThe site, as well as the popup alert on the software, has instructions on transferring TrueCrypt-encrypted files to Microsoft's BitLocker service, which is built into Microsoft Vista Ultimate and Enterprise, Windows 7 Ultimate and Enterprise, and Windows 8 Pro and Enterprise. TrueCrypt version 7.2 lets users decrypt their files but won't let them create new encrypted volumes.
While BitLocker is the obvious alternative, there are other options to look at. Schneier told The Register he is switching back to Symantec's PGPDisk to encrypt his data. Symantec Drive Encrpytion ($110 for a single user license) uses PGP, which is a well-known encryption method. There are other free tools for Windows, such as DiskCryptor. Security expert The Grugq put together a list of TrueCrypt alternatives last year, which is still useful.
SANS Institute's Johannes Ullrich recommended that Mac OS X users stick with FileVault 2, which is built into OS X 10.7 (Lion) and later. FileVault uses the XTS-AES 128-bit cipher, which is the same one used by the NSA. Linux users should stick with the built-in Linux Unified Key Setup (LUKS), Ullrich said. If you use Ubuntu, the operating system installer has the option to turn on full disk encryption right from the start.
However, users will need a different tool for portable drives that move between different operating system. "PGP/GnuPG comes to mind," Ullrich said on the InfoSec Handlers Diary.
German company Steganos is offering an older version of their encryption tool (version 15 is their latest, but the offer is for version 14) for free to users, which isn't really that ideal.
Unknown VulnerabilitiesThe fact that TrueCrypt may have security vulnerabilities is jarring considering that an independent audit for the software is currently under way and there had been no such reports. Supporters raised $70,000 for the audit because of concerns the National Security Agency has the capability to decode significant amounts of encrypted data. The first phase of the investigation which looked at the TrueCrypt bootloader was released just last month. It "found no evidence of backdoors or intentional flaws." The next phase, which would examine the cryptography used by the software, was scheduled to complete this summer.
Green, who was one of the people involved with the audit, said he did not have advance warning of what the TrueCrypt developers planned. "Last I heard from Truecrypt: 'We are looking forward to results of phase 2 of your audit. That you very much for all your efforts again!'" he posted on Twitter. The audit is expected to continue despite the shutdown.
It's possible that the creators of the software decided to stop development because the tool is so old. Development "ended in 5/2014 after Microsoft terminated support of Windows XP," said the message on SourceForge. "Windows 8/7/Vista and later offered integrated support for encrypted disks and virtual disk images." With encryption built into many of the operating systems by default, the developers may have felt the software was no longer necessary.
To make things even murkier, it appears a ticket was added May 19 to remove TrueCrypt from the secure operating system Tails (also another Snowden favorite). Whatever is the case, it's clear nobody should be using the software at this point, Cluley warned.
"Whether hoax, hack, or genuine end-of-life for TrueCrypt, it's clear that no security conscious-users are going to feel comfortable trusting the software after this debacle," wrote Cluley.
The open source and freely available TrueCrypt software has been popular for the past ten years because it was perceived to be independent from major vendors. The creators of the software have not been publicly identified. Edward Snowden allegedly used TrueCrypt, and security expert Bruce Schneier was another well-known supporter of the software. The tool made it easy to turn a flash drive or a hard drive into an encrypted volume, securing all the data stored on it from prying eyes.
The mysterious creators abruptly shut down TrueCrypt on Wednesday, claiming it was unsafe to use. "WARNING: Using TrustCrypt is not secure as it may contain unfixed security issues," read the text on TrueCrypt's SourceForge page. "You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform," the message said.
"It's time to start looking for an alternative way to encrypt your files and hard drive," wrote independent security consultant Graham Cluley.
Consensus: Not a HoaxAt first, there were concerns that some malicious attackers had defaced the site, but it's becoming increasingly clear this is not a hoax. The SourceForge site now offers an updated version of TrueCrypt (digitally signed by the developers so this isn't a hack) which pops up an alert during the installation process to inform users they should use BitLocker or some other tool.
"I think it's unlikely that an unknown hacker identified the TrueCrypt developers, stole their signing key, and hacked their site," said Matthew Green, a professor specializing in cryptography at Johns Hopkins University.
What to Do NextThe site, as well as the popup alert on the software, has instructions on transferring TrueCrypt-encrypted files to Microsoft's BitLocker service, which is built into Microsoft Vista Ultimate and Enterprise, Windows 7 Ultimate and Enterprise, and Windows 8 Pro and Enterprise. TrueCrypt version 7.2 lets users decrypt their files but won't let them create new encrypted volumes.
While BitLocker is the obvious alternative, there are other options to look at. Schneier told The Register he is switching back to Symantec's PGPDisk to encrypt his data. Symantec Drive Encrpytion ($110 for a single user license) uses PGP, which is a well-known encryption method. There are other free tools for Windows, such as DiskCryptor. Security expert The Grugq put together a list of TrueCrypt alternatives last year, which is still useful.
SANS Institute's Johannes Ullrich recommended that Mac OS X users stick with FileVault 2, which is built into OS X 10.7 (Lion) and later. FileVault uses the XTS-AES 128-bit cipher, which is the same one used by the NSA. Linux users should stick with the built-in Linux Unified Key Setup (LUKS), Ullrich said. If you use Ubuntu, the operating system installer has the option to turn on full disk encryption right from the start.
However, users will need a different tool for portable drives that move between different operating system. "PGP/GnuPG comes to mind," Ullrich said on the InfoSec Handlers Diary.
German company Steganos is offering an older version of their encryption tool (version 15 is their latest, but the offer is for version 14) for free to users, which isn't really that ideal.
Unknown VulnerabilitiesThe fact that TrueCrypt may have security vulnerabilities is jarring considering that an independent audit for the software is currently under way and there had been no such reports. Supporters raised $70,000 for the audit because of concerns the National Security Agency has the capability to decode significant amounts of encrypted data. The first phase of the investigation which looked at the TrueCrypt bootloader was released just last month. It "found no evidence of backdoors or intentional flaws." The next phase, which would examine the cryptography used by the software, was scheduled to complete this summer.
Green, who was one of the people involved with the audit, said he did not have advance warning of what the TrueCrypt developers planned. "Last I heard from Truecrypt: 'We are looking forward to results of phase 2 of your audit. That you very much for all your efforts again!'" he posted on Twitter. The audit is expected to continue despite the shutdown.
It's possible that the creators of the software decided to stop development because the tool is so old. Development "ended in 5/2014 after Microsoft terminated support of Windows XP," said the message on SourceForge. "Windows 8/7/Vista and later offered integrated support for encrypted disks and virtual disk images." With encryption built into many of the operating systems by default, the developers may have felt the software was no longer necessary.
To make things even murkier, it appears a ticket was added May 19 to remove TrueCrypt from the secure operating system Tails (also another Snowden favorite). Whatever is the case, it's clear nobody should be using the software at this point, Cluley warned.
"Whether hoax, hack, or genuine end-of-life for TrueCrypt, it's clear that no security conscious-users are going to feel comfortable trusting the software after this debacle," wrote Cluley.
No comments:
Post a Comment