Security Advisory: TrueCrypt Insecure or Website Hacked?

BolehVPN Beta Client for Android
May 27, 2014
The TrueCrypt Mystery solved…or is it?
May 30, 2014
Show all

Security Advisory: TrueCrypt Insecure or Website Hacked?

 

truecryptTrueCrypt is relied by many security professionals worldwide to create encrypted volumes in which to store sensitive information. It also recently passed the First Phase of an independent security audit and is still being recommended by security expert Bruce Schneier. It is noted that even Edward Snowden used TrueCrypt which was one of the reasons that prompted the security audit.

Therefore it’s highly puzzling when TrueCrypt’s main website started informing its users that it’s insecure and to switch to Windows’ BitLocker instead:

truecrypt

Various news articles are covering it such as NeoWin and PCWorld and there are some who suspect that it is a website hack given the abrupt nature of the notice.

It is noted that Matthew Green, one of the people who worked on the security audit, tweeted that he believed it was a legitimate exit by the developers and not a website hack. It is noted however that he has not heard back officially from the TrueCrypt dveveloper. More concerning is that suspicious behavior is being observed with the latest version of TrueCrypt 7.2 which is reported to show unusual network activity.

neufuse

We will keep you posted as the news rolls in but it is probably best NOT to update to the latest TrueCrypt 7.2 for the moment until we receive official word on what is happening. You can also view Neowin’s discussion thread on this.

Update 29 May 2014 2:43 PM:
Their unofficial IRC channel on Freenode shows the following topic:

* Now talking in #truecrypt
* Topic is ‘Unofficial TrueCrypt channel | Site is potentially compromised so please excercise due diligence before downloading and installing | For now, we don’t know any more than you do.’
* Set by tomaw!tom@freenode/staff/tomaw on Thu May 29 05:32:12

Also it is further noted that whoever did this had the TrueCrypt signing key and signed the new software with it but it is peculiar that they would recommend a Microsoft encryption product like BitLocker.

Forbes has an excellent article on this in which they summised:

It is unclear whether the TrueCrypt developers were compromised or if this is all part of an elaborate plan to end development of the widely used tool. Forbes will continue to cover this unfolding story as more information becomes available.

Leave a Reply

Your email address will not be published. Required fields are marked *