The Mystery Of The TrueCrypt Encryption Software Shutdown

Developers of the open-source software call it quits, saying software "may contain unfixed security issues."

Not long after news spread that TrueCrypt was shutting down, enough theories were circulating about what happened to fill an episode of the TV show 24.

To recap: The developers of the TrueCrypt open-source, on-the-fly encryption software announced Wednesday that they were ending development of the software. In a post online, the developers state the software "is not secure as it may contain unfixed security issues." In addition, they note that the development was ended after Microsoft ended its support of Windows XP, and that later versions of the operating system "offer integrated support for encrypted disks and virtual disk images."

The post urges users to migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on their respective platforms.

"The whole situation is very odd, but there are clues to what might be happening," says Mark Bower, vice president at Voltage Security. "The TrueCrypt development team is largely anonymous, and has unclear origins. On the one hand, TrueCrypt is a product that is supposed to be transparent about its security design, yet there have always been unclear aspects to its origins. On the other hand, it was about to be put through a thorough crowd-funded technical audit. Was there something to hide? Maybe so."

Last month, iSEC Partners released a code audit of TrueCrypt and found no backdoors or serious vulnerabilities in the portion of code it reviewed, which included the Windows kernel driver and bootloader.

Tom Ritter, principal security consultant at iSEC Partners, considers the end of TrueCrypt to be a loss to the open-source community.

"They've been working on it for I think over a decade," says Ritter. "That's a very long time to work on a project, so it might be they had other commitments come up in their lives and didn't want to let the project peter out, so to speak."

The first version of TrueCrypt was released in February 2004. Since its release, it has been downloaded approximately 30 million times. While many people may have downloaded it multiple times over the years, they are still looking at millions of people who are "now stuck with a new version of the software that will only decrypt and a recommendation to move to other encryption software," blogs Steve Pate, chief architect at HyTrust:

Well, we know for sure that AES is still a rock solid encryption algorithm and is widely used across the commercial space and nation states to protect their data. As for TrueCrypt, perhaps a group of part timers just decided to call it a day and end with a cruel twist? Hopefully time will tell what really happened.

What we do know is that TrueCrypt had been put through its paces. In 2013, the Open Crypto Audit Project was funded to ensure that TrueCrypt could be analyzed from a security perspective. The first set of results was released last month and showed that there was no evidence of any backdoors. A second review is still pending and we eagerly await the results of that, but now it may be moot. Whatever the real story is, TrueCrypt's reputation has likely been fatally injured. IT managers that have been relying on TrueCrypt will rightly be concerned about their organization's data security and their own reputation, and will be seeking professional alternatives. Strange days.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
theb0x,
User Rank: Ninja
5/30/2014 | 4:14:50 PM
Re: TrueCrypt users
I do recall in 2009 a bootkit was developed called Stoned which could successfully bypass TrueCrypt. Stoned injects itself into the MBR, a record which remains unencrypted even if the hard disk itself is fully encrypted. During startup, the BIOS first calls the bootkit, which in turn starts the TrueCrypt boot loader. Stoned uses a "double forward" to redirect I/O interrupt 13h, which allows it to insert itself between the Windows calls and TrueCrypt.

I would like to point out that this attack DOES require either physical access to the PC with the user already logged in with admin rights or an end user must be enticed to execute the malware. This DOES NOT actually break the encryption but rather acts as a MITM attack.

TrueCrypt is simply not designed to handle this method of attack.

This method could be applied to other software based encryption such as BitLocker and PGP.

Another flaw is that TrueCrypt stores its keys in RAM and has been confirmed to be vulnerable to a Cold Boot Attack. This is where the booted machine is powered off and the RAM modules are quickly frozen and the keys can be extracted.

Again, this method requires physical access to the machine that is powered on or suspended.

In conclusion, as long as the attacker has physical or administrative access to the system, software based encryption will never work.
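
A defensive check that follows from the comment above, as an added example that is not part of the original comment or article: because the MBR stays unencrypted, its bootstrap code can be hashed against a known-good baseline recorded at provisioning. The classic 446/64/2-byte MBR layout is assumed, and the sample sectors and helper names are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 446            # bytes 0..445: bootstrap code (classic MBR layout)
PART_TABLE_END = 510           # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def fingerprint_mbr(sector: bytes) -> dict:
    """Split a raw MBR sector into regions and hash each one separately."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[PART_TABLE_END:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[BOOT_CODE_END + 16 * i: BOOT_CODE_END + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append((i, status == 0x80, ptype, lba_start, sectors))
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "part_table_sha256": hashlib.sha256(
            sector[BOOT_CODE_END:PART_TABLE_END]).hexdigest(),
        "partitions": partitions,
    }


def compare_to_baseline(baseline: dict, current: dict) -> list:
    """Return the names of the regions whose hash differs from the baseline."""
    keys = ("boot_code_sha256", "part_table_sha256")
    return [k for k in keys if baseline[k] != current[k]]


def _sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector: given boot code plus one active type-0x07 partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3,
                        2048, 204800)
    table = entry + b"\x00" * 48
    return boot_code.ljust(BOOT_CODE_END, b"\x00") + table + BOOT_SIGNATURE


# Constructed samples: a baseline sector and one with altered bootstrap code.
BASELINE = fingerprint_mbr(_sample_mbr(b"\xeb\x3c\x90ORIGINAL-LOADER"))
MODIFIED = fingerprint_mbr(_sample_mbr(b"\xeb\x3c\x90REPLACED-LOADER"))

if __name__ == "__main__":
    print("changed regions:", compare_to_baseline(BASELINE, MODIFIED))
```

The sector should be read from trusted external boot media, since code that already controls the boot path can falsify what the running system reads from disk.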

 
Kelly Jackson Higgins,
User Rank: Strategist
5/30/2014 | 1:36:46 PM
TrueCrypt users
Anyone out there left high and dry by this? I'd love to hear some firsthand experience with the tool and what users' plans are next.