Ominous Warning Or Hoax? Truecrypt Warns Software ‘Not Secure,’ Development Shut Down

[Reefa]

Is it a hoax, or the end of the line for TrueCrypt?

At the moment, there is little more than speculation as to the appearance today of an ominous note greeting visitors to the TrueCrypt page at SourceForge. The text warns that the open source encryption software is not secure and informs users that development has been terminated.

The page also demonstrates step-by-step instructions explaining how to migrate from TrueCrypt to BitLocker, Microsoft’s file and disk encryption software.

It’s unclear whether the site has been defaced or whether the developers are aware of a critical vulnerability or backdoor that would jeopardize the integrity of the software, which has been downloaded more than 28 million times.

An audit of TrueCrypt was commissioned last year in order to determine if the software had been tampered with in the wake of the Edward Snowden leaks and the depths of surveillance by the National Security Agency. Theresults of the first phase of the audit were released on April 14 by iSEC Partners on behalf of the Open Crypto Audit Project and no backdoors were found. The first phase focused on the TrueCrypt bootloader and Windows kernel driver. Architecture and code reviews were performed, said Kenneth White, senior security engineer at Social & Scientific Systems, one of the OCAP architects.

A second phase, which has not yet begun, will focus on whether encryption suites, random number generators and critical algorithms have been properly implemented.

Many experts are downplaying the possibility that this is a defacement. Runa A. Sandvik, a privacy and security researcher and advisor on the TrueCrypt audit, told Threatpost that the current version listed on the SourceForge page, version 7.2, was signed yesterday with the same key used by the TrueCrypt Foundation for as long as two years. This was also confirmed by Kaspersky Lab researcher Costin Raiu.

“With a defacement, you would usually just expect to see the website change. In this change, the software seems to have changed as well,” Sandvik said. “The software has been modified to display a warning when you start it, as well as display a warning as part of the standard UI.”

Sandvik said she performed a quick analysis on the installer and saw no network traffic emanating from it.

“If the installer had a keylogger, you would expect the installer to at some point connect to another host and transfer information. Since there is no network traffic, there is no part of the installer that attempts to call home,” Sandvik said. “Note that I just did a very quick analysis, a deeper dive might uncover sketchy bits and pieces.”

Speculation ran amok on Twitter as well that the shutdown had to do with an impending announcement regarding the TrueCrypt audit, which White said, via his Twitter feed, is unfounded and that the announcement has to do with an upcoming OCAP initiative.

“As a general rule, any time a high-profile site gets replaced with a terse static page (much less redirects), I would urge caution,” White told Threatpost, adding that OCAP had reached out to the TrueCrypt developers seeking more information. “But at the moment, I’m afraid I don’t have much to add.”

Source

[Dodel]

The anonymous developers responsible for building and maintaining the free whole-disk encryption suite TrueCrypt apparently threw in the towel this week, shuttering the TrueCrypt site and warning users that the product is no longer secure now that Microsoft has ended support for Windows XP.

Full story :- http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/

Hats off to Krebs yet again.

[SlimRock]

TrueCrypt Hack Info:

Diff. b/w latest version and the hoax one:

• https://github.com/warewolf/truecrypt/compare/master...7.2

The binary on the website is capable only to decode encrypted data, not encode, and may contain trojan (seems like it doesn't, but don't believe me). The binary is signed with the valid (usual) key. All old versions are wiped, the repository is wiped too.Assumption #1 The website is presumed hacked, the keys are presumed compromised. Please do not download or run it. And please don't switch to bitlocker.Latest working version is 7.1a. Version 7.2 is a hoaxOn the SourceForge, the keys were changed before any TrueCrypt files uploaded, but now they are deleted and the old keys got reverted back.Why I think so: strange key change, why bitlocker?Assumption #2 Something bad happened to TrueCrypt developers (i.e. take down or death) or to TrueCrypt itself (i.e. found the worst vulnerability ever) which made them do such a thing. So this version is legitWhy I think so: all files are with valid signatures, all the releases are available (Windows; Linux x86, x86_64, console versions, Mac OS, sources), the binaries seems like was built on the usual developer PC (there are some paths like c:\truecrypt-7.2\driver\obj_driver_release\i386\truecrypt.pdb, which were the same for 7.1a). License text is changed too (see the diff below).Why is it ridiculous for TrueCrypt developers to suggest moving to BitLocker? Well, TrueCrypt was strictly against of using TPM because it may contain extra key chains which allow agencies like NSA to extract your private key. So why would they suggest such a thing and not other open-source alternatives? It looks like a clear sign that the developer can't say he's in danger so he did this. As many suppose, this could be the sort of warrant canaryAssumption #2 is more likely true than assumption #1. Sad but true.Assumption #3 7.1a is backdoored and the developer wants all users to stop using it.Why I think so: there is a website http://truecryptcheck.wordpress.com which contains all the hash sums for TrueCrypt 7.1a. Is has only 1 blog record from August 15, 2013, only for TrueCrypt and only for 7.1a. It's a bit strange to make a website with the hash sums for only one program and only one version of it.SourceForge sent emails on 22 May, they said they changed password algorithms and everybody should change their passwords.SourceForge claims everything is as usual (from https://news.ycombinator.com/item?id=7813121):Providing some details from SourceForge:We have had no contact with the TrueCrypt project team (and thus no complaints).We see no indicator of account compromise; current usage is consistent with past usage.Our recent SourceForge forced password change was triggered by infrastructure improvements not a compromise. FMI see http://sourceforge.net/blog/forced-password-change/Thank you,The SourceForge Team [email protected] developers are unknown and currently there is no way to know who is who and who should we listen to.From wikileaks twitter 
(1/4) Truecrypt has released an update saying that it is insecure and development has been terminated http://t.co/lTtSlVJRM3
— WikiLeaks (@wikileaks) May 28, 2014
) Truecrypt has released an update saying that it is insecure and development has been terminated http://truecrypt.sf.net(2/4) the style of the announcement is very odd; however we believe it is likely to be legitimate and not a simple defacement(3/4) the new executable contains the same message and is cryptographically signed. We believe that there is either a power conflict..(4/4) in the dev team or psychological issues, coersion of some form, or a hacker with access to site and keys.From Matthew Green (one of TrueCrypt auditor) twitter 
@SteveBellovin @mattblaze @0xdaeda1a I think this is legit.
— Matthew Green (@matthew_d_green) May 28, 2014
 @mattblaze @0xdaeda1a I think this is legit.TrueCrypt Setup 7.1a.exe:sha1: 7689d038c76bd1df695d295c026961e50e4a62eamd5: 7a23ac83a0856c352025a6f7c9cc1526TrueCrypt 7.1a Mac OS X.dmg:sha1: 16e6d7675d63fba9bb75a9983397e3fb610459a1md5: 89affdc42966ae5739f673ba5fb4b7c5truecrypt-7.1a-linux-x86.tar.gz:sha1: 0e77b220dbbc6f14101f3f913966f2c818b0f588md5: 09355fb2e43cf51697a15421816899betruecrypt-7.1a-linux-x64.tar.gz:sha1: 086cf24fad36c2c99a6ac32774833c74091acc4dmd5: bb355096348383987447151eecd6dc0eDiff between latest version and the hoax one: https://github.com/warewolf/truecrypt/compare/master...7.2Screenshot: http://habrastorage.org/getpro/habr/post_images/da1/1bf/6a5/da11bf6a5225fa718987ba4e54038fc1.pngTopics: https://news.ycombinator.com/item?id=7812133http://www.reddit.com/r/netsec/comments/26pz9b/truecrypt_development_has_ended_052814/http://www.reddit.com/r/sysadmin/comments/26pxol/truecrypt_is_dead/http://www.reddit.com/r/crypto/comments/26px1i/truecrypt_shutting_down_development_of_truecrypt/http://arstechnica.com/security/2014/05/truecrypt-is-not-secure-official-sourceforge-page-abruptly-warns/http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/Twitter stream: https://twitter.com/search?q=truecrypt&src=typdYou may join IRC #[email protected], although there is no OPs right now.

Source : github & Reddit

[sujith]

TrueCrypt alternatives

1. DiskCryptor

The program can encrypt system partitions and non-system partitions supporting all recent versions of the Windows operating system, third-party boot loaders and a lot more.

DiskCryptor supports several encryption algorithm and combinations, hardware AES acceleration if supported by the system, and full support for external storage devices.

This is my favorite right now as it comes closest to TrueCrypt's functionality.

2. AxCrypt

The program cannot encrypt partitions but only individual files. While not a full alternative to TrueCrypt, it can be used to encrypt important files on the system. The program uses AES 128-bit encryption and supports key-files as well.

3. AES Crypt

Available for Windows, Mac, Linux and mobile operating systems. It supports file-based encryption only which means that you can right-click files on your system to either encrypt or decrypt them.

4. Windows Bitlocker

Bitlocker is part of Windows Enterprise and Ultimate editions only, and Pro versions on Windows 8. Claims that Bitlocker has a built-in backdoor for law enforcement and other agencies have never been proven, but it does contain recovery key functionality which can be used to decrypt drives protected by it and may be stored on Microsoft servers and not locally.

5. Cloudfogger

Specifically designed to protect data that you synchronize with cloud services such as Google Drive, OneDrive or Dropbox. It uses 256bit AES and will detect supported cloud providers automatically after installation. Not available for Linux.

6. BestCrypt Container Encryption (commercial)

The program is not free. It supports Windows, Mac OS and Linux, and can create encrypted containers on your drive similarly to how TrueCrypt handled encrypted containers. Supports the creation of multiple encrypted containers which can all be mounted as virtual drives on the system.

Additional features include enhanced hidden containers, full version of wiping and archiving programs, and options to encrypt the Windows swap file.

Supports several algorithms including AES, CAST, Serpent, Twofish and Blowfish.

7. Challenger (free for personal use)

The program can be used to encrypt individual files, folders or drives on Windows. The project website lacks information about ciphers and encryption algorithms used.

8. Cryptsetup

Only available for Linux. Supports TrueCrypt disk formats and others. Source code available.

If you are running an older version you could wait for things to unfold. It is probably the easiest option right now, and unless you are in a situation where you need to be sure that the encryption used is not vulnerable to attacks, waiting a couple of days for official statements or additional information is probably the best course of action.

If you do not want to wait for whatever reason, you may switch to a different encryption program.

First thing you may want to do is decrypt the hard drive. This is only possible for the system partition and not for other partitions or hard drives.

1. The device should be mounted already considering that it is the system partition.
   
2. Right-click on it in the TrueCrypt interface and select Decrypt from the context menu.
   
3. Follow the wizard to decrypt the drive so that it is no longer encrypted.
   

What can you do if you have encrypted a non-system partition?

Unfortunately, not a lot. The only feasible solution that I'm aware of is to mount the drive on the system and copy the files stored on it to another hard drive.

This works only if you have enough free storage space on other hard drives available for the operation. TrueCrypt does not support the decryption of non-system partitions, and there does not seem to be another way around this limitation.

SOurcehttp://www.ghacks.net/2014/05/29/list-truecrypt-encryption-alternatives/

Edited May 29, 2014 by sujith

[Dodel]

kinda posted already Here

Odd as i did search before posting. Oh well I'll report and get it merged, apologies for dupe post.

[Matt]

Topics Merged.

[J.C]

Saw @ pastein: http://pastebin.com/9catw4X7

The message on TrueCrypt's new website got me thinking:

Using TrueCrypt is not secure as it may contain unfixed security issues

Let's isolate the first letter of each word:

(U)sing (T)rueCrypt (i)s (n)ot (s)ecure (a)s (i)t (m)ay ©ontain (u)nfixed (s)ecurity (i)ssues

Result?

utinsaimcusi

Let's spread that!

uti nsa im cu si

That is latin for

"If I wish to use the NSA"

Stay away from future Truecrypt releases. This is clearly a warning from the developers.

Edited June 10, 2014 by J.C

[SnakeMasteR]

WARNING: Using Windows, Linux, MacOSX, any software that has been compiled in any way and has more than 100 lines of code on mother earth and your brain (if you have one) is not secure as it may contain unfixed security issues

Please uninstall Windows, Linux, MacOSX, any software that has been compiled in any way and has more than 100 lines of code on mother earth and your brain (if you have one) as soon as possible

WARNING: Using Windows, Linux, MacOSX, any software that has been compiled in any way and has more than 100 lines of code on mother earth and your brain (if you have one) is not secure