Fear and confusion as iconic TrueCrypt security tool tells world to use BitLocker

A wind up or a wind down?

Something decidedly odd has befallen the hugely popular and iconic TrueCrypt encryption utility used by security-aware users the world over to encrypt data with the plausible certainty that even the NSA geeks with pocket protectors won't be able to break it.

On Wednesday, seemingly out of the blue, the open source project's website suddenly started forwarding to a message on SourceForge stating: "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues."

Without specifying the nature of these issues, the message went on to pin the project's demise on the ending of support for Windows XP, again without explaining why a well-trailed event relating to an obsolete operating system that happened on 8 April would have such a dramatic effect on the software.

It's true that the tool offers full disk encryption under XP - the OS lacks such a facility - but it also offers volume encryption under later versions of Windows for anyone (i.e. most FOSS users) who does not trust the alternatives. XP's end of life should not have affected this.

Stranger still, users are advised to migrate disk images to Microsoft's commercial BitLocker software, more or less anathema to mistrustful FOSS users, not to mention that it is only installed by default on Windows 8.1 Pro/Enterprise.

Coming only weeks after TrueCrypt was given a clean bill of security health by its first ever independent audit, the announcement was so unexpected and curt that many suspected the site had been hacked by a prankster.

Even though it appears that the latest version of the software, TrueCrypt 7.2, was signed with the correct developer key, many in the security community remain sceptical. TrueCrypt's developers are a shy bunch, but declaring the tool insecure without much explanation is not their accepted MO.

Either way, encryption is a type of software that is painfully susceptible to appearances, and the appearance being created here is not good. With conspiracy theories multiplying, most users will stop using the software until a better option becomes apparent.

If the message turns out to be genuine it will be a sad end for a program that famously defied the FBI in 2008 after they were called in to assist with a Brazilian police investigation.

Remember, barely five weeks ago the audit on behalf of the Open Crypto Audit Project (OCAP) found only minor issues with a tool that has become the one certainty in the data paranoiac's security toolchest.

"I think it unlikely that an unknown hacker (a) identified the Truecrypt devs, (b) stole their signing key, (c) hacked their site," commented Matthew Green, a research professor involved with the OCAP initiative, on Twitter.

That being the case, users are now living in the post-TrueCrypt era and need to come to terms with that as soon as possible.

What can be said is that if the message on TrueCrypt.org is genuine, it's almost a case study in how not to bring to a close the ten-year history of one of the most important independent security tools still in existence.
