Open source encryption tool TrueCrypt, which was endorsed by Snowden, has quit with a warning that it is insecure and that users should encrypt with BitLocker. If you attempt to visit truecrypt.org, you will be redirected to truecrypt.sourceforge.net and see, “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.”

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

That announcement is followed by a step-by-step guide to help people migrate existing data encrypted by TrueCrypt. This includes how to enable BitLocker if you don’t see it when right-clicking on a drive, or what to do if BitLocker reports a Trusted Platform Module (TPM) error. There’s also a how-to for non-system drives encrypted by TrueCrypt and creating a new virtual hard drive (VHD). At the bottom of the page there is another warning that states, “Using TrueCrypt is not secure.”

There’s a link to download TrueCrypt version 7.2, along with a warning to do so only “if you are migrating data encrypted by TrueCrypt.” There are extensive changes when comparing source code for the two versions. You can no longer encrypt, but only decrypt, with TrueCrypt 7.2. It’s also commented with things like “INSECURE_APP.”

Was this the work of the TrueCrypt team, and is it insecure?

The first phase of auditing TrueCrypt source code found “no evidence of backdoors or intentional flaws.” There were a few security vulnerabilities found, but nothing severe. Yesterday, the TrueCrypt Audit Project added a “p.s. We hope to have some *big* announcements this week, so stay tuned.”

Yet cryptographer Matthew Green, who helped start a crowdfunding effort to raise $70,000 so TrueCrypt could be professionally audited, said he had started “to have warm and fuzzy feelings about the code, thinking [the developers] were just nice guys who didn’t want their names out there.” Green told Brian Krebs, “I think the TrueCrypt team did this. They decided to quit and this is their signature way of doing it. They set the whole thing on fire, and now maybe nobody is going to trust it because they’ll think there’s some big evil vulnerability in the code.”

Was the change legitimate?

The Register pointed out that “on Wednesday, a Wikipedia user going under the handle ‘Truecrypt-end’ tried repeatedly to update the TrueCrypt page with similar text, but these changes were swiftly reverted by moderators.”

There is the possibility that TrueCrypt’s abrupt end-of-life is actually a warrant canary, triggered by a secret subpoena or National Security Letter (NSL) and resulting in a Lavabit-like end.

The flipside…

“I’ve long suspected that a government was behind TrueCrypt,” stated Jake Williams, SANS Instructor and Principal at Rendition InfoSec. “The code base is hugely complicated with lots of dependencies and is anything but easy to build, particularly for the Windows version. It’s a great way to obfuscate what is in the binary packages (which 99.9% of Windows users use) that may or may not be in the source code.”

Who knows if it was a government, a canary, or simply as stated… Microsoft ended XP and all other supported versions of Windows include integrated support for encryption. Or maybe the people behind the free and open source TrueCrypt, people who have safeguarded their identities, are sick to death of being burnt in flame wars.

As it stands now, you should give up TrueCrypt in favor of Microsoft’s BitLocker.
The TrueCrypt team also left directions for what to do if you have files encrypted by TrueCrypt on Mac OS X or Linux.