TrueCrypt’s Egress

Security stories have taken on new life in our post-Snowden information security world. Truth is stranger than fiction, and no conclusion is too far-fetched when the details of mass surveillance and data collection capabilities are made public. The recent and abrupt disappearance of the disk encryption tool TrueCrypt (TC) on May 28th is no exception. The public website for the free tool at truecrypt.org now includes instructions on migrating to Microsoft’s BitLocker, with a message that TC is insecure. Lastly, the page includes a single download link to a new limited version (7.2) with only decryption functionality.

Based on current popular opinion and messages from people close to the secret development team, it appears that the plan all along was to pull the plug on the project. TC’s site states that the effort concluded in May when Microsoft officially ended its development of Windows XP. The timing still seems off, though, as the first stage of a crowd-funded audit had just been completed by the Open Crypto Audit Project, with no severe weaknesses found in the algorithms used and no backdoors present in the code.

Commenters and other bloggers have hinted that a possible fork of the project is imminent. There is no shortage of extreme theories; this is, after all, one data protection method used by Edward Snowden.

Beloved software always tends to live on in perpetuity through teams of dedicated and interested developers and volunteers. Within 48 hours of the news, the site truecrypt.ch popped up with the goal of mirroring working versions of the tool and raising support to continue the project. The attempted revivers of the project note that there were over “4000 Downloads in the first 24 hours” and exclaim “There is still demand for a product like TrueCrypt!” The last full-featured version that can create encrypted volumes (7.1a) has been mirrored there and in several other places since.

The final phase of the cryptanalysis being carried out by opencryptoaudit.org will hopefully reach a conclusion about what the referenced insecurity may be. The average user will probably follow the instructions provided by truecrypt.org, as long as they upgrade consistently and are running Windows Vista/7/8 Ultimate or Enterprise versions. Users of other operating systems have to seek out alternatives such as LUKS for Ubuntu flavors of Linux and FileVault for OS X.

My unofficial office poll of developers, pen testers, reverse engineers and incident responders produced a wide range of responses for what is next for users of TC. Many believed that keeping an old version (pre 7.2/7.1a) around to make changes to existing volumes was enough. Others immediately migrated their sensitive data to GNU Privacy Guard (GnuPG). GnuPG is a free, open-source and cross-platform tool to encrypt files and volumes that uses “Pretty Good Privacy” (PGP), offering similar functionality to that of TC. PGP for volume protection is also available in the for-profit, closed-source Symantec Encryption products Desktop and Server. The retirement of TrueCrypt will continue to raise data encryption and freeware software concerns.

In an industry where truth is stranger than fiction, our goal at Morphick Cyber Security is to offer our clients stability. Our approach of Intelligent Analysis and Morphick Defense has been built to anticipate change and gives us the flexibility to adapt in a quickly changing landscape. No matter what comes, we know we can Win Every Attack.