DBSA:2014-0011

From Digibase Knowledge Base
Jump to: navigation, search

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.

Digibase Security Advisory - Truecrypt Regarded Compromised

Keywords: Truecrypt, Compromised, Encryption, Cryptography

DBSA ID: 2014-0011

Regarding: Truecrypt Regarded Compromised

Writeup: Kradorex Xeron (talk) 21:09, 29 May 2014 (EDT)

Date: 2014 05 30

Last Modified: 20140529200906 by Kradorex Xeron

Who should take note: Everyone, particularily Truecrypt users.

Classification

Priority: HIGH

Rationale: Immediate action is required to ensure sensitive encrypted user data is secured.

Severity: HIGH

Rationale: Secured data is possibly vulnerable. No confirmation indicating otherwise.

Spread of Issue: MULTI-PLATFORM MODERATE

Rationale: Truecrypt is available for Windows, Mac OSX and Linux.

Description

Truecrypt is a product released by an independent team that provides users an encrypted container for their files. Recently Truecrypt's development unexpectedly ceased and was suspiciously replaced with potentially flawed security advice and as well a subsequent release of the software was issued that could only decrypt data and couldn't encrypt data. The developers also have seemingly indicated that the software is insecure and should not be used anymore, going as far as modifying the source code of the software greatly to indicate this. The license has also been modified to create an absolute permission to take the Truecrypt codebase in full without credit and create a new project based on that code.

Various individuals seem to highlight that that this could be a "warrant canary" where Truecrypt's developers are covertly indicating that they and the project and its developers have been compromised by way of government action due to its privacy-enhancing effects that provide individuals security. This is a possibility that we cannot currently discredit and thus the reason for this advisory.

Mitigation/Solution

It is advised to treat Truecrypt as currently compromised and not to trust software released under the Truecrypt name.

Users are advised to investigate alternate encryption mechanisms that are independent of US-controlled entities. US-based companies like Microsoft or Apple cannot be trusted to create secure code that isn't impacted by National Security Letters issued by US government agencies.

Continued Truecrypt use is not advised for highly sensitive data but for continued use, only use versions 7.1a and prior. Do not use 7.2 or later as these versions may be subject to compromise.

References