DBSA:2014-0011
Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Contents
Digibase Security Advisory - Truecrypt Regarded Compromised
Keywords: Truecrypt, Compromised, Encryption, Cryptography
DBSA ID: 2014-0011
Regarding: Truecrypt Regarded Compromised
Writeup: Kradorex Xeron (talk) 21:09, 29 May 2014 (EDT)
Date: 2014 05 30
Last Modified: 20140529210906 by Kradorex Xeron
Who should take note: Everyone, particularily Truecrypt users.
Classification
Priority: HIGH
Rationale: Immediate action is required to ensure sensitive encrypted user data is secured.
Severity: HIGH
Rationale: Secured data is possibly vulnerable. No confirmation indicating otherwise.
Spread of Issue: MULTI-PLATFORM MODERATE
Rationale: Truecrypt is available for Windows, Mac OSX and Linux.
Description
Truecrypt is a product released by an independent team that provides users an encrypted container for their files. Recently Truecrypt's development unexpectedly ceased and was suspiciously replaced with potentially flawed security advice and as well a subsequent release of the software was issued that could only decrypt data and couldn't encrypt data. The developers also have seemingly indicated that the software is insecure and should not be used anymore, going as far as modifying the source code of the software greatly to indicate this. The license has also been modified to create an absolute permission to take the Truecrypt codebase in full without credit and create a new project based on that code.
Various individuals seem to highlight that that this could be a "warrant canary" where Truecrypt's developers are covertly indicating that they and the project and its developers have been compromised by way of government action due to its privacy-enhancing effects that provide individuals security. This is a possibility that we cannot currently discredit and thus the reason for this advisory.
Mitigation/Solution
It is advised to treat Truecrypt as currently compromised and not to trust software released under the Truecrypt name.
Users are advised to investigate alternate encryption mechanisms that are independent of US-controlled entities. US-based companies like Microsoft or Apple cannot be trusted to create secure code that isn't impacted by National Security Letters issued by US government agencies.
Continued Truecrypt use is not advised for highly sensitive data but for continued use, only use versions 7.1a and prior. Do not use 7.2 or later as these versions may be subject to compromise.