Jump to content

Strange Doings at TrueCrypt

ebrke

By ebrke
in Security & Networking

 Share

Recommended Posts

ross549

ross549

Posted
Posted

Steve Gibson noted that there is only a Windows EXE available on Sourceforge.....

 

Seems really odd. I bet the project was compromised somehow.

 

Adam

Link to comment
Share on other sites
ross549

ross549

Posted
Posted
The SourceForge page, which was delivered to people trying to view truecrypt.org pages, contained a new version of the program that, according to this "diff" analysis, appears to contain only changes that warn the program isn't safe to use. Significantly, TrueCrypt version 7.2 was certified with the official TrueCrypt private signing key. That suggested the page warning TrueCrypt isn't safe wasn't a hoax posted by hackers who managed to gain unauthorized access. After all, someone with the ability to sign new TrueCrypt releases probably wouldn't squander that hack with a prank. Alternatively, the post suggests that the cryptographic key that certifies the authenticity of the app has been compromised and is no longer in the exclusive control of the official TrueCrypt developers. In either case, it's a good idea for TrueCrypt users to pay attention and realize that it's necessary to move to a new crypto app. Ars will continue to cover this unfolding story as more information becomes available.

 

http://arstechnica.com/security/2014/05/truecrypt-is-not-secure-official-sourceforge-page-abruptly-warns/?kw=100k_pvs&search=100k_pvs

 

Link to comment
Share on other sites
Guest LilBambi

Guest LilBambi

Posted
Posted (edited)

TrueCrypt now encouraging users to use Microsoft's Bitlocker - PCWorld

 

The site continued: "The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP," it read. "Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform."

 

...

 

The move was especially puzzling, given that TrueCrypt, a popular security choicefor PCWorld users for several years, had recently passed the first round of a security audit. iSec, the firm that did the audit, found 11 flaws, but none that were immediately exploitable. Otherwise, iSec said it “found no evidence of backdoors or intentional flaws”.

 

Could have been quite a few things. Might even have been some sort of strong arm tactics by some 3-4 letter agencies ...

Edited by LilBambi
Link to comment
Share on other sites
ross549

ross549

Posted
Posted

I heard some speculation that this might have something to do with Snowden's interview on TV tonight. Entirely rumors, though.

 

Adam

Link to comment
Share on other sites
securitybreach

securitybreach

Posted
Posted

I assume this is for all platforms? I thought since truecrypt is an open source encryption application. one would generally assume that people are auditing it quite a bit since it's open source. I wonder if the devs purposely put in a back door to let the NSA bypass it....

 

Oh well.... at least we still have dm-crypt/LUKS (for the moment anyway) https://wiki.archlinux.org/index.php/LUKS

Link to comment
Share on other sites
crp

crp

Posted
Posted

inside job ?

 

this situation is just so weird , for instance why setup a new security key just for a program that does not encrypt ?

Link to comment
Share on other sites
ross549

ross549

Posted
Posted

The speculation is rampant at reddit right now.....

 

http://www.reddit.co...s_ended_052814/

 

Specifically...

 

http://www.reddit.co..._052814/chtf998

 

The binary on the website is capable only to decode encrypted data, not encode, and may contain trojan (seems like it doesn't, but don't believe me). The binary is signed with the valid (usual) key. All old versions are wiped, the repository is wiped too.

 

Assumption #1 The website is presumed hacked, the keys are presumed compromised. Please do not download or run it. And please don't switch to bitlocker.

Latest working version is 7.1a. Version 7.2 is a hoax

On the SourceForge, the keys were changed before any TrueCrypt files uploaded, but now they are deleted and the old keys got reverted back.

Why I think so: strange key change, why bitlocker?

 

Assumption #2 Something bad happened to TrueCrypt developers (i.e. take down or death) or to TrueCrypt itself (i.e. found the worst vulnerability ever) which made them do such a thing. So this version is legit

Why I think so: all files are with valid signatures, all the releases are available (Windows; Linux x86, x86_64, console versions, Mac OS, sources), the binaries seems like was built on the usual developer PC (there are some paths like c:\truecrypt-7.2\driver\obj_driver_release\i386\truecrypt.pdb, which were the same for 7.1a). License text is changed too (see the diff below).

Why is it ridiculous for TrueCrypt developers to suggest moving to BitLocker? Well, TrueCrypt was strictly against of using TPM because it may contain extra key chains which allow agencies like NSA to extract your private key. So why would they suggest such a thing and not other open-source alternatives? It looks like a clear sign that the developer can't say he's in danger so he did this. As many suppose, this could be the sort of warrant canary

Assumption #2 is more likely true than assumption #1. Sad but true.

 

Assumption #3 7.1a is backdoored and the developer wants all users to stop using it.

Why I think so: there is a website http://truecryptcheck.wordpress.com which contains all the hash sums for TrueCrypt 7.1a. Is has only 1 blog record from August 15, 2013, only for TrueCrypt and only for 7.1a. It's a bit strange to make a website with the hash sums for only one program and only one version of it.

SourceForge sent emails on 22 May, they said they changed password algorithms and everybody should change their passwords.

SourceForge claims everything is as usual (from https://news.ycombin...em?id=7813121):

Providing some details from SourceForge:

  • We have had no contact with the TrueCrypt project team (and thus no complaints).
     

  • We see no indicator of account compromise; current usage is consistent with past usage.
     

  • Our recent SourceForge forced password change was triggered by infrastructure improvements not a compromise. FMI seehttp://sourceforge.n...assword-change/

Thank you,

The SourceForge Team communityteam@sourceforge.net

 

 

TrueCrypt developers are unknown and currently there is no way to know who is who and who should we listen to.

From wikileaks twitter https://twitter.com/...69936038461440:

(1/4) Truecrypt has released an update saying that it is insecure and development has been terminated

(2/4) the style of the announcement is very odd; however we believe it is likely to be legitimate and not a simple defacement

(3/4) the new executable contains the same message and is cryptographically signed. We believe that there is either a power conflict..

(4/4) in the dev team or psychological issues, coersion of some form, or a hacker with access to site and keys.

 

From Matthew Green (one of TrueCrypt auditor) twitterhttps://twitter.com/...52508147519488:

@SteveBellovin @mattblaze @0xdaeda1a I think this is legit.

 

TrueCrypt Setup 7.1a.exe:

  • sha1: 7689d038c76bd1df695d295c026961e50e4a62ea
  • md5: 7a23ac83a0856c352025a6f7c9cc1526

TrueCrypt 7.1a Mac OS X.dmg:

  • sha1: 16e6d7675d63fba9bb75a9983397e3fb610459a1
  • md5: 89affdc42966ae5739f673ba5fb4b7c5

truecrypt-7.1a-linux-x86.tar.gz:

  • sha1: 0e77b220dbbc6f14101f3f913966f2c818b0f588
  • md5: 09355fb2e43cf51697a15421816899be

truecrypt-7.1a-linux-x64.tar.gz:

  • sha1: 086cf24fad36c2c99a6ac32774833c74091acc4d
  • md5: bb355096348383987447151eecd6dc0e

Diff between latest version and the hoax one:https://github.com/w...re/master...7.2

Screenshot:http://habrastorage....a4e54038fc1.png

Topics: https://news.ycombin...item?id=7812133

http://www.reddit.co...s_ended_052814/

http://www.reddit.co...ecrypt_is_dead/

http://www.reddit.co...t_of_truecrypt/

http://arstechnica.c...abruptly-warns/

http://krebsonsecuri...-is-not-secure/

Twitter stream: https://twitter.com/...ecrypt&src=typd

You may join IRC #truecrypt@irc.freenode.net, although there is no OPs right now.

Link to comment
Share on other sites
ross549

ross549

Posted
Posted

Spoiler alert- he has no idea either. Right now everything I've seen regarding TrueCrypt is pure speculation. No information of any substance has come forward, and that is really interesting/scary.

 

Here's the thing- this is an open source project. Someone has the code for it. Assuming the NSA hit the authors (despite being anonymous) with a NSL, and True Crypt behind in the same way Lavabit did earlier, what's to stop someone from restarting to project elsewhere?

 

This poses interesting implications for Open Source software, assuming the above is true. How should the OSS community respond to such actions? Move projects overseas to international servers? Continue development within the Tor network?

 

Knowing what really happened in the TrueCrypt situation is critical before moving forward.

 

Adam

Link to comment
Share on other sites
Guest LilBambi

Guest LilBambi

Posted
Posted (edited)

I wanted to see what Bruce Schneier had to say because he uses this and he is a security expert I trust.

Here's his post today https://www.schneier.com/

 

Adam's right. He has no ideas posted but he does have a couple more links (Brian Krebs and Cory Doctorow) than we have here so far.

 

Here's the full link to that blog posting:

 

https://www.schneier...ecrypt_wtf.html

Edited by LilBambi
Link to comment
Share on other sites
Guest LilBambi

Guest LilBambi

Posted
Posted

Hmmm, another possibility...

 

Since the Windows version is an .exe on SourceForge, maybe the project became an unwitting dev that started using SourceForge's crapware installer for executables and the project's users started getting burned by it in Windows. ;)

Link to comment
Share on other sites
ross549

ross549

Posted
Posted

Interesting.....

 

But the page specifically mentions security problems within TrueCrypt. If the Sourceforge crap was a problem, they could simply move the project to Github....

 

 

Adam

Link to comment
Share on other sites
Guest LilBambi

Guest LilBambi

Posted
Posted (edited)

Interesting quote from Cory Doctorow's BoingBoing article:

 

Truecrypt is a widely used system for disk-encryption, and is particularly noted for its "plausible deniability" feature, through which users can create hidden partitions within their cryptographic disks that only emerge if you enter the correct passphrase; this is meant to be a defense against "rubber hose cryptanalysis," in which someone is physically or legally threatened in order to coerce them into yielding up her keys. In the "plausible deniability" scenario, the victim can give up the keys to a "harmless" partition while keeping the very existence of a second partition for sensitive material a secret. I am a Truecrypt user, as, apparently, is Edward Snowden, who lectured on the software's use at a Cryptoparty he held in Hawai'i before going on the run.

 

I begin to smell a rat.

 

Remember Lavabit...

Edited by LilBambi
Link to comment
Share on other sites
Guest LilBambi

Guest LilBambi

Posted
Posted

Interesting.....

 

But the page specifically mentions security problems within TrueCrypt. If the Sourceforge crap was a problem, they could simply move the project to Github....

 

 

Adam

 

Good point. But look above. The style of taking it down is very much like Lavabit.

Link to comment
Share on other sites
ebrke

ebrke

Posted
  • Author
Posted (edited)

BoingBoing webpage won't load, neither will a link to this on Twitter. I don't know if just too many people are hitting the sites or if there's a more ominous reason. I did pick up a reference to Glenn Greenwald's believing that TrueCrypt was penetrated on his partner's computer. The lack of any specific information makes this entire situation more than a little alarming.

Edited by ebrke
Link to comment
Share on other sites
V.T. Eric Layton

V.T. Eric Layton

Posted
Posted

I think I dated that guy's sister once. She had a stiffer beard, though, if I remember correctly.

Link to comment
Share on other sites
ross549

ross549

Posted
Posted

:P

 

Anyway.... there is one key thought I have about the whole situation. TrueCrypt is Open Source. Someone has the code for it, I guarantee it. So why not just resurrect the project elsewhere? Why does TrueCrypt have to be dead?

 

Adam

Link to comment
Share on other sites
securitybreach

securitybreach

Posted
Posted

This is beginning to be quite the mystery. It will be interesting to see what the real story is.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...