by Michael Mimoso May 28, 2014 , 5:35 pm
Is it a hoax, or the end of the line for TrueCrypt?
At the moment, there is little more than speculation as to the appearance today of an ominous note greeting visitors to the TrueCrypt page at SourceForge. The text warns that the open source encryption software is not secure and informs users that development has been terminated.
It’s unclear whether the site has been defaced or whether the developers are aware of a critical vulnerability or backdoor that would jeopardize the integrity of the software, which has been downloaded more than 28 million times.
An audit of TrueCrypt was commissioned last year in order to determine if the software had been tampered with in the wake of the Edward Snowden leaks and the depths of surveillance by the National Security Agency. The results of the first phase of the audit were released on April 14 by iSEC Partners on behalf of the Open Crypto Audit Project and no backdoors were found. The first phase focused on the TrueCrypt bootloader and Windows kernel driver. Architecture and code reviews were performed, said Kenneth White, senior security engineer at Social & Scientific Systems, one of the OCAP architects.
A second phase, which has not yet begun, will focus on whether encryption suites, random number generators and critical algorithms have been properly implemented.
Many experts are downplaying the possibility that this is a defacement. Runa A. Sandvik, a privacy and security researcher and advisor on the TrueCrypt audit, told Threatpost that the current version listed on the SourceForge page, version 7.2, was signed yesterday with the same key used by the TrueCrypt Foundation for as long as two years. This was also confirmed by Kaspersky Lab researcher Costin Raiu.
“With a defacement, you would usually just expect to see the website change. In this change, the software seems to have changed as well,” Sandvik said. “The software has been modified to display a warning when you start it, as well as display a warning as part of the standard UI.”
Sandvik said she performed a quick analysis on the installer and saw no network traffic emanating from it.
“If the installer had a keylogger, you would expect the installer to at some point connect to another host and transfer information. Since there is no network traffic, there is no part of the installer that attempts to call home,” Sandvik said. “Note that I just did a very quick analysis, a deeper dive might uncover sketchy bits and pieces.”
Speculation ran amok on Twitter as well that the shutdown had to do with an impending announcement regarding the TrueCrypt audit, which White said, via his Twitter feed, is unfounded and that the announcement has to do with an upcoming OCAP initiative.
“As a general rule, any time a high-profile site gets replaced with a terse static page (much less redirects), I would urge caution,” White told Threatpost, adding that OCAP had reached out to the TrueCrypt developers seeking more information. “But at the moment, I’m afraid I don’t have much to add.”