Sudden Death of Free Encryption Service TrueCrypt Baffles Experts

Free disk encryption service TrueCrypt appears to have closed its doors after posting a warning message claiming that it “may contain unfixed security issues”.

Visitors to truecrypt.org will now be redirected to its home page on open source developer site sourceforge.net.
 
There they’ll be greeted with the warning message about security issues and the following: “This page exists only to help migrate existing data encrypted by TrueCrypt.
 
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.”
 
What follows is a detailed guide showing users how to migrate from TrueCrypt to BitLocker – the drive encryption feature built into Windows.
 
A new “decrypt only” version of the tool, TrueCrypt 7.2, is available for download at the bottom of the page for Windows, Mac OS X and Linux users.
 
The lack of any further information from the team behind TrueCrypt and the abruptness with which the service appears to have been end-of-lifed led some to suspect hackers may have hijacked the page in a bid to get users to download malware.
 
Paul Ducklin, APAC head of technology at Sophos, warned users in a blog post that the “unprofessional-looking and abrupt download page suggests that you'd be unwise to trust anything about it”.
 
However, Brian Krebs noted that “a cursory review of the site’s historic hosting, WHOIS and DNS records shows no substantive changes recently”.
 
Ducklin speculated that the sudden demise of the encryption service could alternatively be the result of a legal challenge, similar to that which closed down Edward Snowden’s favourite secure email service Lavabit.
 
A final theory is that it had something to do with a major security audit of TrueCrypt spearheaded by cryptographer Matthew Green and begun earlier this year by iSEC Partners.
 
The first component has already been completed and apparently found no major vulnerabilities, but there’s always a chance the anonymous team behind the service took it down because they knew something bad might come to light when phase two commenced.
 
“I think the TrueCrypt team did this,” Green told Krebs on Security. “They decided to quit and this is their signature way of doing it.”
 
He added that a group of volunteer programmers could still be assembled to continue development of the code in the future.
