The sudden and unexplained demise of the popular TrueCrypt product is raising eyebrows this week. TrueCrypt was a free disk encryption product maintained by anonymous developers. There was already quite a bit of suspicion about the provenance of TrueCrypt, which sparked an effort to independently validate that it did not contain backdoors or vulnerabilities.

Last October Matthew Green, cryptographer at Johns Hopkins University, tweeted the following: “I’m saying that trusting an uncertified Windows binary from a mysterious anonymous organization isn’t good practice.”  Green issued that warning after learning that Glenn Greenwald’s partner, David Miranda, had used TrueCrypt to encrypt the files seized by UK authorities when he was detained for nine hours while passing through Heathrow.

Green had just launched an effort to audit TrueCrypt (the Open Crypto Audit Project). The audit, conducted by iSEC Partners, produced its first report on April 14, 2014.

Many people have commented on the strange recommendation, posted on the TrueCrypt site, that anyone using TrueCrypt switch to Microsoft BitLocker. Aside from the broad loss of trust in large technology vendors that have been named as participants (willing or unwilling) in the NSA’s PRISM collection program, BitLocker has a serious issue with the way recovery keys are stored.

An alternative to TrueCrypt is GnuPG, an open-source, actively maintained encryption package. Note that GnuPG encrypts individual files and messages rather than whole disks or volumes. It is somewhat cumbersome, especially from the command line, but it can be mastered with modest effort and is highly recommended, especially for journalists.
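As an added example (not code from the original post or from the GnuPG project), this is the command-line workflow a journalist would use to protect a single file with a passphrase, plus a self-check that the ciphertext round-trips, does not leak the plaintext, and rejects a wrong passphrase. It assumes GnuPG 2.1 or later is on PATH; the passphrase and file contents are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the original post: encrypt a single file with a
# passphrase using GnuPG, as a TrueCrypt substitute for files rather than
# volumes. Assumes GnuPG 2.1 or later on PATH (older versions lack
# --pinentry-mode). The passphrase and file contents are constructed samples.

# Encrypt $1 to $2. The passphrase is read from standard input, never passed as
# an argument, because arguments are visible to every user in the process list.
# AES-256 with an iterated, salted key derivation (s2k mode 3) at a high count.
gpg_encrypt_file() {
  gpg --batch --yes --quiet \
      --pinentry-mode loopback --passphrase-fd 0 \
      --symmetric --cipher-algo AES256 \
      --s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65011712 \
      --output "$2" "$1"
}

# Decrypt $1 to $2, passphrase again on standard input.
gpg_decrypt_file() {
  gpg --batch --yes --quiet \
      --pinentry-mode loopback --passphrase-fd 0 \
      --decrypt --output "$2" "$1"
}

# Self-check in a throwaway GNUPGHOME: the file must survive a round trip, the
# ciphertext must not contain the plaintext, and a wrong passphrase must fail.
# Returns 0 only when all three hold.
gpg_roundtrip_check() {
  work=$(mktemp -d) || return 1
  GNUPGHOME="$work/home"; export GNUPGHOME
  mkdir -m 700 "$GNUPGHOME" || return 1
  printf 'constructed sample: interview notes\n' > "$work/notes.txt"
  pass='correct horse battery staple'   # constructed; choose your own

  rc=1
  if printf '%s' "$pass" | gpg_encrypt_file "$work/notes.txt" "$work/notes.gpg" &&
     ! grep -q 'interview notes' "$work/notes.gpg" &&
     printf '%s' "$pass" | gpg_decrypt_file "$work/notes.gpg" "$work/notes.out" &&
     cmp -s "$work/notes.txt" "$work/notes.out" &&
     ! printf '%s' 'wrong passphrase' | gpg_decrypt_file "$work/notes.gpg" "$work/bad.out" 2>/dev/null
  then
    rc=0
  fi
  gpgconf --kill gpg-agent 2>/dev/null   # stop the agent started under the temp home
  rm -rf "$work"
  return $rc
}
```

For day-to-day use, call `gpg_encrypt_file notes.txt notes.gpg` and type the passphrase on standard input; the self-check exists so you can confirm the installed GnuPG behaves as expected before trusting it with real material.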

Enterprise encryption options are much more mature, with key management being the primary differentiator.

I interviewed Mark Hickman, COO of WinMagic, at the RSA Conference this year. Mark points out that encryption itself has become commoditized. Many organizations use BitLocker, and Microsoft has addressed one of its major management headaches with an insecure workaround: recovery keys (everyone forgets their passphrase eventually) are stored in plain text in Active Directory (AD). Sophisticated attackers will know to target AD to gain access to those recovery keys.
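The check a defender (or a pentester with a low-privilege domain account) wants here is whether that account can read the escrowed recovery passwords. The following is an added example, not code from the original post or from WinMagic: it queries AD for msFVE-RecoveryInformation objects with OpenLDAP's ldapsearch and reduces the LDIF to one line per computer. It assumes ldapsearch (ldap-utils / openldap-clients) and a domain account; the host name, DNs and the recovery passwords in SAMPLE_LDIF are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or from WinMagic: see which
# BitLocker recovery passwords escrowed in Active Directory an ordinary domain
# account can read. Assumes OpenLDAP's ldapsearch and a domain account; host
# names, DNs and the passwords in SAMPLE_LDIF are constructed placeholders.

# Query AD for every msFVE-RecoveryInformation object the bound account may read
# and emit the result as LDIF. Arguments: LDAP URI, search base, bind DN/UPN.
# The bind password comes from the LDAP_PASS environment variable so it does
# not show up in the process list.
bitlocker_ldif() {
  # -LLL: bare LDIF; -o ldif-wrap=no: keep each attribute on one line for awk
  ldapsearch -LLL -o ldif-wrap=no -H "$1" -b "$2" -D "$3" -w "$LDAP_PASS" \
    '(objectClass=msFVE-RecoveryInformation)' msFVE-RecoveryPassword
}

# Reduce LDIF on stdin to "COMPUTER<TAB>recovery password" lines. Each recovery
# object is a child of its computer object, so the computer is the second RDN
# of the DN (ASCII DNs assumed; base64 "dn::" lines are not handled).
# Exit status 1 when no readable password was found.
parse_bitlocker_ldif() {
  awk '
    /^dn: / {
      dn = substr($0, 5)
      split(dn, rdn, ",")
      computer = rdn[2]; sub(/^CN=/, "", computer)
    }
    /^msFVE-RecoveryPassword: / {
      v = $0; sub(/^msFVE-RecoveryPassword: /, "", v)
      print computer "\t" v; found++
    }
    END { exit (found > 0 ? 0 : 1) }
  '
}

# Constructed LDIF in the shape ldapsearch emits, used here instead of a live
# domain. The 48-digit recovery passwords are made up.
SAMPLE_LDIF='dn: CN=2014-05-30T09:12:44-00:00{1b2c3d4e-0000-4000-8000-000000000001},CN=LAPTOP01,OU=Laptops,DC=corp,DC=example
msFVE-RecoveryPassword: 111111-222222-333333-444444-555555-666666-777777-888888

dn: CN=2014-04-02T16:01:07-00:00{1b2c3d4e-0000-4000-8000-000000000002},CN=SRV-FILE02,OU=Servers,DC=corp,DC=example
msFVE-RecoveryPassword: 123456-234567-345678-456789-567890-678901-789012-890123
'

# Live use (on a host that can reach a domain controller; placeholders):
#   LDAP_PASS='...' bitlocker_ldif ldaps://dc01.corp.example 'DC=corp,DC=example' \
#     'lowpriv@corp.example' | parse_bitlocker_ldif
# Offline demonstration on the constructed sample:
printf '%s' "$SAMPLE_LDIF" | parse_bitlocker_ldif
```

Run it as a plain domain user, not as an administrator. By default only Domain Admins can read these objects, so any output from an unprivileged account means the ACLs on the recovery objects have been widened (often by an over-broad delegation) and every listed machine can be unlocked by whoever holds that account.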

A third-party key management solution not only avoids that exposure but also lets the enterprise manage encryption on Apple and Linux systems. WinMagic has introduced a pre-boot authentication plugin that allows user-based encryption with little compute overhead.

Watch the full interview here:

This interview is part of an on-going series, Getting To Know The IT Security Industry. The vendors pay the expense of the production.
