Closing the Crypt
It came to a sudden surprise to everyone earlier this week when TrueCrypt, a private and almost secretly produced full disk encryption solution called it quits. Out of nowhere TrueCrypt's home page began redirecting visitors to one of their SourceForge file repository pages instead where it made a seemingly strange announcement that due to the fact that Microsoft stopped supporting Windows XP that they would no longer be able to continue to develop TrueCrypt whose first release was a decade ago in February of 2004. Along with everyone else it would seem that TrueCrypt got the message a long time ago that XP was moving towards it's end of life. Back in April of 2009 general support of XP ended and only monthly security updates began to be provided. It had been known for a good deal of time that Microsoft would stop supplying these updates on May 1st of this year after even an initial extension of its EOL. All of this makes it especially confusing as to why, if this is the real reason that the developers of TrueCrypt decided jump ship, that this announcement came so abruptly.
This move by the very secretive, their names or identities are actually unknown to the public, creators of this open source encryption product, that many individuals and entire companies have depended on for years had many crying foul. It seemed that something was up, something not quite right about how they went about things, and in reality the jury is still out on that one even though after some initial research from concerned professionals proved that the web page had not been hijacked and the binaries last being offered compared with other recent versions and were all up to snuff, see Krebs On Security for his initial findings as well - here.
The TrueCrypt SourceForge page went on to show in detail how users of TrueCrypt's Full Disk Encryption product could make the switch over from TC to Microsoft's BitLocker instead, complete with step by step screenshots. Certainly at least a handful of IT professionals that have to deal with their telecommuting staffs and laptop brigades were likely quite busy today as they were put through the tedious process it will take to collect all of these devices from employees, remove TrueCrypt, install a new solution and rinse and repeat. For those who don't know, Installing full disk encryption once takes quite a long time, imagine removing one and doing it again to install another. I can imagine a few less than savory words coming from these offices. That is, if they bother. Perhaps some houses will migrate slowly or simply wait it out hoping everything will turn out just fine for them, or what these "unfixed security issues" may even be. Well, we'll see. One thing is for certain, and this may even be a simple sidenote, but it is very important to have some sort of full disk encryption solution installed on any device such as company laptops that may leave the building (and even those that don't) to avoid the loss of important and private company data. The encryption, as with all encryption will make the data on the device impossible to read if it were to become lost or stolen which is not an uncommon occurrence.
As we watch to see what may become of this interesting move on the part of the TrueCrypt developers, we also can't help to think about what else we are using to sure up our systems. Security is a constant battle and having a strong ally suddenly retreat on you can leave you with an uneasy and precarious feeling. So stay on the qui vive and keep fighting onward, vigilance will be rewarded.