The IT security world reeled last week from the revelation that open-source encryption solution TrueCrypt is apparently no longer secure and will no longer be maintained. TrueCrypt was considered the gold standard in free, open-source encryption — NSA whistleblower Edward Snowden even raved about the software during a so-called CryptoParty in Hawaii in 2012 — so the abrupt announcement was particularly shocking.
Explanations are murky, however, and authentication protocols were still being explored at the time of this writing. TrueCrypt’s website leads with the stark headline “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues” before crediting such an admission to the fact that development ended in May “after Microsoft terminated support for Windows XP.” (Security experts have yet to determine a connection between the two events).
Many believe TrueCrypt’s downfall is tied to a crowdfunded $70,000 security audit of the solution’s code, although the first phase of the review revealed no evidence of the kind of glaring holes found earlier this year in OpenSSL software thanks to the Heartbleed vulnerability. Some say it’s simply the right technical move, as full-disk encryption at the infrastructure level is more thorough and easier to implement than apps like TrueCrypt. Far-fetched theories even suggest that a government surveillance body may have forced TrueCrypt to deactivate.
No matter the reasoning, two courses of action are required in light of TrueCrypt’s announcement:
1) Don’t panic. Industry insiders say data is unlikely to be compromised— unless, of course, a TrueCrypt-protected device were lost or stolen. Which is why…
2) TrueCrypt users must migrate their encrypted data to a more secure solution. TrueCrypt advises the use of Microsoft BitLocker, which comes built in to some versions of Windows operating systems, or other encryption solutions like FileVault for Mac.
Moving such data isn’t easy, though, as the complicated instructions on TrueCrypt’s website indicate (decrypt data using TrueCrypt, activate BitLocker, migrate system and non-system drives, create new virtual disk files, initialize and partition them, etc.). And it’s not just TrueCrypt users who should react to last week’s surprise announcement. Given recent revelations about government and corporate surveillance, ongoing data breaches, and decreasing privacy, data encryption should be a critical component of any technology strategy.
All businesses possess proprietary information of some kind: client data, financial reports, protected health and individual information. If a business uses a laptop for business, and any one of those laptops are not encrypted, the whole company may be just one lost or stolen device away from their private data being published online or sold on the Internet black market.
If you currently use TrueCrypt, aren’t sure whether you’ve utilized it in the past, or are concerned about data encryption, contact CMIT Solutions today. We can help you secure your data and maintain its integrity, even in the face of troubling events like this one.