The security world is in an uproar after yesterday’s news that TrueCrypt is unsafe, compromised, or simply discontinued. Whatever has really been discovered or transpired with the popular open source encryption tool, all we have now is a sketchy announcement and wild speculation.
Our immediate concern is that misleading, premature, or even dangerous advice is flying around the internet alongside guesswork and conspiracy theories. What is important to remember for now is that we do not have enough information to draw conclusions or instruct companies to make sweeping changes to their encryption strategy.
Unlike the Heartbleed bug in OpenSSL, there has been no specified weakness or flaw reported in TrueCrypt. There is no indication of a hacking or malware issue. The possibility of a zero-day attack resulting from this situation seems remote.
We view encryption as a vital tool for keeping sensitive data secure. Since no specific risk has been identified and adequate information is lacking, we recommend placing a priority on identifying an alternative encryption solution and beginning the migration process.
Based on the available information, the risk of not using encryption is higher than the risk of continuing to use TrueCrypt. While TrueCrypt’s statement recommended migrating to BitLocker, this may not be the best solution for all organizations.
For now, we are simply urging clients to:
- Wait to act until we have more information.
- Stay vigilant and wary of any malicious activity on your network that may be an effort to take advantage of the current uncertainty.
- Watch for more information as the TrueCrypt story continues to unfold in the coming hours, days, maybe even weeks.
This advice could change at any time. However, hasty action in such a tenuous situation could add unnecessary risk to data and systems.