Risk Advisory Services has taken the firm stance over the past several years that if your company uses laptops, they should be protected with full disk encryption. The data on a laptop probably includes sensitive information about your customers or employees, trade secrets, or other confidential material. Encrypting the hard drive greatly reduces the risk that a lost or stolen laptop will result in a security breach.
On May 28, 2014 I stumbled upon this article from lifehacker.com about TrueCrypt. For the uninitiated, TrueCrypt is free, open source software used to encrypt data at rest. "Data at rest" is information sitting on a drive, as opposed to data in motion, such as an email in transit or an online banking session. TrueCrypt was developed by an anonymous team of programmers who made the actual source code available for anyone to review. The "open" concept was supposed to lend credibility to the encryption software because people who are much smarter than me could examine the code and say, "yes, it works like it's supposed to". On the whole, this system worked, and for 10 years TrueCrypt was widely accepted as a strong encryption alternative to paid-for tools.
Then, in an unannounced and unexpected move on May 28, 2014, the developers abruptly discontinued development and support of TrueCrypt. A cryptic message on their website warns in ominous red font, "Using TrueCrypt is not secure as it may contain unfixed security issues", and then guides users to migrate to Windows' built-in tool, BitLocker. The reasons for withdrawing the software are not clear. Paul Rosenzweig provides very good analysis on Lawfare about what may have caused the demise of TrueCrypt and what it means for the security industry.
The implications of this development are twofold. First, if your company has implemented TrueCrypt as its encryption tool, it's time to switch. BitLocker is considered a fine choice in Microsoft environments and comes standard in the Enterprise and Ultimate editions of Windows 7 (and the Pro and Enterprise editions of Windows 8). Note that BitLocker cannot convert a TrueCrypt volume in place: decrypt the drive with TrueCrypt first (the final 7.2 release can only decrypt existing volumes), uninstall it, and only then enable BitLocker.
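What that switch looks like on a single Windows 7 laptop, as an added example that is not part of the original post and is not vendor-supplied tooling: it checks that TrueCrypt is really gone, confirms the TPM is usable, adds a recovery password and escrows it in Active Directory before binding the volume to the TPM, and then starts encryption. It uses manage-bde, which ships with Windows 7 Enterprise/Ultimate, rather than the BitLocker PowerShell cmdlets that only arrived in Windows 8. The volume letter, the presence of a TPM, and the Group Policy that allows AD escrow of recovery information are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original post): migrate a Windows 7 laptop from
# TrueCrypt to BitLocker from an elevated PowerShell prompt, using manage-bde.
# Assumptions: $Volume is the OS drive, the machine has a TPM, and the GPO
# "Store BitLocker recovery information in AD DS" is in place for AD escrow.
$Volume = "C:"

# 1. Refuse to proceed while the TrueCrypt driver is still installed (it
#    registers a kernel service named "truecrypt"). A TrueCrypt-encrypted
#    system partition must be permanently decrypted with TrueCrypt itself;
#    BitLocker cannot convert it in place.
if (Get-Service -Name "truecrypt" -ErrorAction SilentlyContinue) {
    throw "TrueCrypt driver still present. Decrypt the system partition with TrueCrypt, uninstall it, then rerun."
}

# 2. Confirm a TPM is present, enabled and activated (WMI class available on Windows 7).
$tpm = Get-WmiObject -Namespace "root\cimv2\Security\MicrosoftTpm" -Class Win32_Tpm
if (-not $tpm) {
    throw "No TPM found. BitLocker can still be used with a USB startup key, but that is outside this example."
}
if (-not $tpm.IsEnabled().IsEnabled -or -not $tpm.IsActivated().IsActivated) {
    throw "TPM is present but not enabled/activated. Turn it on in the firmware setup first."
}

# 3. Skip volumes that are already protected.
$status = manage-bde -status $Volume | Out-String
if ($status -match "Protection Status:\s+Protection On") {
    Write-Host "$Volume is already BitLocker-protected:`n$status"
    return
}

# 4. Add a recovery password (48-digit numerical key) before anything else, so
#    the drive stays recoverable if the TPM measurements change later
#    (firmware update, motherboard replacement).
manage-bde -protectors -add $Volume -RecoveryPassword

# 5. Escrow that recovery password in Active Directory. The protector ID is
#    parsed from manage-bde's own output; losing the only copy of the key
#    turns a security control into a data-loss event.
$rp = manage-bde -protectors -get $Volume -Type RecoveryPassword | Out-String
if ($rp -match "ID:\s+(\{[0-9A-Fa-f-]+\})") {
    manage-bde -protectors -adbackup $Volume -id $Matches[1]
} else {
    throw "Could not read the recovery password protector ID; not continuing without escrow."
}

# 6. Bind the volume key to the TPM so the disk only unlocks on this machine
#    with an unmodified boot chain, then start encryption with AES-256 using
#    the protectors added above.
manage-bde -protectors -add $Volume -TPM
manage-bde -on $Volume -EncryptionMethod aes256

# 7. Report progress. Encryption continues in the background and is complete
#    when "Conversion Status" reads "Fully Encrypted".
manage-bde -status $Volume
```

Two practical notes: manage-bde performs a hardware test on the next reboot before it commits to the TPM protector, so expect one restart before encryption actually begins; and the order matters, since adding the recovery password and escrowing it before the TPM protector means there is never a moment where the only unlock path depends on a TPM that a later firmware update could invalidate.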
The second issue at hand is the state of open source tools. It is my prediction that the open source movement will lose steam in the business community. The Heartbleed vulnerability was a bug in OpenSSL, another open source solution that was not properly vetted by the open source community. Often, to minimize costs, businesses will turn to free open source software. These two incidents should cause IT staff and management to seriously consider the risk of relying on free software on their systems.