This is part 4 of an n-part blog series, discussing the things I found to be game changers in Infosec in 2014.
Note: for those who have contacted me asking where Heartbleed and Shellshock are, don't worry - they are coming. I'll concede they are obvious choices for a series like this and that (as much as anything else) is why we didn't start with them.
Item: The Truecrypt scandal
What is (or was) it? Truecrypt project goes dark after being subjected to an independent code review.
Why it's significant? The Truecrypt project has always been shrouded in secrecy. The developers have never been publicly identified and despite the project being open source, getting the code to build on Windows was exceedingly difficult. Like many open source projects, there was a problem confirming that the published binary builds were actually representative of the source code. In any case, people began to fear that a government may have planted a backdoor in the code. A project was crowdsourced to audit the code. The Truecrypt bootloader (the most obvious place to place a backdoor) passed the audit. The remaining funds were then allocated to audit the crypto itself. This is when the project was deprecated by the developers. Coincidence? I've publicly said that I think the project was sponsored by a nation-state. I also think that the project closing shop and the code audit were connected. Others disagree.
Regardless of what you believe, there are lessons here for companies relying on open source software. How much of that software has been audited? A code audit of OpenSSL by a college intern would have found Heartbleed. How dependent are you on a project that may close up shop at a any time? I know several SMBs who went scrambling after Truecrypt ceased support. Internally at Rendition Infosec, we used it for encryption of our external USB drives. Just because software is popular, it doesn't mean that it is secure. It also offers no guarantee that people will continue to support it.
Could it have been prevented? That question doesn't really apply to this item very well... Our reliance on encryption will continue to increase as additional nation-state hacking is exposed. However, to the extent possible, we should seek to confirm that those security products are not causing vulnerabilities themselves.
Stay tuned for more installments in the Infosec year in review.