Someone Is Spying On Researchers Behind VeraCrypt Security Audit
After TrueCrypt mysteriously discontinued itself, VeraCrypt became the most popular open source disk encryption software used by activists, journalists, and privacy-conscious people.
Due to the huge popularity of VeraCrypt, the OSTIF (Open Source Technology Improvement Fund) announced at the beginning of this month that it had agreed to have VeraCrypt audited independently.
Using funds donated by DuckDuckGo and VikingVPN, the OSTIF hired vulnerability researchers from QuarksLab to lead the audit, which would look for zero-day vulnerabilities and other security holes in VeraCrypt’s code.
Now comes the most troubling part:
The OSTIF announced Saturday that its confidential PGP-encrypted communications with QuarksLab about the security audit of VeraCrypt were mysteriously intercepted.
“We have now had a total of four email messages disappear without a trace, stemming from multiple independent senders,” the OSTIF said. “Not only have the emails not arrived, but there is no trace of the emails in our ‘sent’ folders. In the case of OSTIF, this is the Google Apps business version of Gmail where these sent emails have disappeared.”
The information linked to the VeraCrypt security audit is so confidential that the OSTIF instructed the QuarksLab research team to give “any results of this audit directly to the lead developer of VeraCrypt using heavily encrypted communications.”
This strict instruction was laid down at the beginning of the project to keep any zero-day vulnerabilities out of the wrong hands.
The team of researchers behind this security audit hopes to go public with their findings in mid-September, after reporting all the detected vulnerabilities in VeraCrypt, if any, to its original authors and getting them patched.
Until then, all the participants of the VeraCrypt Audit Project are required to maintain the utmost secrecy.
However, the sudden disappearance of four PGP-encrypted email messages, each sent by an independent party involved in the project, has raised concerns about the leakage of confidential data, including weaknesses found in VeraCrypt.
The OSTIF suspects that outsiders are attempting to listen in on, or interfere with, the VeraCrypt security audit process.
“If nation-states are interested in what we are doing we must be doing something right,” the OSTIF concludes.
Now, the OSTIF has switched to an alternative (undisclosed) encrypted communications process in order to move forward with the VeraCrypt audit project.
Via: The Hacker News