Mystery remains as OSTIF and others search for the emails

Aug 16, 2016 21:05 GMT

The Open Source Technology Improvement Fund (OSTIF) announced over the weekend that people involved in the VeraCrypt security audit had noticed that at least four emails mysteriously disappeared in the preceding days and never reached their destination.

At the start of August, OSTIF announced that, following sponsorships from DuckDuckGo and VikingVPN, they decided to hire French security vendor QuarksLab to carry out a free security audit for the VeraCrypt project, an open-source freeware utility used for on-the-fly encryption (OTFE).

As the security audit got under way, OSTIF confirmed on its blog on August 13 that it suspected a third party of intercepting emails exchanged between the three parties: OSTIF, the VeraCrypt team, and QuarksLab.

Security audit may yield info on undisclosed & unpatched 0-days

VeraCrypt, like its predecessor, the TrueCrypt project, is used all over the world to encrypt the data on computers and keep it from prying eyes. As such, all communications about the project, even those prior to the security audit announcement, would have been of interest to any third party trying to get its hands on information about possible zero-days.

Because of this, all communications were carried out using PGP-signed and encrypted emails.

OSTIF says that, despite the use of PGP encryption in all email exchanges, the parties involved found that four emails disappeared from the face of the Earth. PGP protects the content of a message, not its delivery: whoever can read or drop mail in transit, or at the mail provider, can suppress an encrypted message without being able to read it. In a post on its blog, the OSTIF team wrote the following:

  We have now had a total of four email messages disappear without a trace, stemming from multiple independent senders. Not only have the emails not arrived, but there is no trace of the emails in our ‘sent’ folders. In the case of OSTIF, this is the Google Apps business version of Gmail where these sent emails have disappeared. This suggests that outside actors are attempting to listen in on and/or interfere with the audit process. We are setting up alternate means of encrypted communications in order to move forward with the audit project. If nation-states are interested in what we are doing we must be doing something right. Right?

In spite of this incident, OSTIF said it would continue its VeraCrypt security audit, which is expected to finish 30 to 35 days after it started. VeraCrypt is supposed to publish the results in mid-September.

A VeraCrypt zero-day would be extremely valuable, not only to nation-states, as OSTIF hinted, but also on the zero-day market, where makers of surveillance tools would be very interested in getting their hands on any information they could use themselves or resell to others.