Feeds

TrueCrypt considered HARMFUL – downloads, website meddled to warn: 'It's not secure'

Disk encryption wunderkind in SourceForge switcheroo riddle

Build a business case: developing custom apps

The website of popular drive-encryption software TrueCrypt has been ripped up and replaced with a stark warning to not use the crypto-tool. It's also distributing a new version of the software, 7.2, which appears to have been compromised.

It's feared the project, run by a highly secretive team of anonymous developers, has been hijacked by unknown parties. The easy-to-use data-protecting utility is favored by NSA whistleblower Edward Snowden and his journo pals, as well as plenty of privacy-conscious people.

Beginning on Wednesday, the TrueCrypt homepage redirects visitors to the project's official SourceForge-hosted page that displays a message to the effect that the software has been discontinued – and that users should switch to an alternative:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

The page goes on to specifically recommend Microsoft's BitLocker as an alternative for Windows users.

Just who tore up the TrueCrypt site, and why, is still unknown (click to enlarge)

Even more worrying, The Reg has confirmed that a binary TrueCrypt 7.2 installer for Windows, downloaded from the TrueCrypt SourceForge site, contained the same text found on the rewritten homepage – confirming the download has also been fiddled with amid today's website switcheroo.

Don't run that binary! Someone has built versions of TrueCrypt from vandalised source code (click to enlarge)

We ran the executable in a virtual machine so that you don't have to, and on Windows 8.1 it was blocked by the SmartScreen feature, suggesting it may contain malware. Launching it on an older system immediately displayed the "warning" message before installation proceeded, and the dropped executables contained the above quoted text.

An eyebrow-raising list of changes between the source code of version 7.2 and the previous release, 7.1a, can be found here; there is, at this stage, nothing concrete to suggest the suspicious 7.2 binaries were built from the v7.2 source code available from the TrueCrypt SourceForge site.

Judging by the source, the new software not only pops up a warning to not rely on TrueCrypt, it refuses to encrypt data – thus encouraging users to migrate to alternative disk and file encryption utilities.

The binaries are cryptographically signed by the TrueCrypt developers, but there's an argument over whether or not a new and untrusted key was used.

Also on Wednesday, a Wikipedia user going under the handle "Truecrypt-end" tried repeatedly to update the TrueCrypt page with similar text, but these changes were swiftly reverted by moderators.

The motivation for the abrupt U-turn is unclear. Version 7.1a was released in 2012, and the wording of today's warning – "TrueCrypt ... may contain unfixed security issues" – suggests the programmers are unable to update the software, or have been ordered to end development, and have killed it off Lavabit-style.

Or the team was thoroughly hacked by miscreants.

On Wednesday afternoon, San Francisco-time, Kenn White of the crowd-funded TrueCrypt code-auditing project tweeted that he had no explanation for the apparent defacement. Early rounds of the audit have found some vulnerabilities in TrueCrypt, but nothing serious.

Earlier in the day, the audit project claimed: "We hope to have some *big* announcements this week, so stay tuned." These announcements remain a mystery.

Naturally, Reg readers are cautioned to stay as far away from all the knackered TrueCrypt binaries as possible. We'll keep you updated as further details about the situation emerge. ®

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Plug and PREY: Hackers reprogram USB drives to silently infect PCs
BadUSB instructs gadget chips to inject key-presses, redirect net traffic and more
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?