Feeds

TrueCrypt considered HARMFUL – downloads, website meddled to warn: 'It's not secure'

Disk encryption wunderkind in SourceForge switcheroo riddle

Choosing a cloud hosting partner with confidence

The website of popular drive-encryption software TrueCrypt has been ripped up and replaced with a stark warning to not use the crypto-tool. It's also distributing a new version of the software, 7.2, which appears to have been compromised.

It's feared the project, run by a highly secretive team of anonymous developers, has been hijacked by unknown parties. The easy-to-use data-protecting utility is favored by NSA whistleblower Edward Snowden and his journo pals, as well as plenty of privacy-conscious people.

Beginning on Wednesday, the TrueCrypt homepage redirects visitors to the project's official SourceForge-hosted page that displays a message to the effect that the software has been discontinued – and that users should switch to an alternative:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

The page goes on to specifically recommend Microsoft's BitLocker as an alternative for Windows users.

Just who tore up the TrueCrypt site, and why, is still unknown (click to enlarge)

Even more worrying, The Reg has confirmed that a binary TrueCrypt 7.2 installer for Windows, downloaded from the TrueCrypt SourceForge site, contained the same text found on the rewritten homepage – confirming the download has also been fiddled with amid today's website switcheroo.

Don't run that binary! Someone has built versions of TrueCrypt from vandalised source code (click to enlarge)

We ran the executable in a virtual machine so that you don't have to, and on Windows 8.1 it was blocked by the SmartScreen feature, suggesting it may contain malware. Launching it on an older system immediately displayed the "warning" message before installation proceeded, and the dropped executables contained the above quoted text.

An eyebrow-raising list of changes between the source code of version 7.2 and the previous release, 7.1a, can be found here; there is, at this stage, nothing concrete to suggest the suspicious 7.2 binaries were built from the v7.2 source code available from the TrueCrypt SourceForge site.

Judging by the source, the new software not only pops up a warning to not rely on TrueCrypt, it refuses to encrypt data – thus encouraging users to migrate to alternative disk and file encryption utilities.

The binaries are cryptographically signed by the TrueCrypt developers, but there's an argument over whether or not a new and untrusted key was used.

Also on Wednesday, a Wikipedia user going under the handle "Truecrypt-end" tried repeatedly to update the TrueCrypt page with similar text, but these changes were swiftly reverted by moderators.

The motivation for the abrupt U-turn is unclear. Version 7.1a was released in 2012, and the wording of today's warning – "TrueCrypt ... may contain unfixed security issues" – suggests the programmers are unable to update the software, or have been ordered to end development, and have killed it off Lavabit-style.

Or the team was thoroughly hacked by miscreants.

On Wednesday afternoon, San Francisco-time, Kenn White of the crowd-funded TrueCrypt code-auditing project tweeted that he had no explanation for the apparent defacement. Early rounds of the audit have found some vulnerabilities in TrueCrypt, but nothing serious.

Earlier in the day, the audit project claimed: "We hope to have some *big* announcements this week, so stay tuned." These announcements remain a mystery.

Naturally, Reg readers are cautioned to stay as far away from all the knackered TrueCrypt binaries as possible. We'll keep you updated as further details about the situation emerge. ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.