TrueCrypt considered HARMFUL – downloads, website meddled to warn: 'It's not secure'
Disk encryption wunderkind in SourceForge switcheroo riddle
The website of popular drive-encryption software TrueCrypt has been ripped up and replaced with a stark warning to not use the crypto-tool. It's also distributing a new version of the software, 7.2, which appears to have been compromised.
It's feared the project, run by a highly secretive team of anonymous developers, has been hijacked by unknown parties. The easy-to-use data-protecting utility is favored by NSA whistleblower Edward Snowden and his journo pals, as well as plenty of privacy-conscious people.
Beginning on Wednesday, the TrueCrypt homepage redirects visitors to the project's official SourceForge-hosted page that displays a message to the effect that the software has been discontinued – and that users should switch to an alternative:
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.
The page goes on to specifically recommend Microsoft's BitLocker as an alternative for Windows users.
Even more worrying, The Reg has confirmed that a binary TrueCrypt 7.2 installer for Windows, downloaded from the TrueCrypt SourceForge site, contained the same text found on the rewritten homepage – confirming the download has also been fiddled with amid today's website switcheroo.
Don't run that binary! Someone has built versions of TrueCrypt from vandalised source code (click to enlarge)
We ran the executable in a virtual machine so that you don't have to, and on Windows 8.1 it was blocked by the SmartScreen feature, suggesting it may contain malware. Launching it on an older system immediately displayed the "warning" message before installation proceeded, and the dropped executables contained the above quoted text.
If http://t.co/HKPiPSPY8h is compromised, it's likely been compromised a good while. I wouldn't trust any recent downloads of the software.— Jonathan Zdziarski (@JZdziarski) May 28, 2014
An eyebrow-raising list of changes between the source code of version 7.2 and the previous release, 7.1a, can be found here; there is, at this stage, nothing concrete to suggest the suspicious 7.2 binaries were built from the v7.2 source code available from the TrueCrypt SourceForge site.
Judging by the source, the new software not only pops up a warning to not rely on TrueCrypt, it refuses to encrypt data – thus encouraging users to migrate to alternative disk and file encryption utilities.
The binaries are cryptographically signed by the TrueCrypt developers, but there's an argument over whether or not a new and untrusted key was used.
Also on Wednesday, a Wikipedia user going under the handle "Truecrypt-end" tried repeatedly to update the TrueCrypt page with similar text, but these changes were swiftly reverted by moderators.
The motivation for the abrupt U-turn is unclear. Version 7.1a was released in 2012, and the wording of today's warning – "TrueCrypt ... may contain unfixed security issues" – suggests the programmers are unable to update the software, or have been ordered to end development, and have killed it off Lavabit-style.
Or the team was thoroughly hacked by miscreants.
On Wednesday afternoon, San Francisco-time, Kenn White of the crowd-funded TrueCrypt code-auditing project tweeted that he had no explanation for the apparent defacement. Early rounds of the audit have found some vulnerabilities in TrueCrypt, but nothing serious.
No one on the TC audit project has anything to do w/ its development or the TC site. We will share any credible updates w/ the community.— Kenn White (@kennwhite) May 28, 2014
Earlier in the day, the audit project claimed: "We hope to have some *big* announcements this week, so stay tuned." These announcements remain a mystery.
Naturally, Reg readers are cautioned to stay as far away from all the knackered TrueCrypt binaries as possible. We'll keep you updated as further details about the situation emerge. ®
Sponsored: Global DDoS threat landscape report