Feeds

TrueCrypt considered HARMFUL – downloads, website meddled to warn: 'It's not secure'

Disk encryption wunderkind in SourceForge switcheroo riddle

Security for virtualized datacentres

The website of popular drive-encryption software TrueCrypt has been ripped up and replaced with a stark warning to not use the crypto-tool. It's also distributing a new version of the software, 7.2, which appears to have been compromised.

It's feared the project, run by a highly secretive team of anonymous developers, has been hijacked by unknown parties. The easy-to-use data-protecting utility is favored by NSA whistleblower Edward Snowden and his journo pals, as well as plenty of privacy-conscious people.

Beginning on Wednesday, the TrueCrypt homepage redirects visitors to the project's official SourceForge-hosted page that displays a message to the effect that the software has been discontinued – and that users should switch to an alternative:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

The page goes on to specifically recommend Microsoft's BitLocker as an alternative for Windows users.

Just who tore up the TrueCrypt site, and why, is still unknown (click to enlarge)

Even more worrying, The Reg has confirmed that a binary TrueCrypt 7.2 installer for Windows, downloaded from the TrueCrypt SourceForge site, contained the same text found on the rewritten homepage – confirming the download has also been fiddled with amid today's website switcheroo.

Don't run that binary! Someone has built versions of TrueCrypt from vandalised source code (click to enlarge)

We ran the executable in a virtual machine so that you don't have to, and on Windows 8.1 it was blocked by the SmartScreen feature, suggesting it may contain malware. Launching it on an older system immediately displayed the "warning" message before installation proceeded, and the dropped executables contained the above quoted text.

An eyebrow-raising list of changes between the source code of version 7.2 and the previous release, 7.1a, can be found here; there is, at this stage, nothing concrete to suggest the suspicious 7.2 binaries were built from the v7.2 source code available from the TrueCrypt SourceForge site.

Judging by the source, the new software not only pops up a warning to not rely on TrueCrypt, it refuses to encrypt data – thus encouraging users to migrate to alternative disk and file encryption utilities.

The binaries are cryptographically signed by the TrueCrypt developers, but there's an argument over whether or not a new and untrusted key was used.

Also on Wednesday, a Wikipedia user going under the handle "Truecrypt-end" tried repeatedly to update the TrueCrypt page with similar text, but these changes were swiftly reverted by moderators.

The motivation for the abrupt U-turn is unclear. Version 7.1a was released in 2012, and the wording of today's warning – "TrueCrypt ... may contain unfixed security issues" – suggests the programmers are unable to update the software, or have been ordered to end development, and have killed it off Lavabit-style.

Or the team was thoroughly hacked by miscreants.

On Wednesday afternoon, San Francisco-time, Kenn White of the crowd-funded TrueCrypt code-auditing project tweeted that he had no explanation for the apparent defacement. Early rounds of the audit have found some vulnerabilities in TrueCrypt, but nothing serious.

Earlier in the day, the audit project claimed: "We hope to have some *big* announcements this week, so stay tuned." These announcements remain a mystery.

Naturally, Reg readers are cautioned to stay as far away from all the knackered TrueCrypt binaries as possible. We'll keep you updated as further details about the situation emerge. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.