Feeds

TrueCrypt considered HARMFUL – downloads, website meddled to warn: 'It's not secure'

Disk encryption wunderkind in SourceForge switcheroo riddle

Build a business case: developing custom apps

The website of popular drive-encryption software TrueCrypt has been ripped up and replaced with a stark warning to not use the crypto-tool. It's also distributing a new version of the software, 7.2, which appears to have been compromised.

It's feared the project, run by a highly secretive team of anonymous developers, has been hijacked by unknown parties. The easy-to-use data-protecting utility is favored by NSA whistleblower Edward Snowden and his journo pals, as well as plenty of privacy-conscious people.

Beginning on Wednesday, the TrueCrypt homepage redirects visitors to the project's official SourceForge-hosted page that displays a message to the effect that the software has been discontinued – and that users should switch to an alternative:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

The page goes on to specifically recommend Microsoft's BitLocker as an alternative for Windows users.

Just who tore up the TrueCrypt site, and why, is still unknown (click to enlarge)

Even more worrying, The Reg has confirmed that a binary TrueCrypt 7.2 installer for Windows, downloaded from the TrueCrypt SourceForge site, contained the same text found on the rewritten homepage – confirming the download has also been fiddled with amid today's website switcheroo.

Don't run that binary! Someone has built versions of TrueCrypt from vandalised source code (click to enlarge)

We ran the executable in a virtual machine so that you don't have to, and on Windows 8.1 it was blocked by the SmartScreen feature, suggesting it may contain malware. Launching it on an older system immediately displayed the "warning" message before installation proceeded, and the dropped executables contained the above quoted text.

An eyebrow-raising list of changes between the source code of version 7.2 and the previous release, 7.1a, can be found here; there is, at this stage, nothing concrete to suggest the suspicious 7.2 binaries were built from the v7.2 source code available from the TrueCrypt SourceForge site.

Judging by the source, the new software not only pops up a warning to not rely on TrueCrypt, it refuses to encrypt data – thus encouraging users to migrate to alternative disk and file encryption utilities.

The binaries are cryptographically signed by the TrueCrypt developers, but there's an argument over whether or not a new and untrusted key was used.

Also on Wednesday, a Wikipedia user going under the handle "Truecrypt-end" tried repeatedly to update the TrueCrypt page with similar text, but these changes were swiftly reverted by moderators.

The motivation for the abrupt U-turn is unclear. Version 7.1a was released in 2012, and the wording of today's warning – "TrueCrypt ... may contain unfixed security issues" – suggests the programmers are unable to update the software, or have been ordered to end development, and have killed it off Lavabit-style.

Or the team was thoroughly hacked by miscreants.

On Wednesday afternoon, San Francisco-time, Kenn White of the crowd-funded TrueCrypt code-auditing project tweeted that he had no explanation for the apparent defacement. Early rounds of the audit have found some vulnerabilities in TrueCrypt, but nothing serious.

Earlier in the day, the audit project claimed: "We hope to have some *big* announcements this week, so stay tuned." These announcements remain a mystery.

Naturally, Reg readers are cautioned to stay as far away from all the knackered TrueCrypt binaries as possible. We'll keep you updated as further details about the situation emerge. ®

Next gen security for virtualised datacentres

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Scale data protection with your virtual environment
To scale at the rate of virtualization growth, data protection solutions need to adopt new capabilities and simplify current features.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?