Slashdot Mirror


App Maker's Code Stolen in Malware Attack (bbc.com)

Mac and iOS software developer Panic has had the source code for several of its apps stolen. An anonymous reader writes: Panic founder Steven Frank said in a blog post that it happened after he downloaded an infected copy of the video encoding tool Handbrake. He said there was no sign that any customer data was accessed and that Panic's web server was not affected. Users have been warned to download Panic's apps only from its website or the Apple App Store. Panic is the creator of web editing and file transfer apps Coda and Transmit, and the video game Firewatch. On May 2, Handbrake was hacked, with the Mac version of the app on one of the site's download servers replaced by a malicious copy. In what Mr Frank called "a case of extraordinarily bad luck", he downloaded the malicious version of Handbrake and launched it "without stopping to wonder why Handbrake would need admin privileges... when it hadn't before. And that was that, my Mac was completely, entirely compromised in three seconds or less."

7 of 73 comments

  1. company name is panic by ganjadude · Score: 3, Funny

    seems to fit perfectly right now

    --
    have you seen my sig? there are many others like it but none that are the same
  2. That was a really good malware target.. by SuperKendall · Score: 4, Insightful

    Although as he said you might wonder why a video encoder would need admin access to a computer, I have to admit that I myself would have been taken in by this from a lifetime of being conditioned that various video players always seem to need system access...

    That made Handbrake a really good target for malware as it was more likely people would not question admin access nearly as much.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  3. Whatever happened to by Anonymous Coward · Score: 2, Funny

    Certain computers never getting hacked, malware, or virused up?

    1. Re:Whatever happened to by ilsaloving · Score: 4, Informative

      Certain computers never getting hacked, malware, or virused up?

      Except that has never ever been true, except to the OS zealots who tie their personal identity to their chosen platform like some weird religious devotee.

      It's funny, I've gotten into arguments on slashdot for this exact thing, by people who were so offended when I said that their favourite OS (no matter what it is) isn't a perfect panacea. They went so far as to accuse me that I "don't know security" because, for example, I disagreed that just using FreeBSD didn't make that automagically immune to security threats.

      What happened to Mr. Frank is a perfect example of what I was talking about. It doesn't matter how secure you think your OS is, because there is *always* a way to compromise it. Even if your OS isn't directly exploitable, an application you run on top of it may be. If not, the meatspace component certainly still is.

      All it takes is a single mistake, a single lapse in judgment for something potentially catastrophic to happen.

      There is no such thing as perfect security. All you can do is put up more barriers than a malicious actor has the patience to tear down. That includes appropriate training for people. Anyone who tells you different is either grossly misinformed, or is trying to sell you something.

    2. Re:Whatever happened to by Guybrush_T · Score: 2

      Agreed in general. However, in that precise case, it is not true.

      Windows has always had a model of "download whatever you find on the internet and run it". So most people only know that model and that hurts (when you download Handbrake).

      On Linux (and progressively MacOS), you would almost never download something from a website and execute it. You download software with yum or apt and that should make sure that (unless it is compromised, but it is much harder):

      • The software will work well with the rest of the OS / other software
      • The software does not contain malware / viruses
      • The software has not been modified by a man-in-the-middle.

      If you live in a Windows world, those are things you don't even think about, and this is a huge security problem. You can say no-one is immune to security risks, but certain software management systems are certainly more dangerous than others.

    3. Re:Whatever happened to by nine-times · Score: 2

      It doesn't matter how secure you think your OS is, because there is *always* a way to compromise it... There is no such thing as perfect security.

      I'm glad you put this. Although, my preferred way of saying it is, "security" is not about making unauthorized access impossible. Short of completely and irrevocably destroying something, you can't make unauthorized access to it impossible. Security is about making unauthorized access difficult, dangerous, easily discovered, and otherwise unappealing.

      If you want to get more precise (and don't mind a little complication) it's about achieving a favorable balance between "making it difficult for unauthorized people to gain access," and "making it easy for authorized people to gain access", that balance being determined by the sensitivity of the compromise and the sophistication of the likely attackers.

      That is to say, if the information you're protecting is publicly available anyway, and the people likely to attack you are stupid, then you shouldn't devote a lot of resources to your security. It's not just "It's not worth the additional security", but rather, "tightening security would be a bad move". Tightening security unnecessarily almost inherently makes it more difficult for authorized users to gain access, which does a few bad things. First, it may create a false sense of security, which makes people more negligent toward security practices. On the other hand, your authorized users will be less likely to take security seriously, since they know that an inappropriate amount of security is being applied to something trivial. That, in turn, increases the likelihood that an authorized user will find a way to bypass your security entirely, in order to serve their own convenience (e.g. "They keep locking this door, which is annoying. I'll just prop the door open."). Bypassing security procedures in this way opens security holes that you won't be aware of.

      So yes, there's no such thing as perfect security, but I just want to point out that it's not just, "However many barriers I put up, someone could theoretically tear them down." It's also, "If I put up too many barriers in the wrong places, I might accidentally make it harder for me to see an attacker coming."

  4. Re:Don't Panic by TWX · Score: 2

    The problem is now it may not be that easy to identify legitimate releases from malicious distribution.

    We had this problem back in the shareware day. Renegade BBS software got this treatment, and that plus Cott Lang's unusual versioning scheme based on month as the first couple of numbers made it difficult to determine if a downloaded copy of Renegade was actually Lang's software or if it was compromised and had backdoors that the malicious party had created to later exploit when calling into one's BBS.

    Perhaps this kind of thing can serve as a warning to developers, don't use your dev boxes as general purpose computers. Sure it means having to either have more than one computer or else having to use virtual machines or chroot environments etc, but if one's important work is compromised like this it can have far reaching implications. Just easier to not use the same equipment for both functions.

    --
    Do not look into laser with remaining eye.