No server can ever be 100% defensible against remote attacks, unless you disconnect it from the internet (which rather defeats the purpose of a download server). Bugs, loopholes and oversights happen even with the best security software in place. Supply chain attacks are among the most effective attacks on software, and also among the hardest to pull off: the attacker has to get past the security of a build or distribution server rather than just trick an individual user.

The attack occurred because a malicious individual or group hacked either the servers from which users download the CCleaner package or the servers on which the developers build it (I have seen conflicting reports on this point, so am including both possibilities here) and replaced the official package with their own. Users were still downloading from the correct location without any form of redirection or misdirection, and the package was still correctly signed, but the package they received was compromised. This is what is meant by a supply chain attack, and it is why a valid signature on its own is not proof that a download is clean.

We don't provide an officially released CCleaner, so we don't have a product directly affected in this case. There are other projects which illegally package and distribute CCleaner (not permitted by the publisher) without scanning it, or which download CCleaner from Piriform without scanning and hashing it. Those appear to be affected by the hack, and any of their users who ran the software would be infected.

Finally, our app download servers and the centralized server which stores the app database are independent machines in separate data centers with different login credentials. If something somehow managed to infect a self-hosted publisher's download server, or even our own download servers, our platform would correctly show the hash as invalid and refuse to open or run the installer, because the attacker would also have to alter the stored hash on a second machine for which they hold no credentials. Additionally, our open source apps and any online installer apps are digitally signed using a code signing certificate.
Our platform applies the same hash check to all portable app downloads, comparing each download against the hash stored in our online app database. If the hashes don't match, our online installers show an error and delete the downloaded file without running or opening it. We scan any file an online installer will download before release, and only then hash it, so the stored hash pins the scanned copy. Note the limit of this check: a hash catches a file that was altered after we hashed it, not a build that was already compromised when it was first scanned and hashed, which is exactly why the antivirus scan comes before the hash. All our releases are scanned by at least two major antivirus engines before release. We don't distribute CCleaner, so we are unaffected.
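As an added illustration of the check described above (this is example code written for this post, not the platform's own installer code), the following script models an online installer that downloads a package, compares it against a hash held in a separately stored database, and deletes the file on any mismatch instead of running it. The database here is a plain dict, the algorithm is SHA-256, and the sample packages are constructed in a temporary directory; the real platform's schema and hash algorithm are not described on this page, so all three are assumptions.

```python
"""Hash-verified installer staging, modelled on the check described in the post.

Added example, not the site's own code. Assumptions: the app database is a
plain dict keyed by app id (the real schema is not shown), hashes are
SHA-256 (the post does not say which algorithm is used), and the sample
packages below are constructed in a temporary directory.
"""
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for the centrally stored hash database. In production
# this lives on a separate machine with separate credentials, so an attacker
# who replaces a file on the download server cannot also update its hash.
APP_DB = {}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large installers are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def register_release(app_id, path):
    """Record the hash of a scanned, known-good release in the database.

    The hash only pins the copy that was scanned at this moment: a build that
    was already compromised before scanning would be pinned as-is, which is
    why the antivirus scan has to come before this step.
    """
    APP_DB[app_id] = sha256_file(path)
    return APP_DB[app_id]


def verify_download(app_id, path):
    """Compare a downloaded installer against the stored hash.

    Returns "ok" if it matches, "hash-mismatch" after deleting the file, or
    "unknown-app" if no hash is stored (also deleted: an installer that cannot
    be verified is never opened or run).
    """
    expected = APP_DB.get(app_id)
    if expected is None:
        os.remove(path)
        return "unknown-app"
    actual = sha256_file(path)
    # hmac.compare_digest is the idiomatic constant-time comparison for digests.
    if not hmac.compare_digest(expected, actual):
        os.remove(path)  # refuse to open or run it
        return "hash-mismatch"
    return "ok"


def demo():
    """Register a good release, then verify it, a tampered copy and an unregistered file."""
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, "tool-1.0-setup.exe")
    tampered = os.path.join(workdir, "tool-1.0-setup-tampered.exe")
    unknown = os.path.join(workdir, "other-setup.exe")
    # Constructed placeholder contents; a real installer is just a longer byte string.
    original = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"legit payload"
    with open(good, "wb") as f:
        f.write(original)
    with open(tampered, "wb") as f:
        f.write(original + b"\x00")  # one appended byte is enough to fail the check
    with open(unknown, "wb") as f:
        f.write(original)
    register_release("tool", good)
    return {
        "good": verify_download("tool", good),
        "tampered": verify_download("tool", tampered),
        "unknown": verify_download("nobody", unknown),
        "tampered_removed": not os.path.exists(tampered),
        "good_kept": os.path.exists(good),
    }


if __name__ == "__main__":
    print(demo())
```

The important design point is that `APP_DB` is consulted, never written, by the download path: an attacker who can replace a file on the download host gains nothing unless they can also reach the hash store, which is the separation of machines and credentials the post describes.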