CCleaner was hacked
-
Hackers broke into British company Piriform’s free software for optimizing computer performance last month potentially allowing them to control the devices of more than two million users, the company and independent researchers said on Monday.
Well, that's special.
A version of CCleaner downloaded in August included remote administration tools that tried to connect to several unregistered web pages, presumably to download additional unauthorized programs, security researchers at Cisco’s (CSCO.O) Talos unit said.
“There is nothing a user could have noticed,” Williams said, noting that the optimization software had a proper digital certificate, which means that other computers automatically trust the program.
Fucking hell, that was a sophisticated attack.
-
@polygeekery said in CCleaner was hacked:
Hackers broke into British company Piriform’s free software for optimizing computer performance last month potentially allowing them to control the devices of more than two million users, the company and independent researchers said on Monday.
Well, that's special.
A version of CCleaner downloaded in August included remote administration tools that tried to connect to several unregistered web pages, presumably to download additional unauthorized programs, security researchers at Cisco’s (CSCO.O) Talos unit said.
“There is nothing a user could have noticed,” Williams said, noting that the optimization software had a proper digital certificate, which means that other computers automatically trust the program.
Fucking hell, that was a sophisticated attack.
Hmm. Well. So much for ever using anything by them, then, if they can't even keep their signing certificates safe.
-
@polygeekery said in CCleaner was hacked:
“There is nothing a user could have noticed,” Williams said, noting that the optimization software had a proper digital certificate, which means that other computers automatically trust the program.
Well yeah, digital certificates are not and have never been a strong security measure against malware. They're just meant to make it harder for attackers. Like antiviruses or firewalls.
Unlike, say, proper fucking sandboxing. Which isn't possible for tools like CCleaner, but it would make them unnecessary in the first place.
-
@polygeekery said in CCleaner was hacked:
British company
When will people learn to leave the software to the Americans. I'm sure there's things the British are good at like... uh. But software? Leave it to us.
@polygeekery said in CCleaner was hacked:
Fucking hell, that was a sophisticated attack.
Could be an inside job, how big is this company?
-
@blakeyrat said in CCleaner was hacked:
When will people learn to leave the software to the Americans.
When the world did that, we ended up with Adobe and Oracle.
Thanks, but no thanks
-
@blakeyrat said in CCleaner was hacked:
I'm sure there's things the British are good at like... uh.
Tea. We're pretty good at tea. And queueing. And complaining about the weather.
-
@raceprouk said in CCleaner was hacked:
Tea. We're pretty good at tea.
It is better when served ice cold.
-
Having never actually found myself in need of an antivirus, I always assumed CCleaner was generic crapware. Guess I was right in the end.
-
@pie_flavor it's just a bunch of shortcuts for clearing temporary data and caches + a registry cleaner for gamers
-
@raceprouk said in CCleaner was hacked:
@blakeyrat said in CCleaner was hacked:
I'm sure there's things the British are good at like... uh.
Tea. We're pretty good at tea. And queueing. And complaining about the weather.
One time we complained about the weather while queuing for tea.
It was raining.
-
@blakeyrat said in CCleaner was hacked:
Could be an inside job, how big is this company?
Hard to tell, but their jobs link shows a company picture with about 25 people.
https://www.piriform.com/about/jobs
It looks like they started by accident by making a useful utility, and it's grown from there. Their jobs page proudly claims they're still a "startup culture".
So that probably means they're still in "make things first, be professional later".
So I doubt malice; I'm totally leaning to incompetence.
-
-
@polygeekery said in CCleaner was hacked:
It is better when served ice cold.
You're wrong.
(Is that my Southern ancestors I hear screaming?)
-
@dcon said in CCleaner was hacked:
Our new parent company, the security company Avast
Huh. TIL that Avast owns Piriform now.
-
-
Actual thingy from Piriform:
I use CCleaner, so at first, I was concerned. But then I remembered I'm on 64-bit Windows.
-
@raceprouk said in CCleaner was hacked:
Actual thingy from Piriform:
I use CCleaner, so at first, I was concerned. But then I remembered I'm on 64-bit Windows.
Oh. I only just now read the end of the title.
People still use 32-bit Windows? What the hell for?
-
@pie_flavor said in CCleaner was hacked:
What the hell for?
If you have a computer with 4GB or less of RAM, it may not be worth it.
-
@pie_flavor said in CCleaner was hacked:
People still use 32-bit Windows? What the hell for?
Playing old 16-bit games without having to set up a VM. Well, that's my reason, anyway. (And none of my desktop machines have over 4GB of memory.)
-
@scarlet_manuka said in CCleaner was hacked:
@pie_flavor said in CCleaner was hacked:
People still use 32-bit Windows? What the hell for?
Playing old 16-bit games without having to set up a VM. Well, that's my reason, anyway. (And none of my desktop machines have over 4GB of memory.)
Your answer only raises more questions.
-
@steve_the_cynic said in CCleaner was hacked:
@polygeekery said in CCleaner was hacked:
Hackers broke into British company Piriform’s free software for optimizing computer performance last month potentially allowing them to control the devices of more than two million users, the company and independent researchers said on Monday.
Well, that's special.
A version of CCleaner downloaded in August included remote administration tools that tried to connect to several unregistered web pages, presumably to download additional unauthorized programs, security researchers at Cisco’s (CSCO.O) Talos unit said.
“There is nothing a user could have noticed,” Williams said, noting that the optimization software had a proper digital certificate, which means that other computers automatically trust the program.
Fucking hell, that was a sophisticated attack.
Hmm. Well. So much for ever using anything by them, then, if they can't even keep their signing certificates safe.
Our signing cert is in source control for the build process' automatic signing step. It's conceivable these guys just slid in a replacement executable and just used the automated processes to get it signed and uploaded as legit.
-
@pie_flavor Games don't become less good just because newer games have been made.
-
@scarlet_manuka unless their main feature is looking pretty. Like almost every shooter game made after 1995.
-
@gąska I don't really play shooter games so that's not a problem for me.
-
@raceprouk said in CCleaner was hacked:
I'm sure there's things the British are good at like... uh.
Tea. We're pretty good at tea. And queueing. And complaining about the weather.
If you want to convince an American that there are things that should be left to the British, choose anything but tea.
-
@pie_flavor said in CCleaner was hacked:
Oh. I only just now read the end of the title.
People still use 32-bit Windows? What the hell for?
There are raisins other than old games. Believe me, you don't want to know the details.
-
@laoc said in CCleaner was hacked:
@raceprouk said in CCleaner was hacked:
I'm sure there's things the British are good at like... uh.
Tea. We're pretty good at tea. And queueing. And complaining about the weather.
If you want to convince an American that there are things that should be left to the British, choose anything but tea.
You're aware that whole event was actually about taxation, right?
-
@raceprouk said in CCleaner was hacked:
If you want to convince an American that there are things that should be left to the British, choose anything but tea.
You're aware that whole event was actually about taxation, right?
Sure. I tend to read shit I link to. Sometimes I even link shit because I read it before.
-
@tsaukpaetra said in CCleaner was hacked:
Our signing cert is in source control for the build process' automatic signing step.
Jesus, NO.
-
@raceprouk said in CCleaner was hacked:
You're aware that whole event was actually about taxation, right?
They were just trying to brew the entire bay at once, and it's been widely misunderstood.
-
@raceprouk said in CCleaner was hacked:
And complaining about the weather
To be fair, you do have a significant geographical advantage for that.
-
@polygeekery said in CCleaner was hacked:
@raceprouk said in CCleaner was hacked:
Tea. We're pretty good at tea.
It is better when served ice cold.
That's revenge you're thinking of.
-
@laoc said in CCleaner was hacked:
@pie_flavor said in CCleaner was hacked:
Oh. I only just now read the end of the title.
People still use 32-bit Windows? What the hell for?
There are raisins other than old games. Believe me, you don't want to know the details.
See: WtfCorp thread.
-
@heterodox said in CCleaner was hacked:
@tsaukpaetra said in CCleaner was hacked:
Our signing cert is in source control for the build process' automatic signing step.
Jesus, NO.
As someone who has no idea whatsoever about executable signing and certificates, what are better ways of doing it that don't impair devs' and testers' ability to test and debug?
-
@gąska said in CCleaner was hacked:
As someone who has no idea whatsoever about executable signing and certificates, what are better ways of doing it that don't impair devs' and testers' ability to test and debug?
Nothing about testing and debugging that requires signed executables. If you must (e.g. for a driver), keep a T&D certificate in the repo (signed by private CA vs. public CA).
-
@gąska Two certs. One internally issued and trusted for debug builds.
One carefully controlled for release builds.
-
@heterodox said in CCleaner was hacked:
Nothing about testing and debugging that requires signed executables. If you must (e.g. for a driver), keep a T&D certificate in the repo (signed by private CA vs. public CA).
@weng said in CCleaner was hacked:
Two certs. One internally issued and trusted for debug builds.
One carefully controlled for release builds.
Yes and yes.
We have automated as much as possible so far, but builds for deployment go through me and I sign them and stage them for distribution. I am the only person who has access to the certificates used for deployment. Even I do not have immediate access to the certificates. As part of the build process I have to input a password to gain access to where they are stored.
If those certificates were ever compromised a lot of clients could have their data compromised. We can be relaxed about a lot of things, but not those certificates.
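Added example, not part of any post in this thread and not any poster's build tooling: a Python check that a CI job could run to flag private-key material committed anywhere except an allow-listed test-and-debug directory, following the split between a private-CA test certificate in the repo and a controlled release certificate described in the posts above. The `certs/test` path and all file names are assumptions, and the sample files are constructed placeholders.

```python
import os
import re
import tempfile

# PEM armor for private keys (PKCS#1, SEC1, PKCS#8, encrypted PKCS#8).
PEM_PRIVATE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")
PKCS12_EXT = {".pfx", ".p12"}  # PKCS#12 bundles; matched by extension only

def find_key_material(root, test_dirs=("certs/test",)):
    """Return sorted (path, kind, allowed). test_dirs (hypothetical allow-list) is the
    only place a private-CA test-and-debug key may live in the repository."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            kind = None
            if os.path.splitext(name)[1].lower() in PKCS12_EXT:
                kind = "pkcs12"
            else:
                with open(full, "rb") as fh:
                    if PEM_PRIVATE.search(fh.read(1 << 20)):  # first 1 MiB
                        kind = "pem-private-key"
            if kind:
                allowed = any(rel.startswith(d.rstrip("/") + "/") for d in test_dirs)
                findings.append((rel, kind, allowed))
    return sorted(findings)

def demo():
    """Scan a constructed repository layout (placeholder contents, no real keys)."""
    files = {
        "certs/test/debug-signing.pem": b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n",
        "build/release-signing.pfx": b"CONSTRUCTED PLACEHOLDER",
        "build/sign.cmd": b"rem signing step\n",
        "docs/ca-chain.pem": b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return find_key_material(root)

if __name__ == "__main__":
    for rel, kind, allowed in demo():
        print(("ok   " if allowed else "FAIL ") + f"{kind:16} {rel}")
```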
-
@polygeekery As long as there's at least one person who will let your company not suddenly stop selling products when you get hit by a bus and no one has the password.
-
@magus that is taken care of also. ;)
-
@heterodox said in CCleaner was hacked:
@polygeekery said in CCleaner was hacked:
It is better when served ice cold.
You're wrong.
Hot tea is good for remembering that life is hard and doesn't taste good.
-
@polygeekery said in CCleaner was hacked:
@magus that is taken care of also. ;)
The password is hidden in plain sight
-
@timebandit said in CCleaner was hacked:
@polygeekery said in CCleaner was hacked:
@magus that is taken care of also. ;)
The password is hidden in plain sight
Exactly. Give @Polygeekery enough and he'll tell them to you
-
@polygeekery said in CCleaner was hacked:
Even I do not have immediate access to the certificates. As part of the build process I have to input a password to gain access to where they are stored.
Optimally the certificate/key pair for production should be on a smart card/USB token. Impervious to online attacks and easy to pass down; you just pull it out of storage and enter the PIN once the release "czar" has signed off.
-
@heterodox said in CCleaner was hacked:
@polygeekery said in CCleaner was hacked:
Even I do not have immediate access to the certificates. As part of the build process I have to input a password to gain access to where they are stored.
Optimally the certificate/key pair for production should be on a smart card/USB token. Impervious to online attacks and easy to pass down; you just pull it out of storage and enter the PIN once the release "czar" has signed off.
I'm not sure I'd trust a smart card though, given how many CACs I've seen fail...
-
@sloosecannon said in CCleaner was hacked:
I'm not sure I'd trust a smart card though, given how many CACs I've seen fail...
I've never seen one fail; I've seen one go through a wash/dry cycle and keep going. And this smart card would not be used every day; it'd almost never be used at all. That being said, of course you should have a backup or an officer of the company should be able to request a new one from the CA, given the bus factor mentioned above.
-
@scarlet_manuka said in CCleaner was hacked:
@pie_flavor Games don't become less good just because newer games have been made.
It may be that the new questions involve why 16-bit programs don't work on a 64-bit OS without having a VM in between.
-
@raceprouk said in CCleaner was hacked:
@laoc said in CCleaner was hacked:
@raceprouk said in CCleaner was hacked:
I'm sure there's things the British are good at like... uh.
Tea. We're pretty good at tea. And queueing. And complaining about the weather.
If you want to convince an American that there are things that should be left to the British, choose anything but tea.
You're aware that whole event was actually about taxation, right?
Technically, it wasn't even the taxes themselves. The bigger issue was the lack of representation in the British government for (tax-paying) British subjects in British colonies.
-
@pie_flavor said in CCleaner was hacked:
People still use 32-bit Windows? What the hell for?
I have a Windows convertible that came with 32-bit Windows; it has 2 GB of RAM and can't be upgraded. It's not a high performance gaming machine by any means, but it works well as a media consumption device that can run actual software and older games.
-
@parody said in CCleaner was hacked:
@pie_flavor said in CCleaner was hacked:
People still use 32-bit Windows? What the hell for?
I have a Windows convertible that came with 32-bit Windows; it has 2 GB of RAM and can't be upgraded. It's not a high performance gaming machine by any means, but it works well as a media consumption device that can run actual software and older games.
But then you wouldn't need CCleaner.
-
@heterodox said in CCleaner was hacked:
@sloosecannon said in CCleaner was hacked:
I'm not sure I'd trust a smart card though, given how many CACs I've seen fail...
I've never seen one fail; I've seen one go through a wash/dry cycle and keep going. And this smart card would not be used every day; it'd almost never be used at all. That being said, of course you should have a backup or an officer of the company should be able to request a new one from the CA, given the bus factor mentioned above.
Hmm. Then again, I'm not an IT guy for that system, I just hear "My CAC is screwed up again" "Call IT". It's entirely possible the failure happens somewhere else in the system...