(As a reminder, we never store credit card numbers since we process them with Stripe, and all Panic Sync data is encrypted in such a way that even we can’t see it.)

The other important fact is that I feel like a monumental idiot for having fallen for this.

HandBrake had been nagging me for some time to install an update. I finally decided, for whatever reason, to do the update. There was a note in HandBrake’s update dialog that the incremental update was not available, and that I’d have to download an entirely fresh copy from their server. I didn’t think too much of this, as we’ve been in a similar situation with a broken Sparkle update channel once before (the worst).

So, I managed to download within the three day window during which the infection was unknown, managed to hit the one download mirror that was compromised, managed to run it and breeze right through an in-retrospect-sketchy authentication dialog, without stopping to wonder why HandBrake would need admin privileges, or why it would suddenly need them when it hadn’t before. I also likely bypassed the Gatekeeper warning without even thinking about it, because I run a handful of apps that are still not signed by their developers. And that was that, my Mac was completely, entirely compromised in 3 seconds or less.

By the time news broke of the HandBrake infection, git credentials had already been stolen from my Mac and used to clone several of our source code repositories, according to our logs.

As soon as I discovered the infection on my Mac, I disabled it, took the Mac out of commission, and we began the incredibly lengthy process of changing all of my passwords, rotating the relevant secret keys throughout our infrastructure, and so on, to re-lock our doors and hopefully prevent anything else from being stolen. The vast majority of these things were changed or rolled simply out of an abundance of caution - again, there’s no indication our web servers were compromised - but in this kind of a situation, you change all the locks.

Then, the forensics: we began combing through our logs to try to determine the extent of what was accessed which, to reiterate, we believe is limited to source code and personal data on my Mac. Thanks to good logging (thank you, James) we got a very complete picture. The method the attacker used prevented them from cloning all of our source code - they were making educated guesses at our repo names, one-by-one, which did not expose everything.

The source code theft was confirmed when we received an email from the attacker (with a few source code files attached as proof of the theft) demanding a large bitcoin ransom to prevent the release of the source code, which would “suffocate” our company, in their words. We’re working on the assumption that there’s no point in paying - the attacker has no reason to keep their end of the bargain.
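The forensic step described above (combing git-server logs to work out which repositories a stolen credential actually reached, and noticing that the attacker was guessing repo names one by one) can be automated. The script below is an added example, not code from Panic or from the original post. It assumes a git-over-HTTPS server whose access log records the authenticating user, client IP, request and HTTP status in the constructed format shown; the log lines, user names and repository names are all made up for the example.

```python
"""Scope a stolen-credential incident from git-over-HTTPS access logs.

Added example (not Panic's code). Assumed log format, one request per line:
  <iso-timestamp> <client-ip> <user> "<method> <path>" <status>
Name-guessing with a stolen credential leaves a distinctive trail: one
principal, a burst of 404s on repositories that do not exist, and 200s on
the ones that were actually fetched. Separating the two tells you what was
taken (the 200s) and what was only attempted (the 404s).
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (hypothetical users, hosts and repository names).
SAMPLE_LOG = """\
2017-05-05T02:11:03Z 203.0.113.9 dev-a "GET /example/app-one.git/info/refs?service=git-upload-pack" 200
2017-05-05T02:11:04Z 203.0.113.9 dev-a "POST /example/app-one.git/git-upload-pack" 200
2017-05-05T02:11:20Z 203.0.113.9 dev-a "GET /example/app-two.git/info/refs?service=git-upload-pack" 200
2017-05-05T02:11:21Z 203.0.113.9 dev-a "POST /example/app-two.git/git-upload-pack" 200
2017-05-05T02:11:40Z 203.0.113.9 dev-a "GET /example/app-three.git/info/refs?service=git-upload-pack" 404
2017-05-05T02:11:41Z 203.0.113.9 dev-a "GET /example/app-ios.git/info/refs?service=git-upload-pack" 404
2017-05-05T02:11:42Z 203.0.113.9 dev-a "GET /example/website.git/info/refs?service=git-upload-pack" 404
2017-05-05T09:30:00Z 198.51.100.7 dev-b "GET /example/app-one.git/info/refs?service=git-upload-pack" 200
2017-05-05T09:30:01Z 198.51.100.7 dev-b "POST /example/app-one.git/git-receive-pack" 200
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)
# Repository name is everything between the leading slash and the ".git/" suffix.
REPO_RE = re.compile(r"^/(?P<repo>[^?]+?\.git)/")


@dataclass
class PrincipalActivity:
    ips: set = field(default_factory=set)
    cloned: set = field(default_factory=set)   # repos read via upload-pack with 200
    guessed: set = field(default_factory=set)  # repo names that answered 404
    pushed: set = field(default_factory=set)   # repos written via receive-pack


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    r = REPO_RE.match(rec["path"])
    rec["repo"] = r.group("repo") if r else None
    rec["status"] = int(rec["status"])
    return rec


def scope_access(log_text):
    """Return {user: PrincipalActivity} summarising what each credential touched."""
    activity = defaultdict(PrincipalActivity)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["repo"] is None:
            continue
        act = activity[rec["user"]]
        act.ips.add(rec["ip"])
        if rec["status"] == 404:
            act.guessed.add(rec["repo"])
        elif rec["status"] == 200 and "upload-pack" in rec["path"]:
            act.cloned.add(rec["repo"])
        elif rec["status"] == 200 and "receive-pack" in rec["path"]:
            act.pushed.add(rec["repo"])
    return dict(activity)


def suspicious_principals(activity, min_guesses=3):
    """Credentials whose use looks like repo-name enumeration rather than normal work."""
    return sorted(u for u, a in activity.items() if len(a.guessed) >= min_guesses)


if __name__ == "__main__":
    acts = scope_access(SAMPLE_LOG)
    for user in suspicious_principals(acts):
        a = acts[user]
        print(f"{user}: from {sorted(a.ips)}")
        print(f"  fetched (treat as stolen): {sorted(a.cloned)}")
        print(f"  guessed, did not exist:    {sorted(a.guessed)}")
```

The useful output is the `cloned` set per principal: that is the list of repositories to treat as disclosed, while the `guessed` set shows how far the enumeration got without succeeding. The threshold in `suspicious_principals` is a starting point; a developer mistyping a URL produces one or two 404s, not a run of them from a single address in the same minute.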