Online criminals target download servers because users trust them and developers neglect them. Once a download server is up and running, it needs little maintenance so regular updates and security checks are easily overlooked.
In a recent tale of download server woe, the well-regarded open source transcoding application Handbrake was attacked. One of its download servers was compromised and the application’s binary infected with the Proton Remote Access Tool (RAT). RATs are a common type of malware used to spy on users by logging their keystrokes, controlling their webcams, and reading their files. Handbrake’s secondary download server was compromised — the project has a couple of mirrored servers — so anyone who installed Handbrake before the malware was discovered had a 50% chance of being infected.
My aim is not to pick on the Handbrake project: it’s far from the first project to be attacked in this way. Large enterprise organizations have been the victims of similar attacks. What interests me is that the effects of this sort of attack are easily mitigated by the software’s users: they can compare the hash of the binary they downloaded with a known good hash of the released software. If the hashes are different, the downloaded binary isn’t the same as the binary uploaded by the project.
A hash is a mathematical function which, when given some data, produces a unique string, the hash. The same input data always produces the same hash. Different data almost always produces a different hash. So, if the hashes match, you can be certain — for a reasonable definition of certain — that the binary hasn’t been tampered with. There are weaknesses in this system; the server hosting the hashes could be compromised too, but that indicates a much more serious problem with a project’s security than a single poorly secured server.
Handbrake does publish hashes on a secure server. Anyone who compared the published hashes to the hash of the downloaded binary would have spotted the mismatch. But the average user has no clue what a hash is, never mind how they might go about generating one and comparing it to published hashes.
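The check described above, as an added example rather than anything from the Handbrake project: hash the downloaded file, parse a published checksum list in the common `sha256sum` layout, and compare. The checksum text, file names and digests are constructed for the example (the digests are simply SHA-256 of the bytes `hello` and of an empty file); a file that the checksum list does not mention is reported as unverified rather than as passing.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for a project's published checksum file (not a real
# release). The digests are SHA-256 of b"hello" and of the empty file.
CHECKSUMS_TXT = """\
# SHA-256 checksums for app 1.0 (constructed example)
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  app-1.0.dmg
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *app-1.0.exe
"""


def sha256_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_file(text):
    """Parse sha256sum-style lines ("<hex digest>  <filename>") into {filename: digest}.

    Blank lines and '#' comments are skipped; a leading '*' on the filename
    (sha256sum's binary-mode marker) is dropped.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: ignore rather than guess
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_download(path, expected):
    """True only if `path` is listed in `expected` and its digest matches.

    hmac.compare_digest keeps the comparison constant-time; a file the checksum
    list does not mention is treated as unverified, not as passing.
    """
    published = expected.get(os.path.basename(path))
    if published is None:
        return False
    return hmac.compare_digest(sha256_file(path), published)


def demo_verify():
    """Verify a matching download, a tampered one, and an unlisted one."""
    expected = parse_checksum_file(CHECKSUMS_TXT)
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "app-1.0.dmg")
        with open(good, "wb") as f:
            f.write(b"hello")
        # Same file name as the release, but different bytes (constructed).
        tampered_dir = os.path.join(tmp, "mirror")
        os.mkdir(tampered_dir)
        tampered = os.path.join(tampered_dir, "app-1.0.dmg")
        with open(tampered, "wb") as f:
            f.write(b"hello, but not what the project uploaded")
        # A file the checksum list never mentions.
        unlisted = os.path.join(tmp, "app-2.0.dmg")
        with open(unlisted, "wb") as f:
            f.write(b"")
        return (verify_download(good, expected),
                verify_download(tampered, expected),
                verify_download(unlisted, expected))


if __name__ == "__main__":
    print(demo_verify())  # (True, False, False)
```

The checksum list must be fetched from somewhere other than the mirror that served the binary (the project's own HTTPS site, as the post notes Handbrake provides), otherwise an attacker who can swap the binary can swap the published hash alongside it.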
Some update software — including the one used by Handbrake for recent releases — automatically checks hashes to make sure the downloaded binary matches, but for direct download servers, that facility doesn’t exist. The question is this: what responsibility do open source and commercial projects have to educate their users? Should every download page prominently advise users of the potential risks of downloading software from the project? That wouldn’t be great from a marketing perspective, but nor are thousands of infected users.
Whatever the solution to the problems of communicating the importance of hashing and digital signing to users, developers and server administrators have a responsibility to secure and manage their infrastructure. Server hardening, regular updates, and intrusion detection are non-negotiable for any high-risk server. If projects don’t have the necessary expertise, they should use a hosting platform with managed security.
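One concrete form of the intrusion detection the paragraph above calls for on a download server is a file-integrity baseline: record a digest of every release artifact once it is published, then periodically re-hash the directory and alert on any file that changed, appeared or vanished. This is an added example, not tooling from Handbrake or any hosting provider; the release directory, file names and contents are constructed inside the demo.

```python
import hashlib
import json
import os
import tempfile


def digest_tree(root):
    """Map each file under `root` (as a path relative to root) to its hex SHA-256."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def compare_baseline(baseline, current):
    """Return (modified, added, removed) relative paths, each sorted.

    A published release artifact should never change in place, so any entry in
    `modified` is the signal to pull the mirror and investigate.
    """
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo_integrity_check():
    """Build a baseline for a constructed release directory, alter it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        releases = os.path.join(root, "releases")
        os.makedirs(releases)
        with open(os.path.join(releases, "app-1.0.dmg"), "wb") as f:
            f.write(b"original release bytes (constructed)")
        with open(os.path.join(releases, "app-1.0.dmg.sha256"), "w") as f:
            f.write("placeholder digest line (constructed)\n")

        # Baseline taken at publish time; in practice store it off the server.
        baseline_path = os.path.join(root, "baseline.json")
        with open(baseline_path, "w") as f:
            json.dump(digest_tree(releases), f)

        # Simulate what a compromise looks like: the binary is replaced in
        # place and a stray file appears in the release directory.
        with open(os.path.join(releases, "app-1.0.dmg"), "wb") as f:
            f.write(b"different bytes the project never uploaded (constructed)")
        with open(os.path.join(releases, ".hidden-note"), "w") as f:
            f.write("x")

        with open(baseline_path) as f:
            stored = json.load(f)
        return compare_baseline(stored, digest_tree(releases))


if __name__ == "__main__":
    print(demo_integrity_check())  # (['app-1.0.dmg'], ['.hidden-note'], [])
```

The baseline has to live somewhere the download server cannot write to, for the same reason the post gives about the hash server: an attacker who can replace the binary on the host can also rewrite a baseline stored beside it.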