Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[HtpcUserAri]

JRiver team,
First, thank you for excellent software and also for disclosing the recent server infiltration and keeping everything above-board.
Could you please provide (re)assurance that the media center software itself has no possibility of having been injected with a zero-day piece of malware? I think, for example, of NotPetya being spread through the seemingly benign accounting software M.E.Doc (see link to really interesting article here). Remember also the CCleaner attack that infected millions of PCs by a similar means (link here).
Now that there is precedent, when a software provider or distributor's server is compromised, injection of malware into the software being distributed needs to be considered.
Thank you for checking into this and for your considered reply. I know it has been a difficult few weeks and we, your users, are grateful for the work you have done to investigate all possibilities and address any issues.
Ari

[Matt]

We virus check every build with the latest virus scanner before release.

[JimH]

Many attacks, including the one on our servers, use SQL injection.  Our servers use SQL interfaces for the databases, but JRiver Media Center doesn't.

[HtpcUserAri]

Yes, of course. And the antivirus software of all the users who install it will also scan it (which represents even more scans from different companies' threat databases and heuristic analyses).
But this question is being asked of a software company whose servers were just compromised. And we know that standard AV scans won't detect viruses whose signatures haven't been isolated, reported, and distributed yet (I'm a layman, but I believe those are called zero-day attacks until they are published). Same as the NotPetya and the CCleaner attacks linked to above.
Following a multi-server compromise, of a company that distributes software to (how many?) customers, wouldn't it be prudent to at least execute the software in a sandbox and watch its behavior? Or at least the packets going in and out? And also get this verified by a third party?
...and then use that information to reassure current and future (paying) customers who will need to install the software on their own machines (and use administrative credentials to do so)?

Please don't read this in the wrong vein. I don't intend to be combative or to start some sort of argument (I'm not actually sure what the counter argument is from a company that has been recently compromised?) but I really want first proof and then reassurance.

Again, as above, great software and I thank you for it. Please do what you can to ensure I can continue to install updates and new versions.

[Hendrik]

Our development and file hosting servers were never reached by the intruders. The file hosting is on Amazon S3, far away from the servers we use for order processing and our general website, which were the ones under attack. And the development systems are entirely separate from that as well.

Even with full unfettered access to the web servers that were breached, there is no link to the actual Media Center binaries, any of the plugins it uses, or our development systems.

The problem with the "proof" you are asking for is that proving a negative is nearly impossible. Malware could be hiding, biding its time - exactly to escape early detection.
As such the best we can do is verify that the servers with this data were in fact never reached, which rules out infection in the first place. Which due to the physical and logical separation is an absolute certainty at this point. Of course we checked!

Additionally, all our binaries are digitally signed. If they had been modified, the signature would be damaged, which is practically impossible to fake. The Signature carries the name of who signed it and the date of signing, which allows us to verify that in fact no binary was ever touched.

All servers that were infected have been entirely rebuilt from scratch, exactly for that reason - we can never prove that we cleaned out everything, unless we just throw away the entire server.

[JimH]

Hendrik's answer is excellent and definitive.

Please don't spread fear needlessly.