![](https://s3.amazonaws.com/mostvulnerable/assets/img/watering_hole-scalable.jpg)

# Inauthentic Downloads

This is a list of developers that have been hit with a **watering hole attack** or are _potential targets_, and provide _no way to authenticate_ their software with PGP. Some of the software in this list is critical backup software that runs as _root_ to clone disks, like _SuperDuper!_. _Backup software is the ultimate target of the watering hole attack_.

> Watering hole is a computer attack strategy, in which the victim is a particular group (organization, industry, or region).
> In this attack, the attacker guesses or observes which websites the group often uses and infects one or more of them with malware.
> Eventually, some member of the targeted group gets infected.
>
> Relying on websites that the group trusts makes this strategy efficient, even with groups that are resistant to spear phishing and other forms of phishing.

# The Lowest Standards

"Missed the Mark"       | Cryptographic Signature (PGP) | Checksum (SHA256) | Exploited                         | Tell them to sign
------------------------|-------------------------------|-------------------|-----------------------------------|------------------------------
Transmission BitTorrent | No                            | Yes               | Compromised [(2 times)][tran-exp] | [Submit an issue][tran-tell]
1Password               | No (WTF?)                     | No                | Unknown                           | [Email them][1p-tell1]
CCleaner - Avast        | No (WTF?)                     | No                | Compromised [1][clnr-exp]         | [Submit a ticket][clnr-tell]
Elmedia Player - Eltima | No                            | No                | Compromised [1][elpl-exp]         | [Email or Forum][elpl-tell]
Folx - Eltima           | No                            | No                | Compromised [1][folx-exp]         | [Email or Forum][folx-tell]
SuperDuper!             | No                            | No                | Unknown                           | [Email them][supd-tell]
Carbon Copy Cloner      | No                            | No                | Unknown                           | [Submit an issue][ccc-tell]
Arq Backup              | No                            | No                | Unknown                           | [Email them][arq-tell1]
Librevault              | No                            | No                | Unknown                           | [Submit an issue][lib-tell]
GIMP                    | No                            | Yes               | Unknown                           | [Submit an issue][gimp-tell]
Blender                 | No                            | Yes               | Unknown                           | [Submit Feedback][blend-tell]

[tran-exp]: https://en.wikipedia.org/wiki/Transmission_%28BitTorrent_client%29#Website_breach
[tran-tell]: https://github.com/transmission/transmission/issues
[1p-tell1]: mailto:support+kb@agilebits.com?subject=Question%20about%201Password
[clnr-exp]: https://www.bleepingcomputer.com/news/security/ccleaner-compromised-to-distribute-malware-for-almost-a-month/
[clnr-tell]: https://support.avast.com/support/tickets/new
[elpl-exp]: http://www.zdnet.com/article/trojan-malware-for-mac-osx-spread-via-compromised-media-player-downloads/
[elpl-tell]: https://mac.eltima.com/contacts.html
[folx-exp]: http://www.zdnet.com/article/trojan-malware-for-mac-osx-spread-via-compromised-media-player-downloads/
[folx-tell]: https://mac.eltima.com/contacts.html
[supd-tell]: mailto:support@shirt-pocket.com?subject=Support%20Request
[ccc-tell]: https://support.bombich.com/hc/en-us/requests/new
[arq-tell1]: mailto:support@arqbackup.com?subject=Please%20PGP%20sign%20-mostvulnerable.com
[lib-tell]: https://github.com/Librevault/librevault/issues
[gimp-tell]: https://bugzilla.gnome.org/enter_bug.cgi?product=gimp-web
[blend-tell]: https://devtalk.blender.org/c/site-feedback

_[Edit Chart](https://github.com/sosumii/mostvulnerable.github.io/blob/master/index.htm) - [Report Issue](https://github.com/sosumii/mostvulnerable.github.io/issues)_

# FAQ

### What is the functional difference between a checksum and a signature?

> * Checksums ensure [data integrity](https://en.wikipedia.org/wiki/Data_integrity).
> * Cryptographic signatures ensure [data authenticity](https://en.wikipedia.org/wiki/Authentication).
>
> When downloading a file, errors may occur during that process. Malware could also modify the downloaded file if your machine is infected. The file's fingerprint (checksum) is there to tell you that the file has not been altered.
>
> An attacker may host a malicious version of *transmission* on his website and make it available for download. Verifying the checksum in this case is useless, because whoever replaced the file can publish a matching checksum next to it: the only way for you to be sure that you did not download a malicious version of *transmission* is to check its signature(s).

### What about Gatekeeper?

> * Any Developer ID accepted by Gatekeeper will be allowed to run.
>   * _E.g._ Transmission users were autoupdated to compromised binaries with **VALID `codesign` Developer IDs**.

### I love that software. What do I do?

> * [Tell them](index.htm#toc1) you would like to keep using their software and you would like to authenticate it with a PGP signature.
>   * Some people say they don't understand how PGP works. Some say they don't care.
> * Use modern software from developers that are not averse to security best practices.
>   * [See Exemplary list below](index.htm#toc4)

### See an issue or want to add to this website?

> * Fork it or create an issue on [GitHub](https://github.com/sosumii/mostvulnerable.github.io/).

# Exemplary Best Practices

Exemplary                      | Cryptographic Signature (PGP)                    | Checksum (SHA256) | Category
-------------------------------|--------------------------------------------------|-------------------|----------------------------------------------
[Espionage][esp] - Greg Slepak | Yes - [key][esp-pgp]                             | Yes               | Encryption and Plausible Deniability
[XQuartz][xqt] - Apple Inc.    | Yes - [key][xqt-pgp]                             | Yes               | Apple's open-source effort to develop X.Org for MacOS
[Swift][swft] - Apple Inc.     | Yes - [k][swft-pgp1][e][swft-pgp2][y][swft-pgp3] | No                | Apple's open-source Swift language
[Transmit][tpnc] - Panic Inc.  | Yes - [key][pnic-pgp]                            | Yes               | Upload, download, and manage files on tons of servers - [redeemed from a hack][redeemed from a hack]
[Coda][cpnc] - Panic Inc.      | Yes - [key][pnic-pgp]                            | Yes               | Open, manage, & edit your local and remote code - [redeemed from a hack][redeemed from a hack]
[Mumble][mum]                  | Yes - [key][mum-pgp]                             | Yes               | Open source, low-latency, high quality voice chat software
[KeePassX][kpx]                | Yes - [key][kpx-pgp]                             | Yes               | Password Manager with [migration from 1Password][kpx-1p]
[pass][pas]                    | Yes - [key][pas-pgp]                             | No                | CLI password manager with [migration from 1Password script][pas-1p]
[Password Safe][pws]           | Yes - [key][pws-pgp]                             | Yes               | Password Manager _"Designed by renowned security technologist Bruce Schneier"_
[Duplicati][dup]               | Yes - [key][dup-pgp]                             | Yes               | Backup encrypted to S3, SFTP, SMB, local, etc
[Bitmessage][bmg]              | Yes - [key][bmg-pgp]                             | No                | P2P encrypted store and forward messaging

[redeemed from a hack]: index.htm#toc5
[esp]: https://www.espionageapp.com/
[esp-pgp]: https://www.taoeffect.com/other/A884B988.asc
[xqt]: https://www.xquartz.org/
[xqt-pgp]: https://sks-keyservers.net/pks/lookup?op=get&search=0x8C2D409E37F53663
[swft]: https://swift.org/
[swft-pgp1]: https://sks-keyservers.net/pks/lookup?op=get&search=0xD441C977412B37AD
[swft-pgp2]: https://sks-keyservers.net/pks/lookup?op=get&search=0x9F597F4D21A56D5F
[swft-pgp3]: https://sks-keyservers.net/pks/lookup?op=get&search=0x63BC1CFE91D306C6
[tpnc]: https://panic.com/transmit/
[cpnc]: https://panic.com/coda/
[pnic-pgp]: https://keybase.io/panic/pgp_keys.asc
[mum]: https://wiki.mumble.info/wiki/Main_Page
[mum-pgp]: https://sks-keyservers.net/pks/lookup?op=get&search=0x88048D0D625297A0
[kpx]: https://www.keepassx.org/
[kpx-pgp]: https://www.keepassx.org/gpg/0x83135D45.asc
[kpx-1p]: http://keepass.info/help/base/importexport.html#imp_1pwpro
[pas]: https://www.passwordstore.org/
[pas-pgp]: http://www.zx2c4.com/keys/AB9942E6D4A4CFC3412620A749FC7012A5DE03AE.asc
[pas-1p]: https://www.passwordstore.org/#migration
[pws]: https://pwsafe.org/
[pws-pgp]: https://sks-keyservers.net/pks/lookup?op=get&search=0x1D795A91FA175557
[dup]: http://www.duplicati.com/
[dup-pgp]: http://pgp.mit.edu/pks/lookup?search=0xC20E90473DAC703D&op=index
[bmg]: https://bitmessage.org/wiki/Main_Page
[bmg-pgp]: http://pool.sks-keyservers.net/pks/lookup?op=get&search=0x0C5F50C0B5F37D87

# Redeemed

Redeemed              | Cryptographic Signature (PGP)        | Checksum (SHA256) | Exploited                                     | Note
----------------------|--------------------------------------|-------------------|-----------------------------------------------|--------------------------------------------
HandBrake             | [Yes][hand-redeem] - [key][hnd-pgp]  | Yes               | Watering hole attack. Corrected [1][hand-exp] | Thanks to [@sr55](https://github.com/sr55)
Linux Mint            | [Yes][mint-redeem] - [key][mnt-pgp]  | Yes               | Watering hole attack. Corrected [1][mint-exp] | They sign their SHA256 sums. Kinda a PITA.
Transmit - Panic Inc. | [Yes][pnic-redeem] - [key][pnic-pgp] | Yes               | Watering hole attack. Corrected [1][hand-exp] | Thanks Panic! Someone at Panic is awesome!
Coda - Panic Inc.     | [Yes][pnic-redeem] - [key][pnic-pgp] | Yes               | Watering hole attack. Corrected [1][hand-exp] | Panic's PGP signature gives me wood.

[hand-redeem]: https://github.com/HandBrake/HandBrake/issues/728
[hand-exp]: https://www.macrumors.com/2017/05/07/handbrake-app-security-warning-servers-hacked/
[hnd-pgp]: https://sks-keyservers.net/pks/lookup?op=get&search=0x021DB8B44E4A8645
[mint-redeem]: https://linuxmint.com/verify.php
[mint-exp]: http://blog.linuxmint.com/?p=2994
[mnt-pgp]: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x300F846BA25BAE09
[pnic-redeem]: https://library.panic.com/transmit5/release-integrity/
[pnic-exp]: https://www.macrumors.com/2017/05/17/panic-source-code-stolen-in-handbrake-attack/
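To make the FAQ's checksum-versus-signature distinction and Linux Mint's signed-SHA256-sums pattern concrete, here is an added example that is not from the original page. It models a download page in Go, with Ed25519 standing in for PGP and constructed byte strings standing in for the disk images: a checksum published beside the download verifies against whatever the site currently serves, while the signature only verifies under the developer's key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release is what a download page serves: the binary, its published SHA256 sum,
// and a signature over that sum (Linux Mint's signed-sums pattern). Ed25519 stands in for PGP.
type Release struct {
	Binary []byte
	Sum    []byte // SHA256 of Binary, as published beside the download
	Sig    []byte // detached signature over Sum
}

// NewKey makes a signing key pair; only the public half is ever distributed.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func digest(b []byte) []byte { s := sha256.Sum256(b); return s[:] }

// Publish is what the site operator does: hash the binary, sign the hash.
func Publish(priv ed25519.PrivateKey, binary []byte) Release {
	sum := digest(binary)
	return Release{Binary: binary, Sum: sum, Sig: ed25519.Sign(priv, sum)}
}

// ChecksumOK proves only that the bytes match what the site claims; a hijacked site claims whatever it likes.
func ChecksumOK(r Release) bool { return bytes.Equal(digest(r.Binary), r.Sum) }

// SignatureOK also verifies the sum under a key fetched out of band; without that private key no swap passes.
func SignatureOK(trusted ed25519.PublicKey, r Release) bool {
	return ChecksumOK(r) && ed25519.Verify(trusted, r.Sum, r.Sig)
}

func main() {
	pub, priv := NewKey()
	_, other := NewKey() // a key the developer never held, as on a hijacked site
	rel := Publish(priv, []byte("constructed stand-in for a genuine .dmg"))
	fake := Publish(other, []byte("constructed stand-in for a swapped .dmg"))
	fmt.Println(ChecksumOK(rel), SignatureOK(pub, rel), ChecksumOK(fake), SignatureOK(pub, fake)) // true true true false
}
```

In practice the trusted public key is fetched from a keyserver or the developer's site and its fingerprint compared against a copy obtained another way; a key downloaded from the same compromised page proves nothing.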