No matter how many security precautions you take, there may still be danger lurking in your PC.
I consider myself a security-aware computer user. I have a firewall set up, I have up-to-date antivirus software running, I stay away from sketchy software downloads, and I avoid sites that offer free ‘stuff’. And I never open attachments sent via email or text, even from people I know.
By all accounts, my computers should be malware free. In my home office, I have a Windows PC, a Linux server, and a MacBook Pro. I have 2 webcams, several routers, a laser printer, and numerous devices that are considered IoT (Internet of Things).
I recently listened to a really interesting webcast by Eclypsium and read their research paper “Perilous Peripherals: The Hidden Dangers Inside Windows & Linux Computers.”
And frankly now I’m worried. Really worried.
Sign your firmware
For those unaware, a computing device contains software in many of its nooks and crannies. Of course, we all know about the software installed on our hard drives. But did you know that the hard drive itself contains embedded software that makes it work? This embedded software is known as firmware, and it is found in webcams, touchpad controllers, network hubs, USB hubs, and just about every sophisticated piece of electronics you own.
Computing device manufacturers don’t build these components themselves. Instead, they buy them from third parties, from all over the world.
Here’s where things get scary. Eclypsium found that the majority of the firmware in these devices is NOT code signed. According to them:
“…we then demonstrated a successful attack on a server via a network interface card with unsigned firmware used by each of the big three server manufacturers [ed. Dell, Lenovo, HP]. Once firmware on any of these components is infected using the issues we describe, the malware stays undetected by any software security controls.”
Think about that. No matter how cautious you are, your computer is still exposed, because third-party component manufacturers are not signing their firmware, and code running inside those components sits below the operating system, where your firewall and antivirus never look.
Code signing has been used for decades to authenticate that software comes from where it says it comes from and that it hasn’t been modified by a third party: the signature binds the image to the signer’s key, and any change to the image, even a single bit, makes the signature fail to verify. The caveat is that a signature only helps if the device actually checks it: the update routine or boot code must verify the image against a vendor public key it holds before it flashes or runs anything. Why, then, are these component manufacturers not using this proven technology?
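As an added worked example (not code from the original post, and not Eclypsium’s or Venafi’s), here is what the check on the receiving end looks like: a toy firmware update routine that verifies the image’s signature against a pinned vendor public key before flashing. It uses textbook RSA over SHA-256 with keys generated in-process so that it runs offline; the image bytes, the 512-bit key size and the function names are constructed for the demo, and real firmware would use a vetted library with the private key held in an HSM.

```python
# Added example (not from the original post or from Eclypsium/Venafi): a toy
# firmware-signing check showing what a device's update routine gains from
# verifying a signature against a pinned vendor key. Textbook RSA over SHA-256
# with keys generated in-process so it runs offline; image bytes and key size
# are constructed for the demo, not production parameters.
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test (probabilistic, adequate for a demo)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd number of exactly `bits` bits, retried until probably prime."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Return (public, private) as (n, e), (n, d). Toy size: 512-bit modulus."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    d = pow(e, -1, phi)                            # modular inverse (Python 3.8+)
    return (p * q, e), (p * q, d)


def image_digest(image: bytes) -> int:
    """SHA-256 of the whole image as an integer; this is what gets signed.
    The digest (256 bits) is always smaller than the 512-bit modulus."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def sign_firmware(image: bytes, private_key) -> int:
    """Vendor side, done once at build time; d should never leave the HSM."""
    n, d = private_key
    return pow(image_digest(image), d, n)


def verify_firmware(image: bytes, signature: int, public_key) -> bool:
    """Device side: recompute the digest and compare with the recovered one."""
    n, e = public_key
    return pow(signature, e, n) == image_digest(image)


def load_firmware(image: bytes, signature, trusted_public_key):
    """What an update routine should do before flashing. Returns (ok, reason)."""
    if signature is None:
        return False, "rejected: image is unsigned"
    if not verify_firmware(image, signature, trusted_public_key):
        return False, "rejected: signature does not verify under the pinned vendor key"
    return True, "accepted: flashing image"


def demo() -> dict:
    """Four update attempts against a device that pins the vendor's public key."""
    vendor_pub, vendor_priv = generate_keypair()
    _, attacker_priv = generate_keypair()          # attacker has a key, just not the vendor's
    image = b"NICFW\x00v1.2.3\x00" + bytes(range(256))   # constructed stand-in for a NIC image
    good_sig = sign_firmware(image, vendor_priv)

    tampered = bytearray(image)
    tampered[40] ^= 0x01                           # one flipped bit in the payload
    return {
        "genuine": load_firmware(image, good_sig, vendor_pub)[0],
        "tampered": load_firmware(bytes(tampered), good_sig, vendor_pub)[0],
        "wrong_key": load_firmware(image, sign_firmware(image, attacker_priv), vendor_pub)[0],
        "unsigned": load_firmware(image, None, vendor_pub)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:10s} -> {'accepted' if accepted else 'rejected'}")
```

The point the Eclypsium quote turns on is the device side: with no check, all four images flash; with one, only the genuine image does, and the device needs nothing secret to do it, just the vendor’s public key. Signing alone is not enough, though: the update routine (and ideally the boot ROM) has to enforce the verification, and the private key has to stay in an HSM or an equivalent protected store.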
Have you heard these code signing excuses?
When I talk to folks in large organizations and ask this question about code signing their software, I hear these common responses:
“The more code we have to sign, the more code signing keys we need to make available to our developers and that increases our risks, so we just don’t bother.”
“Our developers say we (the PKI team) slow them down and they just bypass our processes anyway.”
“We have bigger fish to fry.”
“We aren’t aware of all of the software development going on in our organization.”
Folks! Code signing is easy. Most software development environments provide a tool (signtool on Windows and codesign on macOS, for example) that takes only milliseconds to run. What is NOT easy (for developers) is knowing the ins and outs of code signing certificates and keys. What’s not easy is for InfoSec teams to provide developers with a code signing service that is both simple to use and fast. What’s not easy is for InfoSec teams to automatically enforce, on their development teams, the processes and policies that secure the code signing process.
Why Venafi makes code signing easy
Now, let me stop for a moment for a brief, self-serving commercial:
All this changed when Venafi introduced Next-Gen Code Signing last year. With Venafi Next-Gen Code Signing, there should be no excuses why a software team of any size doesn’t sign the code they produce. Next-Gen Code Signing automates managing code signing certificates (including issuance through revocation), works with the tools that software developers normally use (including those commonly used for DevOps and Internet of Things), doesn’t add any noticeable time to a software build, and automatically enforces the code signing policies that InfoSec deems important. And most importantly, this secure process eliminates the need for any code signing keys to ever leave a secured storage location (like an HSM or Venafi’s own trusted key storage).
I’m not sure how we change this. I guess it starts with the big computer manufacturers requiring their suppliers to sign all of their firmware. And that requires their customers complaining about it. Or it may take a major malware incident.
Planes, trains and automobiles - Do you code sign?
But the more I think about this, the more concerned I get. I used to develop safety-critical software for airplanes. Today’s planes rely 100% on software and components that come from many different suppliers. During my flight to San Francisco this week to attend RSA, I wondered what precautions Boeing (or Airbus) have taken to ensure that their suppliers’ code is not tampered with. On BART (the San Francisco Bay Area’s mass transit service) I wondered the same thing. There’s a lot of software needed to make BART run.
And my mind didn’t stop there.
What about our power grids? The medical devices keeping patients alive in ICUs? The list goes on…
Is your organization creating software that should be code signed?