Back in the good ‘ole days when I was in IT, my favorite Windows OS was XP. In those days, Microsoft was still notorious for releasing software patches that had flaws in them, but at least you had a choice of when to download them, and you could uninstall any that turned out to have a known flaw. Now, with Windows 10, and for that matter even with hardware or firmware updates, you really have no choice in the matter.
The updates get pushed down to your computer, and to make matters even worse, you cannot uninstall them if you become aware of flaws in them. Just about every major IT vendor is doing this, and it seems that nobody really cares anymore whether the patches and/or upgrades actually work, or whether they pose more of a security risk to you and your business.
Apart from Windows, the latest example of this is ASUS. This is a rather well-known computer manufacturer based in Taiwan. They also produce other brand-name devices, such as laptops, mobile phones, smart home systems, and other electronic gadgets.
Just recently (I believe it was last month), ASUS pushed out its round of security updates to the customers who use its hardware. But instead of making these machines more secure, it was discovered that these updates contained a nasty piece of malware that impacted over 500,000 computers worldwide. How is this possible, especially with a strong name like ASUS?
Apparently, the malware was not the result of poorly written source code; rather, it was a security weakness in the way the updates and patches were validated (this is yet another automated process). This process makes use of a complex methodology called “Code Signing”.
We won’t get into all of the techno jargon here (we will in a later blog), but essentially, many hardware and software vendors use this as positive proof that their respective updates/patches have passed a rigorous QA check and, more importantly, have been deemed authentic.
This simply means that these individual packages have not been altered in any way and have been developed by trusted sources at the vendor. But these packages (the updates and patches) don’t get pushed down to the customer directly; rather, they make their way across the Internet through various servers, and then they finally reach their end destination: our computers.
These servers need high-level assurance that the packages being transmitted to them, which they in turn have to push out, are the real deal. This is where the principles of “Code Signing” come into play. Again, this is a digital seal that proves to the server the authenticity and identity of the software publisher, and that ensures the software code has not been tampered with or changed prior to download (in the world of Cryptography, this is known as “Integrity”).
But if these digital seals are not properly managed, a Cyberattacker can very easily take advantage of this by attaching a seal to malware, thus tricking the server into thinking that it is receiving and pushing out the real thing. As a result, these servers have no way of “knowing” whether a validly signed package contains a good or a bad update.
In the end, it is the consuming public that is impacted by this malware. In the case of the ASUS attack, once a computer downloaded this malware, an encrypted message was transmitted back to the Cyberattacker, alerting them that they now had a backdoor (another way in) into that specific computer. From that point, the Cyberattacker transmitted even more malware to the victim’s computer.
My thoughts on this?
These kinds of Cyberattacks are technically known as “Supply Chain Attacks”. This is actually a newer form of threat vector that is emerging and slowly making its way into the Cybersecurity Landscape. As the American public, we don’t hear too much about it, because the news is inundated with other forms of Cyberattacks, such as Ransomware, Cryptojacking, Social Engineering, etc.
These kinds of attacks have traditionally targeted manufacturers of durable goods, hence the name. For example, some time ago I wrote an article for a client about this very same issue, but on a different theme. In that case, the Chinese were accused of implanting very small cameras into the motherboards of computers as they were being produced.
The intention, of course, was to spy on American vendors, and the victims this time were Amazon and Apple, even though both of them have denied that they were spied on.
But it’s not just computers that are being targeted; it is really anything that has an electronic component and can receive and transmit data. This could be anything from your Smartphone all the way to the fancy new car that you purchase.
The explosion of the Internet of Things (IoT) has made things even worse. It has only further expanded the attack surface for Supply Chain Attacks, as more and more electronic gizmos are connected together.
It is only recently, most notably with the ASUS attack, that the software industry has become a target of these kinds of attacks. Although in the end it is the customer who is most impacted, the software vendor’s brand and reputation are going to take a huge hit as well. Except for Microsoft, most of the American public has developed a certain level of trust in the hardware and software vendors from whom they have purchased products.
Because of this, we have also assumed that any patches or upgrades we receive from them will be safe for consumption by our computers, servers, workstations, and even wireless devices. In other words, the goodwill that has been generated has now extended to their code signing procedures, because those have become an extension of brand trust as well.
But with the ASUS attack, nothing can be taken for granted anymore. Unfortunately, we have to assume that everything out there is unsafe, and hope and pray that when we do download a patch or an upgrade, no harm will come of it. But in the wake of this, the Cybersecurity community has offered three general tips that the CIO, CISO, or IT Security Manager must take heed of. They are as follows:
* Know the code signing process that resides in your company. Take particular notice of where the Public and Private Keys for it are stored.
* Have a comprehensive audit trail implemented to keep track of who is involved in the code signing process, and establish a chain of custody for the keys just described.
* Establish a set of checks and balances. In other words, give access only to those employees who absolutely must be involved in the code signing process.
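The code-signing flow described earlier and the three tips above (key custody, audit trail, restricted access), as an added example that is not part of the original post or of any vendor's real tooling. It is a hypothetical design in Go: the names NewSigner, Sign, Verify and AuditEntry are mine, the vendor key is a freshly generated Ed25519 pair, and only allow-listed employees may sign. Verification catches a package altered in transit, but, as the post says, it cannot judge the content itself, which is exactly why custody of the private key matters.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// AuditEntry: who signed which package, and the SHA-256 of what was signed.
type AuditEntry struct {
	Signer, Package string
	Digest          [32]byte
}

// Signer wraps the vendor's private key (hypothetical design): only
// allow-listed employees may use it, and every use lands in the audit trail.
type Signer struct {
	priv     ed25519.PrivateKey
	allowed  map[string]bool
	AuditLog []AuditEntry
}

func NewSigner(allowed []string) (*Signer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	s := &Signer{priv: priv, allowed: map[string]bool{}}
	for _, who := range allowed {
		s.allowed[who] = true
	}
	return s, pub, nil
}

// Sign refuses anyone outside the allow-list, otherwise signs the package
// bytes and records the event, giving a chain of custody for the key's use.
func (s *Signer) Sign(who, pkg string, content []byte) ([]byte, error) {
	if !s.allowed[who] {
		return nil, fmt.Errorf("%s is not authorized to sign %s", who, pkg)
	}
	s.AuditLog = append(s.AuditLog, AuditEntry{who, pkg, sha256.Sum256(content)})
	return ed25519.Sign(s.priv, content), nil
}

// Verify is the server's (or customer's) check: it proves origin and integrity
// only. Any bytes signed with the vendor key pass, benign or not.
func Verify(pub ed25519.PublicKey, content, sig []byte) bool {
	return ed25519.Verify(pub, content, sig)
}
```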
Finally, more technical information about the ASUS Attack can be found at this link: