Operating systems and application platforms have to toughen the protection of their code to prevent the increasing number of supply chain attacks, the annual Black Hat USA cybersecurity conference was told.
“The government is not coming to save you,” keynote speaker Mark Tait, chief operating officer of Florida-based Corellium, which sells mobile application development tools, said Wednesday.
“The only way to tackle it at the scale it’s needed is to fix the underlying technology. Platform vendors have to step up.”
If platforms don’t act there will be such a widespread compromise “it will make everything we’ve seen until now look like peanuts in comparison.”
“All of the easy answers” – turning off software updates, or banning managed service providers because malicious updates are passed through them to customers – “are bad, and the hard answers are really difficult. They bring you into necessary conflict with some very entrenched, substantial business interests.”
For example, he said, Google and Apple don’t allow third-party anti-malware companies to scan their application stores for bad apps. Nor do they allow on-device telemetry, which would give forensic evidence of high-volume application exploitation on smartphones. In fact, he argued, we’re only getting a “tiny glimpse” of the number of mobile exploits.
By comparison, when security researchers find Windows malware they can search repositories of malicious artifacts to find patterns, alert possible victims and possibly make attributions.
On the other hand, Tait said, while Windows has an entitlements system for managing identity and access, few organizations use it correctly. As a result, attackers can escalate their access privileges.
“To fix Windows we have to de-privilege applications,” Tait argued. Windows has two categories of privilege, he said: ‘Yes,’ which allows everything to have system access, and ‘Maybe yes,’ which means all applications run at medium integrity.
“We need to break these privileges apart into a workable entitlement system that developers actually use, because entitlements give the machine a machine-readable understanding of what the app should be allowed to do. That means if the app is compromised the ability of malware to do things outside the scope of the application becomes dramatically reduced.”
Asked what application developers can do to prevent supply chain attacks, Tait replied, “code signing has to be everywhere.” Supply chain attacks can compromise certificate authorities, but at least signed code gives defenders a point of contact if they find suspicious application activity and want to check if it’s legitimate.
Code signing can also mandate entitlements, he added, as well as provide a trusted date to the certificate. That way an access entitlement can be made for a first application build, and canceled in subsequent builds.
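The entitlement-plus-signing model Tait describes can be sketched in a few dozen lines. The following is an added illustration, not code from the talk, from Corellium, or from any real platform's entitlement system. It assumes a hypothetical signed manifest carrying an app id, a declared entitlement list and a build timestamp (standing in for the trusted date a signing service would attach), uses an HMAC with a constructed key as a stand-in for a publisher's asymmetric signing key and certificate, and models revocation as a publisher-supplied cutoff date per entitlement. It shows the three checks the passage implies: a request outside the declared scope is denied, a manifest edited after signing no longer verifies, and an entitlement granted to an early build can be withdrawn from later ones.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Constructed signing key standing in for a publisher's private key.
# Real code signing uses an asymmetric key and a CA-issued certificate;
# HMAC is used here only so the example runs on the standard library.
PUBLISHER_KEY = b"constructed-demo-key-not-for-real-use"


def canonical(manifest: dict) -> bytes:
    """Serialize a manifest deterministically so signer and verifier hash the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = PUBLISHER_KEY) -> dict:
    """Attach a signature covering the app id, its declared entitlements and the
    build timestamp (a stand-in for the trusted date a signing service would supply)."""
    signed = dict(manifest)
    signed["signature"] = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return signed


def verify_manifest(signed: dict, key: bytes = PUBLISHER_KEY) -> bool:
    """True only if the signature matches every signed field, so a modified
    entitlement list or build time invalidates the manifest."""
    body = {k: v for k, v in signed.items() if k != "signature"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("signature", ""))


def is_allowed(signed: dict, entitlement: str, revoked_after: dict) -> bool:
    """Platform-side decision: may this build exercise `entitlement`?

    Denied when the signature fails, when the entitlement was never declared,
    or when the publisher has revoked it for builds dated after the cutoff in
    `revoked_after` (entitlement -> ISO 8601 timestamp)."""
    if not verify_manifest(signed):
        return False
    if entitlement not in signed["entitlements"]:
        return False
    cutoff = revoked_after.get(entitlement)
    if cutoff is not None:
        built = datetime.fromisoformat(signed["build_time"])
        if built > datetime.fromisoformat(cutoff):
            return False
    return True


def tampered_copy(signed: dict, extra_entitlement: str) -> dict:
    """Simulate a compromised app editing its signed manifest to widen its own scope."""
    copy = dict(signed)
    copy["entitlements"] = list(signed["entitlements"]) + [extra_entitlement]
    return copy


# Constructed sample data: two builds of one app, and a revocation list in
# which the publisher withdrew the network entitlement for later builds.
FIRST_BUILD = sign_manifest({
    "app": "example.notes",
    "build_time": "2021-01-15T00:00:00+00:00",
    "entitlements": ["files", "network"],
})
SECOND_BUILD = sign_manifest({
    "app": "example.notes",
    "build_time": "2021-06-01T00:00:00+00:00",
    "entitlements": ["files", "network"],
})
REVOKED_AFTER = {"network": "2021-03-01T00:00:00+00:00"}

if __name__ == "__main__":
    for name, build in (("first build", FIRST_BUILD), ("second build", SECOND_BUILD)):
        for ent in ("files", "network", "camera"):
            verdict = "allowed" if is_allowed(build, ent, REVOKED_AFTER) else "denied"
            print(f"{name}: {ent:8} -> {verdict}")
    forged = tampered_copy(SECOND_BUILD, "camera")
    print("tampered manifest verifies:", verify_manifest(forged))
```

The point of keeping the entitlement list inside the signed body is that the platform, not the running process, is the source of truth for scope: a process that has been hijacked can ask for anything, but it cannot produce a valid signature over a manifest it has altered, and the trusted build date lets the publisher narrow an earlier grant without re-signing every old build.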
Broadly, supply chain attacks go after targets indirectly by hitting the applications, platforms or partners that victims use – anything from internet-connected heating, ventilation and air conditioning (HVAC) systems to network management platforms like SolarWinds Orion. Supply chain attacks have changed the risk levels and costs for both nation-state and cybercriminal attackers, Tait said. Malware – particularly ransomware – can be more widely spread, while nation-states can more easily conduct espionage against more targets. For example, he said, nine U.S. federal agencies and 100 commercial firms were victimized by the compromise of Orion’s update system.
What is worrisome, Tait said, is that in a number of recent supply chain attacks there is “credible evidence” that security researchers had quietly found vulnerabilities in the applications or systems before they were compromised. Somehow, however, the information got into the hands of threat actors.
One lesson, he said, is that security researchers hunting for zero-day vulnerabilities need to keep their systems locked down because they are targets too.
Another lesson, Tait said, is that software companies and platforms that offer bug bounties should think twice about offering more money for chains of zero-day exploits than single exploits. Companies should want researchers to notify them of potential bugs as soon as possible, he said.
The annual Black Hat USA cybersecurity conference is taking place both online and at a Las Vegas hotel.