[liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders

Michael Carbone michael at accessnow.org
Thu May 15 09:15:12 PDT 2014


Fabio Pietrosanti (naif):
> Hi all,
> 
> I think it would be very important to organize a project to audit the
> functionalities of Auto-Update of software commonly used by human rights
> defenders.
> 
> Most of the government-managed client-side attacks are done through
> proper MITM to tweak the target into downloading and/or executing something.
> 
> There is plenty of major and minor software that has security
> vulnerabilities that could be exploited in the following processes and
> procedures:
> - Auto-Update of software
> - Version Checking (to notify a new existing version)
> - Web Page providing Download/Update information
> 
> If only one of the previously defined functionalities can be exploited
> by a clever MITM (because not properly secure), the target (a normal
> target, not a paranoid one) is likely compromised.
> 
> In the past the IT Security and Hacking environment looked at these problems,
> but then no big progress has been made, everything has been abandoned
> and auto-update/version-checking/software-download-methods have been of
> the pure interest of governmental agencies.
> 
> Organizations that now take care of the security of software being used
> by human rights defenders should look at this kind of problem a bit
> deeper, by organizing such a project and/or providing proper funding for
> such purpose.
> 
I think this should include putting pressure on OSes and distros to
deliver update checks, software, and crash reporting over HTTPS. Common
practice is HTTP (even in Linux distros) and it makes it very easy for
malicious actors to fingerprint the software used by individuals for
exploitation analysis (as we've read the NSA does with Windows crash
reports).

While the MITM threat is hopefully low as any tweaked software won't
install due to signing and checksumming, it's a huge leak of personal
information that makes targeting and exploitation much easier for
malicious actors.

Michael

-- 
Michael Carbone
Manager of Tech Policy & Programs
Access | https://www.accessnow.org

GPG: 0x81B7A13E
Fingerprint: 25EC 1D0F 2D44 C4F4 5BEF EF83 C471 AD94 81B7 A13E
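
Added example, not part of the original messages or of any project's code: a Python sketch of the kind of audit check the thread asks for, listing what a passive on-path observer can read from an update check sent over plain HTTP versus HTTPS, and flagging update-related URLs fetched without TLS. The product name, hosts, query parameters and the request itself are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: an update check as a hypothetical client might send it.
SAMPLE_REQUEST = (
    "GET /update/check?product=examplechat&version=2.4.1&os=win7-x64&lang=fa HTTP/1.1\r\n"
    "Host: updates.example.org\r\n"
    "User-Agent: ExampleChat-Updater/2.4.1 (Windows NT 6.1)\r\n"
    "Accept: */*\r\n\r\n"
)

# Constructed sample: the three processes named in the thread, one URL each.
SAMPLE_ENDPOINTS = [
    ("auto-update", "https://updates.example.org/pkg/examplechat-2.4.2.bin"),
    ("version-check", "http://updates.example.org/update/check"),
    ("download-page", "http://www.example.org/download.html"),
]


def observer_view(raw_request, scheme):
    """Return the fields a passive on-path observer can read from one request."""
    head = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
    _method, target, _version = head[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in head[1:])
    host = headers.get("Host", "")
    if scheme == "https":
        # TLS hides the path, query string and headers; the hostname is
        # typically still visible through DNS and the TLS SNI field.
        return {"host": host}
    parts = urlsplit(target)
    view = {"host": host, "path": parts.path,
            "user_agent": headers.get("User-Agent", "")}
    view.update(parse_qsl(parts.query))  # product, version, os, lang ...
    return view


def audit_endpoints(endpoints):
    """Return (purpose, url) pairs for update-related URLs not using HTTPS."""
    return [(purpose, url) for purpose, url in endpoints
            if urlsplit(url).scheme.lower() != "https"]


if __name__ == "__main__":
    for scheme in ("http", "https"):
        print(scheme, "->", observer_view(SAMPLE_REQUEST, scheme))
    for purpose, url in audit_endpoints(SAMPLE_ENDPOINTS):
        print("cleartext:", purpose, url)
```
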



