[liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders
Fabio Pietrosanti (naif)
lists at infosecurity.ch
Fri May 23 12:39:37 PDT 2014
On 5/20/14, 4:24 AM, Tony Arcieri wrote:
>
> Also note that most software update systems are one key (or sadly in
> many cases, zero keys) away from being remote code execution
> vulnerabilities.
>
> All of these attacks are covered by The Update Framework:
>
> http://theupdateframework.com/

But it's not so unrealistic that most of that small software being used
by people on-field will move or change their update framework.

Still the activity to be done is to:
a) identify the software most used by people on-field
b) audit them
c) have the manufacturer fix their existing update procedures

But we just do not have any kind of data on the security status of small
software being used by people on-field on their outdated Windows/OSX
machines.

What I know for sure is that those kinds of techniques are heavily
exploited by governmental agencies and no one from the security
community is trying to fix that kind of problem.

--
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org