Black Hat Conference Explains That Only Platforms Can Prevent Supply Chain Attacks

At the annual Black Hat USA Cyber Security Conference, it was stated that operating systems and application platforms should tighten the security of their code to prevent an increasing number of supply chain attacks.

"The government isn't coming to save you," keynote speaker Mark Tait, chief operating officer of Florida-based Corleum, which sells mobile application development tools, said Wednesday.

“The only way to deal with this is to fix the underlying technology. Platform vendors will have to step up.”

If the platforms don't work there will be broad consensus like "this looks like a peanut compared to what we've seen so far."

"All the easy answers," - turn off software updates, or ban managed service providers because malicious updates are passed through them to customers - "are bad, and the hard answers are really hard. They give you something very important." bring in substantial commercial interests with necessary conflicts."

For example, he said, Google and Apple don't allow third-party anti-malware companies to scan their application stores for bad apps. Nor do they allow on-device telemetry, which would provide forensic evidence of high-volume application exploitation on smartphones. In fact, he argued, we're only getting a "small glimpse" of the number of mobile exploits.

By comparison, when security researchers find Windows malware, they can search repositories of malicious artifacts to find patterns, alert potential victims, and potentially accuse.

On the other hand, Tait said, while Windows has an entitlement system for managing identity and access, few organizations use it correctly. As a result attackers can elevate their access privileges.

"To fix Windows we have to de-privilege applications," Tait argued. Windows has two categories of privilege, he said: 'yes', which allows the system access to everything, and 'probably yes', which means all applications run at medium integrity.

“We need to break these privileges down into a workable entitlement system that developers actually use, because entitlements give a machine-readable understanding of what the app should be allowed to do. This means that if the app is compromised If done, the ability of malware to do things outside the scope of the application is dramatically reduced."

When asked what application developers can do to prevent supply chain attacks, Tait replied, "Code signing should be everywhere." Supply chain attacks can compromise certificate authorities, but the signed code at least gives defenders a point of contact if they find suspicious application activity and want to check if it's legitimate.

Code signing can also mandate entitlements, as well as provide a credible date for the certificate, he said. This way access entitlements can be created for the first application build, and revoked in subsequent builds.

Broadly speaking, supply chain attacks pursue targets by targeting the applications, platforms or partners used by the victims – anything from Internet-connected heating and ventilation (HVAC) systems to network management platforms such as SolarWinds Orion. Supply chain attacks have changed the risk level and cost for both the nation-state and cybercriminal attackers, Tait said. Malware – particularly ransomware – can be spread more widely, while nation-states can more easily spy on more targets. For example, he said, nine US federal agencies and 100 commercial firms were victimized by the compromise of Orion's updated system.

Worryingly, Tait said several recent supply chain attacks contained "credible evidence" that security researchers had quietly found vulnerabilities in applications or systems before they were compromised. However, somehow the information fell into the hands of the threatening actors.

One lesson, he said, is that security researchers hunting for zero-day vulnerabilities need to keep their systems locked out because they are also targets.

Another lesson, Tait said, is that software companies and platforms that offer bug bounties should think twice about offering more funding for a series of zero-day exploits than for single exploits. . He said companies should notify researchers of potential bugs as soon as possible.

The annual Black Hat USA Cyber Security Conference is taking place both online and in a Las Vegas hotel.