Why Are Software Development Process Audits Important?
D-Link makes a variety of network equipment, both for home and business users. They release the software for this equipment, for the most part, as open source software. This allows technically inclined users to review the code to see whether it does anything bad, and since the software is useless unless you bought the hardware, there is no revenue impact to releasing it as open source.
There is, of course, a downside to showing off your software if you screw up. For closed source vendors like Microsoft, if they screw up and researchers or hackers don’t find the bug before the vendor does, they can issue a patch, mutter something about fixing bugs and move on.
In the open source world you are exposing yourself to anyone on the planet ‘outing’ you and that is what happened to D-Link.
In one version of the software that they made available for public review, they included the private code-signing key and the pass phrases needed to use it.
They did this in February, and the key has since expired, so it is no longer useful; hence talking about it is not a problem.
However, if a hacker found that key while it was still valid and signed malicious software with it at that time, that software will still show as validly signed.
Hackers want their software to be signed so that it looks legitimate. Here is the dialog box that a Windows user would get if the software is signed. Notice it says verified publisher:
On the other hand, if the software has not been signed, then the Windows user will get a dialog that looks like this. Notice this one says unknown publisher and is a different color than the one above.
Technically there is something called certificate revocation which allows a software publisher to invalidate a signing certificate. There are a couple of problems with that, however. The first is that the publisher has to know that the certificate has been compromised. The second is that the system that is using the certificate has to proactively check to see whether that certificate has been invalidated. I assume that for the 6 months that D-Link’s certificates were available online, they were not aware that they were exposing the family jewels.
Hackers sometimes break into a company to steal their certificates, but if the certificate is sitting in plain sight, that is so much more convenient for them.
A software development process audit should have detected the fact that D-Link was not securing these keys correctly. Like the combination to the bank vault, these keys should not have been lying around somewhere for a developer to accidentally include in an upload of the source code.
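One concrete check a process audit can run before a source drop is published is a scan of the upload for exactly the material D-Link leaked. The script below is an added example for this post, not D-Link's tooling and not code from the original article. It flags PEM private-key blocks, key-container files by extension, and literal pass phrase assignments, while skipping assignments whose value is an expression such as a `getenv()` call. The sample upload, its file names and the placeholder values are all constructed here for illustration.

```python
"""Minimal secrets audit over a source upload before it goes public.

Added example; not D-Link's tooling. Three checks:
  1. PEM private-key armour (any OpenSSL/OpenSSH flavour)
  2. key-container files, by extension
  3. a credential name assigned a literal value (quoted, or a bare
     token that fills the rest of the line, as in Makefiles and .env)
"""
import re
from collections import namedtuple
from pathlib import Path

Finding = namedtuple("Finding", "path line kind excerpt")

# "-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----",
# "-----BEGIN ENCRYPTED PRIVATE KEY-----" ...; certificates do not match.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")

# Credential name, then ':' or '=', then a literal value. Values such as
# getenv("X") or $VAR contain '(' or '$' and are deliberately not matched,
# because reading the secret from the environment is the correct pattern.
CREDENTIAL_RE = re.compile(
    r"(?i)(?:pass(?:word|phrase)|passwd|pwd|secret)\w*\s*[:=]\s*"
    r"(?:['\"]([^'\"]{4,})['\"]|([^\s'\"$(){}]{4,})\s*$)"
)

# Binary key containers should never be in a source upload at all.
KEY_CONTAINER_EXT = {".pfx", ".p12", ".key", ".jks", ".keystore"}


def scan_text(path, text):
    """Return a list of Findings for one file's contents."""
    findings = []
    if Path(path).suffix.lower() in KEY_CONTAINER_EXT:
        findings.append(Finding(path, 0, "key-container-file", Path(path).name))
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PRIVATE_KEY_RE.search(line):
            findings.append(Finding(path, lineno, "private-key-block", line.strip()))
        elif CREDENTIAL_RE.search(line):
            # Report the name only: the audit log must not become a
            # second copy of the secret.
            redacted = re.sub(r"([:=]\s*).*$", r"\1<redacted>", line).strip()
            findings.append(Finding(path, lineno, "credential-literal", redacted))
    return findings


def scan_files(files):
    """Scan a {path: text} mapping (used for the embedded sample and tests)."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def scan_tree(root):
    """Scan a real directory, e.g. the staging area of a source release."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            files[str(p)] = p.read_text(errors="ignore")
    return scan_files(files)


# Constructed sample upload (not real D-Link files). The .pem content and
# the pass phrase are placeholders, not genuine key material.
SAMPLE_UPLOAD = {
    "release/example_fw/Makefile": "CC=arm-linux-gcc\nSIGN_PASSPHRASE=hunter2-placeholder\n",
    "release/example_fw/keys/vendor.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEAplaceholderplaceholder\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "release/example_fw/signing/vendor.pfx": "<binary placeholder, not parsed>\n",
    # Correct pattern: the pass phrase comes from the build environment.
    "release/example_fw/src/auth.c": (
        "#include <stdlib.h>\n"
        'const char *password = getenv("FW_SIGN_PASS");\n'
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_UPLOAD):
        print(f"{f.path}:{f.line}: {f.kind}: {f.excerpt}")
```

Run against the staging directory of a release (`scan_tree("release/")`) as a gate in the packaging step, and fail the build on any finding; the `auth.c` line in the sample shows the shape a clean build file should take, with the pass phrase supplied at build time rather than committed. The regexes are deliberately narrow to keep false positives low, so this catches the obvious accidental upload, not a determined attempt to hide a key.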
Process is certainly a “first level of defense” against hackers. Not having good security practices is like leaving a loaded gun around: there is no guarantee that someone will get shot with it, but storing it unloaded and locked up does reduce accidental shootings. I would compare what D-Link did to accidentally shooting THEMSELVES.
Just like you don’t do a virus check on your PC one time and call it good, you need to do process audits periodically. This won’t solve all the world’s problems, but it will cut down on self-inflicted wounds.
My theory is that we should not make things any easier for hackers than we have to.
In the meantime, I would be very careful installing any D-Link software.
Information for this post came from Ars Technica.