Sunday, June 13, 2021

One Approach To Stopping SolarWinds-Type Hacks

From Nautil.us, June 9:

We Already Know How to Stop SolarWinds-Like Hacks

Last year, hackers made headlines after they breached SolarWinds, a software company that specializes in network monitoring software. About 33,000 organizations, including the Pentagon, the U.S. State Department, and some intelligence agencies, use Orion, one of SolarWinds’ products. Orion was designed to monitor the users’ networks to make sure they were functioning properly and, ironically, kept safe. 

The breach seems to have started with an attack on Microsoft products, including the Microsoft Office 365 server SolarWinds was using. Office 365 handles email, among other things, and email servers are notoriously hard to protect against malware infection because they have to process data from computers all over the Internet. The attackers then mounted a supply chain attack, meaning that instead of directly attacking government offices, the attackers compromised the Orion software that those organizations used, before the software was actually delivered to them. 

What could software manufacturers do to defend against such an assault? Recently, researchers from Ohio State University and Potomac Research LLC, led by Noeloikeau Charlot, published a paper on the idea of using “physically unclonable functions.” Physically unclonable functions, or PUFs, exploit the fact that, at a microscopic level, even mass-produced computer chips have tiny differences from one chip to the next. PUFs leverage that to let every chip in a computer, smartphone, or other device generate a signal that no other chip can generate. Just like your bank might want to check your fingerprint before you access your safety-deposit box, an online bank can check a device’s PUF to make sure that only someone with the right device is accessing a bank account. PUFs can be impressively distinct. “The researchers,” according to a press release, “believe it would take longer than the lifetime of the universe to test for every possible combination available.”

PUFs are a great technical idea, but they suffer from a few drawbacks. A fingerprint identifies a person, but a PUF identifies a device. If you use more than one device, as many people do, either you have to always have the correct one handy or the bank has to know the PUFs for all of them. And registering a new PUF would require that you convince your bank that you own both the new device and the old one, a process that could give hackers another opportunity to impersonate you and gain access to your account. By definition, backing up a PUF is impossible, so if you don’t have multiple devices registered, then losing one means starting over from scratch. And if someone steals a device that’s registered to the bank, you would need a way to revoke the registration before hackers can break into the device and use the PUF. 

While there are situations where PUFs could be very useful, the researchers are, unfortunately, barking up the wrong tree when it comes to hackers. We already have the technical tools to prevent hacks like SolarWinds. We can identify devices using digital signatures. We just don’t use them correctly.

If a PUF is like a fingerprint, a digital signature is like an ID card with a ridiculously long ID number written on it. If you have the right information, you can copy a digital signature from one device to another, so multiple devices are not a problem, just like you can make a copy of an ID card given enough time and resources. On the other hand, you can prove that you have the right digital signature without giving away the key information, just like it would be very difficult for someone to copy an ID card if they can only briefly examine it. Unlike PUFs, there isn’t a physical barrier to copying a digital signature. But the fact is, copying a digital signature is already hard enough that hackers hardly ever try it.

These attacks were coming from inside a system that had already been vouched for.

Compromising an email server is like trying to infiltrate a post office. Fingerprint scanners and ID cards will help catch someone who is impersonating a postal worker. But what about a drone hidden in a package? Even if you can accurately determine where it came from, that doesn’t necessarily tell you whether it’s safe or not. Instead, the post office might have to start X-raying every sufficiently large package. This quickly becomes an arms race: Attackers try to disguise the drones, while the defenders try to get better at identifying them. This is basically the current situation with malware, and with email servers in particular.

Office 365 has a single sign-on feature, meaning that a company can tie all of its computers into a single log-in system. So once the attackers had broken into SolarWinds’ Office account, they apparently used it to access other SolarWinds systems, including the one which publishes updates to the Orion software....

....MUCH MORE