[liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders

Fabio Pietrosanti (naif) lists at infosecurity.ch
Wed May 14 22:36:07 PDT 2014


Hi all,

I think that it would be very important to organize a project to audit the
functionalities of auto-update of software commonly used by human rights
defenders.

Most government-managed client-side attacks are done through
proper MITM to trick the target into downloading and/or executing something.

There is plenty of major and minor software that has security
vulnerabilities that could be exploited in the following processes and
procedures:
- Auto-update of software
- Version checking (to notify of a new existing version)
- Web page providing download/update information

If only one of the previously defined functionalities can be exploited
by a clever MITM (because it is not properly secured), the target (a normal
target, not a paranoid one) is likely compromised.

In the past the IT security and hacking environment looked at these problems,
but then no big progress has been made, everything has been abandoned,
and auto-update/version-checking/software-download methods have been of
pure interest to governmental agencies.

Organizations that now take care of the security of software being used
by human rights defenders should look at this kind of problem a bit
deeper, by organizing such a project and/or providing proper funding for
such a purpose.

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org
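The three surfaces the post lists (version check, download, update) are exactly what an auditor would exercise against an updater. As an added example that is not part of the post, the constructed updater below shows the checks a MITM-resistant client has to pass and how each tampering case is rejected; the manifest signature is modelled with HMAC so it runs on the Python stdlib alone, whereas a real updater uses an asymmetric signature so the client holds only the vendor's public key.

```python
import hashlib
import hmac
import json

# Constructed key standing in for the vendor's signing key (assumption:
# HMAC stands in for an asymmetric signature such as Ed25519).
SIGNING_KEY = b"constructed-vendor-signing-key"


def _canonical(manifest: dict) -> bytes:
    # Sign a canonical encoding so field reordering cannot change the result.
    return json.dumps(manifest, sort_keys=True).encode()


def sign_manifest(manifest: dict) -> bytes:
    return hmac.new(SIGNING_KEY, _canonical(manifest), hashlib.sha256).digest()


def verify_update(manifest: dict, signature: bytes, payload: bytes,
                  installed: tuple) -> str:
    """Return 'ok' or the reason the update must be rejected."""
    # 1. Version check: authenticate the manifest itself, not just the transport;
    #    an unsigned JSON answer over HTTP is trivially replaced by a MITM.
    expected = hmac.new(SIGNING_KEY, _canonical(manifest), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return "bad-signature"
    # 2. Rollback: a replayed old-but-validly-signed manifest must not downgrade
    #    the client. (A stale manifest that is still newer than `installed` is
    #    not caught here; that needs an expiry field in the signed manifest.)
    if tuple(manifest["version"]) <= installed:
        return "not-newer"
    # 3. Download: the bytes served (from any mirror or web page) must match the
    #    hash carried inside the signed manifest.
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        return "payload-hash-mismatch"
    return "ok"


def run_scenarios() -> dict:
    """Constructed release and the tampering cases an audit should cover."""
    payload = b"constructed-release-bytes-2.1.0"
    manifest = {"version": [2, 1, 0], "sha256": hashlib.sha256(payload).hexdigest(),
                "url": "https://updates.example.org/app-2.1.0.tar.gz"}
    sig = sign_manifest(manifest)
    tampered = dict(manifest, url="https://mitm.example.net/app.tar.gz")
    old = {"version": [1, 9, 0], "sha256": manifest["sha256"], "url": manifest["url"]}
    installed = (2, 0, 0)
    return {
        "genuine": verify_update(manifest, sig, payload, installed),
        "tampered_manifest": verify_update(tampered, sig, payload, installed),
        "swapped_payload": verify_update(manifest, sig, b"constructed-malicious-bytes", installed),
        "replayed_old": verify_update(old, sign_manifest(old), payload, installed),
    }
```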
