Way back in 1977, a computer scientist from the University of Nebraska coined “Weinberg’s law:”
If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization.
The problem is that since Weinberg made his law, software has become a lot like buildings – an integral part of our civilization which can have serious, even deadly, impacts when it fails. And the woodpeckers have been evolving – getting bigger, smarter, and in some cases state sponsored.
This week’s woodpecker of interest is whoever managed to compromise the update server of a password manager program used by thousands of organizations to guard the keys to their systems. This woodpecker pushed out an update which put the affected systems in contact with a command and control server and loaded what we can only assume to be password stealing malware.
There are multiple levels of badness here…
Badness level 1 – A lot of people are (hopefully) changing passwords on a lot of systems right now – and there may be a lot of compromised systems already under control of the attackers.
Badness level 2 – Trojanized software updates have the potential to cause organizations to defer installing important security updates, and give attackers more time to exploit vulnerabilities.
Badness level 3 – Password managers are one of the better ways we have of dealing with the weaknesses of passwords as an authentication mechanism. Eroding trust in all password managers by compromising one could encourage organizations to adopt home grown solutions which may end up being less secure than a well built, well managed password manager.
Incidents like this one have real costs – a lot of companies are going to have to spend a lot of time and money dealing with the direct fallout – changing passwords, finding and cleaning up compromised systems, and the like. But there are other costs that go far beyond the organizations who are directly affected – loss of trust in things we depend on for our businesses – supply chains, service providers, security tools and more. Loss of trust leads to a loss of productivity and innovation.
I hope that this incident doesn’t put companies or individuals off using password managers. They are certainly a better alternative than most of the ways we tend to store secrets.
I hope that this incident doesn’t encourage companies to skip installation of important updates. Leaving systems vulnerable to attackers is not a good solution to anything.
What I do hope this incident spurs is a realization that we need to continue to develop tools and best practices which make software development and the provision of SaaS services safer and more secure, AND we hold companies accountable when they fail to use those tools and standards properly.
There are a number of ways to do this… maybe the architecture of at least some software needs to be regulated more like the architecture of buildings, aircraft, or other complex systems. Maybe there needs to be a “UL seal” for software developers and SaaS providers. Maybe tort law can provide a market driven solution. In the end, it’s probable that a mixture of solutions for different situations will emerge.
We are going to keep increasing our reliance on software for critical infrastructure. The woodpeckers will keep evolving, getting smarter, bigger and faster. And as we move more and more of our systems to cloud based service providers, the number of targets that a determined woodpecker needs to successfully attack to make a significant dent in society is decreasing. We must do better.