News broke today that a variety of serious vulnerabilities have been identified in the Hardware Against Software Piracy (HASP) license management system, popular license management software used in corporate and ICS environments to activate software on PCs and servers. If these vulnerabilities are left unpatched, the popular license management USB token can be used to open a hidden remote access channel for cyberattackers. Christopher Littlejohns, EMEA Manager at Synopsys, commented below.
“In this article Kaspersky clearly attributes the root cause of many such ICS-related software vulnerabilities to ineffective secure software development practices. Whilst the industry is gradually raising its game, in part due to the activity of hackers, security researchers finding issues, and customer demands, many are still behind the curve on many aspects. In this case there were a number of contributing factors, including inappropriate configuration, open ports, lack of authentication, the use of vulnerable components, and an apparent lack of security-focused testing. Interestingly, Kaspersky used a tried and tested hacking technique, namely ‘fuzzing’, to uncover the vulnerability and then developed it with other common techniques to cause multiple opportunities for the execution of code on the machine. These machines would be used to monitor and control ICS devices, so the potential impact is enormous. This is exactly the sort of penetration that national intelligence services, criminals and terrorists crave and keep to themselves for future exploitation. It is all the more worrying that the installation of software that is supposed to prevent the operation of proprietary software is the very thing that causes a systemic vulnerability. Users will generally have high trust in such software, particularly when it comes from a key supplier. All in all, this demonstrates that Software Supply Chain Management is a crucial aspect of modern business operations, and over-trusting software from suppliers can be a dangerous mistake. Organisations that rely on their IT systems being secure need to verify their software is secure, as well as verify that their suppliers have a secure development lifecycle. If you don’t, then you have abdicated that responsibility and may suffer severe consequences.”