Hello All,
Here's an interesting scenario for you security buffs out there - I've been approached to think about the issues and return with some verdicts and would appreciate some intelligent ideas I'm sure you can conjure up...
Company A has its software installed on lots of customer Windows machines around the world. The software has effectively got 'root' access on the machine, and talks regularly to a central server to gain upgrades etc. If the software is tampered with, the computers could well cause disruption.
[ Yes, really bad idea. Microsoft should indeed be shot for allowing it. ]
The upgrades can be 'pushed' out at will to a subset of customers, or to all. The software, having full Administrator access, needs to be careful.
Or, more to the point, the procedure for releasing upgrades and changes to the software needs to be highly secure.
One initial idea I had on the subject is as follows:
Six 'trusted' employees, six 'secure' servers. Employees are minor shareholders in the company. For an upgrade to be pushed out, a majority of the trusted employees must submit the same upgrade package to a majority of the servers, and the servers between them must agree that the upgrade is verified as coming from the claimed sources. Combined, they should check out. If any one employee, or one machine, were to raise a black flag, the process is aborted. In the event that a bad upgrade is indeed rolled out any two employees can activate a rollback procedure (which I can't think of procedurally right now).
Normally I would of course be thinking in terms of specialised identity and verification equipment, but Company A doesn't exactly have the resources of the CIA or NSA, so remote servers and a chain of trust is the closest they can get.
PGP keys all round I suspect.
A nightmare to secure, and is still open to attack, both internally and externally, however that's how I see it. I warn that I got almost three hours sleep last night due to "server issues" so if I make no sense that's probably why.
Comments/suggestions on completely different ideas/etc most welcomed. I don't have experience in this field.
Thanks all,
James
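The release gate James describes (a majority of trusted employees must endorse the same upgrade package, and any single black flag aborts the roll-out) can be written down as a small piece of verification logic. The block below is an added illustration, not code from the original post or from "Company A". It assumes six approvers with constructed names, a quorum of a simple majority (4 of 6), and uses HMAC-SHA256 with a per-approver secret as a stand-in for the PGP signatures the post suggests; with real public-key signatures the servers would hold only public keys, but the quorum rules (same package digest, distinct approvers, valid signature, no objections) are identical.

```python
"""Quorum-gated update release check.

Added illustration of the scheme in the post above; not the original
poster's code. HMAC with a shared per-approver secret stands in for a
PGP/public-key signature so the example runs with the standard library.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Endorsement:
    approver: str          # who signed
    package_digest: str    # hex SHA-256 of the package bytes they reviewed
    tag: str               # HMAC-SHA256 over package_digest under their key


class ReleaseGate:
    """Decides whether an upgrade may be pushed to customers."""

    def __init__(self, approver_keys: dict, quorum: Optional[int] = None):
        # approver_keys: name -> verification key (constructed for the example)
        self.keys = dict(approver_keys)
        # Default quorum is a simple majority of the approver set.
        self.quorum = quorum if quorum is not None else len(self.keys) // 2 + 1
        self.black_flags = set()

    @staticmethod
    def digest(package: bytes) -> str:
        return hashlib.sha256(package).hexdigest()

    def endorse(self, approver: str, package: bytes) -> Endorsement:
        # Approver side: sign the digest of exactly the bytes they reviewed.
        d = self.digest(package)
        tag = hmac.new(self.keys[approver], d.encode(), hashlib.sha256).hexdigest()
        return Endorsement(approver, d, tag)

    def raise_black_flag(self, approver: str) -> None:
        # Any one trusted employee can veto; unknown names are ignored.
        if approver in self.keys:
            self.black_flags.add(approver)

    def decide(self, package: bytes, endorsements: list) -> tuple:
        """Return (release_ok, reason) for the candidate package."""
        # A single objection aborts, no matter how many approvals exist.
        if self.black_flags:
            return False, "aborted: black flag from %s" % sorted(self.black_flags)
        expected = self.digest(package)
        valid = set()  # a set, so one approver cannot be counted twice
        for e in endorsements:
            key = self.keys.get(e.approver)
            if key is None:
                continue  # not a trusted approver
            if e.package_digest != expected:
                continue  # endorsed a different package: must not count
            want = hmac.new(key, e.package_digest.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(want, e.tag):
                continue  # forged or corrupted endorsement
            valid.add(e.approver)
        if len(valid) >= self.quorum:
            return True, "released: %d/%d valid endorsements" % (len(valid), len(self.keys))
        return False, "rejected: %d valid, need %d" % (len(valid), self.quorum)


APPROVERS = ["alice", "bob", "carol", "dave", "erin", "frank"]  # constructed names


def build_gate() -> ReleaseGate:
    # Fresh random keys per run; in practice these would be long-lived signing keys.
    return ReleaseGate({a: secrets.token_bytes(32) for a in APPROVERS})


def demo() -> dict:
    """Exercise the gate against the cases the post cares about."""
    gate = build_gate()
    good = b"upgrade-1.2.3.bin contents"             # constructed package bytes
    tampered = b"upgrade-1.2.3.bin contents, altered"  # constructed tampered copy
    ends = [gate.endorse(a, good) for a in APPROVERS[:4]]
    results = {}
    results["majority_same_package"] = gate.decide(good, ends)[0]
    results["three_of_six"] = gate.decide(good, ends[:3])[0]
    mixed = ends[:3] + [gate.endorse("dave", tampered)]
    results["one_endorsed_tampered"] = gate.decide(good, mixed)[0]
    results["replayed_single_approver"] = gate.decide(good, [ends[0]] * 4)[0]
    forged = Endorsement("erin", gate.digest(good), "00" * 32)
    results["forged_endorsement"] = gate.decide(good, ends[:3] + [forged])[0]
    gate.raise_black_flag("frank")
    results["black_flag_after_quorum"] = gate.decide(good, ends)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-28s %s" % (case, "RELEASE" if ok else "HOLD"))
```

The points worth noticing are the ones the post's majority rule quietly relies on: endorsements only count if they are over the same package digest the server is about to ship, one approver replaying their own endorsement does not build a quorum, an invalid signature is dropped rather than treated as a vote, and a black flag is checked before any counting so it wins even after a quorum has formed. Each server in the six-server design would run this same check independently and the push would proceed only when a majority of servers reach the same "release" verdict.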