I recently traveled to Denver to attend the American Society for Training and Development’s (ASTD) International Conference and Exposition (ICE). I stayed at the Embassy Suites next to the conference venue, the Colorado Convention Center. (The conference was fantastic, by the way, but that’s not what this post is about…)
While I was there the FBI warned of a new way bad guys are attacking travelers’ laptops. It seems they are causing popups to appear on the laptops of hotel guests suggesting that they update some software package or another. Of course, the notices are bogus and the “updates” contain some kind of malware. From the advisory:
The FBI recommends that all government, private industry, and academic personnel who travel abroad take extra caution before updating software products on their hotel Internet connection.
This is good advice. It should apply to all public internet connections. In fact, it should apply to all internet connections one does not trust 100%, such as public wireless connections. (Some of you may be thinking “but I cannot trust anything 100%.” I know. And you should always use caution when downloading software, but bad guys tend to target public access points more than the ones in your home.)
So what should you do to exercise that “extra caution”? The advisory suggests “checking the author or digital certificate” of the items you download, such as updates. That’s good advice and you should be doing that all the time. The problem is that not all vendors make that easy to do. In the traditional “is it good or bad?” scenario, most vendors hide the validation phase from the user. That’s good because you don’t see a dialog for an event that rarely goes wrong, but it’s bad because you don’t know which packages actually do the validation! Microsoft signs all its updates.
The basic signing process works like this: the manufacturer (vendor) creates the update. They then use a software tool that computes a hash value of the update. In the future I’ll write about how hashes work, but for now, think of it as a unique value corresponding to the update (it’s not really unique, but we can talk about that later). The vendor then encrypts that value with a private key (again, more about that later). When you download the update, you get the encrypted hash value, too. Your computer then decrypts the value using the public key of the vendor and re-computes the hash of the update. If the values match, the update is genuine. If it is still confusing, you can check the Wikipedia article on Digital signatures.
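The signing and verification steps described above, as an added example that is not from the original post. It assumes textbook RSA with a constructed toy key (two Mersenne primes) and SHA-256; real update signing adds a padding scheme and certificate checks on top of this flow.

```python
import hashlib

# Constructed toy key pair built from two well-known Mersenne primes.
# It only illustrates the flow; a real vendor key is generated randomly.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held only by the vendor


def digest(update: bytes) -> int:
    """Hash the update and return the SHA-256 value as an integer."""
    return int.from_bytes(hashlib.sha256(update).digest(), "big")


def vendor_sign(update: bytes) -> int:
    """Vendor side: transform the hash of the update with the private key."""
    return pow(digest(update), D, N)


def client_verify(update: bytes, signature: int) -> bool:
    """Client side: recover the hash with the vendor's public key and
    compare it with a freshly computed hash of the downloaded bytes."""
    recovered = pow(signature, E, N)
    return recovered == digest(update)


if __name__ == "__main__":
    update = b"constructed sample update v1.2"   # constructed sample input
    signature = vendor_sign(update)
    print("genuine update accepted: ", client_verify(update, signature))

    # The same signature attached to modified bytes no longer matches.
    tampered = update + b" plus something extra"
    print("modified update accepted:", client_verify(tampered, signature))

    # A value produced without the vendor's private key does not verify either.
    guessed = pow(digest(tampered), 3, N)
    print("unsigned update accepted:", client_verify(tampered, guessed))
```

The second and third checks correspond to the bogus hotel-network “update”: the bytes differ from what the vendor signed, so the recomputed hash does not match the recovered one.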
If you don’t know how to verify the update and you cannot find out how to do so by checking your favorite search engine or the vendor’s site, what should you do? Don’t download the software! The advisory recommends checking for updates before your trip. Even if you travel for a week, you shouldn’t be missing too many critical updates if you do that.
Next time you travel, make sure you update your software before you set out.