Security Implications of Pirated Software

A while ago, when I was travelling a journalist told me that he never pays for our software as he can easily download a tool to crack Windows XP (he was still running XP). We had an interesting discussion afterwards (besides the fact that he showed me how he steals our goods) about security. He ran a tool with highest privileges and was then proud how Windows worked without a key. I asked him how he could be sure that the tool did not install any backdoor on his machine, while cracking it – and he went kind of pale….

We know of these stories and we know that pirated copies of Windows, which can be downloaded often are coming with pre-installed malware. As you might have heard, we disrupted another botnet last week, which spread through the supply chain: Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an Unsecure Supply Chain.

This leads for me to another fairly interesting question: Most governments today are relying on Common Criteria certification to evaluate products. However, to me a good product is the result of a good engineering and assembling process. So, when it comes to software, make sure that the development process is designed to lead to “secure” results (e.g. ISO 27034) and having a deeper look into your supply chain generally makes sense if I look at the botnet takedown.

Roger

Enhanced by Zemanta

One thought on “Security Implications of Pirated Software

  1. “I asked him how he could be sure that the tool did not install any backdoor on his machine, while cracking it – and he went kind of pale…”
    Poor guy, the answer is simple, the tool is probably an free piece of software, this means he has access to the code thus no issue, he can see and look what the code does. He is even less sure that there is no backdoor on MS products…

    “So, when it comes to software, make sure that the development process is designed to lead to “secure” results (e.g. ISO 27034)” : This is why iexplore, a so well known MS piece of software that obviously respects the ISO 27034 devl process and lead to “secure” results but was lacking to solve some critical security holes since years …

    Windows was never designed with security in mind, security patches have been added afterwards. It is not because MS did not try, it is because make Windows secure is almost as impossible to achieve as making a farm house as secure as the US Fed Gold reserve…

Leave a Reply