Why Chain-of-Trust is important when applying software updates

PA DSS (Payment Application Data Security Standard) requirement 7.2 talks about having a process to deliver patches and updates in a secure manner with a known chain of trust.

A few months ago, I wrote about chain of trust for installation and updates files. The following incident is the reason why that is so important.

Attackers broke into a server that ESTSoft used to update their ALZip compression application and replaced the update files with files containing malware. These malware infected updates caused a compromise of 62 computers at SK Communications (that used the program). These compromised computers were used to break into another computer on the same network that had a database that contained the names, user IDs, hashed passwords, birthdates, genders, telephone numbers, and street and email addresses. All this was user information for the telecom’s Cyworld social networking website and the Nate web portal.

A majority of the 49 million population of South Korea was affected by this breach. This incident could have easily been prevented if ESTSoft had established a process of digitally signing their software updates and the signatures were automatically verified before the updates were applied.

While PA DSS requirements apply to only Payment Application vendors, every software vendor must consider the impact of a breach or compromise of their site or software that might lead to larger incidents.