Stolen creds don't kill whitelisting: McAfee
McAfee global CEO David DeWalt has said that his company will continue to use whitelists in its security products despite the fact that they have been repeatedly exploited by hackers who use stolen trusted certificates to sign malware.
McAfee CEO David DeWalt (Screenshot by Darren Pauli/ZDNet Australia)
The infamous Stuxnet family stole Authenticode-signed certificates from Realtek and JMicron to push malware through to whitelist-protected computers. Hackers also stole a VeriSign certificate, which US-based Vantage Credit Union used for its Quicken and Microsoft Money software. That certificate was then used to legitimise malware.
DeWalt said that the Microsoft software stack is too complex for whitelisting to work effectively alone, and noted that malware applications that pass Microsoft checks using stolen certificates are not automatically trusted by McAfee.
"Microsoft stack still is so complex for an operating environment that whitelisting is very challenging, hence the need for blacklisting. We see combination of blacklisting and whitelisting and cloud intelligence as a key for all of us to solve these problems."
"Whitelisting and blacklisting have flaws, but we do see a combination of the two that is very powerful," DeWalt said. "Whitelisting, where only one source can update the operating system, is much more secure ... where there is only one trusted source, only one point of vulnerability."
Speaking of the recent certificate breaches, Sophos researcher Chester Wisniewski said on his blog that he is "not a big fan of the chain of trust".
"I do not know who should be trusted, nor do I know what their practices are for securely managing and storing these certificates," Wisniewski said.
"This doesn't even take into account that just about anyone who chooses can buy one of these certificates without strong verification or reason for trust."
McAfee and Intel
McAfee's chief executive also talked about his company's new parent Intel. DeWalt said the deal will essentially help boost chipset sales and trigger security vendors to focus products on the bottom stack.
"Security has been already pervasive in the Intel chip technology but hasn't been utilised very effectively," DeWalt said. "In our partnership with Intel, we have come to be more awakened by the features that are there."
"[Symantec's] Altiris has attempted to build some integration for the AMT layers and [Intel] vPro [processors], but it's open for everyone — it hasn't been taken advantage of yet."
DeWalt said the company will help push sales of vPro chipsets, which he noted have yet to thoroughly penetrate enterprises.
Security offerings in the post-Intel acquisition will filter out during next year, but DeWalt would not be drawn on in which quarter the first products will emerge, citing that the US$7.68 billion deal has yet to be finalised.
Its products will utilise benefits in chipset functionality including power management and firmware updating. "We have to patch computing devices multiple times a day ... power management functionality allows you to wake up a device, update it and hibernate it," De Walt said.
"The lower in the stack you are, the more you can do."