The old adage that time is money is proven once again when it comes to volunteer computing. According to The New York Times, anyone can use the Berkeley Open Infrastructure for Network Computing (BOINC) platform to donate processing power, storage or other unused resources to the advancement of scientific endeavors. Anyone with a PC can scour the sky for aliens, help cure disease, map radiation or perform any number of other philanthropic activities.

To make this work, you download software from the project you choose and run it on your machine. Obviously, security is a critical consideration in doing that safely. For the attacker, a large pool of computing power, storage or bandwidth is a potential gold mine. These resources can facilitate all kinds of cybercriminals efforts, from botnets to bitcoin mining to brute-forcing cryptographic keys.

Safety Tips for Volunteer Computing

I’m not bringing this up to scare users off. Users are generally pretty safe participating in BOINC projects. In fact, its website claims that no security incidents have been attributed to BOINC. That said, just because something hasn’t happened yet doesn’t mean you shouldn’t take reasonable precautions.

While there are some safety and security measures built into the platform, it’s important for users to be aware of potential cyberthreats and improve their online hygiene to participate in these projects safely.

Know the Project

First and foremost, it is critical that individuals understand the volunteer computing projects in which they intend to participate. The BOINC platform provides a mechanism to digitally sign code that is delivered by projects, but it’s still important that users educate themselves.

Signing the code provides assurance of the signer’s identity, but does the participant really know who that is? The BOINC platform is open to all, so users will likely encounter malware dressed up as research — rogue projects — or fake sites designed to look like known projects — spoof projects. These are not commonplace, but it’s vital to make sure the volunteer project you connect to is legitimate.

Code signing relies on the security of a project’s private key. Otherwise, the security of the process can be circumvented. If you think this doesn’t happen, consider that attackers specifically targeted Adobe’s code signing repository to sign malware. Additionally, attacker groups have stolen certificates to sign code.

It happens accidentally, too. D-Link, for example, accidentally posted its code-signing keys on the internet. Ask yourself, is the project taking the right measures to project its participants? If the answer is negative or unknown, you may want to select something different.

Understand the Software

You may wish to investigate what other guidance or features the project and platform offer. The IBM World Community Grid security page, for example, outlines steps to audit both the BOINC agent and project software included in the Community Grid. It also explains how to further reduce the attack surface by suppressing IP information, refraining from connecting to reference sites and prohibiting the BOINC client from attaching to additional projects.

Users must understand the security model of the software itself by reading the manual, or at least the parts of it that pertain to security. BOINC uses nonprivileged accounts to sandbox the project from the rest of the operating system. This is the default for every platform except Windows. If you’re running Windows and you want to enable sandboxing, you need to take specific steps when installing.

Consider Enhanced Measures

Lastly, it can be beneficial to investigate a few enhanced security measures. You might choose to limit the software you run to that which you compile yourself. If you’re an experienced programmer or have access to a code-scanning tool, this might give you additional confidence. Alternatively, you might consider running the client inside a disposable virtual machine within a hypervisor. Such a mechanism creates further isolation between the agent and project software and the host system.

There are options available to you from a security standpoint. Just like you would practice appropriate security hygiene in all the other activities you undertake, it’s useful to do so for volunteer computing as well.

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today