The old adage that time is money is proven once again when it comes to volunteer computing. According to The New York Times, anyone can use the Berkeley Open Infrastructure for Network Computing (BOINC) platform to donate processing power, storage or other unused resources to the advancement of scientific endeavors. Anyone with a PC can scour the sky for aliens, help cure disease, map radiation or perform any number of other philanthropic activities.

To make this work, you download software from the project you choose and run it on your machine. Obviously, security is a critical consideration in doing that safely. For the attacker, a large pool of computing power, storage or bandwidth is a potential gold mine. These resources can facilitate all kinds of cybercriminals efforts, from botnets to bitcoin mining to brute-forcing cryptographic keys.

Safety Tips for Volunteer Computing

I’m not bringing this up to scare users off. Users are generally pretty safe participating in BOINC projects. In fact, its website claims that no security incidents have been attributed to BOINC. That said, just because something hasn’t happened yet doesn’t mean you shouldn’t take reasonable precautions.

While there are some safety and security measures built into the platform, it’s important for users to be aware of potential cyberthreats and improve their online hygiene to participate in these projects safely.

Know the Project

First and foremost, it is critical that individuals understand the volunteer computing projects in which they intend to participate. The BOINC platform provides a mechanism to digitally sign code that is delivered by projects, but it’s still important that users educate themselves.

Signing the code provides assurance of the signer’s identity, but does the participant really know who that is? The BOINC platform is open to all, so users will likely encounter malware dressed up as research — rogue projects — or fake sites designed to look like known projects — spoof projects. These are not commonplace, but it’s vital to make sure the volunteer project you connect to is legitimate.

Code signing relies on the security of a project’s private key. Otherwise, the security of the process can be circumvented. If you think this doesn’t happen, consider that attackers specifically targeted Adobe’s code signing repository to sign malware. Additionally, attacker groups have stolen certificates to sign code.

It happens accidentally, too. D-Link, for example, accidentally posted its code-signing keys on the internet. Ask yourself, is the project taking the right measures to project its participants? If the answer is negative or unknown, you may want to select something different.

Understand the Software

You may wish to investigate what other guidance or features the project and platform offer. The IBM World Community Grid security page, for example, outlines steps to audit both the BOINC agent and project software included in the Community Grid. It also explains how to further reduce the attack surface by suppressing IP information, refraining from connecting to reference sites and prohibiting the BOINC client from attaching to additional projects.

Users must understand the security model of the software itself by reading the manual, or at least the parts of it that pertain to security. BOINC uses nonprivileged accounts to sandbox the project from the rest of the operating system. This is the default for every platform except Windows. If you’re running Windows and you want to enable sandboxing, you need to take specific steps when installing.

Consider Enhanced Measures

Lastly, it can be beneficial to investigate a few enhanced security measures. You might choose to limit the software you run to that which you compile yourself. If you’re an experienced programmer or have access to a code-scanning tool, this might give you additional confidence. Alternatively, you might consider running the client inside a disposable virtual machine within a hypervisor. Such a mechanism creates further isolation between the agent and project software and the host system.

There are options available to you from a security standpoint. Just like you would practice appropriate security hygiene in all the other activities you undertake, it’s useful to do so for volunteer computing as well.

more from Application Security

Controlling the Source: Abusing Source Code Management Systems

For full details on this research, see the X-Force Red whitepaper “Controlling the Source: Abusing Source Code Management Systems”. This material is also being presented at Black Hat USA 2022. Source Code Management (SCM) systems play a vital role within organizations and have been an afterthought in terms of defenses compared to other critical enterprise systems such as Active Directory.…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however,…