Sunday, February 7, 2021

Software Supply Chain hmmms

So, anyway, I've been thinking a bit about the SolarWinds hack, and thinking how lucky we were that it was the only event of its kind, (Yes, my tongue is firmly in my cheek), and then a few days ago, I saw this article in the Register.

The headline is partly "What happens when a Chrome extension with 2m+ users changes hands, raises red flags,", but being a little cynical, I think a better question would be, "What happens when a Chrome extension with 2m+ users changes hands, and _doesn't_ raise red flags".

And then, a couple of days ago, I saw an excellent MalwareBytes blog about an Android app with 10m-ish users, that also changed hands, and is now regarded as malicious and has been removed from Google Play. As you can see from the blog, the app was pretty instantly obvious that it was being... uh ... a bit pushy.

I look at things like those two events, and think, "That's a pretty good way to get yourself on millions of devices pretty quickly."

And then I think, "I wonder how many more apps, or browser extensions, have quietly changed hands to someone of hostile intent, and _haven't_ been noticed?"

Yes, it costs the perp some money to get these things, but then they could be on tens of millions of devices, quietly harvesting uids, and pws, to all sorts of services.

Nation States actors would do this. RansomWare dudes would do this. Both adversaries are easily financially capable of this.

The potential RansomWare consequences are instantly clear, and potentially costly if you ignore them. The Nation State level implications are more subtle, but this is exactly how you could end up with more hacks like SolarWinds.

So the question then becomes, how do you handle it, and the short answer is, with great difficulty.

The slightly longer answer is, if you are a builder of products, you have to really think hard about your software supply chain, and maybe not trust everything, and then

(1) Consider what you would do if some open source components, on say, Github, are compromised
(2) Consider how you detect that some of your own source components werer modified, ala SolarWinds
(3) Given the potential for uids and pws to have been harvested by apps that have quietly "changed hands", you should assume that it's a matter of "when" and not "if", the Bad Guys get in your network, or in your supply chain somewhere.

I will try to find some less nebulous answers about what to do.

Oh, but don't get me started about Firmware Supply Chain.

Stay safe, folks. It's tricky out there.

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)