Tag Archives: Supply Chain

Supply Chain Attacks Are Going Strong

This time the attack is against an eCommerce platform, PrismWeb, that is used by College bookstores.

The attack is similar to other attacks, in that the hackers somehow got into the company’s system and inserted a tiny bit of JavaScript that steals credit card data – very similar to Magecart, which is affecting sites from TicketMaster to British Airways.  PrismWeb is integrated into the various college bookstore websites, and when a student goes to checkout, the malware is downloaded from PrismWeb as part of the JavaScript needed to operate the checkout process.

These attackers are clever in that the attacks take the data, format it as JSON, encrypt it and upload it in a way to make it look like Google Analytics data.

The data being stolen is credit card number, expiration date, CVV, billing name and address, and phone.

Over 200 college bookstores have been affected, translating to tens of thousands of students – or more.

What is important to understand here is the concept, not the fact that 200+ colleges have been impacted.

If you use a service and that service has access to your data (remember card data is only one class of data these guys might want – trade secrets and medical data are two others, for example), you are potentially at risk if you don’t protect yourself.

One thing that all of these attacks have in common is that the data is being uploaded from your site to the attackers.  If your site should not be uploading data unsolicited (as in not in direct response to a user’s query), you need to be aware if this is happening and alert on it.

Of course, attackers can change their MO, but so far, of the thousands of sites affected, this is a common theme.
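The check described above, as an added example that is not part of the original post and has nothing to do with PrismWeb's own code: given egress (proxy or CSP-report style) log lines for a checkout page, flag any destination that is not on the page's expected allowlist, and separately flag hosts whose leading label merely resembles an allowed one, which is how an upload dressed up as Google Analytics traffic would show up. The log format, the allowlist, the `.test` host names and the log lines are all constructed for this example.

```python
"""Flag unexpected outbound requests from a checkout page in egress logs.

Added example (not from the article or from PrismWeb): the log format, the
allowlist and the sample lines below are all constructed for illustration.
"""
import difflib
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample egress log, one request per line:
# time, originating page, method, destination URL, request body bytes
SAMPLE_LOG = """\
2019-05-03T10:01:02Z /checkout POST https://shop.example-bookstore.test/api/order 812
2019-05-03T10:01:03Z /checkout POST https://www.google-analytics.com/collect 214
2019-05-03T10:01:03Z /checkout GET https://fonts.gstatic.test/font.woff2 0
2019-05-03T10:01:04Z /checkout POST https://google-analitycs.test/collect 1390
2019-05-03T10:01:05Z /checkout POST https://cdn.unknown-host.test/upload 2047
2019-05-03T10:02:10Z /cart GET https://shop.example-bookstore.test/api/cart 0
"""

# Destinations the checkout page is expected to talk to (assumed for this example).
ALLOWED_HOSTS = {
    "shop.example-bookstore.test",  # the bookstore site itself
    "www.google-analytics.com",     # the analytics service the attackers imitated
    "fonts.gstatic.test",
}
# Pages that handle card data; only their traffic is held to the allowlist here.
SENSITIVE_PAGES = {"/checkout"}


@dataclass
class Finding:
    time: str
    host: str
    reason: str


def brand_label(host):
    """Leading DNS label with any 'www.' prefix removed, e.g. 'google-analytics'."""
    host = host[4:] if host.startswith("www.") else host
    return host.split(".")[0]


def lookalike_of(host, allowed, cutoff=0.8):
    """Return the allowed host whose leading label resembles this host's, else None."""
    labels = {brand_label(h): h for h in allowed}
    match = difflib.get_close_matches(brand_label(host), list(labels), n=1, cutoff=cutoff)
    return labels[match[0]] if match else None


def parse_line(line):
    time, page, method, url, nbytes = line.split()
    return time, page, method, urlsplit(url).hostname, int(nbytes)


def analyze(log_text):
    """Return one Finding per request from a sensitive page to a non-allowlisted host."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        time, page, method, host, nbytes = parse_line(line)
        if page not in SENSITIVE_PAGES or host in ALLOWED_HOSTS:
            continue
        similar = lookalike_of(host, ALLOWED_HOSTS)
        if similar:
            reason = f"lookalike of allowed host {similar}"
        elif method == "POST" or nbytes > 0:
            reason = "unsolicited upload to unlisted host"
        else:
            reason = "unlisted host"
        findings.append(Finding(time, host, reason))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.time} {f.host}: {f.reason}")
```

Run against the constructed log it reports two lines: the misspelled analytics host and the unknown CDN receiving a POST. The lookalike test compares only the leading label, so an allowed brand name hosted under a different domain is caught too; the allowlist itself is the part that takes real work, since it has to be rebuilt whenever a legitimate third-party script changes.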

Ultimately, the problem is with the vendor.  Somehow they were compromised.  And the compromise was not detected.

In this case the customers – the 200+ college bookstores – are left to clean up the mess from the vendor.

MAYBE they will be compensated.  Maybe they will have to sue their vendor (that is no fun and will not get them any money for years, even if they win).  That is all a function of how well their Vendor Cyber Risk Management process works.

Ultimately, it is your problem to deal with and right now, most companies are not paying enough attention to it and the hackers are having a field day.  That is, until they are hacked.  At which point they throw millions at it.  Not a great strategy  – for YOU or for YOUR CUSTOMERS.

Source:  Bleeping Computer.


More Supply Chain Woes, Courtesy of Asus

Here is an interesting combination of countries.

Multi-billion dollar Taiwan based computer maker Asus makes a wide range of computers sold worldwide.

Russian anti-virus maker Kaspersky, whom the White House says is a threat to national security and should be banned (which I basically think is mostly true), identified that hackers attacked Asus’s software update mechanism and told computer users in the US (and other countries) that their computers were infected with malware.

How did it happen?  Hackers hacked Asus’ software update system and got Asus to send their customers malware to install.

Nice!

So is the Russian company outing the Chinese company Asus because they are enemies?

Or is the KGB trying to prove that Kaspersky is not a threat?

Or, is Kaspersky just doing what its software is supposed to be doing?

The fact that the malware was SIGNED with Asus’ encryption key says that the hackers compromised Asus’ internal controls.

The attack was very targeted apparently.  Similar to the CCleaner attack, even though the malware was downloaded a million times, only 600 specific MAC addresses on PCs were targeted.

One VERY IMPORTANT point here.  According to Kaspersky, Asus has been very unresponsive to the issue.

So, what do you do?

First of all, my recommendation would be to remove Asus from your approved vendor list now.  If they come up with a better story you can always add them back in later.  The only way companies will get serious about cybersecurity is if it affects their financials.

That being said, this whole supply chain attack business (think Flame, CCleaner and even NotPetya was delivered as a supply chain attack) is becoming a huge problem and likely not going away any time soon.

This means that companies need to protect themselves.

Creating and implementing a vendor cyber risk management program is a start.

Make sure that you have adequate CYBER insurance.

Next, figure out what your exposure is.  Are you buying parts (soft or hard) and integrating them into your product or software?  You are at a higher risk.

Are you a higher value target (like a tech company, financial services provider, have a lot of customer information, etc.)?  That puts you at risk.

While patching is a bit of a band-aid, it is one of the best band-aids that we have today.  This means EVERY SINGLE APPLICATION THAT IS INSTALLED ON EVERY SINGLE DEVICE – whether it is a server, desktop, laptop, phone, tablet or thermostat.  If it is on your network or talks to your network, it has to be patched fully.  Think about how bad patching habits worked out for Equifax.

As I said, this is not going to end soon — it is something that you should apply some think time to.  The potential impact on your brand could be very high, depending on your business model.

Source: Motherboard.  To see if your computer is infected, check out this Wired article.


Uber Is Uber Bad

Ars Technica is reporting that Uber is scrambling to try to recover from an itty bitty problem.  Apparently, someone posted Uber source code (probably an Uber employee) to the public source code repository GitHub.  GitHub is a wonderful tool for storing open source software code in a way that is easy for developers to share.

Only one teensy, weensy problem.

This code contained the userid and password to access Uber’s driver database and someone – at least one someone – downloaded the database of personal information on every single Uber driver.

Oops!

Now Uber is trying to get GitHub to tell them every single person who accessed that code.  I don’t know enough about GitHub to know if they even keep records like that – they may well not do that for a variety of reasons, and they certainly are not legally required to do that.

This is an example of the supply chain problem that I was talking about in my previous post, only slightly twisted.  Let’s say this was the code to a library that you licensed and it contained sensitive information in it and it was publicly available.

Just so that no one is deluded into thinking this is an isolated problem, the ars folks ran a simple query against GitHub and came up with 296,000 entries similar to the Uber problem (server names, ip addresses, userids and passwords).

A similar search for WordPress came up with 2,000,000 matches.

While some of these did not contain the actual password value, and other servers were not accessible from the public Internet (however, a hacker who gets into the company by other means could still use those credentials to get at the database), many of them seem to point to production servers, accessible from the Internet, with userids and passwords.  For obvious legal reasons, Ars did not try to log in to any of those servers.
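The defensive counterpart to the problem in this post is catching such values before they are committed. The following is an added example, not code from Uber, Ars Technica or any named project: a small scanner that looks for the kinds of values the post describes (password assignments, WordPress `DB_PASSWORD` defines, connection strings with embedded credentials), skips obvious placeholders such as `${VAR}` or `changeme`, and reports each hit with the value redacted. The file names, the sample contents and the host addresses in them are constructed for this example.

```python
"""Pre-commit style scan for credentials left in source files.

Added example (not from the article or any named project). The sample files
below are constructed; the regexes are deliberately narrow and should be
extended for the secret formats a given code base actually uses.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Each pattern captures the secret value in a named group "secret".
PATTERNS = {
    "password assignment": re.compile(
        r"""(?i)(?:password|passwd|pwd|secret)\s*[:=]\s*['"](?P<secret>[^'"]{4,})['"]"""),
    "wordpress db password": re.compile(
        r"""define\(\s*['"]DB_PASSWORD['"]\s*,\s*['"](?P<secret>[^'"]*)['"]\s*\)"""),
    "credentials in url": re.compile(
        r"""\b[a-z][a-z0-9+.-]*://[^\s:/@]+:(?P<secret>[^\s/@]+)@[\w.-]+"""),
}

# Values that are clearly templates or documentation rather than live secrets.
PLACEHOLDERS = {"changeme", "password", "secret", "xxx", "example", "todo"}

# Constructed sample repository contents (hosts and credentials are made up).
SAMPLE_FILES = {
    "config/database.py": (
        "DB_HOST = 'db.internal.example'\n"
        "DB_USER = 'ride_app'\n"
        "DB_PASSWORD = 'Sup3rS3cret!'\n"
    ),
    "config/settings.py": (
        "import os\n"
        "SECRET_KEY = os.environ[\"SECRET_KEY\"]\n"
        "ADMIN_PASSWORD = \"${ADMIN_PASSWORD}\"\n"
    ),
    "wp-config.php": (
        "<?php\n"
        "define('DB_HOST', '10.0.0.5');\n"
        "define('DB_PASSWORD', 'hunter2-wp');\n"
    ),
    "scripts/backup.sh": (
        "#!/bin/sh\n"
        "pg_dump postgres://backup:Backup!2019@10.0.0.5/drivers > drivers.sql\n"
    ),
    "README.md": "Set password = \"changeme\" in config/database.py before starting.\n",
}


@dataclass
class Hit:
    path: str
    line_no: int
    kind: str
    redacted: str


def is_placeholder(value):
    v = value.strip()
    return v.lower() in PLACEHOLDERS or v.startswith(("$", "<", "{{", "%"))


def redact(value):
    """Keep two leading characters so a hit can be recognised without exposing it."""
    return value[:2] + "*" * max(len(value) - 2, 3)


def scan_text(path, text):
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m and not is_placeholder(m.group("secret")):
                hits.append(Hit(path, line_no, kind, redact(m.group("secret"))))
    return hits


def scan_files(files):
    """Scan a mapping of path -> file contents and return all hits in order."""
    hits = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits


def scan_tree(root):
    """Scan every regular file under a directory on disk."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            try:
                files[str(p)] = p.read_text(errors="replace")
            except OSError:
                continue
    return scan_files(files)


if __name__ == "__main__":
    # With a directory argument scan it; otherwise scan the constructed sample.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_files(SAMPLE_FILES)
    for h in results:
        print(f"{h.path}:{h.line_no}: {h.kind}: {h.redacted}")
    sys.exit(1 if results else 0)  # non-zero exit blocks the commit in a hook
```

On the constructed sample it reports the hard-coded database password, the WordPress `DB_PASSWORD` define and the credentials embedded in the `pg_dump` connection string, and stays silent on the environment-variable lookup and the `changeme` placeholder. Wired into a pre-commit hook, the non-zero exit is what stops the commit; a hit found after the fact means the credential has to be rotated, since the scanner cannot tell who has already cloned it.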

Let’s assume that 30% of the entries are valid – either internally or externally and only 20% are accessible externally.

20% of 296,000 means that almost 60,000 web sites and 400,000 WordPress sites are vulnerable.

This search was hardly exhaustive and GitHub is only one such public repository.

THIS IS A SUPPLY CHAIN PROBLEM OF SIGNIFICANT MAGNITUDE.

Mitch
