Tag Archives: Supply Chain

Security News for the Week Ending June 21, 2019

Asus Was Not Alone

I wrote about the Asus supply chain attack in March (search for Asus in the blog search box).  Attackers, somehow, compromised the development environment, injected malware and allowed the system to compile, digitally sign and distribute it through the software update process.  Hundreds of thousands of clients were infected as a result.

Now we are learning that Asus was not alone.  Kaspersky Labs, the Russian antivirus firm that the U.S. Government loves to hate, says that there were more.

In all cases, the development process was compromised and infected software was distributed – including:

  • game maker Electronics Extreme
  • Innovative Extremist, a web and IT company
  • Zepetto
  • Plus at least three other companies

All of these companies are current or former game makers and all had their internal development environments compromised to the level that hackers were able to get them to distribute digitally signed malware.  Source: Kaspersky.

 

Samsung Warns Users To Check Their TVs for Viruses – Then Unwarns

Last Sunday Samsung put out a notice on Twitter:

“Scanning your computer for malware viruses is important to keep it running smoothly,” the message warned. “This also is true for your QLED TV if it’s connected to Wi-Fi! Prevent malicious software attacks on your TV by scanning for viruses on your TV every few weeks. Here’s how:”

Then they deleted the message, as if someone figured out that if users thought their TVs were breeding grounds for bad stuff, they might not buy a new TV.  When Samsung was asked about it, the reporter got no reply.

YOU DO scan your smart TV for malware every few weeks, don’t you?  Source: The Register

 

The Consequences of A Data Breach

By now everyone is aware of the data breach reported by Quest Labs and Labcorp, among others.  But there is another part of the story.

As I have reported, the source of the breach was a third party vendor, American Medical Collection Agency (AMCA): the vendor cyber risk management problem in action.

Now that the breach has become public, customers are fleeing from AMCA like the proverbial rats from a sinking ship.

As a result of that, the lawsuits already filed and yet to be filed, and the regulators snooping around, AMCA’s parent company, Retrieval-Masters Creditors Bureau, Inc., has filed for bankruptcy.

It seems the company’s future is pretty cloudy.  Source: CNN.

 

Your Tax Dollars At Work

A Florida city has taken the opposite tack from Baltimore and decided to pay the hacker’s ransom demand instead of rebuilding from scratch.

Riviera Beach, Florida, population 34,000, was hit by a ransomware attack three weeks ago.  Like many cities and towns, Riviera Beach likely didn’t prioritize IT spending very highly and crossed its fingers.

The Baltimore hacker asked for about $95,000, which the city refused to pay.  The city has now agreed to implement a number of IT projects that had been ignored for years, spending $18 million in the process.

In this case the hacker was bolder, asking for $600,000, which, given the typically poor IT practices of a city this size, was the only way to get its data back.

The reason we hear about all of these attacks on cities is that their budget process is legally much more public.  If a private company pays a ransom, there is, most of the time, no legal requirement to disclose it.  Source: CBS.

 


Supply Chain Attacks Are Going Strong

This time the attack is against PrismWeb, an eCommerce platform used by college bookstores.

The attack is similar to others in that the hackers somehow got into the company’s systems and inserted a tiny bit of JavaScript that steals credit card data, very similar to the Magecart attacks affecting sites from Ticketmaster to British Airways.  PrismWeb is integrated into the various college bookstore websites, and when a student goes to check out, the malware is downloaded from PrismWeb as part of the JavaScript needed to run the checkout process.

These attackers are clever: the skimmer takes the data, formats it as JSON, encrypts it and uploads it in a way that makes it look like Google Analytics traffic.

The data being stolen is the credit card number, expiration date, CVV, billing name and address, and phone number.

Over 200 college bookstores have been affected, translating to tens of thousands of students – or more.

What is important to understand here is the concept, not the fact that 200+ colleges have been impacted.

If you use a service and that service has access to your data (remember card data is only one class of data these guys might want – trade secrets and medical data are two others, for example), you are potentially at risk if you don’t protect yourself.

One thing all of these attacks have in common is that data is being uploaded from your site to the attackers.  If your site should not be uploading data unsolicited (that is, not in direct response to a user’s request), you need to be aware of whether this is happening and alert on it.

Of course, attackers can change their MO, but so far, of the thousands of sites affected, this is a common theme.
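One way to put that "be aware and alert" advice into practice is to give the checkout page a Content Security Policy and triage the violation reports the browser sends back, flagging destinations that impersonate an analytics provider or that carry an encoded blob.  This is an added example, not code from the original post or from PrismWeb; the allowlist, hostnames and the three CSP reports are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Hosts the checkout page is expected to talk to (assumed allowlist for this example).
ALLOWED_HOSTS = {"shop.example.edu", "www.google-analytics.com"}

# Constructed CSP violation reports, shaped like the JSON a browser POSTs to a
# report-uri endpoint when page script contacts a host outside connect-src/img-src.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://shop.example.edu/checkout",'
    ' "violated-directive": "connect-src",'
    ' "blocked-uri": "https://www.google-analytics.com/collect"}}',
    '{"csp-report": {"document-uri": "https://shop.example.edu/checkout",'
    ' "violated-directive": "connect-src",'
    ' "blocked-uri": "https://google-analytics.example.net/collect"}}',
    '{"csp-report": {"document-uri": "https://shop.example.edu/checkout",'
    ' "violated-directive": "img-src",'
    ' "blocked-uri": "https://cdn.example-assets.net/p.gif?d=eyJjYyI6IjQxMTEifQ"}}',
]

def is_lookalike(host):
    """Host borrows an analytics brand name without being one of the allowed hosts."""
    return "analytics" in host and host not in ALLOWED_HOSTS

def carries_payload(url):
    """Query string holds a long base64-looking blob, typical of encoded form data."""
    return re.search(r"[?&]\w+=[A-Za-z0-9+/=_-]{16,}", url) is not None

def triage(report_json):
    """Return a verdict for one CSP report: allowed, lookalike, suspect or unknown."""
    report = json.loads(report_json)["csp-report"]
    blocked = report["blocked-uri"]
    host = urlsplit(blocked).hostname or ""
    if host in ALLOWED_HOSTS:
        verdict = "allowed"      # the CSP is tighter than the allowlist; tune the policy
    elif is_lookalike(host):
        verdict = "lookalike"    # impersonation of an analytics provider
    elif carries_payload(blocked):
        verdict = "suspect"      # unknown host receiving an encoded blob
    else:
        verdict = "unknown"      # unexpected host, no obvious payload
    return {"page": report["document-uri"], "host": host,
            "directive": report["violated-directive"], "verdict": verdict}

def alerts(reports):
    """Keep only the reports worth waking someone up for."""
    return [r for r in map(triage, reports) if r["verdict"] in ("lookalike", "suspect")]
```

Running `alerts(SAMPLE_REPORTS)` returns the second and third reports; the first is just a policy tuning note.  The lookalike check is a heuristic and attackers can pick other names, so pair it with a strict connect-src and a review of any new unknown host.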

Ultimately, the problem is with the vendor.  Somehow they were compromised.  And the compromise was not detected.

In this case the customers – the 200+ college bookstores – are left to clean up the mess from the vendor.

MAYBE they will be compensated.  Maybe they will have to sue their vendor (that is no fun and will not get them any money for years, even if they win).  That is all a function of how well their Vendor Cyber Risk Management process works.

Ultimately, it is your problem to deal with, and right now most companies are not paying enough attention to it and the hackers are having a field day.  That is, until they are hacked.  At which point they throw millions at it.  Not a great strategy – for YOU or for YOUR CUSTOMERS.

Source:  Bleeping Computer.

 


More Supply Chain Woes, Courtesy of Asus

Here is an interesting combination of countries.

Multi-billion dollar, Taiwan-based computer maker Asus makes a wide range of computers sold worldwide.

Russian anti-virus maker Kaspersky, which the White House says is a threat to national security and should be banned (which I basically think is mostly true), identified that hackers attacked Asus’s software update mechanism and told computer users in the US (and other countries) that their computers were infected with malware.

How did it happen?  Hackers hacked Asus’ software update system and got Asus to send their customers malware to install.

Nice!

So is the Russian company outing the Chinese company Asus because they are enemies?

Or is the KGB trying to prove that Kaspersky is not a threat?

Or is Kaspersky just doing what its software is supposed to do?

The fact that the malware was SIGNED with Asus’ code-signing key says that the hackers compromised Asus’ internal controls.

The attack was very targeted apparently.  Similar to the CCleaner attack, even though the malware was downloaded a million times, only 600 specific MAC addresses on PCs were targeted.

One VERY IMPORTANT point here.  According to Kaspersky, Asus has been very unresponsive to the issue.

So, what do you do?

First of all, my recommendation would be to remove Asus from your approved vendor list now.  If they come up with a better story you can always add them back in later.  The only way companies will get serious about cybersecurity is if it affects their financials.

That being said, this whole supply chain attack business (think Flame and CCleaner; even NotPetya was delivered as a supply chain attack) is becoming a huge problem and is likely not going away any time soon.

This means that companies need to protect themselves.

Creating and implementing a vendor cyber risk management program is a start.

Make sure that you have adequate CYBER insurance.

Next, figure out what your exposure is.  Are you buying parts (software or hardware) and integrating them into your product or software?  You are at a higher risk.

Are you a higher value target (a tech company, a financial services provider, a holder of a lot of customer information, etc.)?  That puts you at risk.

While patching is a bit of a band-aid, it is one of the best band-aids that we have today.  This means EVERY SINGLE APPLICATION THAT IS INSTALLED ON EVERY SINGLE DEVICE – whether it is a server, desktop, laptop, phone, tablet or thermostat.  If it is on your network or talks to your network, it has to be patched fully.  Think about how bad patching habits worked out for Equifax.

As I said, this is not going to end soon — it is something that you should apply some think time to.  The potential impact on your brand could be very high, depending on your business model.

Source: Motherboard.  To see if your computer is infected, check out this Wired article.

 

 


Uber Is Uber Bad

Ars Technica is reporting that Uber is scrambling to try to recover from an itty bitty problem.  Apparently, someone (probably an Uber employee) posted Uber source code to the public source code repository GitHub.  GitHub is a wonderful tool for storing open source software code in a way that is easy for developers to share.

Only one teensy, weensy problem.

This code contained the userid and password to access Uber’s driver database and someone – at least one someone – downloaded the database of personal information on every single Uber driver.

Oops!

Now Uber is trying to get GitHub to tell them every single person who accessed that code.  I don’t know enough about GitHub to know if they even keep records like that – they may well not do that for a variety of reasons and certainly are not legally required to do that.

This is an example of the supply chain problem that I was talking about in my previous post, only slightly twisted.  Let’s say this was the code to a library that you licensed, it contained sensitive information, and it was publicly available.

Just so that no one is deluded into thinking this is an isolated problem, the Ars folks ran a simple query against GitHub and came up with 296,000 entries similar to the Uber problem (server names, IP addresses, userids and passwords).

A similar search for WordPress came up with 2,000,000 matches.

While some of these did not contain the actual password value, and other servers were not accessible from the public Internet (however, a hacker who gets into the company by other means could still use those credentials to get at the database), many of them seem to point to production servers, accessible from the Internet, with userids and passwords.  For obvious legal reasons, Ars did not try to log in to any of those servers.

Let’s assume that 30% of the entries are valid – either internally or externally and only 20% are accessible externally.

20% of 296,000 means that almost 60,000 web sites and 400,000 WordPress sites are vulnerable.

This search was hardly exhaustive and GitHub is only one such public repository.

THIS IS A SUPPLY CHAIN PROBLEM OF SIGNIFICANT MAGNITUDE.
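The cheapest fix for this class of leak is to catch the credential before it is pushed.  As an added example, not from Ars, Uber or the original post, here is a small scanner of the kind a pre-commit hook would run: it finds connection strings and WordPress-style defines carrying a real-looking password, skips template placeholders, and notes whether the host is an internal address (usable only after some other compromise) or external.  Every file, host, user and password below is constructed.

```python
import ipaddress
import re

# Constructed file contents standing in for source that someone is about to push
# to a public repository. Every host, user and password below is made up.
SAMPLE_FILES = {
    "settings.py": 'DATABASE_URL = "postgres://app:Sup3rS3cret@db.prod.example.com:5432/drivers"\n',
    "wp-config.php": ("define('DB_USER', 'wp');\ndefine('DB_PASSWORD', 'wordpress123');\n"
                      "define('DB_HOST', '10.0.0.12');\n"),
    "config.example.py": 'DATABASE_URL = "postgres://user:<password>@db.internal/app"\n',
    "README.md": "Set DATABASE_URL in the environment before starting the service.\n",
}

# scheme://user:password@host, the shape of most leaked connection strings
URL_CRED = re.compile(r"\b[a-z][a-z0-9+.-]*://([^:/\s]+):([^@/\s]+)@([^:/\s]+)")
# WordPress-style define('DB_USER'|'DB_PASSWORD'|'DB_HOST', '...')
PHP_DEFINE = re.compile(r"define\(\s*'DB_(USER|PASSWORD|HOST)'\s*,\s*'([^']*)'\s*\)")
# Template values that are not real secrets and should not raise an alert
PLACEHOLDER = re.compile(r"^(<[^>]*>|\$\{[^}]*\}|x{3,}|changeme|password)$", re.I)

def host_exposure(host):
    """Where the credential could be used from: 'internal' network only, or 'external'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "internal" if host.endswith((".internal", ".local", ".lan")) else "external"
    return "internal" if ip.is_private or ip.is_loopback else "external"

def scan_text(name, text):
    """Return one finding per real-looking credential in a file's text."""
    findings = []
    for user, password, host in URL_CRED.findall(text):
        if not PLACEHOLDER.match(password):
            findings.append({"file": name, "user": user, "host": host,
                             "exposure": host_exposure(host)})
    php = dict(PHP_DEFINE.findall(text))
    if "PASSWORD" in php and not PLACEHOLDER.match(php["PASSWORD"]):
        host = php.get("HOST", "")
        findings.append({"file": name, "user": php.get("USER", "?"), "host": host,
                         "exposure": host_exposure(host)})
    return findings

def scan_files(files):
    """Scan every file; a non-empty result is what a pre-commit hook would block on."""
    return [f for name, text in files.items() for f in scan_text(name, text)]
```

`scan_files(SAMPLE_FILES)` reports the Django settings file (external host) and the WordPress config (internal host) and ignores the template and the README.  A hostname that is not an obvious internal suffix is reported as external because the scanner cannot tell reachability without resolving it.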

Mitch
