View profile

Weekly Reading's from Anant - Feb Week 2

Anant Shrivastava
Anant Shrivastava
Focus for the week: Software Supply Chain
Software supply chain attacks have been a talk of the town since start of 2021. Starting from SolarWinds attacks (refer here and here) and the topics have just not stopped being in limelight. Software Supply chain attacks are basically targeting entities which are not in your direct control but are a major contributor in your application development process. This includes but not limited to:
  1. Development Tools (IDE’s, supporting tools..)
  2. OS repositories (Debian / RedHat / Chocolatey repositories…)
  3. Language specific repositories (npm, php, ruby, python pip…)
  4. CI / CD Tools (Jenkins, TravisCI, TeamCity…)
If we consider these, the typical supply chains go 2-3-4 or more levels deep in terms of vendor connections. There is no straightforward way to detect and preemptively protect yourself against such attacks. (Haroon also deliberated on this here and here)
Haroon has painted a very grim but very real picture here
The current focus on “supply chain” security will no doubt see the VC-backed creation of next-gen start-ups claiming to solve the problem, but this part of the problem seems intractable. There’s the “easy” suite of software you know about: applications installed on your infrastructure and their dependencies. But, for one, this ignores your vendor’s own vendors. In addition, what product is going to provide guidance on the provenance of the code running in your monitors (on processors we didn’t even know were there?). Will we examine the firmware on the microphone that people are now using for their Zoom calls? Will we re-examine it post-automatic-update? There are way too many connected pieces of code to tackle the problem from this angle.
OWASP has had this pegged as A9 in OWASP TOP 10 2017 (introduced in 2013 and has been at A9 ever since). “Yours truly” talked about a subsection of this 2015 during c0c0n and many people have already talked about this area for some time (BlackHat 2015 talk by Kymberlee Price and Jake Kouns, and Jeff Williams 2012 talk also MITRE’s white paper in 2013, presentation and ATT&CK ID: T1195). This is not a very new topic, however limelight is finally shining on this. I hope this brings out some concrete efforts and not just snake oil, products.
While we are on “attacks on supply chain systems” some interesting references I would like to add.
This was a fascinating research work back in 2016, and multiple discussions happened. The hard fact is the problem remains as shown https://medium.com/@williambengtson/python-typosquatting-for-fun-not-profit-99869579c35d and https://lwn.net/Articles/834078/ (probably pay walled medium link)
2018 saw the attack on event-stream NPM package, which helped overall NPM ecosystem. NPMaudit is now a default thing with package installation and that is a huge positive step in the right direction.
Github Issue #116 event-stream
The latest research posted by Alex Birsan dubbed as Dependency Confusion brings a lot of funny scenario’s in play. I loved the attack as its simple yet very effective. However, I must admit this is again one of those things where the true effects of it are yet to come out.
This attack relies on the fact that the official repositories don’t have the package name reserved, and the organization is using it internally only. The package managers look at official sources first and then any local source. This means if I reserve a package name on official source, I would have control over your environment. Fun fact is this is not so easy to fix, if we shift the focus of package managers to local first that can lead to local DLL injection like scenarios. While looking for defense against such attacks, I have found interesting conversations here and at original hackernews.
An interesting angle to this supply chain attacks comes as a botched up attempt where people assume putting a Software composition analysis software will solve all your problems. To this effect OWASP provides Dependency check tool, but it is simply a composition analysis tool whereas OWASP also works on Dependency Track tool, which aims to solve bigger set of problem. However, both are not fully covering the attack landscape in this area.
From a defense perspective number of things I would prefer to quote:
Key Practices in Cyber Supply Chain
Risk Management: Observations from Industry
3 Ways to Mitigate Risk When Using Private Package Feeds
GitHub - visma-prodsec/confused
I hope this gives you a good understanding of the Software supply chain attacks and various activities surrounding them that has happened so far.
More Reading
I intend to keep this section in every news letter and cover various interesting references I could not cover as part of the newsletter.
  1. Kernel Level vulnerability found and fixed https://seclists.org/oss-sec/2021/q1/107?s=09
  2. Inter-process communication dumping tool for linux https://github.com/guardicore/IPCDump
  3. Building a secure CI-CD pipeline for terraform: https://tech.ovoenergy.com/building-a-secure-ci-cd-pipeline-for-terraform-infrastructure-as-code/
  4. Uncovering a 24-year-old bug in the Linux Kernel: https://engineering.skroutz.gr/blog/uncovering-a-24-year-old-bug-in-the-linux-kernel/
Well, this brings us to the end of this newsletter. Reply to the email or send me a note over twitter if you find this helpful or annoying or interesting. If you feel this fits your bill subscribe and I will see you all next week.
Did you enjoy this issue? Yes No
Anant Shrivastava
Anant Shrivastava @anantshri

This infrequent newsletter contains my commentary around IT (sec) topics

In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Created with Revue by Twitter.
Bhopal, India