Archive for the ‘supply chain’ Category

Two new supply-chain attacks come to light in less than a week

October 23rd, 2018
Two new supply-chain attacks come to light in less than a week

Enlarge (credit: Brian Smithson / Flickr)

Most of us don’t think twice about installing software or updates from a trusted developer. We scrutinize the source site carefully to make sure it’s legitimate, and then we let the code run on our computers without much more thought. As developers continue to make software and webpages harder to hack, blackhats over the past few years have increasingly exploited this trust to spread malicious wares. Over the past week, two such supply-chain attacks have come to light.

The first involves VestaCP, a control-panel interface that system administrators use to manage servers. This Internet scan performed by Censys shows that there are more than 132,000 unexpired TLS certificates protecting VestaCP users at the moment. According to a post published last Thursday by security firm Eset, unknown attackers compromised VestaCP servers and used their access to make a malicious change to an installer that was available for download.

Poisoning the source

“The VestaCP installation script was altered to report back generated admin credentials to vestacp.com after a successful installation,” Eset Malware Researcher Marc-Étienne M.Léveillé told Ars. “We don’t know exactly when this happened, but the modified installation script was visible in their source code management on GitHub between May 31 and June 13.” VestaCP developer Serghey Rodin told Ars his organization is working with Eset to investigate the breach to better understand the attack.

Read 10 remaining paragraphs | Comments

Posted in Biz & IT, malware, supply chain | Comments (0)

Touchscreens ‘at risk from chip in the middle attack’, warn researchers

August 25th, 2017

Researchers call for manufacturers to recognize that compromised hardware is a real possibility

Posted in chip-in-the-middle attack, hardware threats, Mobile, supply chain | Comments (0)

Five Billion Tests Later: IoT and Industrial Control System Protocols Raise Alarms

August 9th, 2017

In-brief: Close to five billion “fuzzing” tests conducted during 2016 reveal protocols used by industrial control systems, vehicles and Internet of Things devices to be weaker, on average, with many crashing hundreds of times and revealing vulnerabilities that could be used by malicious actors.  A study of 4.8 billion automated…

Read the whole entry… »

Related Stories

Posted in connected devices, critical infrastructure, fuzzing, Internet of things, protocol, published research, Reports, software, software development, supply chain, survey, Top Stories, trends, vulnerabilities | Comments (0)

Flaw In D-Link Software Affects 400K Devices

July 8th, 2016

In-brief: A vulnerability in software by device maker D-Link is much more widespread than initially believed, affecting hundreds of thousands of Internet connected devices, including cameras, home routers, wireless access points and network attached storage. A vulnerability in software by device maker D-Link is much more widespread than initially believed, affecting hundreds of thousands of Internet connected devices, including cameras, home routers, wireless access points and network attached storage. The security firm Senrio said on Thursday that a vulnerability it first disclosed in June in D-Link’s DCS-930L Network Cloud Camera also affects “a huge range of products” made by that company. More than 120 models across Connected Home Products, including cameras, routers, access points, modems, and storage, are affected by this single vulnerability, Senrio said in a statement. As many as 400,000 D-Link devices that are accessible from the public Internet are vulnerable to remote attack as a result of the remote code […]


Definitive Guide to DLP

Posted in broadband router, cameras, critical infrastructure, customer premises equipment (CPE), d-link, embedded device, hardware, home gateway, Internet of things, NAS, Patching, router, Senrio (Xipiter), supply chain, Switch, system on chip, trends, vulnerabilities | Comments (0)