Share this page!

Lea Kissner Profile picture
Twitter logo
2 Feb, 17 tweets, 5 min read
Finishing up this session at #enigma2021 is from Trey Herr speaking about "BREAKING TRUST – SHADES OF CRISIS ACROSS AN INSECURE SOFTWARE SUPPLY CHAIN"

[ *cough* #SolarWinds #SolarWindsHack *cough* ]

usenix.org/conference/eni…
The software supply chain is huge and reaches everywhere.

In the US and elsewhere there's a lot of COTS (commercial off the shelf) software being used.

We don't build most of the software that we use, from mobile phones to container architechture.
Our mental models around supply chain (and regulatory architecture) are built around the hardware supply chain
Collected 139 incidents since Oct 2019 from public information
A software supply chain attack is when attackers access and edit software somewhere in the complex supply chain to compromise down the chain.

Also have to look at vulns -- those can easily become attacks!
Disclaimer: this is based on public information, so it probably undercounts certain high-value targets or places which aren't so covered by press.
[yes this is hard to read. sorry]

Software supply chain attacks land all through the chain.
What we compile and the dependencies we use matter a lot.

There is not going to be one silver bullet.

Updates are a problem; there's an opportunity to push fixes but require a lot of trust
* Software supply chain attacks have been popular and are going to be more so [*cough*#SolarWinds *cough*]
* They're high-impact -- you can get a lot of targets with one hack
* Used to great effect by state attackers
Trends:
* state attacks especially China and Russia
* attacks undermined public-key cryptography (code signing)
* attacks targeted widely-used open-source projects
* 25% of these incidents targeted app stores and developer tools
* 26% of incidents targeted software updates
Distribution vector by year -- that orange bar is attacks on software updates. About half that were targeting build infrastructure.
Nearly 1/3 of the state attackers target updates.
Let's talk about #SolarWinds !
* Compromised at least as early as 2019
* Malicious code was carried through dev pipeline and released to the world
* Could compromise 18k+ different companies based on that
Recommendations:
* US government needs to get smartest about assessing risk and creating a risk register and fund improving IT
* the security issues of software supply chains are not new and not going to get better fast
* it's hard to have the baseline level of security
* too much focus on dev, not enough on deploy
* the risk management strategies are too much in PDF, not code
Improve the baseline: make it easier to have good supply chain security
Better protect open source: fund it!
Counter systemic threats: the US can't do this alone and should be working with allies on this

Support strong cryptography and tools!
[end of talk]

Report from @CyberStatecraft here:
atlanticcouncil.org/in-depth-resea…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Lea Kissner

Lea Kissner Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @LeaKissner

Lea Kissner Profile picture
3 Feb
Next up at #enigma2021, Alex Gaynor from @LazyFishBarrel (satirical security company) will be talking about "QUANTIFYING MEMORY UNSAFETY AND REACTIONS TO IT"

usenix.org/conference/eni…
Look for places where there are a lot of security issues being handled one-off rather than fixing the underlying issue Image
We tried to fix credential phishing mostly by telling people to be smarter, rather than fixing the root cause: people being able to use phished credential.

2-factor auth just ... fixes the problem. ImageImage
Read 15 tweets
Lea Kissner Profile picture
3 Feb
It's time to talk about @zoom_us security over @zoom_us at #enigma2021 by Merry Ember Mou with the talk "BUILDING E2EE AND USER IDENTITY"

usenix.org/conference/eni…
Zoom's launched end-to-end encryption 5 months after the white paper was published
* prevents eavesdroppers between users who are speaking to each other
* protection against compromised servers Image
[ here's the E2EE whitepaper from Zoom]

github.com/zoom/zoom-e2e-…
Read 20 tweets
Lea Kissner Profile picture
3 Feb
@carmelatroncoso is speaking about "CONTACT TRACING APPS: ENGINEERING PRIVACY IN QUICKSAND" at #enigma2021

usenix.org/conference/eni…
Engineering contact-tracing apps has been a marathon

Why make them?
* manual contact-tracing became totally overwhelmed with covid cases
* can we supplement with technology? Image
Constraints: security and privacy
* protect from misuse: surveillance, target marginalized individuals, etc.
* purpose limitation by default
* hide user's identity, location, behaviour
* preserve system integrity
Read 18 tweets
Lea Kissner Profile picture
3 Feb
In more pandemic talks at #enigma2021, Mark Funk is here to talk about "DESIGNING VERIFIABLE HEALTH SOLUTIONS FOR GLOBAL PANDEMIC"

usenix.org/conference/eni…
This is about work done with a nonprofit to try to find a way to prevent infected people from entering a location in a privacy-preserving way.

(Stopped this work when it became clear that this was being built for a world which wouldn't exist any time soon.) Image
Right now, we ask people to self-diagnose, which requires on diagnosis and truthfulness

There are stronger mechanisms like PCR tests Image
Read 25 tweets
Lea Kissner Profile picture
3 Feb
Last day of #enigma2021 and we're kicking off with @cooperq from @EFF talking about "DETECTING FAKE 4G LTE BASE STATIONS IN REAL TIME"

usenix.org/conference/eni…
Focus on tech which targets at-risk people (e.g. activists, rights defenders, sex workers) Image
What is a cell site simulator?

*transmitter or receiver which intercepts metadata from cell phones, often by pretending to be a legit cell tower Image
Read 21 tweets
Lea Kissner Profile picture
2 Feb
Last talk at #enigma2021 today is @iMeluny speaking about "DA DA: WHAT SHARK CONSERVATION TEACHES US ABOUT EMOTIONALITY AND EFFECTIVE COMMUNICATION STRATEGIES FOR SECURITY AND PRIVACY"

usenix.org/conference/eni…
I dreamt of being a shark scientist and worked my ass off to get a scholarship to one of the top programs. My career took a loop, but to this day I find lessons from sharks for security and privacy.
Lessons:
Incidents are emotional
* Risks will never be zero
* Public is ill-informed and fear is common
* science-based policy is not the norn
Read 20 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @LeaKissner has new unrolls!

Check out other threads from @LeaKissner!

Read all threads by @LeaKissner