2021-05-28

Imagine you are a chicken rancher. Your chickens are free-range, no antibiotics, and (most importantly) hypo-allergenic. So, people with egg allergies can use your eggs to make cookies and other goodies.
However, if your customers ever inadvertently eat store-bought eggs, they will die. You can see the value in your eggs.
But who would ever want to harm your egg business? You are small. You only serve a small geographic area. Now imagine you have a very elite clientele. Because your eggs are so unique, your clientele consists of some very influential and powerful people. If a criminal wanted to target a powerful person, they wouldn’t have to do it directly. All they have to do is gain access to your hen houses and plant store-bought eggs, then wait for you to deliver them to your clients. It doesn’t even matter to the criminal if they hurt others as well; those would merely be collateral damage. As long as their target is affected, their mission is complete.
This is pretty much how software supply chain attacks happen. A legitimate software vendor with lackadaisical security on its software repository (the henhouse) gets infiltrated by a threat actor (the criminal). A legitimate file (your precious eggs) gets infected with malware (the store-bought eggs); then the threat actor simply waits for the vendor to ship the infected file and for the clients to receive it.
Does this happen? You bet it does! A few months ago, a huge software vendor, SolarWinds, had this happen to them. It affected about 18,000 of their high-value customers.
So now we find we can’t even trust vendors to keep their software repositories (their hen houses) safe. But what can you do about it? One partial safeguard, before you install any new software or update, is to upload the file to virustotal.com and have it scanned at no cost. It’s not foolproof, but it gives you at least a small measure of assurance that the file hasn’t been tampered with.
There are two catches to this method. First, VirusTotal is a public website, so you don’t want to upload any sensitive files. Second, VirusTotal will only report a file as malicious if (1) VirusTotal has seen it before, and (2) the antivirus engines it uses to scan the file have flagged it as malicious. What this means for you is that if the good “eggs” were swapped for bad “eggs” only this morning, VirusTotal will not know the file is bad, and you will install malicious software. Hence, with this technique, your mileage may vary.
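The VirusTotal check above, and both of its catches, can be handled in a small script. The following is an added example, not code from the original post: it hashes the downloaded file locally and asks VirusTotal for an existing report by SHA-256 (the public v3 endpoint `GET /api/v3/files/{hash}` with the `x-apikey` header), so the file itself is never uploaded, and it treats a 404 (hash never seen) as "unknown" rather than "clean", which is exactly the swapped-this-morning case. `VT_API_KEY` is a placeholder you must replace, and the two sample reports are constructed to match the shape of a real `last_analysis_stats` block, not real scan results.

```python
import hashlib
import json
import os
import tempfile
import urllib.error
import urllib.request

# Placeholder, not a real key: VirusTotal requires your own API key for lookups.
VT_API_KEY = "YOUR_VT_API_KEY_PLACEHOLDER"
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"

# Constructed sample responses shaped like the v3 /files/{hash} report (not real reports).
SAMPLE_FLAGGED = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 12, "suspicious": 1, "undetected": 50, "harmless": 0, "timeout": 0}}}}
SAMPLE_CLEAN = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 0, "suspicious": 0, "undetected": 60, "harmless": 3, "timeout": 0}}}}


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks locally; only the digest ever leaves the machine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def vt_fetch_report(sha256, api_key=VT_API_KEY):
    """Fetch an existing report by hash. None means VirusTotal has never seen this file."""
    req = urllib.request.Request(
        VT_FILE_URL.format(sha256=sha256), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None  # unknown hash: no verdict is possible, do not treat as clean
        raise


def classify_report(report, min_flags=1):
    """Map a report to 'unknown', 'clean' or 'flagged' using last_analysis_stats."""
    if report is None:
        return "unknown"
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flags = stats.get("malicious", 0) + stats.get("suspicious", 0)
    return "flagged" if flags >= min_flags else "clean"


def check_download(path, fetch=vt_fetch_report):
    """Return (sha256, verdict) for a file; `fetch` is injectable so it can run offline."""
    digest = sha256_of_file(path)
    return digest, classify_report(fetch(digest))


def demo_offline():
    """Run the whole check against a constructed file with a stub in place of the network."""
    payload = b"constructed sample installer bytes, not a real program\n"
    expected = hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "vendor-update.bin")
        with open(path, "wb") as f:
            f.write(payload)
        # Stub: VirusTotal has never seen this hash (the eggs were swapped this morning).
        digest, verdict = check_download(path, fetch=lambda sha, api_key=None: None)
    return {
        "digest": digest,
        "hash_ok": digest == expected,
        "verdict": verdict,
        "flagged_sample": classify_report(SAMPLE_FLAGGED),
        "clean_sample": classify_report(SAMPLE_CLEAN),
    }


if __name__ == "__main__":
    print(demo_offline())
```

For a live check, call `check_download("path/to/installer")` with a real key in `VT_API_KEY`; an "unknown" verdict is a reason to wait or to verify the vendor's own published checksum, not a green light.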
Your valuable eggs are precious to you, and your trusting clients are important to you. Therefore, you want to make the best decisions for your company—for your sake and for the sake of your clients.
