Add supply chain catalog #284
Conversation
Fix minor issue for Juniper Incident
Add new attacks
- 2019: ShadowHammer
- 2019: Dofoil
- Impact section, shadowhammer2019
- Fix typo, dofoil2018
I'm thinking that we could create a folder for all similar resources, so as to not end up with a ton of folders at the root level. But this can be done later as well. Not a pressing matter.
I agree, I can relocate all of this to a subdirectory and then move things around :)
Hi @lumjjb, I reviewed the directory structure and it appears to me it's reasonable (i.e.,
I made a root README that introduces the topic (taking some text from in-toto assessment that I re-wrote for this context) Then moved most of prior README content into /compromises sub-directory, so that the (future) solutions can be separate from the catalog of past compromises.
I submitted a PR for restructuring the README -- reflecting on goals in Supply Chain Security Initiative pre-meeting notes, I tried to capture the two parts
I suggest we make the directory top-level for now and refactor into a I suggest the name of this directory be simply
see PR for README refactor based on discussion in SIG meeting (I think it was 2019-09-04), though not explicit in notes that we don't intend the catalog to be exhaustive, rather to be useful toward education and coming up with best practices, etc.
also suggest making catalog a flat list of files (for example, instead of 2017/ccleaner.md, just make it 2017-ccleaner.md which I think would make browsing a lot easier)
Hi @ultrasaurus, I can't seem to find the PR you mentioned. Am I missing something?
More than 34 organizations affected, including Symanted, Northrop Grumman, | ||
Morgan Stanley, Dow chemical, Yahoo, Rackspace, Adobe and Google. | ||
## Type of Compromise |
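Review bot: the affected-organizations list in this hunk has two naming issues worth fixing before merge: "Symanted" looks like a typo for "Symantec", and "Dow chemical" should be capitalised as "Dow Chemical" to match the other company names in the same sentence.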
Let's set a good example for caps consistency from contributing guide for our new additions.. I think we need to add a CI for this. Which unfortunately will probably fail for our existing repo :p
It seems that the attackers have been able to hack | ||
the source code repository but not developer keys. | ||
trailing whitespace
@SantiagoTorres I attempted to make a PR against the branch in your fork here: SantiagoTorres#1
Hi @lumjjb! I addressed your comments. I also updated the PR with some incidents that users submitted. @ultrasaurus I merged your suggestion, so it's ready for another review. Thanks!
LGTM!
love it!
see notes on compromises/README.md
broken links
| Name | Year | Type of compromise | Link | | ||
| ----------------- | ------------------ | ------------------ | ----------- | | ||
| [electron-native-notify] | 2019 | Source Code Compromise | [1](https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm)[2](https://komodoplatform.com/update-agama-vulnerability/)| |
is [electron-native-notify]
supposed to have a link?
| Name | Year | Type of compromise | Link | | ||
| ----------------- | ------------------ | ------------------ | ----------- | | ||
| [electron-native-notify] | 2019 | Source Code Compromise | [1](https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm)[2](https://komodoplatform.com/update-agama-vulnerability/)| | ||
| [ShadowHammer](compromises/2019/shadowhammer.md) | 2019 | Multiple steps | [1](https://www.csoonline.com/article/3384259/asus-users-fall-victim-to-supply-chain-attack-through-backdoored-update.html), [2](https://securelist.com/operation-shadowhammer/89992/) | |
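Review bot: the Link cell of the electron-native-notify row runs its two references together as `[1](...)[2](...)` with no separator, while the ShadowHammer row directly below writes `[1](...), [2](...)`; add `, ` between the references so the column renders consistently.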
broken links: since README is in compromises
directory, need to remove compromises/
from links
| Name | Year | Type of compromise | Link | | ||
| ----------------- | ------------------ | ------------------ | ----------- | | ||
| [electron-native-notify] | 2019 | Source Code Compromise | [1](https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm)[2](https://komodoplatform.com/update-agama-vulnerability/)| |
is [electron-native-notify]
supposed to have a link?
The README.md of supply-chain-security/compromises was adding a compromises prefix to its relative links. This would make the links direct to a 404 rather than the correct location.
one more link to fix and then I think we're good to go!
| [Monju Incident](2014/monju.md) | 2014 | Publishing infrastructure| [1](https://www.contextis.com/en/blog/context-threat-intelligence-the-monju-incident) | ||
| [Operation Aurora](2010/aurora.md) | 2010 | Watering-hole attack | [1](https://www.wired.com/2010/03/source-code-hacks/) | | ||
| [ProFTPD](2010/proftpd.md) | 2010 | Source Code Repository | [1](https://www.zdnet.com/article/open-source-proftpd-hacked-backdoor-planted-in-source-code/) | | ||
| [gentoo rsync compromise](2003/gentoo-rsync.md) | 2003 | Source Code Repository[1](https://archives.gentoo.org/gentoo-announce/message/7b0581416ddd91522c14513cb789f17a) | |
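Review bot: the "Type of compromise" column in this hunk mixes vocabularies ("Publishing infrastructure", "Watering-hole attack", "Source Code Repository", and "Source Code Compromise" elsewhere in the table), which makes the catalog hard to filter; pick one set of category names and use it on every row. Also, the Monju row's type cell is missing the space before its closing pipe ("Publishing infrastructure|").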
This line is missing a column separator... I think it should be Source Code Repository | [1]
and 2003/gentoo-rsync.md
is a broken link -- looks like the actual file has a typo in filename
@ultrasaurus thank you! I did a click-test through all the links this time (on gh, rather than locally). It should be ok now...
Looks great -- thank you!
- root README that introduces the topic (taking some text from in-toto assessment that I re-wrote for this context)
- additional README for /compromises sub-directory, so that the (future) solutions can be separate from the catalog of past compromises.
This is intended to be the starting point of the supply-chain security project.
For discussion about this, see #224