The Codecov Incident - How do supply chain attacks work?

  • Added 26. 07. 2024
  • Read Cryptography Inventory White Paper - cryptosense.com/whitepapers/c...
    In April 2021, San Francisco-based technology company Codecov discovered that attackers had compromised its software platform, in yet another digital supply chain attack. Although the attack was identified and reported in April, the tampering reportedly started back in January. A hardcoded credential inside a Docker image was discovered to be the weak point that allowed the attackers to gain access to Codecov's code.
    The consequences of this attack have been far-reaching. Storing secrets such as keys in environment variables in a CI environment can be very dangerous: anyone who obtains those variables can potentially gain access to your GitHub or other code repository.
    While it is useful to have a close copy of your production environment in order to test effectively, some people are not careful to remove live (production) credentials from their test site. These service credentials are a juicy target for hackers.
    The GPG key that HashiCorp used as a code signing key was compromised in this attack, leaving widely used tools such as Terraform and Vault vulnerable.
    What can you do if you have been affected by this type of supply chain attack and the environment variables from your CI environment are now exposed? You will have to roll them (update everything), but what if you don't know which keys and credentials are really being used, or how many times each of them is used?
    If you don't have an efficient system for maintaining an inventory of your cryptography, this kind of project has to be done manually, and it can take a team of developers weeks to complete.
    Read our white paper on building a cryptography inventory: cryptosense.com/whitepapers/c...
    /////
    Find out more about Cryptosense: cryptosense.com/
    Follow us on Twitter: / cryptosense
    /////
    Cryptosense CEO Dr. Graham Steel was formerly an academic researcher before founding Cryptosense in 2013. His cryptography expertise is the basis for the company's 'Analyzer' technology which allows customers to protect themselves against losing sensitive data.
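The rotation question raised above (which exposed CI secrets are actually referenced, where, and how often) can be answered with a small inventory pass over the repository. The script below is an added example, not code from the video or from Cryptosense's Analyzer; it scans a constructed set of pipeline files for references to a list of exposed secret names, flags any name that is assigned a literal value (the hardcoded-credential mistake described above), and orders the names for rotation. The reference syntaxes it recognises and the sample files are assumptions.

```python
import re

# Forms in which pipelines and scripts reference a secret by name (assumed:
# shell $VAR/${VAR}, Python os.environ, GitHub Actions ${{ secrets.NAME }}).
REFERENCE_PATTERNS = [
    re.compile(r"\$\{?([A-Z][A-Z0-9_]+)\}?"),
    re.compile(r"os\.environ(?:\.get)?[\[(]['\"]([A-Z][A-Z0-9_]+)['\"]"),
    re.compile(r"\$\{\{\s*secrets\.([A-Z][A-Z0-9_]+)\s*\}\}"),
]
# A secret name assigned a literal (e.g. ENV NAME=... baked into a Dockerfile)
# rather than a reference resolved at run time.
HARDCODED_PATTERN = re.compile(r"\b([A-Z][A-Z0-9_]+)=(['\"]?)([^\s'\"$]{8,})\2")

def inventory_secrets(files, exposed):
    """files: {path: text}. Returns (usage, hardcoded): for each exposed name
    the (path, line) locations that reference it, plus literal assignments."""
    usage = {name: [] for name in exposed}
    hardcoded = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for pat in REFERENCE_PATTERNS:
                for name in pat.findall(line):
                    if name in usage and (path, lineno) not in usage[name]:
                        usage[name].append((path, lineno))
            for name, _quote, _value in HARDCODED_PATTERN.findall(line):
                if name in usage:
                    hardcoded.append((name, path, lineno))
    return usage, hardcoded

def rotation_plan(usage):
    """Names to roll, most-referenced first (most places to update), and
    exposed names nothing references, which are candidates to retire."""
    rotate = sorted((n for n, locs in usage.items() if locs),
                    key=lambda n: -len(usage[n]))
    retire = sorted(n for n, locs in usage.items() if not locs)
    return rotate, retire

# Constructed sample repository content and exposed-name list (not real data).
SAMPLE_FILES = {
    "ci.yml": "env:\n  TOKEN: ${{ secrets.GITHUB_TOKEN }}\n"
              "  run: curl -H \"Authorization: $GITHUB_TOKEN\" https://api.example\n",
    "deploy.sh": "aws s3 cp build/ s3://bucket --sse-kms-key-id ${KMS_KEY_ID}\n",
    "upload.py": "token = os.environ['CODECOV_TOKEN']\n",
    "Dockerfile": "FROM python:3.12\nENV CODECOV_TOKEN=placeholder-token-0123456789\n",
}
EXPOSED = ["GITHUB_TOKEN", "KMS_KEY_ID", "CODECOV_TOKEN", "OLD_SIGNING_KEY"]

if __name__ == "__main__":
    usage, hardcoded = inventory_secrets(SAMPLE_FILES, EXPOSED)
    print("rotate, retire:", rotation_plan(usage), "hardcoded:", hardcoded)
```

A literal assignment found by `HARDCODED_PATTERN` means the value itself, not just the variable, has to be treated as exposed and removed from every image layer that contains it.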
  • Science & Technology

Comments • 2

  • @compuowl
    3 years ago +1

    When it comes to cryptography knowledge these videos have it COVERED