Cautionary tales on upgrade risks



DuckHook
February 16th, 2021, 07:57 AM
https://nakedsecurity.sophos.com/2021/02/16/how-one-man-silently-infiltrated-dozens-of-high-tech-networks/

Both fascinating and troubling at the same time.

There's a danger in turning this into an exercise in needless paranoia, but it's useful to know where attack vectors can hide, even from seemingly trustworthy sources.

We live in an age where judicious vigilance is a necessity.

zebra2
February 16th, 2021, 03:53 PM
Back in the late 80s I was importing Assembly Language routines into my BASIC scripts. So the potential for this has existed from the very start. But even throwing out the mal intent, it amounted to an import of the shortcomings of others in exchange for the desired faster speed of the assembler routines. Hence the need for continued updates! And the vulnerabilities. Looking back over the situation as it exists, who could resist that?

DuckHook
February 16th, 2021, 06:42 PM
…it amounted to an import of the shortcomings of others in exchange for the desired faster speed … who could resist that.
Indeed.

Our modern tech world is built on this process of leveraging. We are able to conduct this exchange of ideas because a vast network of developers have used the fruits of each other's work upon which to build their own. So, in some ways, the article was a statement of the obvious.

What I found interesting about it was the way that malware could be hidden in the distribution system. It doesn't have to be in the packages themselves—which could check out to be squeaky clean—but in the delivery system. It was a nuance that I was only vaguely aware of. It's more than a little sobering when a white hat shows it to be not only real but so easy to exploit.