From 7f653ef406b4306fc9a8f15f62e8b4826eae0477 Mon Sep 17 00:00:00 2001 From: Daniel Gray Date: Sun, 31 Mar 2024 08:48:51 +0000 Subject: [PATCH] Common Threats: Supply chain attacks --- docs/basics/common-threats.md | 23 ++++++++++++++++++++++- theme/assets/stylesheets/extra.css | 6 ++++++ 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/docs/basics/common-threats.md b/docs/basics/common-threats.md index 67bd483b19..5c26a1aed0 100644 --- a/docs/basics/common-threats.md +++ b/docs/basics/common-threats.md @@ -9,13 +9,14 @@ Broadly speaking, we categorize our recommendations into the [threats](threat-mo - :material-incognito: Anonymity - Shielding your online activity from your real identity, protecting you from people who are trying to uncover *your* identity specifically. - :material-target-account: Targeted Attacks - Being protected from hackers or other malicious actors who are trying to gain access to *your* data or devices specifically. - :material-bug-outline: Passive Attacks - Being protected from things like malware, data breaches, and other attacks that are made against many people at once. +- :material-package-variant-closed-remove: Supply Chain Attacks - A vulnerability or exploit introduced into otherwise good software either directly or through a dependency from a third party. - :material-server-network: Service Providers - Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server). - :material-eye-outline: Mass Surveillance - Protection from government agencies, organizations, websites, and services which work together to track your activities. - :material-account-cash: Surveillance Capitalism - Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors. - :material-account-search: Public Exposure - Limiting the information about you that is accessible online—to search engines or the general public. - :material-close-outline: Censorship - Avoiding censored access to information or being censored yourself when speaking online. -Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-target-account: Targeted Attacks, but they probably still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. +Some of these threats may be more important to you than others, depending on your specific concerns. For example, a software developer with access to valuable or critical data may be primarily concerned with :material-package-variant-closed-remove: Supply Chain Attacks and :material-target-account: Targeted Attacks. They will likely still want to protect their personal data from being swept up in :material-eye-outline: Mass Surveillance programs. Similarly, many people may be primarily concerned with :material-account-search: Public Exposure of their personal data, but they should still be wary of security-focused issues, such as :material-bug-outline: Passive Attacks—like malware affecting their devices. ## Anonymity vs. Privacy @@ -57,6 +58,26 @@ By design, **web browsers**, **email clients**, and **office applications** typi If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://learn.microsoft.com/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. +:material-package-variant-closed-remove: Supply Chain + +Supply chain attacks are a type of :material-bug-outline: Passive Attack which can be part of a larger :material-target-account: Targeted Attack. + +There are few ways in which this type of attack might be carried out: + +1. A contributor or employee might work their way into a position of power within an organization and then abuse that position to add some malicious code. +2. A developer may be coerced by an outside party to add malicious code. +3. An individual or group might identify a third party software dependency (also known as a library) and work to infiltrate it with the above two methods, knowing that it will be used by "downstream" software developers. + +These sorts of attacks can require a lot of time and preparation to perform and are risky because they can be detected, particularly in open source projects if they are popular and have outside interest. Unfortunately they're also one of the most dangerous as they can never be entirely mitigated. We would encourage readers only use software which has a good reputation and makes an effort to reduce risk by: + +1. Only adopting popular software that has been around for a while. The more interest in a project the, the greater likelihood that external parties will notice malicious changes. A malicious actor will also need to spend more time gaining community trust with meaningful contributions. +2. Automated build infrastructure for released binary code reduces the attack surface such as, a compromised developer workstation or breached server. It provides accountability to others involved in the project in that binaries are produced from a central source code repository. +3. Code signing on individual commits and releases increases an auditable trail of who did what. For example: Was the malicious code in the software repository? Which developer added it? Was it added during the build process? +4. In open source projects the code should have commit messages which are explain exactly what the associated code does. This makes it easier for external parties to verify and detect if the code doesn't match the description. +5. The number of contributors or maintainers, a lone developer may be more +susceptible to being coerced or forced into adding malicious code by an external party. +6. Economical pressure that would occur if a company was involved with negligent behavior that enabled malicious code to be added. This may very well mean software developed by "Big Tech" has more scrutiny than a lone developer who doesn't answer to anyone. + ## Privacy From Service Providers :material-server-network: Service Providers diff --git a/theme/assets/stylesheets/extra.css b/theme/assets/stylesheets/extra.css index c4c7e46390..f8733bd272 100644 --- a/theme/assets/stylesheets/extra.css +++ b/theme/assets/stylesheets/extra.css @@ -45,6 +45,7 @@ --pg-blue: #0e66ae; --pg-green: #2e7e31; --pg-blue-gray: #546d78; + --pg-amber: #d19d00; } :root, [data-md-color-scheme="slate"] { --md-default-bg-color: rgb(26, 26, 27); @@ -64,6 +65,7 @@ --pg-blue: #74b9f1; --pg-green: #72cd75; --pg-blue-gray: #9ab2bc; + --pg-amber: #d19d00; --md-footer-bg-color--dark: var(--md-default-bg-color); } @@ -301,6 +303,10 @@ details[class="downloads annotate"] > p .md-annotation span span::before { color: var(--pg-blue-gray); } +.pg-amber { + color: var(--pg-amber); +} + /* Make header icons smaller */ .md-header__button.md-icon svg { height: 1rem;