What Is a Supply Chain Attack?

This article was originally written in 2017.

We all know the story of the Trojan horse. What we don’t know is why the Trojans didn’t take the horse and lock it in a room for a week, flood it, and then haul it out in the town square once they were sure it was safe. If the Trojans had been less trusting, a smelly wooden eyesore would be the worst of their problems. Instead, they lost everything.

Even though everyone knows this story, we still make the same mistake today: we are too trusting.

It’s now 2017, and data breaches are the norm. Over the last ten years, 9 billion records have been compromised, with nearly 2 billion in 2017 alone. Even as we adopt better security practices and spend more money to protect ourselves, attackers are finding new ways to exploit weaknesses in a company’s defenses.

One increasingly common attack is called a supply chain attack, where an attacker slips malware or a rootkit into a software update without the developers noticing. This is the type of attack that caused the massive Target breach of 2013, which gave attackers access to 41 million consumers’ personal information.

The idea that malware is lurking in your software updates is frightening — and it should be. If a supply chain attack succeeds, the hacker gains access to millions of computers all at once. All it takes is one developer making a mistake or not reviewing the code thoroughly, and a contaminated update is released to everyone using the software. These attacks create disruption all the way up to the executive level — but what can be done to prevent them?

Fortunately, SpiderOak has an answer.

Our Secure Application Updater is based on the platform we created to build our own products. We use blockchain technology to secure every step of the release process, verifying the identity of each developer working on it and ensuring the code is never tampered with. Using cryptography, we can help you be absolutely sure that malicious code will never make it into your updates.
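The general pattern behind that paragraph, a hash-chained release log in which every step is authenticated by a known developer and the updater checks the download against the last entry, is shown here as an added example; it is not SpiderOak's code or design. The developer names, keys, step names and function names are hypothetical, and HMAC stands in for the per-developer digital signatures a real system would use.

```python
import hashlib, hmac, json

# Constructed demo keys; HMAC is an assumed stand-in for developer signatures.
DEV_KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}
GENESIS = "0" * 64

def _digest(entry):
    # Hash covers the previous entry's hash, so editing history breaks the chain.
    body = {k: entry[k] for k in ("prev", "step", "dev", "artifact_sha256")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def _tag(dev_key, entry_hash):
    return hmac.new(dev_key, entry_hash.encode(), hashlib.sha256).hexdigest()

def append_step(ledger, step, dev, artifact):
    entry = {"prev": ledger[-1]["hash"] if ledger else GENESIS, "step": step,
             "dev": dev, "artifact_sha256": hashlib.sha256(artifact).hexdigest()}
    entry["hash"] = _digest(entry)
    entry["tag"] = _tag(DEV_KEYS[dev], entry["hash"])
    ledger.append(entry)

def verify_update(ledger, update_bytes):
    """Return (ok, reason); accept only an intact, fully authenticated chain
    whose final artifact hash equals the hash of the downloaded update."""
    if not ledger:
        return False, "empty ledger"
    prev = GENESIS
    for i, e in enumerate(ledger):
        key = DEV_KEYS.get(e["dev"])
        if key is None:
            return False, f"step {i}: unknown developer"
        if e["prev"] != prev or _digest(e) != e["hash"]:
            return False, f"step {i}: chain broken"
        if not hmac.compare_digest(_tag(key, e["hash"]), e["tag"]):
            return False, f"step {i}: bad developer tag"
        prev = e["hash"]
    if hashlib.sha256(update_bytes).hexdigest() != ledger[-1]["artifact_sha256"]:
        return False, "update does not match released artifact"
    return True, "ok"

def demo():
    ledger = []
    append_step(ledger, "commit", "alice", b"source v1.2")
    append_step(ledger, "review", "bob", b"source v1.2")
    append_step(ledger, "build", "alice", b"binary v1.2")
    good = verify_update(ledger, b"binary v1.2")
    swapped = verify_update(ledger, b"binary v1.2 + implant")  # altered download
    ledger[1]["dev"] = "alice"  # rewritten history: reviewer identity changed
    return good, swapped, verify_update(ledger, b"binary v1.2")

if __name__ == "__main__":
    print(demo())
```

A log like this makes tampering with a recorded step or a shipped artifact detectable; it does not vet code that a legitimate key holder submits.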

It’s time to change the way we think about protecting our companies. Stop trusting everyone and you can change how history will remember you: not as a tragedy, but as a breach-free company with some questionable taste in horse sculptures.

……

Attacks that take advantage of the inherent trust between users and their software providers are a dangerous and growing trend.

“Security researchers from Check Point Software Technologies recently found around 50 malware-infected Android applications hosted on Google Play that had been downloaded millions of times. They determined that the malicious code was actually part of a third-party SDK that app developers had integrated into their apps.”

What can we expect in 2018?

In 2018, we expect to see advanced threat actors playing to their new strengths, honing their new tools and the terrifying angles described above.