The ShadowHammer Attack - 1 Million Asus computers affected shows proprietary is no better than open source - But maybe what you don't see won't hurt you?
Cyber-security and antivirus company Kaspersky dropped a bomb on Asus laptop users this week, revealing that malware was distributed through the Asus Live Update utility. It masqueraded as a legitimate security update, and even boasted a "verified" certificate -- hosted on Asus servers -- to make it appear valid. Kaspersky has deemed this attack "one of the biggest supply-chain incidents ever." Such attacks spiked 78% between 2017 and 2018. This shouldn't raise alarms for just Asus users. It should prompt you to seriously consider whether you want Windows on your PC. Because the possibility of this ever happening on a desktop Linux OS like Ubuntu is minuscule.
What's even more frightening is that Kaspersky discovered the same type of technique used against the Asus Live Update software was also leveraged against three other vendors. The company promised to reveal more substantial information at an upcoming Security Analyst Summit in Singapore.
For Linux: In a nutshell, this means even if a trusted developer is compromised, there are various other individuals who will likely take notice. But even that isn't enough, so Canonical takes things a step further.
"From an end-user point of view, Ubuntu uses a signed archive approach where each package is cryptographically hashed and the list of hashes signed in such a manner that our package manager will not install packages which fail the signature and integrity checks," Murray explains.
This means that even if an Ubuntu mirror (an external software source not directly managed by Canonical) was compromised and someone uploaded malicious copies of packages there, it would fail the signature check and would not be installed.
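To make the signed-archive check concrete, here is an added example (not Ubuntu's or apt's own code) that models the same chain: the archive hashes every package into an index, signs the index, and the client refuses any package whose index signature or listed hash does not match. It assumes Ed25519 for the signature purely for illustration; Ubuntu's archive actually uses OpenPGP signatures on its Release files.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// SignedIndex models an apt Release file: a list of package hashes plus a
// signature over that list made with the archive's key (never held by a mirror).
type SignedIndex struct {
	Body string // lines of "sha256 <hex digest> <package name>"
	Sig  []byte
}

func hashHex(b []byte) string {
	d := sha256.Sum256(b)
	return hex.EncodeToString(d[:])
}

// BuildIndex is the archive side: hash every package and sign the list.
func BuildIndex(priv ed25519.PrivateKey, pkgs map[string][]byte) SignedIndex {
	var sb strings.Builder
	for name, data := range pkgs {
		fmt.Fprintf(&sb, "sha256 %s %s\n", hashHex(data), name)
	}
	body := sb.String()
	return SignedIndex{Body: body, Sig: ed25519.Sign(priv, []byte(body))}
}

// VerifyPackage is the package-manager side, run before install: first the
// index signature, then the downloaded bytes against the listed hash.
func VerifyPackage(pub ed25519.PublicKey, idx SignedIndex, name string, data []byte) error {
	if !ed25519.Verify(pub, []byte(idx.Body), idx.Sig) {
		return fmt.Errorf("index signature invalid: no hash in it can be trusted")
	}
	for _, line := range strings.Split(strings.TrimSpace(idx.Body), "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == "sha256" && f[2] == name {
			if f[1] == hashHex(data) {
				return nil // signed hash matches: safe to install
			}
			return fmt.Errorf("%s: hash mismatch, package altered in transit or on mirror", name)
		}
	}
	return fmt.Errorf("%s: not listed in signed index", name)
}
```

A mirror can serve altered packages or even a re-hashed index, but without the archive's private key neither survives VerifyPackage.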
One Linux distro, Pop!_OS, uses the power of blockchain to ensure that the firmware updates being delivered to its users have no possible way of being manipulated.
See www.forbes.com/sites/jasonevan…
#security #linux #shadowhammer
from Posts by Danie van der Merwe https://ift.tt/2YJz3Ek
via IFTTT