Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: Update SSC compromise catalog #1275

Merged
merged 2 commits into from
Jun 21, 2024
Merged

docs: Update SSC compromise catalog #1275

merged 2 commits into from
Jun 21, 2024

Conversation

abhisek
Copy link
Contributor

@abhisek abhisek commented Jun 12, 2024

This is first in a (expected) series of PRs to update the supply chain compromises catalog.

  • Fix link in index
  • Update incident title to make it verbose
  • Add note to review incidents that are possibly outside the scope of SSC security

@netlify Netlify
Copy link

netlify bot commented Jun 12, 2024
edited
Loading

Deploy Preview for tag-security ready!

Name Link
🔨 Latest commit 7a1993f
🔍 Latest deploy log https://app.netlify.com/sites/tag-security/deploys/667549170eedf80008105dfc
😎 Deploy Preview https://deploy-preview-1275--tag-security.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@abhisek abhisek force-pushed the docs/improve-scs-compromise branch 2 times, most recently from ca169f5 to 93efd39 Compare June 12, 2024 18:15
mnm678
mnm678 reviewed Jun 13, 2024
View reviewed changes
Copy link
Collaborator

@mnm678 mnm678 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the changes! Let's see if we can get the categorization notes resolved before merging.

supply-chain-security/compromises/2010/fsf-website.md Outdated
@@ -1,5 +1,7 @@
# Free Software Foundation Website Hack

**Note:** Review if this incident can be categorized as supply chain incident as per [compromise definitions](../compromise-definitions.md)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like it was categorized as a supply chain attack because the compromise happened at the source code

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reading the referenced doc at https://www.computerworld.com/article/1439287/free-software-foundation-s-software-repository-hacked.html

I see original entrypoint for attacker was SQL Injection. Subsequently they extracted credentials from the database through SQL injection, uploaded a PHP reverse shell and gained access to the server that contains the source code for the website. There doesn't seem to be any evidence that this source code is in turn consumed by any other party. This seems like a first party attack without any impact to a third party.

If we still have to retain this, I feel we should change the classification type to Attack Chaining because a multi-step attack was performed to gain access to the server and deface the website.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-categorizing this as Attack Chaining makes sense to me

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mnm678 Updated the category. Over to you.

supply-chain-security/compromises/2013/apt.md Outdated Show resolved Hide resolved
@abhisek abhisek force-pushed the docs/improve-scs-compromise branch from 93efd39 to 5df3ac1 Compare June 14, 2024 16:22
@abhisek abhisek requested a review from mnm678 June 14, 2024 16:28
@abhisek abhisek force-pushed the docs/improve-scs-compromise branch from c5ac3b5 to ce7adf2 Compare June 21, 2024 09:33
abhisek added 2 commits June 21, 2024 15:04
@abhisek
docs: Update SSC compromise catalog
e921144 
fix: Linter errors

docs: Add reference to apt vulnerability description

Signed-off-by: abhisek <[email protected]>
@abhisek
docs: Update category for FSF websie hack incident
7a1993f 
Signed-off-by: abhisek <[email protected]>
@abhisek abhisek force-pushed the docs/improve-scs-compromise branch from ce7adf2 to 7a1993f Compare June 21, 2024 09:34
@mnm678 mnm678 merged commit 4c02840 into cncf:main Jun 21, 2024
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mnm678 mnm678 mnm678 approved these changes

@lirantal lirantal Awaiting requested review from lirantal

@mlieberman85 mlieberman85 Awaiting requested review from mlieberman85

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@abhisek @mnm678