Invitation to Cybersecurity

Another type of supply chain attack is known as a watering hole attack. In this attack, hackers go after a website that their target frequents. The hackers gain unauthorized access to the third party's web server and implant malicious code on it. The website then becomes the point of attack. When the target visits the website, the malicious code can potentially exploit the target. Drive-by-download exploits are useful in watering hole attacks. One downside of watering hole attacks is that they are coarse-grained. Everybody who visits the compromised website is subject to attack, not just the target.

Computer hardware can also be compromised in a supply chain attack. The United States government has issued directives prohibiting federal agencies from purchasing certain computer hardware products made in China. The concern was that the hardware might be used for espionage and possibly other malicious purposes. China has denied the allegations, but it is impossible for them to completely validate their claims. As Ken Thompson noted, if you do not trust the source, no amount of reassurance from them will be able to convince you.

In a sophisticated form of a hardware supply chain attack known as interdiction, attackers intercept otherwise secure hardware on the way to the target and compromise it before delivery. Attackers need to do this quickly and undetectably to avoid raising suspicion. Products like smartphones and smart home devices, if intercepted and compromised, could provide attackers with extraordinary access to spy on their targets.

4.1.2.5 Obtaining Physical Access

Obtaining physical access to a computer system is a powerful way for an attacker to gain unauthorized access. An evil maid attack is an attack where a hacker gains physical access to an unattended computer and compromises it. It is so called because people often leave their laptops in their hotel rooms when they go out, creating an opportunity for the hotel housekeeping service to access their devices. Even if the housekeeping service does not have a resident hacker, a hacker could gain access to the room by social engineering hotel staff or through some other way.

If the unattended device is not protected with a password, or if the user is still logged in when the attacker starts using it, then the attacker has easy access. If the user is an administrator, then the attacker can view and change anything and everything on the device. This would include viewing stored wireless network and web browser passwords. The attacker can also use the web browser to navigate to websites. If the user is still logged in or if the browser automatically populates usernames and passwords, then the attacker would have control over the victim's cloud accounts.

The attacker could also add malware to the computer for ongoing access, and could change security settings such as firewall, user accounts, and certificate settings. The attacker could also exfiltrate data from the computer either over the network or onto a portable hard drive or USB stick, or take pictures of some of the data on the device.

If the logged-in user is not an administrator, the attacker would have more limited access but could still accomplish some of these
