Assessing Supply Chains ~ The People
When assessing potential products include a review of executives, technical staff, investors, and board of directors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.
🔒 Related Stories: Unifi | Dream Machine Pro | Ubiquiti | pfSense | Network Security
💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Update 4/12/24 — I definitely have more coming on this topic as it relates to the Microsoft Breach, specifically. Also leading a discussion on supply chain security at an IANS conference in Boston and hope to have more stories by then to share. :)
I wrote in my last post about a third-party hosted Mapbox API called by the Ubiquiti console. When you perform a security assessment on a product you should also take a look at any third-party components that device uses. The first thing you need to do is identify the third-party components which isn’t always easy. As I mentioned before, those third-party components in a network device could be leveraged in a supply chain attack.
An executive order from President Biden in May 2021 requires software companies to provide a bill of materials. I’m wondering how this applies to the software inside a network appliance or network security product.
Let me start by saying that in this post I am presenting some of the steps I would take in the analysis of a third-party component from Mapbox in the Ubiquiti Dream Machine Pro. I am NOT writing this to tell you there is any problem with this component, and this is not a complete analysis. This post is only a representation of my thought process when I am considering whether or not to use a new product, service, or open-source code. I like to know who's selling it to me and how it was developed.
People
One of the things I look at when I evaluate a product is who is involved in building, designing, developing, and directing product development. It is important for investors to do this as well when considering companies they may want to purchase as part of a merger or acquisition. Too many times, acquired companies are the target of a data breach.
Here are some of the things you can look at to evaluate who is involved in creating and directing the development of products you purchase. The steps below are not an all-inclusive list, and I am not making any judgments on this particular product. I'm just showing you what I look at for any product I purchase or include in code I'm developing. When I've been involved in M&A work I do a more thorough investigation, including interviews and technical inspection of products.
CEO
The first and most obvious thing to look at is who is the CEO of the company. I looked up the CEO of Mapbox on LinkedIn by searching for “Mapbox CEO” and filtering on people. He’s connected to many people I know because he used to work at Amazon. I might have even met him before because I’m an Amazon hero, but I don’t recall.
Once you find a person on LinkedIn you can see things like their experience in relation to the product and company at which they work, and their connections. Seeing who they worked for in the past and their roles gives you an idea of their level of experience. The CEO of Mapbox has a strong technical background. GM of MapReduce at AWS is quite impressive.

The one thing that stood out on this list was Ozon. I’d never heard of it. It turns out that this is supposed to be the “Amazon of Russia.” That’s interesting.

I wondered what other connections the CEO had to Russia. The website below claims the CEO is a Russian resident in the U.S.

Given what is going on with Russia and Ukraine at the moment, you might be taken aback by that information.
Before you immediately judge someone based on their country of origin, consider the following points:
- In college, I was curious about doing business in Russia. Everything in Russia was opening up and I thought it was a fascinating country. The country itself does not only have to do with its current leadership and their decisions.
- I have friends who are Russian. Wonderful, friendly, funny friends. People are people. Government leaders are another matter.
- The people in or from a country may not agree with the actions taken by their government. I have visited other countries where I myself was judged on the basis of actions taken by my country, with which I did not agree at the time.
- I cannot tell you if the links I am providing here are true or not without doing a lot more research — which I don't have time for right now. If I were actually performing this research I would cross-reference any links and information multiple times with credible sources and talk to the company itself if possible.
Further research into the CEO’s Twitter account shows the following:

Those are only two examples of information you can find about a CEO, not a complete picture. You might be satisfied with these results or want to research further, depending on how deep of an assessment you are trying to perform.
Investors
Look at the investors of the company. Here we can see 4 lead investors and 11 investors total. I would be interested to know who the 4 lead investors are, as they may have some influence over technical decisions.

Empede Capital appears to be located in Abu Dhabi.
Premjinvest is in Bangalore India.
You could continue to go down the list researching investors. Of course, you'd want to correlate this with other legitimate sources, and perform a more detailed investigation if any of this concerned you.
Look up each of these investment companies, how much they invested, and who runs each fund. In addition to who runs it, determine who actually puts money into the fund, and how much. A fund could be run by a person who doesn't invest a lot of money but simply manages the fund. That person may only do what the people who put the money into the fund instruct, depending on how it is structured.
I learned something about investors because I used to perform due diligence for venture capitalists and was involved in angel investing groups. Different types of investors will have different levels of involvement with the actual decisions made at a company.
Cross-reference information
You may want to further research other people involved in the company. Like I said, cross-reference and verify all information with multiple sources. When I pull up the details on Crunchbase I get a different CEO name from the one I got when I searched for the CEO of Mapbox on LinkedIn.
According to Wikipedia, “In March 2021, the company appointed a new chief executive officer Peter Sirota, replacing Eric Gundersen who has been with Mapbox since 2010.” That quote references a Bloomberg article.
I could go on and on mapping out who is involved in building a particular product down to the technical staff members, and others involved in the company.
Understand where your vendors develop and test software.
I was recently pondering where the software was designed and developed for the Ubiquiti product after reviewing some comments on newsgroups related to that product. Someone pointed out the job descriptions page for the company, which is always a good source of information beyond the company locations.
As I mentioned in that thread, a company may have multiple locations that develop different aspects of the product including hardware, web and cloud-hosted software, and the firmware that runs on various products.
On the Mapbox careers page I clicked on open positions and it took me to this map, but it’s not really clear if these are jobs within the company or advertising their developer network.

A map seems to indicate the company has locations in San Francisco and DC in the US, Japan, Finland, and Belarus.
The job descriptions and requirements at various locations can give you an idea of where the software is developed — and more importantly tested. If the software is tested in China, for example, a law that took effect in September 2021 requires that any security vulnerabilities are first disclosed to the Chinese government.
https://therecord.media/chinese-government-lays-out-new-vulnerability-disclosure-rules/
Vendors must share all vulnerability reports with the Ministry of Industry and Information Technology (MIIT) within two days.
When you use a product or purchase a company, it’s a good idea to understand who is funding the product, who is directing development of the product, who is building it, and what third-party components the products leverage. Taking this a step further you can determine if the Mapbox API includes any third-party components and repeat the process on any of those components.
Should Ubiquiti incorporate a third-party API into a network security product console?
Supply chain attacks are a complex problem. As I mentioned in my post on real-time third-party code injection, a better approach would be to host the code yourself if possible. Valid reasons exist for why a company may want to use this API to retrieve real-time information. Tracking all this map data is going to be a full-time job and Mapbox provides a very helpful service.
How could this map be used against you as a Ubiquiti customer? If someone has access to update the map data, they might be able to insert an attack into that data that runs in your web browser. For example, they might insert a cross-site scripting payload that redirects you to other domains or sends sensitive data, such as your session token, back to their own servers. That is just one of many types of security problems that can occur from running third-party code in a product.
Here are some things that Ubiquiti could do to further protect customers:
- For any static code such as JavaScript URLs, they could use a subresource integrity (SRI) check to validate the integrity of the code before the browser runs it. However, if that code in turn pulls in other third-party code or data that could be subject to injection, SRI on the first script alone is not enough.
- They could host a proxy service on one of their own domains and put a WAF-proxy solution in front of the Mapbox API call. Of course, this is extra overhead but security generally takes some effort.
- They could ask the vendor to provide a solution where they could host the data and code themselves and get updates from the vendor.
- In any case, there should be production and test versions. Ubiquiti should only be allowing a specific version of the API and data they have tested to get delivered live to customer devices. Updates would first go into a QA environment for testing, verification, and analysis, and then get pushed out to a production environment. Once pushed to customers, deployments should be static except for data, which should only come from trusted third parties. This is exactly how we used some third-party components we leveraged on a banking website. The vendors did not get to update the code that got delivered to our customers on the fly any time they wanted.
Hopefully, Ubiquiti has taken steps to prevent any malicious code injections from the API or someone who gets between the API and the customer device (a man-in-the-middle attack).
Proper product security assessments
Many times people ask me on consulting calls which product they should use. Sometimes they want to know what product every other company is using. I wrote about that approach in my post on Copycat Security:
Instead of telling companies which products to use, I tell them about available products and how I would perform the analysis if I worked at their company. I cannot provide a valid assessment of a product I have not studied in-depth and personally used. Looking at who designs and develops a product is part of that equation. This whole series of blog posts would be part of a product security assessment.
As you can imagine, without testing out a product to this level of detail I cannot honestly say it is a good product to use or not in your environment. I would only be guessing based on what I know. With a proper product security assessment, I can provide a much more accurate evaluation. It is also helpful to understand the environment and technical architecture where the customer plans to use the product. It is impossible to find every flaw or know every problem, but with a deep-dive hands-on assessment of a product or service, I can understand a lot more and make a proper recommendation.
Do your own full assessment of this and any other products you use
There may be absolutely no problem with this API. I’m not here to provide a security assessment of this particular product without the company’s permission ~ or compensation. (I get asked to do free product demos, assessments, evaluations, and promote products all the time ~ the last of which I don’t do, so don’t ask.)
It’s up to you to perform a proper security assessment if you decide to use this or any other product. That includes open-source code. This post gives you some steps you can take to start the process of assessing the company or product using publicly available information. This is only part of what I would do to assess a product for use by a company.
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2022
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
