
Pacific Rim: Chronicling a 5-year Hacking Escapade
Contributors to this post: Mickey Shkatov, Alex Bazhaniuk. So What Happened? Last week, Sophos released a bombshell report on what they’re calling “Pacific Rim”—and no, we’re not talking about giant robots fighting sea monsters. Sophos chronicles a five-year ordeal involving nation-state threat actors targeting network appliances, particularly Sophos firewalls. The ... Read More

BTS #38 – The Role of SBOMs in Modern Cybersecurity – Patrick Garrity
In this episode of Below the Surface, host Paul Asadoorian and guest Patrick Garrity discuss the complexities of vulnerability tracking and prioritization. They explore various sources of vulnerability data, the significance of known exploited vulnerabilities, and the concept of weaponization in cybersecurity. The conversation delves into the challenges posed by ... Read More

Squashing the Velvet Ant: How Eclypsium Protects Cisco NX-OS and F5 Load Balancers
Introduced in 2006, Cisco’s NX-OS powers the Cisco Nexus series network switches primarily targeted at large enterprise data centers and service providers. Cisco’s NX-OS represents a different architecture than Cisco IOS (Internetworking Operating System), implementing a Linux sub-system that allows for better memory management, process scheduling, and device driver support ... Read More

Firmware Guide for Pen Testers
Contributions from Mathew Mullins, Supply Chain Security Consultant here at Eclypsium. Introduction: Penetration tests come in many different varieties, with the scope varying from all-inclusive to highly specific. When the penetration testing engagement includes devices, there is an opportunity to both highlight weaknesses and weaponize the firmware. Many resources and ... Read More

Bus Pirate 5: The Swiss ARRRmy Knife of Hardware Hacking
Introduction: The Bus Pirate is an open-source hardware hacking platform designed for interfacing with various protocols and hardware interfaces, serving as the “Swiss Army Knife” of hardware hacking. I always keep one with me as you just never know when you will find yourself trying to hack some electronics and ... Read More

Dark Reading: Why CVEs Are an Incentives Problem
It’s time to rethink the pivotal role incentives play in shaping behavior to find and disclose software vulnerabilities. More accurate guidance to reflect real-world risks and a tiered verification process to establish potential impact could slow misleading submissions. Read More

Linux Supply Chain Validation Cheat Sheet
Linux provides several tools and techniques that allow users to query systems for information about hardware and firmware. (This post builds on our previous post, Linux Commands To Check The State Of Firmware.) Just this information alone does not validate the supply chain, but provides data that can be used ... Read More

Protecting Rugged Gear from UEFI Threats and Secure Boot Vulnerabilities
One time while attending a conference and getting ready to hop in an Uber (although it may have been a cab at the time), I was passing my luggage to be loaded in the vehicle. Perhaps it was the Las Vegas heat, coupled with being exhausted after a long conference, ... Read More

Exploring EMBA: Unraveling Firmware Security with Confidence
Firmware security analysis is a critical aspect of modern cybersecurity. As our devices become more interconnected and reliant on firmware, understanding the vulnerabilities in this often overlooked layer of software is paramount. In this article, we delve into EMBA, a powerful open-source firmware security analysis tool. We'll explore its history, ... Read More

Android TV Devices: Pre-0wned Supply Chain Security Threats
Validating The Digital Supply Chain: For more insights on hardware hacking, check out the webinar: Spooky Experiments – Building Your Own Security Research Lab. With the help of the Eclypsium research team (and others mentioned below), I set out to look inside some of the Android TV devices on the ... Read More