This site may earn affiliate commissions from the links on this page. Terms of use.

Asus isn't having a very good March. There are fresh allegations of major security breaches past the company's employees, this fourth dimension involving GitHub. The news comes on the heels of a security trouble the visitor is even so dealing with.

Earlier this week, Kaspersky Labs and Symantec both publicly stated that a major security alienation at Asus had put the company'southward customers at risk. Co-ordinate to Kaspersky Labs, upwards to a million systems might accept been infected past a hacked version of Asus' LiveUpdate software, as role of a goal of targeting ~600 very specific users past MAC address. Asus has released a argument on the attacks, confirming the assail was classified as an APT (Advanced Persistent Threat), a type of attack typically deployed past nation-states or potentially in corporate espionage rather than past ordinary hackers.

A security analyst that goes by SchizoDuckie contacted Techcrunch to share details of a security breach he discovered in Asus' human being firewall. According to him, Asus was improperly publishing its ain employee passwords in repositories on GitHub. He was able to access internal company e-mail every bit a result where nightly builds of apps, drivers, and tools were shared. The business relationship was owned by an engineer who had reportedly left information technology open for at least a year. TC reports that SchizoDuckie shared screenshots to validate his findings, though they oasis't been released.

TechCrunch implies that this vulnerability isn't how the hackers from the before attack gained access to Asus' servers, writing:

The researcher's findings would non have stopped the hackers who targeted Asus' software update tool with a backdoor, revealed this week, simply reveals a glaring security lapse that could have put the visitor at hazard from similar or other attacks. Security firm Kaspersky warned Asus on January 31 — just a day before the researcher'south ain disclosure on February i — that hackers had installed a backdoor in the company'due south Asus Live Update app. The app was signed with an Asus-issued document and hosted on the visitor'south download servers.

It isn't clear if Asus has identified exactly how its LiveUpdate app was compromised. Supposedly the app was compromised from July through November of last year and the GitHub business relationship with the published passwords was active for at least a yr before the disclosure was fabricated to Asus on February i. The timelines overlap significantly. SchizoDuckie also reported finding company passwords exposed on GitHub in two other engineers' accounts.

"Companies have no clue what their programmers do with their lawmaking on GitHub," SchizoDuckie said. Asus has said it couldn't verify Schizo'due south claims, just that "Asus is actively investigating all systems to remove all known risks from our servers and supporting software, as well as to ensure in that location are no data leaks."

These sorts of security issues aren't unique to Asus — nosotros've seen a number of companies nailed by leaky credentials — but they speak to how complex a claiming information technology is to secure modern infrastructure and but how easy it is for information to leak.

Now Read:

  • Asus Acknowledges, Responds to Set on just Disputes Kaspersky Numbers
  • Asus Will Combine AMD APUs, Nvidia GPUs in Upcoming Laptops: Report
  • Asus Live Update Pushed Malware to i Million PCs