Supply Chain Security is the Whole Enchilada, But Who’s Willing to Pay for It? — Krebs on Security

https://krebsonsecurity.com/2018/10/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it/

You can have it fast, cheap, or secure — pick any two.

It seems to be possible as long as “secure” isn’t one of your choices.

“Our IT industry is inexorably international, and anyone involved in the process can subvert the security of the end product,” Schneier wrote.
We don’t often hear about intentional efforts to subvert the security of the technology supply chain simply because these incidents tend to get quickly classified by the military when they are discovered.
Indeed, noted security expert Bruce Schneier calls supply-chain security “an insurmountably hard problem.”

Most of the U.S. government’s efforts to police the global technology supply chain seem to be focused on preventing counterfeits — not finding secretly added spying components.

Finally, it’s not clear that private industry is up to the job, either. At least not yet.

Supply chain challenges definitely fit into the category “things I can’t change”.

58 Comments

  1. Tomi Engdahl says:

    Joseph Bernstein / BuzzFeed News:
    Amazon canceled some ads on Bloomberg’s properties, sources say due to China spy chips story; sources: Apple did not invite Bloomberg to fall product event — Amazon pulled its fourth quarter advertisements on Bloomberg’s website, a move some within the media giant think is retribution …

    Amazon Has Pulled Its Ads From Bloomberg Over China Hack Story
    https://www.buzzfeednews.com/article/josephbernstein/amazon-pulled-ads-bloomberg-over-china-hack-story

    Sources say both Amazon and Apple are taking retributive measures against the outlet that alleged they were hacked by China.

  2. Tomi Engdahl says:

    Building a Proof of Concept Hardware Implant
    https://hackaday.com/2018/10/24/building-a-proof-of-concept-hardware-implant/

    [Nicolas Oberli] of Kudelski Security wanted to do more than idly speculate, so he decided to come up with a model of how an implanted hardware espionage device could interact with the host system. He was able to do this with off the shelf hardware, meaning anyone who’s so inclined can recreate this “Hardware Implant Playset” in their own home lab for experimentation. Obviously this is not meant to portray a practical attack in terms of the hardware itself, but gives some valuable insight into how such a device might function.

    Build Your Own Hardware Implant
    https://research.kudelskisecurity.com/2018/10/23/build-your-own-hardware-implant/

  3. Tomi Engdahl says:

    IFTLE 397: Malicious Embedded Chips? And TSMC Rides the Leading Edge
    https://www.3dincites.com/2018/10/iftle-397-malicious-embedded-chips-and-tsmc-rides-the-leading-edge/

    Malicious Embedded Chips in our Mother Boards?

    Early October brought a report from Bloomberg that I have heard was the top tech story circulating at the DoD and DARPA.

    For years, articles about counterfeit chips, and our reliance on Asian-made chips – where they could be modified in ways to pass on information or allow hacks – have worried us. Now… we’ve got something new to worry about.

    The 3rd party discovered that the servers customers installed in AWS’ networks to handle the video compression were assembled by Super Micro Computer, a San Jose CA company that also supplied the server motherboards. Nested on the servers’ motherboards, the testers found a tiny microchip that wasn’t part of the boards’ original design.

    Amazon reported the discovery to U.S. authorities. Elemental’s servers were found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. Investigators reportedly determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines.

    Elemental was just one of the hundreds of Super Micro customers

    The FBI and the Office of the Director of National Intelligence, representing the CIA and NSA, declined to comment. While Apple and Amazon denied the Bloomberg report [link] Bloomberg defended its reporting, indicating that “…the companies’ denials are countered by six current and former senior national security officials, who in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation.

    One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and classified, nature of the information.”

    Certainly, if nothing else, these reports have opened eyes to the issue of not having the capability for packaging and assembly in the US for consumer products, as well as DoD applications.

    https://www.reuters.com/article/us-china-cyber/apple-amazon-deny-bloomberg-report-on-chinese-hardware-attack-idUSKCN1ME19J

  4. Tomi Engdahl says:

    Hardware Cyberattacks: How Worried Should You Be?
    https://www.darkreading.com/vulnerabilities—threats/hardware-cyberattacks-how-worried-should-you-be/d/d-id/1333167

    How to fit hardware threats into your security model as hardware becomes smaller, faster, cheaper, and more complex.

  5. Tomi Engdahl says:

    Supply-chain attack on cryptocurrency exchange gate.io
    https://www.welivesecurity.com/2018/11/06/supply-chain-attack-cryptocurrency-exchange-gate-io/

    Latest ESET research shows just how far attackers will go in order to steal bitcoin from customers of one specific virtual currency exchange

    On November 3, attackers successfully breached StatCounter, a leading web analytics platform. This service is used by many webmasters to gather statistics on their visitors – a service very similar to Google Analytics.

    By compromising the StatCounter platform, attackers can inject JavaScript code in all websites that use StatCounter.

    Attackers modified the script at http://www.statcounter.com/counter/counter.js by adding a piece of malicious code

  6. Tomi Engdahl says:

    Microsoft Finds Pirated Windows on Too Many New Computers
    Company also discovers malware and coin miners on these PCs
    https://news.softpedia.com/news/microsoft-finds-pirated-windows-on-too-many-new-computers-523595.shtml

    Microsoft has conducted its own investigation on the Asian new PC market, only to discover an insane number of computers sold with a pirated Windows license.

    As reported by The Economic Times, Microsoft purchased PCs between May and July from Asian markets in an attempt to determine how many of them are shipped with counterfeit Windows licenses and malware pre-installed.

  7. Tomi Engdahl says:

    DUST Identity Emerges From Stealth to Protect Device Supply Chain
    https://www.securityweek.com/dust-identity-emerges-stealth-protect-device-supply-chain

    Boston, MA-based start-up firm DUST Identity has emerged from stealth with $2.3 million seed funding led by Kleiner Perkins, with participation from New Science Ventures, Angular Ventures, and Castle Island Ventures. It was founded in 2018 by Ophir Gaathon (CEO), Jonathan Hodges (VP engineering) and Dirk Englund (board member).

    DUST, an anagram for ‘diamond unclonable security tag’, has developed a method to ensure the provenance and integrity of any object. Its purpose is to protect the physical supply chain from manufacture to installation, and during continued use. In essence, a very tiny spray of diamond particles is applied to any surface. The pattern created is random but unique to each object. This is scanned and recorded, and becomes the object’s fingerprint. Any physical attempt to tamper with the object disturbs the fingerprint and becomes known.

    The spray pattern is random by design. DUST takes the view that if it could predefine a pattern, then an adversary would be able to copy it. Instead it allows the vagaries of nature and the environment to create an unclonable unique pattern.

