Supply Chain Security is the Whole Enchilada, But Who’s Willing to Pay for It? — Krebs on Security

https://krebsonsecurity.com/2018/10/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it/

You can have it fast, cheap, or secure — pick any two.

It seems to be possible as long as “secure” isn’t one of your choices.

We don’t often hear about intentional efforts to subvert the security of the technology supply chain simply because these incidents tend to get quickly classified by the military when they are discovered.
Indeed, noted security expert Bruce Schneier calls supply-chain security “an insurmountably hard problem.”
“Our IT industry is inexorably international, and anyone involved in the process can subvert the security of the end product,” Schneier wrote.

Most of the U.S. government’s efforts to police the global technology supply chain seem to be focused on preventing counterfeits — not finding secretly added spying components.

Finally, it’s not clear that private industry is up to the job, either. At least not yet.

Supply chain challenges definitely fit into the category “things I can’t change”.


  1. Tomi Engdahl says:

    We Built the Supply Chain We Wanted … Not the One Needed
    https://www.eetimes.com/we-built-the-supply-chain-we-wanted-not-the-one-needed/

    The lessons of COVID-19 may be numerous but one stands out. The global supply chain is skewed towards one part of the world. This represents a great danger to everyone. If this wasn’t clear before, despite attempts by some to point out the dangers of this imbalance, it is now obvious the system needs to be corrected. And corrected it will be. Globally, and by the different regions.

    The price of production outsourcing to China is too high. Today, it is measured in the loss of lives — by the tens of thousands. The expected cost-efficiencies cannot be justified anymore.

  2. Tomi Engdahl says:

    Apple scoffed at Bloomberg claims that its servers were compromised by a surreptitious component. But the truth is, the printed circuit board supply chain is quite vulnerable.

    Three Ways to Hack a Printed Circuit Board
    https://spectrum.ieee.org/computing/hardware/three-ways-to-hack-a-printed-circuit-board

  3. Tomi Engdahl says:

    Over the past two years, the global supply chain has been hit with two major upheavals: the United States-China trade war and, more cataclysmically, COVID-19.

    https://techcrunch.com/2020/08/17/how-tech-can-build-more-resilient-supply-chains/?tpcc=ECFB2020

  4. Tomi Engdahl says:

    5 Essential Post-COVID Actions for Supply-Chain Businesses
    https://www.designnews.com/industry/5-essential-post-covid-actions-supply-chain-businesses?ADTRK=InformaMarkets&elq_mid=14273&elq_cid=876648

    Rethinking and remaking the supply chains, production, financial markets and global economies to be resilient will be essential. But how?

    How can businesses perform better in this new world and become more resilient for the next crisis? Put differently, how can companies ensure their survival while contributing to the safeguard of their respective economies? According to Verzelen, five things must happen:

    Employees must be protected.
    Financial health must be maintained.
    Marketing and sales must be adaptive.
    The supply chain must be safeguarded.
    The ecosystem must be helped.

  5. Tomi Engdahl says:

    I thought this was the best ‘plain English’ summary of what’s happening. Of course the Cozy Bear link is still speculative but it makes good headlines…

    ~18,000 organizations downloaded backdoor planted by Cozy Bear hackers
    Russia-backed hackers use supply chain attack to infect public and private organizations.
    https://arstechnica.com/information-technology/2020/12/18000-organizations-downloaded-backdoor-planted-by-cozy-bear-hackers/

    About 18,000 organizations around the world downloaded network management tools that contained a backdoor that a nation state used to install malware in organizations that used the software, the tools provider, SolarWinds, said on Monday.

    The disclosure from Austin, Texas-based SolarWinds came a day after the US government revealed a major security breach hitting federal agencies and private companies. The US Departments of Treasury, Commerce, and Homeland Security were among the federal agencies on the receiving end of hacks that gave access to email and other sensitive resources, Reuters reported. Federal agencies using the software were instructed on Sunday to disconnect systems that run the software and perform a forensic analysis of their networks.

    Security firm FireEye, which last week disclosed a serious breach of its own network, said that hackers backed by a nation-state compromised a SolarWinds software update mechanism and then used it to infect selected customers who installed a backdoored version of the company’s Orion network management tool.

    The backdoor infected customers who installed an update from March to June of this year, SolarWinds said in a document filed on Monday with the Securities and Exchange Commission. The implant “was introduced as a result of a compromise of the Orion software build system and was not present in the source code repository of the Orion products,” Monday’s filing said. SolarWinds, which said it has about 300,000 Orion customers, put the number of affected customers at about 18,000.

    “SolarWinds by its nature has very privileged access to other parts of your infrastructure,” Chapple, a former computer scientist at the National Security Agency, said in an interview. “You can think of SolarWinds as having the master keys to your network, and if you’re able to compromise that type of tool, you’re able to use those types of keys to gain access to other parts of the network. By compromising that, you have a key basically to unlock the network infrastructure of a large number of organizations.”

    The hacks are part of what the federal government and officials from FireEye, Microsoft, and other private companies said was a widespread espionage campaign that a sophisticated threat actor was carrying out through a supply chain attack.

    In a blog post FireEye published Sunday night, the company said it uncovered a global intrusion campaign that used the backdoored SolarWinds update mechanism as an initial entryway “into the networks of public and private organizations through the software supply chain.” Publications, including The Washington Post and The New York Times, cited unnamed government officials saying Cozy Bear, a hacking group believed to be part of the Russian Federal Security Service (FSB), was behind the compromises.

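The SEC filing quoted in the comment above makes a point worth seeing in code: the implant was added by the compromised build system and never appeared in the source repository, and the resulting artifact shipped through the vendor's normal, signed update channel. A customer who only verifies the vendor's signature therefore learns nothing. The following is an added example, not code from the Krebs post, from any commenter, or from SolarWinds; it shows why a valid release signature and a correct manifest digest still pass for a trojaned build, and how an independent rebuild from the tagged source is the one check that fails. The "release key" is an HMAC-SHA256 secret standing in for a code-signing certificate, the artifacts are byte strings standing in for installers, and every name, key, version and byte value is invented for the example.

```python
"""Added example (not from the Krebs post or any comment): a valid vendor
signature does not prove a build is clean; an independent rebuild can.

Constructed scenario: the build server is compromised, the source repository
is untouched, and the implant is spliced in at build time and then signed
with the vendor's legitimate release key. All names, keys, versions and
bytes below are invented for illustration.
"""
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-ins: an HMAC secret in place of a code-signing cert, and
# byte strings in place of real installer binaries.
RELEASE_KEY = b"vendor-release-key-INVENTED-FOR-EXAMPLE"
CLEAN_BUILD = b"update-installer.bin: legitimate compiled output (constructed)"
TROJANED_BUILD = CLEAN_BUILD + b"\n;; implant spliced in by compromised build server (constructed)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(release_key: bytes, artifact: bytes, version: str) -> dict:
    """What the vendor's pipeline publishes: artifact digest, version, and an
    HMAC over both (stand-in for a detached code signature)."""
    body = {"version": version, "sha256": sha256_hex(artifact)}
    payload = json.dumps(body, sort_keys=True).encode()
    body["sig"] = hmac.new(release_key, payload, hashlib.sha256).hexdigest()
    return body


def signature_valid(release_key: bytes, manifest: dict) -> bool:
    """Recompute the HMAC over everything except the signature field."""
    body = {k: v for k, v in manifest.items() if k != "sig"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(release_key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("sig", ""))


def verify_release(release_key: bytes, manifest: dict, downloaded: bytes,
                   independent_rebuild: Optional[bytes] = None) -> dict:
    """Three checks a customer can run on an update:
      1. the manifest carries an authentic vendor signature,
      2. the downloaded bytes match the digest in the manifest,
      3. (when available) a rebuild from the tagged source yields the same bytes.
    Checks 1 and 2 only prove the vendor's pipeline produced these bytes.
    Only check 3 can catch an implant inserted by that pipeline itself."""
    result = {
        "signature_ok": signature_valid(release_key, manifest),
        "digest_matches_manifest": sha256_hex(downloaded) == manifest.get("sha256"),
        "reproducible": None,
    }
    if independent_rebuild is not None:
        result["reproducible"] = sha256_hex(independent_rebuild) == sha256_hex(downloaded)
    checks = [result["signature_ok"], result["digest_matches_manifest"]]
    if result["reproducible"] is not None:
        checks.append(result["reproducible"])
    result["trustworthy"] = all(checks)
    return result


def demo() -> dict:
    """Honest release vs. build-server compromise, both signed with the same key."""
    # Honest pipeline: signs the clean artifact; the customer's rebuild matches.
    honest_manifest = sign_manifest(RELEASE_KEY, CLEAN_BUILD, "1.0.0-example")
    honest = verify_release(RELEASE_KEY, honest_manifest, CLEAN_BUILD, CLEAN_BUILD)

    # Compromised pipeline: signs the trojaned artifact with the legitimate key.
    # The source repository is clean, so the customer's rebuild is CLEAN_BUILD.
    trojaned_manifest = sign_manifest(RELEASE_KEY, TROJANED_BUILD, "1.0.0-example")
    trojaned = verify_release(RELEASE_KEY, trojaned_manifest, TROJANED_BUILD, CLEAN_BUILD)
    return {"honest": honest, "trojaned": trojaned}


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, json.dumps(outcome))
```

In the trojaned case the signature and manifest digest both check out, because the attacker controlled the machine that produced and signed the bytes; only the comparison against an independent rebuild fails. That is the practical argument for reproducible builds and for verifying them from outside the vendor's pipeline, rather than relying on the vendor's own signature as proof of integrity.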
  6. Tomi Engdahl says:

    SolarWinds’ Update Server Could Be Accessed in 2019 Using Password ‘solarwinds123’: Report
    https://www.newsweek.com/solarwinds-update-server-could-accessed-2019-using-password-solarwinds123-report-1554986

    SolarWinds’ update server was accessible by using the simple password “solarwinds123” in late 2019, according to a security researcher.

    News broke on Sunday that SolarWinds’ OrionIT product was hacked as far back as March, with malware added to a software update that was downloaded by thousands of clients. The cyberattack went undetected for months, compromising the computers at top federal government agencies and potentially impacting hundreds of prominent American corporations.

    As the damage continues to be investigated, experts have begun pointing to concerns about potentially substandard security protocols. Security researcher Vinoth Kumar told Reuters he alerted SolarWinds last year that its update server could easily be accessed by anyone using the simple password: “solarwinds123.”

    “This could have been done by any attacker, easily,” Kumar told the news agency.

    Kumar initially told Newsweek that the issue had been present for more than three weeks before it was fixed. After this article published, the researcher followed up to say that he’d discovered the problem appeared to be present all the way back in June 2018.

    Alleged Russian SolarWinds Hack ‘Probably an 11’ On Scale of 1 to 10, Cybersecurity Expert Warns
    https://www.newsweek.com/alleged-russian-solarwinds-hack-probably-11-scale-1-10-cybersecurity-expert-warns-1554606

    A cybersecurity expert warned that the alleged Russian hack of SolarWinds software, which affected top government agencies, is “probably an 11” in terms of seriousness on a scale of one to 10.
