
Technical supply chain is more vulnerable than ever



A shot heard around the world was fired last week when Bloomberg published its article "The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies." In it, Jordan Robertson and Michael Riley explain how Chinese spies infiltrated nearly 30 American companies by embedding compromised microchips in Supermicro motherboards, which these companies then deployed in their data centers. Once installed, the microchips could be reached by the attackers, who could then remotely control the motherboards. As the article puts it, this was "the most significant supply chain attack known to have been carried out against American companies."

To convey the potential scale of this, Robertson and Riley quoted a former US intelligence officer who said: "Think of Supermicro as the Microsoft of the hardware world." He continued, "Attacking Supermicro motherboards is like attacking Windows. It's like attacking the whole world."

When the dust began to settle from the initial shock of Bloomberg's claims, most of the companies named in the article denied them. Apple even wrote a letter to Congress stating that the story was "simply wrong." Both the UK National Security Center and US Homeland Security have said they believe Apple and Amazon are telling the truth – and that the alleged Supermicro hack never happened.

Whether or not the Bloomberg story holds up, supply chain attacks are already occurring in the wild, and this should be a wake-up call for all of us.

Software is even easier to compromise than hardware

While the Supermicro story concerns an alleged attack on a hardware supply chain, the scary part is that it is far easier for bad actors to infiltrate and compromise a software supply chain. With hardware, you must physically touch something to carry out the attack. With software, you can do it from anywhere.

To that end, I have seen 10 incidents over the last 2 years that together point to a severe escalation of software supply chain attacks. In particular, adversaries have injected vulnerabilities directly into open source ecosystems and projects. In some cases, these compromised components were then unknowingly used by software developers to assemble applications. Those compromised applications, believed to be safe, were then delivered to both consumers and businesses. The risk is significant – and it is unknown to everyone except the person who intentionally planted the compromised component in the software supply chain.

Historically, software attacks have occurred after a new vulnerability has been published, not before. In effect, the "bad guys" watch for disclosures – and when a new vulnerability is announced, they move quickly to exploit it before the "good guys" can patch it. It is a good business model – especially when you consider that only 38 percent of companies monitor and manage their software supply chain.

Today the game has changed. Organizations must now contend with adversaries injecting vulnerabilities directly into the supply of open source components. In one such example from February 2018, a core contributor to the conventional-changelog ecosystem (a widely used JavaScript package) had his credentials compromised. A bad actor, using those credentials, published a malicious version of conventional-changelog (version 1.2.0) to npmjs.com. Although the intentionally compromised component was available in the supply chain for only 35 hours, it is estimated to have been downloaded and installed more than 28,000 times. Some percentage of those vulnerable components were then assembled into applications that were subsequently released into production. As a result, those organizations unintentionally shipped a Monero cryptocurrency miner into the wild – and the perpetrators of the supply chain hack did well for themselves.
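The conventional-changelog incident above is the kind of event the "38 percent who monitor their supply chain" would catch and the rest would not. As an added example (not code from the article or from Sonatype), the script below audits an npm package-lock.json against a small blocklist of known-compromised versions and flags any dependency entry that lacks an `integrity` hash, which is what lets npm verify that the tarball it installs matches what was locked. The blocklist contains only the version named in the article; the lockfile content, the package names other than conventional-changelog, the integrity strings, and the `BLOCKLIST` / `auditLockfile` names are all constructed for this example. It handles both the nested lockfileVersion 1 layout and the flat `packages` map of lockfileVersion 2 and 3.

```javascript
// Known-compromised package versions. In practice this would be fed from an
// advisory source; here it holds only the version the article names.
const BLOCKLIST = {
  'conventional-changelog': new Set(['1.2.0']),
};

// Constructed sample lockfile (lockfileVersion 1: nested "dependencies").
// "example-dep" and "example-util" are made-up package names; the integrity
// strings are placeholders, not real hashes.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'conventional-changelog': {
      version: '1.2.0',
      resolved: 'https://registry.npmjs.org/conventional-changelog/-/conventional-changelog-1.2.0.tgz',
      integrity: 'sha512-PLACEHOLDER_A',
      dependencies: {
        // Transitive dependency with no integrity field: npm cannot verify it.
        'example-dep': { version: '1.0.3', resolved: 'https://registry.npmjs.org/example-dep/-/example-dep-1.0.3.tgz' },
      },
    },
    'example-util': { version: '4.17.11', resolved: 'https://registry.npmjs.org/example-util/-/example-util-4.17.11.tgz', integrity: 'sha512-PLACEHOLDER_B' },
  },
};

// Check one dependency entry and append findings.
function checkEntry(findings, blocklist, name, entry, path) {
  const version = entry.version;
  if (blocklist[name] && blocklist[name].has(version)) {
    findings.push({ kind: 'blocklisted', name, version, path });
  }
  if (!entry.integrity) {
    findings.push({ kind: 'missing-integrity', name, version, path });
  }
}

// Audit a parsed lockfile object. Returns a list of findings; an empty list
// means nothing on the blocklist was found and every entry carries an integrity hash.
function auditLockfile(lock, blocklist = BLOCKLIST) {
  const findings = [];

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, e.g.
    // "node_modules/a/node_modules/b". The root package ("") is skipped.
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === '') continue;
      const name = key.split('node_modules/').pop();
      checkEntry(findings, blocklist, name, entry, `${key}@${entry.version}`);
    }
    return findings;
  }

  // lockfileVersion 1: recursive "dependencies" tree.
  function walk(deps, parents) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const chain = [...parents, `${name}@${entry.version}`];
      checkEntry(findings, blocklist, name, entry, chain.join(' > '));
      walk(entry.dependencies, chain);
    }
  }
  walk(lock.dependencies, []);
  return findings;
}

// Convenience wrapper for a lockfile on disk (Node.js only).
function auditLockfileAt(filePath) {
  const fs = require('fs');
  return auditLockfile(JSON.parse(fs.readFileSync(filePath, 'utf8')));
}

// Run against the constructed sample; pass a path as the first argument to
// audit a real lockfile instead.
const results = (typeof process !== 'undefined' && process.argv && process.argv[2])
  ? auditLockfileAt(process.argv[2])
  : auditLockfile(SAMPLE_LOCK);
for (const f of results) {
  console.log(`${f.kind}: ${f.path}`);
}
```

Running it on the sample prints one `blocklisted` line for conventional-changelog@1.2.0 and one `missing-integrity` line for the transitive dependency beneath it. Wiring a check like this into CI, so that a build fails on a blocklisted version or on a lock entry with no integrity hash, is a concrete form of the supply chain monitoring the article says most organizations still lack; the 35-hour window in the incident above is short enough that a check that only runs on a weekly schedule would likely miss it.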

Here's the point: whether or not the Bloomberg report on Supermicro is accurate, attacks on our technology supply chains – both software and hardware – are already real. Now, more than ever, we need to talk about ways to secure those supply chains.

Brian Fox is SVP and Chief Technology Officer of Sonatype.

