An Expert's View – Krebs on Security




Earlier this month, I spoke at a cybersecurity conference in Albany, New York, alongside Tony Sager, Senior Vice President and Chief Evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency. We spent a lot of time discussing a range of issues, including supply chain security, and I asked Sager whether he had heard the rumors that Supermicro – a high-tech firm based in San Jose, California – might have inserted backdoors into technology sold to a number of U.S. companies.

Tony Sager, Senior Vice President and Chief Evangelist at the Center for Internet Security.

The event Sager and I spoke at took place before the publication of the controversial Bloomberg Businessweek story alleging that Supermicro had duped some 30 companies into buying backdoored hardware. Sager said he hadn't heard anything about Supermicro specifically, but we did discuss at length the challenges of securing the technology supply chain.

What follows are excerpts from our conversation. I learned a lot, and I hope you will too.

Brian Krebs (BK): Do you think Uncle Sam spends enough time focusing on the supply chain security problem? It seems like a very big threat, but also one that is really difficult to counter.

Tony Sager (TS): The federal government has been worried about this kind of problem for decades. In the 70s and 80s, the government was more dominant in the technology industry and hadn't yet experienced the massive internationalization of the technology supply chain.

But even then, there were people who saw where all this was headed, and there were some pretty big government programs to look into it.

BK: Right, the Trusted Foundry program I guess is a good example.

TS: Exactly. It was an attempt to help support a U.S.-based technology industry so that we had an indigenous place to work, with only authorized personnel and total control over processes and parts.

BK: Why do you think more companies aren't pushing to have their code and hardware produced through foundries here in the United States?

TS: Like a lot of things in security, economics always wins. Eventually, the incremental costs of offshored parts and labor overwhelmed attempts to manage this challenge.

BK: But surely there are some areas of computer hardware and network design where you absolutely need a much higher assurance of integrity.

TS: Right, and that's how they approach things at Sandia National Laboratories [one of three national nuclear security research and development laboratories]. One of the things they looked at was whether a single person could introduce something into the design of a nuclear weapon.

The basic premise of the design was to assume that one person in the process could be subverted in some way, and the whole design philosophy is built around making sure that no single person can sign off on what happens in a particular process, and that every aspect of the system is under observed control. So there are a lot of technical and procedural controls there.

But the bottom line is that this is really much harder [for non-nuclear electronic components] because of the current offshoring of electronic components, as well as of the software that runs on that hardware.

BK: So is the government basically only interested in supply chain security insofar as it affects the goods it wants to buy and use?

TS: The government still holds regular meetings on supply chain risk management, but there is no easy answer to this problem. The technical ability to detect that something is wrong has been overwhelmed by the ability to do something about it.

BK: Wait, what?

TS: Suppose a nation-state dominates a piece of technology and in theory it can insert something into it. The attacker in this case also has a risk model. Yes, it could put something into the circuitry or the design, but its risk of exposure also goes up.

Could I, as an attacker, control the components that go into certain designs or products? Sure, but it's often really hard to know who the target of that product is, or how you will guarantee that your target will use it. And there is still only a limited number of bad guys who can pull that stuff off. In the past, it was much more lucrative for the attacker to go after the supply chain on the retail side, hitting machines aimed at specific markets in order to narrow the impact of that activity.

BK: Targeting your attack becomes problematic if you don't really limit the number of targets that receive the compromised hardware.

TS: Yes, you can put something into everything, but suddenly you have a huge big-data collection problem. As an attacker, you have created a different kind of scanning problem. Of course, some countries have more capacity than others to sift through the huge amounts of data they collect.

BK: Can you talk about some of the things the government has generally done to figure out whether a particular technology vendor might be trying to slip a few compromised devices into one of many orders?

TS: There is this concept of "blind purchase," where if you think the threat vector is someone getting into my supply chain and harming the security of individual machines or groups of machines, the government finds a way to buy specific systems so that no one can target them. In other words, the vendor doesn't know it's the government doing the buying. It's a fairly standard technique to get around this difficulty, but it's a constant cat-and-mouse game.

BK: I know you said before this interview that you weren't willing to comment on the specific claims in Bloomberg's recent article, but it seems that supply chain attacks targeting cloud providers could be very attractive to an attacker. Can you talk about how the big cloud providers could mitigate the risk of bringing manufacturer-compromised hardware into their operations?

TS: It's certainly a natural place to attack, but it's also a complicated place to attack, precisely because of the nature of the cloud, which brings many tenants together on one machine. If you attack a target with on-premises technology, it's pretty simple. But the whole point of the cloud is to host machines and use the same resources more efficiently, so there may be many users on a given machine. So how do you target that in a supply chain attack?

BK: Is there anything about the way these cloud-based companies operate, perhaps just their sheer scale, that makes them more resilient to supply chain attacks compared to companies in other industries?

TS: That's a great question. The counter-trend is that to get the kind of speed and scale the Googles and Amazons and Microsofts of the world want, these companies are much less likely to settle for commodity hardware. In fact, they are now more inclined to build their own.

BK: Can you give some examples?

TS: These cloud computing vendors have had a lot of discussion about what they have in common, which parts of the design they could work on together to create a market they could leverage. So we are starting to see a real shift away from commodity components in favor of parts that are designed by the service provider, or where the provider is closely involved in the design. They can therefore also build security checks into that hardware. Now, if you rely on people to implement those designs exactly, that's a different problem. But these are really complex technologies, so it's not trivial to insert backdoors. It's getting harder and harder to hide these kinds of things.

BK: That's interesting, considering that each of us has come to rely on various cloud platforms. Are there other examples of how cloud providers can make it harder for attackers to subvert their services through supply chain shenanigans?

TS: One factor is that they refresh this technology fairly regularly. Also, the lifespan of these cloud providers' technology is only a few years. They all want faster, more efficient and more powerful hardware, and a dynamic environment is much harder to attack. This actually turns out to be a very costly problem for the attacker, because an attack may have taken a year to get off the ground, and in many cases the short lifespan of this technology [at the cloud providers] really drives up the cost for the attackers.

When I looked at the claims from Amazon, Google and Microsoft, the architecture and designs that support this service model bring together a lot of capability, including the deployment of ever stronger security systems. Yes, they still often use non-U.S. parts, but they are really aware of it when they do. That doesn't mean these kinds of supply chain attacks are impossible, but they aren't getting any easier over time.

BK: It seems to me that most of the government's efforts to secure the technology supply chain consist of looking for counterfeit products that could end up in tanks, ships and planes and cause problems, rather than looking at commercial technology. Do you think that's accurate?

TS: I think that description is right. It's a logistics problem. The counterfeit problem is a related problem. Transparency is one general design philosophy. Another is accountability and traceability back to a source. There is this buzzword that says if you can't build in security, build in accountability. Basically, the idea was that you often can't create optimal or perfect security, but if you can implement accountability and traceability, that's a pretty powerful deterrent as well as a needed help.

BK: For example…?

TS: Well, the focus is on high-quality, non-editable logging. If you can create strong accountability, then when there is a problem I can trace it back far enough to make the problem technically harder for the attacker. Once I know I can trace the construction of a circuit board back to a particular place, you've created a different kind of security challenge for the attacker. So the notion is that, although you may not be able to prevent every attack, you cause different kinds of difficulty for the attacker, which is good news for the defense.

BK: So is supply chain security more of a physical security problem or a cybersecurity problem?

TS: We like to think of it that way because we fight in cyber all the time, but often that's not true. If you can force attackers to subvert your supply chain, you first have to take out the mid-level criminal elements and force them to do things that aren't in cyberspace, like setting up shell companies, laundering money, and so on. And in those areas, especially the human dimension, we have other mechanisms that serve as activity detectors.

BK: What role does network monitoring play here? Technologists often tell me that companies should be able to detect supply chain compromises because at some point they should be able to see tons of data leaving their networks, if they monitor their networks properly. What do you think of the role of effective network monitoring in countering potential supply chain attacks?

TS: I'm not so optimistic about that. It's too easy to hide. Monitoring is about detecting anomalies, whether in the volume or the type of traffic expected. It's a hard category of problem. For the U.S. government, with perimeter monitoring, the ability to monitor traffic is compromised by the natural movement of the entire Internet toward encryption by default. So a lot of things don't reach us because of tunneling and encryption, and the Defense Department in particular has really struggled with that.

Now, obviously, you can intercept traffic with proxies and inspect everything there. The network perimeter is ideally where you want to do that, but the speed and volume of traffic is often just too great.

BK: Hasn't the government already done this with the "Trusted Internet Connections" program, or Einstein, in which it consolidates all that traffic at gateways and tries to inspect what comes in and goes out?

TS: Yes, but that creates a problem of sheer volume and speed. To monitor that without interrupting the traffic, you need advanced technology, and you have to deal with a ton of traffic that is already encrypted. If you try the proxy method, perform inspection and then re-encrypt the data, it's often hard to keep up with the pace.

BK: Does that mean it's a waste of time to do this monitoring at the perimeter?

TS: No. The attacker could have gained an initial foothold through a legitimate tunnel, and someone would have taken control of an account inside the company. You may not know the true meaning of a particular packet flow passing through the perimeter until that thing has passed through and executed. So you can't solve every problem at the perimeter. Some things are just obvious and logical to catch when they open up inside the office.

BK: Do you see a parallel between the challenges of securing the supply chain and those of securing the Internet of Things (IoT), so that these devices don't continue to be a national security threat to critical infrastructure, for example through the DDoS attacks we've seen in recent years?

TS: Absolutely, and again, the economics of security are so compelling. With IoT, we have the cheapest possible parts, devices with relatively short lifespans, and it's interesting to hear people talk about regulating IoT. But much of the discussion I've heard recently is not about top-down solutions, but rather about what we can learn from places like the Food and Drug Administration on certifying medical devices. In other words, are there known characteristics we would want to see applied to these devices before they can be considered, in a generic sense, safe?

BK: How do the IoT and supply chain problems need to be solved so that someone can get access to the code that powers the hardware and find vulnerabilities? Where does the responsibility lie?

TS: I used to make a living looking at other people's software and finding zero-day bugs. What I came to understand was that our ability to find things as humans with limited technology would never solve the problem. The deterrent effect of people believing that someone was inspecting their software generally produced more positive results than the actual inspection did. If they made a mistake, deliberately or not, they would have to work hard, and if there was some method of transparency, we would find one or two and make a big deal of it when we did. That's a deterrent.

BK: That sounds like an approach that would work well to help us feel better about the security of the code inside these voting machines that have come under such close scrutiny recently.

TS: We're thinking about that now, thinking about voting machines. We're sort of going through this classic argument where the hackers are flying the noble flag of truth and the vendors are fighting accountability. So some vendors seem to want to do something different, but at the same time they're caught up with the good intentions of the open vulnerability community.

The question is: how do we bring some degree of transparency to the process, presumably without the vendors exposing their trade secrets and code to the world? What can they demonstrate about the effectiveness of their development practices in solving certain problems before those problems manifest themselves? This matters because elections require one outcome: public confidence in the result. And of course, a better way to get there is to increase transparency.

BK: What, if any, are the takeaways for the average user here? With the proliferation of IoT devices in homes, can we hope to see more tools that let users better control how these systems behave on the local network?

TS: Most of [the supply chain problem] is beyond the ability of the individual to do anything about, and beyond the ability of small businesses to tackle. In fact, it's beyond the means of the average business even to know about it. We need more national attention to the problem.

It is almost impossible for consumers to buy electronic products that aren't connected to the Internet. Chipsets are so cheap, and the ability for every device to have its own built-in Wi-Fi chip means that [manufacturers] add them whether it makes sense or not. I think we'll see more security come to market to manage those devices. For example, you can define rules so that the appliances can only communicate with the manufacturer.

We'll see more easy-to-use tools available to consumers to help manage all of these devices. We're already starting to see the fight for dominance in this space at the level of the home gateway and network management. As these devices become more numerous and more complicated, the means to manage them will become more consumer-oriented. Some broadband providers already offer services that tell you which devices are running in your home and let users control when those devices are allowed to talk to the Internet.
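Sager's "high-quality, non-editable logging" as a route to traceability can be made concrete. What follows is an added example written for this page, not code from Krebs, Sager or the Center for Internet Security: a small append-only, HMAC-chained provenance log in Python in which every entry commits to the digest of the entry before it, so an insider who edits or deletes an earlier build step breaks every later link and the first broken entry can be pinpointed. The signing key, the record fields, the site and serial names and the build events are all constructed for illustration and stand for no real vendor's format.

```python
import hashlib
import hmac
import json
from typing import List, Optional

# Digest that the very first entry chains to (assumption: a fixed all-zero anchor).
GENESIS = "0" * 64


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so identical content always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_digest(prev_digest: str, record: dict, key: bytes) -> str:
    """HMAC-SHA256 over (previous digest || canonical record).

    The key is held by the signing party (here assumed to be the board
    manufacturer), so someone who alters a stored entry but lacks the key
    cannot re-forge the digests that follow it.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(prev_digest.encode())
    mac.update(canonical(record))
    return mac.hexdigest()


class ProvenanceLog:
    """Append-only log: entries are only ever added, never rewritten in place."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        digest = entry_digest(prev, record, self._key)
        self.entries.append(
            {"seq": len(self.entries), "prev": prev, "record": record, "digest": digest}
        )
        return digest

    def verify(self) -> Optional[int]:
        """Return None if the whole chain is intact, else the index of the first bad entry.

        Checks sequence numbers (catches deletions), the back-pointer to the
        previous digest (catches reordering) and the HMAC itself (catches edits).
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return i
            expected = entry_digest(prev, e["record"], self._key)
            if not hmac.compare_digest(expected, e["digest"]):
                return i
            prev = e["digest"]
        return None

    def trace(self, serial: str) -> List[dict]:
        """Every logged step for one board serial, in order: traceability back to a source."""
        return [e["record"] for e in self.entries if e["record"].get("serial") == serial]


def demo_tamper() -> dict:
    """Build a log from constructed events, then show that editing and deleting are detected."""
    key = b"example-manufacturer-signing-key"  # assumption: held only by the manufacturer
    log = ProvenanceLog(key)
    # Constructed sample build events for two circuit boards (not real data).
    log.append({"serial": "BRD-0001", "step": "pcb_fab", "site": "fab-A", "lot": "L17"})
    log.append({"serial": "BRD-0001", "step": "smt_assembly", "site": "assy-B", "line": 3})
    log.append({"serial": "BRD-0002", "step": "pcb_fab", "site": "fab-A", "lot": "L17"})
    log.append({"serial": "BRD-0001", "step": "firmware_flash", "site": "assy-B", "fw": "v1.2.3"})

    intact_before = log.verify() is None
    steps = [r["step"] for r in log.trace("BRD-0001")]

    # An insider rewrites history: the assembly step is moved to a different site.
    log.entries[1]["record"]["site"] = "assy-Z"
    first_bad_after_edit = log.verify()

    # Deleting the record outright (rather than editing it) also breaks the chain.
    del log.entries[1]
    first_bad_after_delete = log.verify()

    return {
        "intact_before": intact_before,
        "steps": steps,
        "first_bad_after_edit": first_bad_after_edit,
        "first_bad_after_delete": first_bad_after_delete,
    }


if __name__ == "__main__":
    print(demo_tamper())
```

The chain only gives tamper evidence, not tamper prevention: whoever holds the key can still rewrite and re-sign everything after the point they change. In practice the digests are therefore also published or mirrored to a party the signer does not control (a second log, a customer, an auditor), so that a re-signed history no longer matches the copy that left the building.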


Since Bloomberg's story first appeared, the U.S. Department of Homeland Security and the National Cyber Security Centre, a unit of the British spy agency GCHQ, have both publicly stated that they have no reason to doubt the vehement denials from Amazon and Apple that they were affected by any incident involving the security of Supermicro's supply chain. Apple has also written a strongly worded letter to lawmakers denying the story's claims.

Meanwhile, Bloomberg's reporters have published a follow-up article citing new, on-the-record evidence to support the claims made in their original piece.



Tags: Blind Purchase, Bloomberg Businessweek, Center for Internet Security, Einstein Program, Internet of Things, Supply Chain Security, Tony Sager, Trusted Internet Connections

This entry was posted on Friday, October 12th, 2018 at 9:03 pm and is filed under A Little Sunshine, The Coming Storm.

