IWETHEY v. 0.3.0

Krebs - Supply Chain 101
https://krebsonsecurity.com/2018/10/supply-chain-security-101-an-experts-view/

12 OCT 18

Supply Chain Security 101: An Expert’s View

Earlier this month I spoke at a cybersecurity conference in Albany, N.Y. alongside Tony Sager, senior vice president and chief evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency. We talked at length about many issues, including supply chain security, and I asked Sager whether he’d heard anything about rumors that Supermicro — a high tech firm in San Jose, Calif. — had allegedly inserted hardware backdoors in technology sold to a number of American companies.

The event Sager and I spoke at was prior to the publication of Bloomberg Businessweek‘s controversial story alleging that Supermicro had duped almost 30 companies into buying backdoored hardware. Sager said he hadn’t heard anything about Supermicro specifically, but we chatted at length about the challenges of policing the technology supply chain.

Below are some excerpts from our conversation. I learned quite a bit, and I hope you will, too.

[...]

BK: Wait…what?

TS: Suppose a nation state dominates a piece of technology and in theory could plant something inside of it. The attacker in this case has a risk model, too. Yes, he could put something in the circuitry or design, but his risk of exposure also goes up.

Could I as an attacker control components that go into certain designs or products? Sure, but it’s often not very clear what the target is for that product, or how you will guarantee it gets used by your target. And there are still a limited set of bad guys who can pull that stuff off. In the past, it’s been much more lucrative for the attacker to attack the supply chain on the distribution side, to go after targeted machines in targeted markets to lessen the exposure of this activity.

BK: So targeting your attack becomes problematic if you’re not really limiting the scope of targets that get hit with compromised hardware.

TS: Yes, you can put something into everything, but all of a sudden you have this massive big data collection problem on the back end where you as the attacker have created a different kind of analysis problem. Of course, some nations have more capability than others to sift through huge amounts of data they’re collecting.

[...]


Interesting stuff.

Cheers,
Scott.
Thanks! for this unusually pellucid essay on an abstruse--possibly Existential-grade--topic.
Even moi can follow the progression; shall have to digest the mass later, when in Logic-102 mode (..a mindset I try to eschew more nowadays) than in those halcyon days before Science Itself became 'controversial' within the devolved zeitgeist. I doubt that more than a handful of the faux-governing parts of the Cabal, could appreciate/would even try to read ..such a summary of these n+1 either/ors necessary: to grok this even to a mediocre level.

(I don't try to teach cats calculus, nor any random Trumpist what the phrase "deductive Reasoning" demands of the jelloware.) Futility sucks. At least though, the Worker Bees in IT at various levels in 'Security' appear to be relatively immune to the doggerel of the current Appointees* heading the Cabinet positions (invariably awarded to ones whose sole aim is unDoing whatever is the actual raison d'etre of that group.)