Saturday, October 31, 2020

The tech supply chain is more vulnerable than ever

A shot heard around the world was fired last week when Bloomberg published its article “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies.” In it, Jordan Robertson and Michael Riley explain how Chinese spies infiltrated nearly 30 U.S. companies by including compromised microchips in Supermicro motherboards, which those companies then used across data centers. Once installed in the data centers, those microchips could be accessed by the bad actors, who could then control the motherboards from afar. As the article states, this was “the most significant supply chain attack known to have been carried out against American companies.”

To give even more context to the potential scale of this, Robertson and Riley quote a former U.S. intelligence official who said, “Think of Supermicro as the Microsoft of the hardware world.” He then continued, “Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”

As the dust began to settle from the initial shock of what Bloomberg was claiming, most of the companies mentioned in the article vehemently denied its claims. Apple even wrote a letter to Congress, saying the story was “simply wrong.” Both the U.K. National Cyber Security Centre and the U.S. Department of Homeland Security have said they believe Apple and Amazon are telling the truth — and that the alleged Supermicro hack never happened.

Regardless of whether the Bloomberg story is valid, supply chain attacks are already happening in the wild, and this should be a wake-up call for all of us.

Software is even easier to pollute than hardware

While the Supermicro story pertains to an alleged attack on a hardware supply chain, the scary truth is that it’s much easier for bad actors to infiltrate and hack a software supply chain. With hardware, you need to physically access something in order to conduct a hack. With software, you can do it from anywhere.

To this end, I’ve witnessed 10 events during the past 2 years that triangulate a serious escalation of software supply chain attacks. Specifically, adversaries have directly injected vulnerabilities into open source ecosystems and projects. In some cases, these compromised components have been subsequently and unwittingly used by software developers to assemble applications. These compromised applications, which are assumed to be safe, are then made available for use by consumers and businesses alike. The risk is significant — and it’s unknown to everyone except the person that intentionally planted the compromised component inside of the software supply chain.

Historically, software hacks have occurred after a new vulnerability has been publicly disclosed, not before. Effectively, “bad guys” have paid close attention to public disclosures — and any time a new vulnerability has been announced, they move quickly to exploit it before “good guys” can patch it. It’s a great business model — especially when you consider that only 38 percent of companies are actively monitoring and managing their software supply chain hygiene.

Today, the game has changed. Organizations now must contend with the fact that hackers are intentionally planting vulnerabilities directly into the supply of open source components. In one such example from February 2018, a core contributor to the conventional-changelog ecosystem (a common JavaScript code package) had his commit credentials compromised. A bad actor, using these credentials, published a malicious version of conventional-changelog (version 1.2.0) to npmjs.com. While the intentionally compromised component was only available in the supply chain for 35 hours, estimates are that it was downloaded and installed more than 28,000 times. Some percentage of these vulnerable components were then assembled into applications that were then released into production. The result is that these organizations then unwittingly released a Monero cryptocurrency miner into the wild — and the perpetrators of the supply chain hack profited handsomely.
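The conventional-changelog incident above is a case where the malicious package sat in the registry for only 35 hours, so the window to catch it is the lockfile an application was built from. The script below is an added illustration (not code from the article, from VentureBeat, or from the conventional-changelog project) of the kind of build-time check a defender can run: it walks a package-lock.json, flags any dependency whose name@version appears on a denylist of known-bad releases, and also flags entries with no integrity hash, since those cannot be verified against the registry tarball at install time. The lockfile contents, the `left-pad-ish` package name and the integrity value are constructed placeholders; only conventional-changelog@1.2.0 comes from the article.

```javascript
// Added example: audit an npm package-lock.json (lockfileVersion 2/3 "packages" map)
// against a denylist of known-compromised package versions and report entries
// that lack an integrity hash. Not code from the article or the projects it names.

// Constructed sample lockfile. "left-pad-ish" is a hypothetical package name and
// the integrity string is a placeholder, not a real hash.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/conventional-changelog": {
      version: "1.2.0",
      resolved: "https://registry.npmjs.org/conventional-changelog/-/conventional-changelog-1.2.0.tgz",
      integrity: "sha512-PLACEHOLDER_INTEGRITY_VALUE",
    },
    "node_modules/left-pad-ish": {
      version: "0.0.1",
      resolved: "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-0.0.1.tgz",
      // deliberately no integrity field: npm cannot verify the tarball on install
    },
  },
};

// Denylist of name@version identifiers. The single entry is the compromised
// release the article describes; in practice this would be fed from an advisory source.
const DENYLIST = new Set(["conventional-changelog@1.2.0"]);

// Lockfile keys are install paths such as "node_modules/a/node_modules/@scope/b";
// the package name is everything after the last "node_modules/" segment.
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? installPath : installPath.slice(idx + marker.length);
}

// Returns an array of findings; an empty array means the lockfile passed.
function auditLock(lock, denylist) {
  const findings = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue; // the root project entry, not a dependency
    const id = `${packageNameFromPath(installPath)}@${entry.version}`;
    if (denylist.has(id)) {
      findings.push({ id, path: installPath, reason: "denylisted version" });
    }
    if (!entry.integrity) {
      findings.push({ id, path: installPath, reason: "missing integrity hash" });
    }
  }
  return findings;
}

// Convenience wrapper for a lockfile on disk (e.g. in a CI step).
function auditLockFile(filePath, denylist) {
  const fs = require("fs");
  return auditLock(JSON.parse(fs.readFileSync(filePath, "utf8")), denylist);
}

// Usage on the constructed sample: prints one line per finding.
for (const f of auditLock(SAMPLE_LOCK, DENYLIST)) {
  console.log(`${f.reason}: ${f.id} (${f.path})`);
}
```

In a CI pipeline the `auditLockFile` call would be run against the repository's real package-lock.json and the job failed on any non-empty result; keeping the check at the lockfile level, rather than at `npm install` time, means a compromised release is caught before it is assembled into a build.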

So, here’s the point: Whether the Bloomberg report on Supermicro is valid or not, attacks are already happening on our technology supply chains — both software and hardware. Now more than ever, it’s time to talk about ways to secure our supply chains.

Source: VentureBeat
