marknca

Mornings With Mark
no. 0009

Bloomberg, Supermicro, and Hardware Supply Chain Attacks


Full machine-generated transcript follows

Morning, everybody. How are you doing today? Interesting one on the box today. We're going to talk about this absolutely earth-shattering report that came from Bloomberg yesterday about a possible hardware supply chain attack. Now the report alleges, and has numerous anonymous sources behind it, that a company called Supermicro, which is actually one of the largest motherboard manufacturers on the planet, inserted unauthorized chips into various customers' products that gave access to a third party.

So basically they put a hardware hacking device on these boards, and the report named some pretty big names. They called out Apple as a customer, and Elemental, which is a video processing company that had some rather large government contracts and was eventually acquired by AWS, as also a customer. Now, the biggest wave is the fact that all the companies named are issuing vehement denials, to the point where CISOs are putting their names online saying no, this never happened.

We told the reporters repeatedly this never happened. I mean, Bloomberg obviously has a strong reputation. They also have an army of lawyers. So there's going to be a lot of he said, she said. There's an interesting journalistic integrity thing playing out here, and I don't want to dive into that because that's not very productive; that's going to play out over the next few days and weeks.

What I think is really interesting is even just the concept of a hardware supply chain attack. A lot of what we do in security is built on, I don't want to say trust, but trust, because when you're building out certain security controls you trust that they work in a certain manner, and hopefully you're testing that. We never assume anything in security; we always want to verify, so trust but verify. But when your fundamental platform that processes things is compromised, that causes a huge amount of issues.

You'll see, in regards to this Bloomberg report, a number of security experts, people like us who are well respected in the community, calling out some of the impacts. Those impacts are, you know, if you can't trust the hardware you're running on, all of the software controls are built up with the assumption that the hardware platform actually executes them, and if it doesn't, and goes around them, there's no way for software to detect that. That's really one of the biggest challenges in virtualization and in the cloud as well: you're building up a set of security controls to match the value of the data in your deployment, and you need to be aware of what the risks are to that.

They could be subverted. In this case I'll give you an example from encryption; it doesn't relate directly to this case, but it helps explain it. So when we look at HTTPS, the lock in your browser, the reason why we suggest encrypting at that level, which is really high up the stack, is that a whole bunch of things happen below it: the physical networking connection, communications across that wire to establish a connection between two points, moving it up the chain to the operating system, and a whole bunch of other things.

We suggest the application layer because that protects against any compromise at the lower levels. It reduces the risk of the impact of any of those compromises; it doesn't prevent it, it reduces the risk. So if I'm encrypting at the very top of the stack, just my application and your application

can decrypt, then everything in between, even if they capture the communications, has to break that encryption. It's a similar thing to what we talk about with end-to-end encryption in messaging apps, things like WhatsApp, things like Signal, Telegram. The reason why end-to-end encryption is so important is because it ensures me and you are the only two devices that have the encryption keys to access the conversation.

Everything else is below that. Even if they capture that conversation, or they divert that network traffic somewhere else and have a copy of the stream, no matter what they do they have to deal with this encrypted packet. This is a concept in security we talk about: it's secure by design, and it's also understanding the environment in which you're executing.

So the scary thing about a hardware supply chain attack is that a lot of people simply don't consider it. They don't work through some of the issues, and they don't realize that a compromised hardware platform could happen, or the extent of the impact of a compromised hardware platform. When you're talking about your baseline servers, and the motherboard on that server being compromised at the hardware level, everything that you do in the OS has the potential of being compromised, because if your hardware's compromised, anything you're doing, encryption included, is exposed. So even if we do that same end-to-end thing, the memory on that server could potentially be accessed, because memory at the end of the day is a physical thing, and this hardware hack is a physical thing, and it could get access to bypass, or

route around, some protections and access that memory directly. So now, the technical complexity of an attack like this is absolutely off the charts, so it's unlikely that it can actually occur, but it is possible for some really sensitive applications, and that's why I think the report called out Elemental

and Apple, with some sensitive data involved. We'll see how this plays out from a story perspective. From a hardware supply chain attack perspective, that's why people are so concerned: because it's extremely difficult to defend against. The hardware we build is extremely complicated, so the vast majority of manufacturers, whether they're in the US, Canada, or Europe, have their stuff built in Asia-Pacific, and the reason being is that that's where the great factories are.

That's where the factories are that are capable of the volume, scale, and quality needed. And because when you do something like a CPU there are trillions of transistors on a CPU, having a few extra gates in there and trying to find that post-production is almost impossible. So it's really difficult to verify the validity of the hardware, which is why this kind of attack is so scary, because now you're not sure, but it could be that there's a hardware intercept on your devices.

And then how do you handle that in software? You can't really handle the theoretical case in software. That is an extreme attack; it's extremely involved, it's really resource-intensive. It would take a mountain of effort and resources to pull it off, especially to target and pull it off. So again, security is a compromise between business value and the cost to defend the data versus

the cost of attacking it. This one's not done. We're going to see a lot more of this; hardware supply chain attacks are so terrifying to the security community because they are so difficult to defend against. What do you think? Let me know. Hit me up online @marknca, or for those of you on the blog, in the comments down below.

There's always email; me at marknca. I hope you're set up for a fantastic Friday and a great weekend, a long weekend for me, so I'll be back on the air on Tuesday. Hope you have a good one. I'll talk to you online and on the show next week.