On The Bloomberg Businessweek Story: Supply Chain Security Speculation

the grugq via Medium:

Everything thrown at the wall that seemed to stick
Bloomberg accuses the PLA of hardware-tampering supply chain attacks. If this is at all true, it is a pretty big deal. If it is completely false, it is still a pretty big deal (but that's between Bloomberg's lawyers and SuperMicro, the company allegedly shipping the hacked server boards.) Supply chain attacks are a scary vulnerability because the root of trust has to start somewhere, and if it starts in a no-name Chinese subcontractor factory…it's possibly not the ideal foundation. I've attempted to collect as much actual information as I can based on the Bloomberg statement:
The illicit chips … were connected to the baseboard management controller
Before the wild speculation though, it must be mentioned that the story is short on evidence and high on flat-out denials.
Update: are a horrendous tire fire for cyber security. That's why Amazon's statement about the audit rings true to me.
The pre-acquisition audit described 4 issues with a web application (not hardware or chips) that SuperMicro provides for management of their motherboards. All these findings were fully addressed before we acquired Elemental. The first 2 issues, which the auditor deemed as critical, related to a vulnerability in versions prior to 3.15 of this web application (our audit covered prior versions of Elemental appliances as well),
Auditing multiple versions of the same server is already a lot of work; scouring them for camouflaged, grain-of-rice-sized backdoors seems a little excessive. The 4 issues:
  • Two critical issues in the BMC web server (accessible over IPMI)
  • Two non-critical ones (probably about encryption or lack thereof) that were mitigated by Amazon's planned deployment
These findings ring true to me; this is what a typical infosec due diligence analysis is going to do — look at the interfaces and ports, see what functionality there is, what bugs there are, and what needs to be hardened/fixed.
Stripping the boards and hunting for tiny camouflaged rogue modchips is pretty intense for an audit. However, if the modchip was buggy and alerted the auditors to dig deeper, then it is certainly possible. Things that could tip the auditors off:...

grugq on patreon