Rethinking Security Again…
I’m at the BlackBerry Security Summit this week and wouldn’t you know it, while I’m here Bloomberg blasted out a story indicating pretty much all the major companies that use Supermicro servers may have been hacked. BlackBerry is talking about the need for a different approach to security and mostly focusing on the spreading nightmare that IoT represents for security but, with this alleged hack, maybe we should be thinking about what they are proposing even more broadly.
Let me explain.
The Supermicro Chinese Government Hack
Now most, if not all, of the companies that were supposedly compromised by this nasty hardware exploit are denying that it actually happened. But Bloomberg is sticking with their story and, if it is true, they are likely underplaying the exposure.
You see, right now, the most secure sites are treating everything but their servers as if they are coming off the Internet. VPNs are dead, people get limited access which can become even more limited if they are coming in from unsecure locations and every effort is being made to assure that PC, Smartphone, and Tablet access doesn’t result in a breach. This is largely due to both the liability of a breach, which has been going up sharply, and the massive fines the EU is handing out if there is a breach.
But the servers were thought to be safe and servers tend to be clustered, treated as a trusted resource and often connected to other groups of servers via trusted links both inside and outside of the company. If you can compromise a server there is a pretty good chance you not only have compromised the related firm but every trusted, from an IT perspective, partner that the firm has. Given hybrid cloud deployments and the report that this initially targeted firms that have substantial cloud services, and increasingly use either cloud or hybrid cloud designs the level of compromise could be far more massive than we’ve ever seen.
And it shouldn’t be lost that once a cloud server is compromised, given the proliferation of the hybrid cloud concept, that the compromise could spread to every customer the service has. Now this wouldn’t be just servers because clients connect to these things as well and generally aren’t that well protected. This means an attack like this on a firm like Amazon, Apple or a government entity like the DOD could compromise and expose most of the nation to a data breach, ransomware or, particularly scary, root kits that could lay dormant and pop up days, weeks, or even years later.
The fact that they apparently caught this through data traffic monitoring, which is kind of a last defense and suggests the attacker was already pulling significant amounts of data (which triggered the flag) suggests the damage could be far greater than we now realize.
By the way this doesn’t include the SEC issue of lack of transparency (the firms are denying this actually happened) or the GDPR problem given the report indicates that traffic analysis was the trigger without mentioning the type or amount of traffic. I should point out we are only seeing coverage that the report exists, the report itself hasn’t been disclosed.
Now what BlackBerry was talking about this week wasn’t a defense of servers but a defense for IoT Devices called BlackBerry Spark. The approach they showed on the screen was not even a limited perimeter security method but security in depth. You secure not only the hug, network and device from the world you secure it from each other so if one device is compromised, much like in this case if one server is compromised, you still are protected, and you don’t have the kind of global disaster that this alleged Chinese part might have caused.
In a world of IoT this is critical because the clear majority of IoT devices just don’t have the resources to run anti-malware and there is a very real chance that some of these devices, much like the servers above, were intentionally compromised when manufactured. So, you can’t really trust anything completely effectively throwing under the bus any form of perimeter protection definitive because you can’t assure what is already behind the perimeter.
I’m also wondering if the base OS in a server upon which the various virtual machines reside shouldn’t be something like BlackBerry QNX, which carries a higher security requirement, to better assure it isn’t compromised and thus better protects the containers running the virtual instances. That might be an even stronger Security In Depth solution which, I expect, will be increasingly critical for Cloud services particularly the largest and those that serve governments.
Wrapping Up: It’s Getting Really Scary Out There
Now what is particularly fascinating is the seeming conclusion that only Supermicro was compromised. Given this was allegedly caught through a unique combination of traffic analysis and due diligence through an Amazon acquisition you have to wonder how many other classes of product were also compromised using the same or similar part. We have a nasty habit of seeing a breach and acting like it is isolated before we do the work to see whether that assumption is true. We really don’t want to report up to management that they are screwed to a massive degree because the practice of “shoot the messenger” is often institutionalized.
We’ll hope this is just a canary in a coalmine thing and not evidence of a far larger breach which would result in massive GDPR fines, compromises to national defense, and a catastrophic SEC lack of disclosure event. Not to mention identity theft etc. Yep maybe it is truly time we rethought security and not just IoT but the whole damn thing. (By the way, as an aside, I was also concerned that at the Microsoft Ignite event Microsoft indicated that they were running into far too many customers who had global admin accounts that were widely held and poorly secured with trivial passwords).
We are likely do for the mother of all data breaches, I expect it won’t end well.
Post script: After I finished this John Chen CEO of BlackBerry spoke to me on this. BlackBerry has a technology called BSIMS which is specifically designed to prevent the kind of exploit Bloomberg is reporting. It is interesting to note that this is used on phones based on Qualcomm technology but not on devices made by Apple suggesting there may be more of these little chips floating around. You iPhone users, you may want to make sure you are saying nice things about China just in case…