Shining a Light on Supply Chain Security

One of the few areas of information security that has yet to receive the kind of intense study it deserves is supply chain security: the way that software and hardware makers at every tier of the chain protect their products while they are being built, packaged and distributed. That's about to change, though, as researchers at the University of California at Irvine are establishing a program to look at ways to improve supply chain security, among other key topics.

The field of information security is full of interesting and challenging topics to which researchers and experts can apply their brain power. IoT security, malware research, DDoS protection, exploit mitigation, and many other problems all present technical challenges and have attracted plenty of attention over the years. Perhaps supply chain security isn’t quite as attractive as the other problems, but as recent events have shown, it’s no less important.

Some security researchers have been raising the alarm about the issue of malware being pre-installed on hardware devices for a decade or more. Chris Wysopal, the CTO of Veracode, coined the term certified pre-owned many years ago to describe such devices, and at the time it seemed like a clever turn of phrase to describe a relatively small problem. And that’s what it was, at least for a while. Occasionally a story would surface about a batch of USB drives or digital picture frames that included some random trojan or backdoor, but the stories would fade quickly and everyone would move on with their lives.

But that was all before the NotPetya attack of June 2017. That campaign began as an apparent ransomware outbreak, infecting machines in a number of organizations around the world, but mainly in Ukraine. After researchers dug into the code, they found that NotPetya wasn't really ransomware: the encryption could not be reversed, and the malware was designed to destroy information on compromised machines. They also discovered that the initial distribution mechanism was an update server for the Ukrainian accounting software M.E. Doc that the attackers had compromised; once inside a network, NotPetya spread further on its own. Several of the software's automatic updates had been backdoored in the weeks before the outbreak, giving the attackers access to each machine that had installed them. After researchers identified the backdoor and law enforcement got involved, the makers of M.E. Doc produced a new version of the application that they said was clean.

“M.E.Doc has created an update that will ensure safe work in the program. The update mentioned contains enhanced protection from the virus-encryptor,” a statement from Intellect Services, the makers of M.E. Doc, said.

The NotPetya attack was a clear illustration of the potential for mayhem that lies in the software and hardware supply chain. Whoever was behind the attack had persistent, quiet access to computers in many of Ukraine’s largest corporations. Why they chose to expose that access in order to install a piece of wiper malware poorly disguised as ransomware is up for debate, but what is clear is that this is a serious problem. Attackers know the value of the update servers operated by major software makers, and it’s safe to assume that they are going after them continuously. That they haven’t succeeded more often (as far as we know) is a testament to the work done by the security teams at those companies. But there is a lot of work that still needs to be done to address the larger issue, which is the integrity of the infrastructure used to create and distribute the software we all use every day. That’s what the researchers at UCI intend to look at.

“A significant percentage of cyber breaches involve supply-chain compromise. Supply-chain-based risks include counterfeit, malware-embedded or otherwise compromised hardware and software, whether used directly by a purchaser or embedded in other devices. CPRI has identified software and other supply-chain security as a high priority research issue,” the university said.

“In particular, the project will explore the use of blockchain – a distributed virtual-ledger technology offering security, transparency, immutability and authenticity – to better secure software and other vital supply chains.”
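Whatever ledger or registry ends up carrying provenance records, the control that a compromised update server cannot defeat is a signature check against a vendor key the client already holds. The block below is an added illustration, not code from M.E. Doc, UCI or this article. It uses a hash-based (Lamport) one-time signature purely so that it runs with the Python standard library alone; a production client would verify Ed25519 or RSA signatures with the signing key kept offline or in an HSM. The update payloads, the "backdoor stub" and the function names are constructed for the example.

```python
import hashlib
import os

# Lamport one-time signature over SHA-256 digests. Used here only because it
# needs nothing outside the standard library; a real update client would use
# Ed25519 or RSA with the vendor's signing key held offline or in an HSM.
HASH_BITS = 256


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def message_bit(data: bytes, i: int) -> int:
    """Bit i (most significant bit first) of SHA-256(data)."""
    digest = sha256(data)
    return (digest[i // 8] >> (7 - (i % 8))) & 1


def keygen():
    """Private key: 256 pairs of random preimages. Public key: their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(HASH_BITS)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def sign(sk, data: bytes) -> list:
    # Reveal one preimage per digest bit. A Lamport key must sign only once:
    # a second signature leaks preimages for the other bit positions.
    return [sk[i][message_bit(data, i)] for i in range(HASH_BITS)]


def verify(pk, data: bytes, sig: list) -> bool:
    if len(sig) != HASH_BITS:
        return False
    return all(sha256(sig[i]) == pk[i][message_bit(data, i)]
               for i in range(HASH_BITS))


def install_update(pinned_vendor_pk, update_bytes: bytes, sig: list) -> bool:
    """Client side: accept an update only if it verifies under the vendor key
    shipped with the client, no matter which server delivered it."""
    return verify(pinned_vendor_pk, update_bytes, sig)


def scenario() -> dict:
    """Three deliveries through the update channel (all inputs constructed)."""
    vendor_sk, vendor_pk = keygen()  # signing key never leaves the vendor
    genuine = b"example-app update 1.2.3: <constructed update payload>"
    genuine_sig = sign(vendor_sk, genuine)

    # 1. Honest update server forwards the vendor-signed build unchanged.
    ok_genuine = install_update(vendor_pk, genuine, genuine_sig)

    # 2. Compromised update server serves a backdoored build with the old signature.
    backdoored = genuine + b"\n<constructed backdoor stub>"
    ok_tampered = install_update(vendor_pk, backdoored, genuine_sig)

    # 3. Attacker re-signs the backdoored build with a key of their own;
    #    the client still trusts only the pinned vendor key.
    attacker_sk, _attacker_pk = keygen()
    ok_resigned = install_update(vendor_pk, backdoored, sign(attacker_sk, backdoored))

    return {"genuine": ok_genuine, "tampered": ok_tampered, "resigned": ok_resigned}


if __name__ == "__main__":
    print(scenario())  # {'genuine': True, 'tampered': False, 'resigned': False}
```

The two failing cases are the ones that matter for the M.E. Doc story: owning the distribution server gets an attacker neither the ability to alter a signed build nor the ability to substitute their own key, as long as the client pins the vendor key and the signing key is not on the same server that was compromised. That last condition is the real engineering problem, and it is why key custody belongs in any study of build and distribution infrastructure.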

Part of the challenge in supply chain security is that the supply chain itself is often opaque. Many software and hardware vendors tend not to talk much about the suppliers and partners they use, out of concern for security. That’s sensible but it makes life difficult for researchers trying to get a picture of what’s going on. Some vendors have no interest in letting outsiders see any of this (see: Apple), but let’s hope that others will be open and forthcoming, as the issue affects us all.

Dennis Fisher

Dennis Fisher is editor-in-chief at Duo Security. He is an award-winning technology journalist who has specialized in covering information security and privacy for the last 15 years. Prior to joining Duo, he was one of the founding editors of On the Wire, Threatpost and previously covered security for TechTarget and eWeek.