
Security Fun: NFV & Supply-Side Attacks

Craig Matsumoto
9/28/2017

DENVER -- NFV & Carrier SDN -- Getting comfortable with NFV? Great! Now let's talk about the security nightmares it enables.

Ray Watson, VP of global technology for Masergy Communications Inc., brightened the room here Thursday morning during a "Securing the Cloud" session by talking about supply-side attacks -- the art of planting back doors in software, unbeknownst to the developers. The classic example is dual elliptic curve encryption, which includes a flaw that's believed to have been planted by the NSA.

It's no stretch to imagine this happening to virtual network functions. "The real nightmare is that VNF vendors themselves are pushing bugs," Watson said.

After all, supply-side attacks work best when inserted into software that's "known" to be good. Such an attack was disclosed last week, involving the CCleaner tool from vendor Piriform.

Some attacks are more ambitious than others. CCleaner, for instance, was reaching out to secondary targets inside companies like Cisco, Intel, and Microsoft, possibly "hoping to infect Microsoft patches and Cisco patches," Watson said.

Amusingly, this means it was a supply-side attack designed to enable more supply-side attacks.

The supply-side problem is not unique to NFV; it's a threat to any software. But in NFV circles, the thought of supply-side attacks is a sobering reminder that the transition of functions into software creates new points of vulnerability.

Security has been drawing headlines lately because of the stunning size and bravado of some attacks, from the Mirai botnet's DDoS attacks to the Equifax breach. Not all of the attacks come from nation-states, though. Exploits, malware and even the code to control Mirai -- it's all readily available to any amateur.

That's created a gross asymmetry; it's much easier to launch an attack than it is to stop one. "Until we can address that asymmetry we're going to continue to see more spectacular attacks," said Michael Sabbota, director of security solutions consulting for Arbor Networks.

On the plus side, VNF attacks won't likely be the biggest threat to any carrier. Uncreative attack methods still work, so that's what the attackers tend to use.

"Over 90% of the attacks that I tracked last year at Masergy were based on phishing," Watson said. And the goal is usually just to grab someone's login credentials, "because ultimately, if someone can get the credentials to your servers and can get the credentials to your Active Directory, they'll take that all day long before they'll try to come up with zero-day attacks."

— Craig Matsumoto, Editor-in-Chief, Light Reading
