Security Fun: NFV & Supply-Side Attacks

Craig Matsumoto

DENVER -- NFV & Carrier SDN -- Getting comfortable with NFV? Great! Now let's talk about the security nightmares it enables.

Ray Watson, VP of global technology for Masergy Communications Inc., brightened the room here Thursday morning during a "Securing the Cloud" session by talking about supply-side attacks -- the art of planting back doors in software, unbeknownst to the developers. The classic example is dual elliptic curve encryption, which includes a flaw that's believed to have been planted by the NSA.

It's no stretch to imagine this happening to virtual network functions. "The real nightmare is that VNF vendors themselves are pushing bugs," Watson said.

After all, supply-side attacks work best when inserted into software that's "known" to be good. Such an attack was disclosed last week, involving the CCleaner tool from vendor Piriform.

Some attacks are more ambitious than others. CCleaner, for instance, was reaching out to secondary targets inside companies like Cisco, Intel, and Microsoft, possibly "hoping to infect Microsoft patches and Cisco patches," Watson said.

Amusingly, this means it was a supply-side attack designed to enable more supply-side attacks.

The supply-side problem is not unique to NFV; it's a threat to any software. But in NFV circles, the thought of supply-side attacks is a sobering reminder that the transition of functions into software creates new points of vulnerability.

Security has been drawing headlines lately because of the stunning size and bravado of some attacks, from the Mirai botnet's DDoS attacks to the Equifax breach. Not all of the attacks come from nation-states, though. Exploits, malware and even the code to control Mirai -- it's all readily available to any amateur.

That's created a gross asymmetry; it's much easier to launch an attack than it is to stop one. "Until we can address that asymmetry we're going to continue to see more spectacular attacks," said Michael Sabbota, director of security solutions consulting for Arbor Networks.

On the plus side, VNF attacks won't likely be the biggest threat to any carrier. Uncreative attack methods still work, so that's what the attackers tend to use.

"Over 90% of the attacks that I tracked last year at Masergy were based on phishing," Watson said. And the goal is usually just to grab someone's login credentials, "because ultimately, if someone can get the credentials to your servers and can get the credentials to your Active Directory, they'll take that all day long before they'll try to come up with zero-day attacks."

— Craig Matsumoto, Editor-in-Chief, Light Reading

9/29/2017 | 11:38:04 AM
Re: open source connection
Hi Joe, We actually discussed both Kleptography (the intentional weakening or backdooring of cryptographic standards such as EC-PRNG in Linux and elsewhere) as well as Heartbleed (the most likely non-intentional flaws in OpenSSL). Your observation is correct that these are not technically supply side, but the effects are basically the same. As an industry we need to be able to trust patches.
Joe Stanganelli
9/29/2017 | 5:44:32 AM
open source connection
Relatedly, this is one of the issues that comes up in open-source security a lot. While not technically "supply-side," I suppose, these backdoors have similar effect. The piece reminded me of the audit of open-source encryption software TrueCrypt. Once things got really underway with that audit, TrueCrypt totally disappeared; the website began warning people that TrueCrypt may not be secure -- and directed people to instead install...Microsoft's BitLocker.