Security Strategies

Security Fun: NFV & Supply-Side Attacks

DENVER -- NFV & Carrier SDN -- Getting comfortable with NFV? Great! Now let's talk about the security nightmares it enables.

Ray Watson, VP of global technology for Masergy Communications Inc. , brightened the room here Thursday morning during a "Securing the Cloud" session by talking about supply-side attacks -- the art of planting back doors in software, unbeknownst to the developers. The classic example is dual elliptic curve encryption, which includes a flaw that's believed to have been planted by the NSA.

It's no stretch to imagine this happening to virtual network functions. "The real nightmare is that VNF vendors themselves are pushing bugs," Watson said.

After all, supply-side attacks work best when inserted into software that's "known" to be good. Such an attack was disclosed last week, involving the CCleaner tool from vendor Piriform.

Some attacks are more ambitious than others. CCleaner, for instance, was reaching out to secondary targets inside companies like Cisco, Intel, and Microsoft, possibly "hoping to infect Microsoft patches and Cisco patches," Watson said.

Amusingly, this means it was a supply-side attack designed to enable more supply-side attacks.

The supply-side problem is not unique to NFV; it's a threat to any software. But in NFV circles, the thought of supply-side attacks is a sobering reminder that the transition of functions into software creates new points of vulnerability.

Security has been drawing headlines lately because of the stunning size and bravado of some attacks, from the Mirai botnet's DDoS attacks to the Equifax breach. Not all of the attacks come from nation-states, though. Exploits, malware and even the code to control Mirai -- it's all readily available to any amateur.

That's created a gross asymmetry; it's much easier to launch an attack than it is to stop one. "Until we can address that asymmetry we're going to continue to see more spectacular attacks," said Michael Sabbota, director of security solutions consulting for Arbor Networks .

On the plus side, VNF attacks won't likely be the biggest threat to any carrier. Uncreative attack methods still work, so that's what the attackers tend to use.

"Over 90% of the attacks that I tracked last year at Masergy were based on phishing," Watson said. And the goal is usually just to grab someone's login credentials, "because ultimately, if someone can get the credentials to your servers and can get the credentials to your Active Directory, they'll take that all day long before they'll try to come up with zero-day attacks."

— Craig Matsumoto, Editor-in-Chief, Light Reading

RayWatson_Masergy 9/29/2017 | 11:38:04 AM
Re: open source connection Hi Joe, We actually actually discussed both Kleptography (the intentional weakening or backdooring of cryptographic standards such as EC-PRNG in Linux and elsewhere) as well as Heartbleed (the most likely non-intentional flaws in OpenSSL). Your observation is correct that these are not technically supply side, but the effects are basically the same. As an industry we need to be able to trust patches.
Joe Stanganelli 9/29/2017 | 5:44:32 AM
open source connection Relatedly, this is one of the issues that comes up in open-source security a lot. While not technically "supply-side," I suppose, these backdoors have similar effect. The piece reminded me of the audit of open-source encryption software TrueCrypt. Once things got really underway with that audit, TrueCrypt totally disappeared; the website began warning people that TrueCrypt may not be secure -- and directed people to instead install...Microsoft's BitLocker.
Sign In