Advertisement

Blog

Supply Chain Alert: Take Hackers Very Seriously

A subplot in the ongoing WikiLeaks saga involves hackers targeting attacks against companies, governments, and politicians they deem hostile to the Website.

Hackers in the other camp are also attacking WikiLeaks because they consider the release of hundreds of thousands of classified communications and thousands of diplomatic cables an act of war against the United States.

In another recent high-profile attack, a group of hackers wreaked havoc on Gawker Media sites for being “arrogant.” Millions of users' names and personal data were compromised during the course of the attack. In an email sent to the Website, Mediaite, an individual with the username “Gnosis” wrote that Gawker’s “arrogance” towards the hacker community incited the attacks.

However, these are only two incidents among thousands that occur every year. Anyone involved in the electronics supply chain should be concerned, of course. But how should you react?

The hacking community has gotten smarter, more adept, and much larger during the past few years. They are also politically active, as the high-profile attacks against WikiLeaks, its foes, and Gawker show.

Not taking the hacker community seriously can be likened to when leaders throughout history ignored the angry cries of its citizens. But in today's Internet age, outraged netizens are not burning down castles or storming the Bastille. Instead, they are organizing concerted attacks against network infrastructures that could easily bring down the operations of an OEM or any firm with a direct link to the supply chain.

Actually, the overwhelming majority of so-called hackers is not interested in causing chaos, but is just curious about how software and hardware work. Cracking security codes for them is like trying to solve a puzzle, not unlike trying to figure out a complicated physics or calculus problem. Modifying the Xbox machine code or getting past a modem’s security locks are but among thousands of sample hacks.

Electronics OEMs have used the court system to react against perceived hacker threats in the past. {complink 5703|Texas Instruments Inc.}, for example, has sent cease-and-desist letters to individuals who communicated how they cracked its calculators’ device codes. {complink 379|Apple Inc.} has long sought to lock down its iPhone, which, of course, has just stoked the interest of those seeking to jailbreak the device. Then there is {complink 3426|Microsoft Corp.}, which shut down more than a million of Xbox Live subscribers’ accounts worldwide last year after discovering through Internet connections that owners had hacked their consoles.

Are OEM legal attacks against hackers the smartest and most far-sighted thing to do? I leave that subject open to debate. But a potential resolution could come down to something as simple as following basic codes of respect and decency that do not necessarily overlap with following the letter of the law.

It is perfectly legal — in Europe, anyway — for handset OEMs to allow telecommunications service companies to lock down smartphones so that users cannot download and use Skype, while forcing consumers to pay ridiculously high prices to make a phone call from France to Greece. Or Microsoft can shut down users’ accounts for doing what they want with Xbox consoles they have purchased. Also, remember that the Gawker attacks were triggered by something as seemingly benign as perceived snottiness.

At the end of the day, it comes down to realizing that there are legions of hackers who are prepared to react if they feel that your company has stepped on their toes. Also, anyone who has input about how the supply chain is managed should realize that network attacks are not just the security department’s problem, either. Many networks remain ridiculously easy to penetrate, yet funding gets blocked by bean counters who know little about what they are up against.

So whether would-be attackers are high-minded individuals who want to make a political statement or career criminals seeking to broker stolen data, listen to what the hacking community is saying, and never say “impossible,” regardless of how secure your IT system is supposed to be.

20 comments on “Supply Chain Alert: Take Hackers Very Seriously

  1. stochastic excursion
    December 16, 2010

    Efforts by the government to legislate security on the internet have fallen far short of their goal.  The complexity of network-based software has outstripped the security efforts of a lot of organizations. 

    Curiously, many that use the internet take a fatalistic, prone posture with regard to security.  Diligence costs money, but the risk of compromising control of your computer definitely should be taken seriously.  Strong passwords routinely updated are cheap and go a long way to preventing having your system taken over.

    The internet is designed so that an adequate defense is actually the best defense.  I wonder if a strategy of centralized blocking of those computer addresses with a history of nefarious activity is a good approach.  I think if this kind of lock-down is based on real evidence, that a court can review, it could end a lot of the hacker problems.

  2. SP
    December 16, 2010

    In the modern age, hacking is as good as stealing. And according to the rule of the land the stealing has to be dealt with legal process. The thing is hackers are as brilliant as actual designers, so they got to be taken seriously.

  3. Barbara Jorgensen
    December 16, 2010

    Bruce, thanks for bringing this up. I am fascinated by the political agenda behind the WikiLeaks debate. I can tell you how and why I respect hackers so much: in the course of researching an article, I discovered IBM has a full-time, 27/7 real-time lab that does nothing except track attacks and try to hack into its own products. I know IBM isn't the only organization that does this. The time, money and resources spent on out-hacking hackers is enough to convine me they should be taken very seriously.

  4. AnalyzeThis
    December 16, 2010

    The internet is designed so that an adequate defense is actually the best defense.  I wonder if a strategy of centralized blocking of those computer addresses with a history of nefarious activity is a good approach.  I think if this kind of lock-down is based on real evidence, that a court can review, it could end a lot of the hacker problems.

    I really doubt this strategy would help. The main problem with blocking IP addresses to block hackers is that hackers are exact group of people who will be able to most easily circumvent such a block. Besides, these days, there are too many options and methods to access the Internet: you block a hacker's home IP? Big deal. They use a neighbor's wireless. They go down to a Starbucks. They wouldn't even need to resort to IP spoofing.

    But taking that idea a little further, it has been suggested in the past that IP blocks or additional security controls should be levied against geographic areas which have proven to be hotbeds of hacker activity, specifically parts of Russia. However, this idea is also flawed in my opinion, as surely large numbers of people will be blocked despite their innocence. Such a solution would be like arresting all the residents of a crime-heavy neighborhood.

    Anyhow, good article, and it's true: hackers pose a much bigger threat then they did even ten years ago. For example, in the future, I don't think it's unrealistic that we'll see a scenario (this is just one example) where hackers attack a supply chain in order to sabotage a company, bringing its stock price down and thus enriching the hackers… who invested accordingly.

  5. stochastic excursion
    December 17, 2010

    It's true about IP and network card addresses being straightforward to change.  This leads down the path of having a computer license, which there are very compelling reasons to avoid.  I'm thinking there should be some middle ground, but that the line in the sand isn't crossed beyond which an “enemies list” mentality prevails.

     

  6. Ms. Daisy
    December 17, 2010

    Obviously from the Wikileak attack and counter attacks, hacking has become the electronic war zone and the warriors – the hackers need to be taken really seriously. The collateral harm done to the populace is what worriesme. thw question becomes, how do we finda middle ground since there is not going to be a victor or vanquish in this fight or better “still power play”.

  7. Hardcore
    December 17, 2010

    Much nonsense is talked about hackers and network security, personally I blame the media for most of this.

    Hackers need to be broken down into specific groups, because some of these sub-groups are  critical for I.T development, specifically I am thinking about Linux.(its birth was from 'hacking' and taking apart Unix), strictly speaking it was a legal breach, but look at the positive outcome.

    Then there are the 'hardware-hackers'  these are the people that may take a device such as Microsoft's new controller, and make it usable with other computing devices.

    Microsoft initially took exception to this, and started issuing cease and desist orders, now suddenly Microsoft is 'on-board'.

    Then we have network hackers, which may in some cases be made up of the above groups.

    Finally the 'script-kiddies' which in many hacker communities are considered the 'scum', these are usually the ones that get caught because they do not know what they are doing, they use automated software written by 'real' hackers, generate viri from 'toolkits' written by real software & exploit hackers ,and operate out of places like starbucks, libraries or even home addresses.

    The 'kiddies' are the ones that cause the most disruption, purely because of the shear numbers, but in many cases they are the 'stupid' victims, much of the software they use (and don't understand), is actually gateway systems used by professional hackers, to perform hacks on systems via the 'kiddies' own machine{ this is why IP blocks and checks will never work, and why 'bot' networks are so powerful}

    Many of the  websites taken down, were not 'hacked' because there was some 'amazing' super hacker, but rather the networks were not designed properly, were running software with known public exploits,or the custom software was written by poorly trained/inexperienced programmers, or worse….. Microsoft systems.

    In fact if you look at companies that have 'exposed' networks many of them are vulnerable because they will not employ competent computing staff, or fail to enforce staffing policies related to network and ownership of the data paths.

    In many cases they get what they deserve.

     

     

     

     

     

  8. Anna Young
    December 17, 2010

    There's one set of “hacking” and a group of “hackers” I can't work up the anger to dislike. These are the ones who disassemble a product so they know how it works and sometime, as you said, try to make such products compatible with whatever else is out there in the market. These “hackers” may make things difficult for companies that want to sell products that are then locked into their own eco-system (companies like Apple, for instance, that prefer to lock a phone into a service operator's domain) but they advance technological innovations by removing the roadblocks myopic company executives place in the way of consumer usage.

  9. Hardcore
    December 17, 2010

    Yes it is very popular, a few  websites on the internet that are dedicated to this form of research………

    But thanks to the American government it is now 'illegal', another example of a complete overreaction in an attempt to close certain  copyright laws.

    The stupidity of this  action now means that in theory it is illegal to reverse engineer mobile phone and other systems, (sounds good), until you consider that Law enforcement relies on such information to extract details of criminal activity from mobile phones.

    The police forensic teams don't have the time/resources to take apart and reverse engineer every mobile phone to extract information, they relied on the  hardware/software phone hackers for the information to extract the data.

    The irony is that laws which are supposed to clamp down on the criminals actually assists the criminals.

    The people bringing in all these laws need to learn that laws only impact people that are willing to follow them, which  criminals are not…….. which is why they are criminals.

     

    And if the Americans get their way… and continue to enforce their laws in other countries jurisdictions, it is only the 'free' honest people that are going to feel the pain.

     

  10. prabhakar_deosthali
    December 18, 2010

    From the ancient times we have seen that wherever there is money to be made  or wealth to be seized there are attacks.  The ancient attackers came in physical form armed with weapons and opened looted wealth from weaker sections of the society. Even some stronger nations invaded the week nations and took all the wealth they could carry to their homeland.  This is the law of nature that in a given society you will have people with good intentions as well as evil intentions.  The internet with its open coonectivity and world-wide acces is one of the easiest means in the evil hands to carry out their evil intentions. To bring to this mayhem we need some control authiority  for the internet.( like we have a UN security council for all international defense matters ) . We ned to sectionalize this internet to bring in more security for classified information, Personal private infromation, commercial transactions , Advansed research data. We need now these compartments . Current internet technology virtually allows any computer i the world to access any other computer in the world and have a two way data traffic . This openness has to stop. Otherwise like an atom-bomb someday this internet will go into the evil hands and can casue catestrophies to occur. the next generation internet protocols not only should address the increased address space but a clear vision on the security of all the content lying in millions of servers, gadgets and appliances attached to it.

  11. Taimoor Zubar
    December 19, 2010

    If hackers were to target a company and cause severe damage to it, one of the most effective areas to target would be company's information systems. Almost all companies have computerized information systems and companies are heavily dependent on them. Decision making inside the organization is heavily linked with the data in the information systems. A slight manipulation in the data through an attack, if goes unnoticed, may create havoc in the company. I think information systems should be one of the most critical areas that every company should protect.

  12. mfbertozzi
    December 20, 2010

    Maybe Internet as biggest public and shared contents worldwide repository could have common guidelines on its government.

    United Nations Commission on Science andTechnology for Development (CSTD) has created past December 6th a working group on improvements to the Internet Governance Forum (IGF).

    Could this help on it or it is only a dream?

  13. stochastic excursion
    December 20, 2010

    Openness adds value to the internet, both for service providers and users.  An example of a middle ground between heavy restrictions and complete access is a gated community model. 

    Social networks like Facebook are a good example of this on the application layer: if you have credentials, you're in.  Applying this principle to the network layer, so that a server only recognizes certain IP address, could thwart most denial-of-service attacks.

  14. Hardcore
    December 20, 2010

    “Maybe Internet as biggest public and shared contents worldwide repository could have common guidelines on its government.

    United Nations Commission on Science andTechnology for Development (CSTD) has created past December 6th a working group on improvements to the Internet Governance Forum (IGF).

    Could this help on it or it is only a dream?”

    Personally I  would say we need less bureaucrats  sticking their noses in everything, on the whole the internet has done just fine without continual interference from the UN.

    The one issue I do see with the Internet, is that for the fist time mankind is putting its reliance in  technology that cannot be reliably archived in the centuries to come.

    That is to say you can go digging in Egypt or Greece and find reliable remnants of a civilizations past learning we are now getting past that stage, at some time in the future if there was an 'event' that seriously impacted the infrastructure resulting in its destruction, then mankind would truly be set back further than the dark ages.

    None of the learning or technology would be available. (remember 1 dead battery in your mobile phone ,brings your whole communication network crashing down), this will be the issue that dictates our future.

  15. Bruce Gain
    December 21, 2010

    It's funny you brought up IBM. I remember taking a tour of an IBM wafer fab in 2000 and was surprised to learn then that they were using a WiFi network. That was about the time when the first WEP code was cracked (I did not diagnose the security wall at the plant) and so many users and businesses that had WiFi left them unlocked. I imagine IBM sure has learned a lot about security practices since then.

  16. Bruce Gain
    December 21, 2010

    I like your analysis. The disparities in security protocols from one enterprise to another has always amazed me. Many IT workers just don't get the resources, either, but they get blamed for attacks.

  17. Hardcore
    December 22, 2010

    There is a lot of stupidity with wireless networks.

     

    I was in a law office the other day getting some contracts signed, tried to get network access to the internet, but the network was locked down tight….

    That is until i went into the conference room and in a cupboard was a wireless router , with a strip of paper on top, giving all the Admin and user access settings.

    Prior to that I was watching a bank being fitted out, a small  branch single floor. Now to save money on cables and infrastructure they had  installed a wireless router in the secure area then used that to link the individual cashier terminals to the main computer.

    I made a mental note NEVER to use that particular bank.

    With ineptitude at this level, you really do not need to be much of a hacker to gain access to sensitive computer systems.

     

    But again we come back to the way people are, that they seem to think because they own a computer of a mobile phone that somehow they became computer experts, enabled to 'root' the systems and install all manner of unverified software, we see it now with the apple Iphone.

  18. hwong
    December 31, 2010

    Yes I agree that we have to take security very seriously. I heard that with the popularity of iphone, google have been hacking our privacy such that when we access our bank accounts it catches our passwords. That is so freaking scary. So does that mean that we cannot log in to banks or other important websites via 3G networks?

  19. Backorder
    December 31, 2010

    Someone said, there is no good or evil. Only perception makes it so. Though this wouldnt really fit into the overall social scheme of things, I think this brings to the fore the heart and soul of Hacking or Cracking. While, stealing/robbing/violating/hurting/killing people and destroying assets could easily be classified as evil by most, using a technical skill and hard gained knowledge to compete against and eventually defeat a system which tries to keep out the ignorant sounds more like a fun and challenge activity. Hackers are intelligent students of a science and just because they will termed being on the evil side of things, does not stop them from seeking satisfaction from their skills. The more skilled they are the more they are confident of their invincibilty. For them the entire thing is a game where they are competing with the individuals who designed and who mantain the security systems. And who knows, they might be the same people too! And yeah, no one became a skilled hacker because they had evil intentions to start with. People lie, cheat  and steal when they realise they have become competent and powerful. Isnt it true for all walks of life and not just the internet?

  20. Hardcore
    January 1, 2011

    I just wish that the majority of 'hackers'  were 'Intelligent students of Science', unfortunately the large majority are idiot 'script kiddies' utilizing the work of a small group of professional hackers, it is the script kiddies that provide the cover for professional hackers, purely down to the shear number of them , same as in chess a good player sacrifices the pawns. 

    Take a professional safe cracker, maybe it would take him years to train up someone with absolutely no knowledge in safes, and ultimately their learning would be limited by their own ability.

     The difference with the internet is that it takes absolutely no skill what soever because computer programs don't work in the same way as existing knowledge systems do. As long as you have half a brain and are able to download a script or program and then run it, it is the executing program that encompasses the knowledge of the original programmer rather than the moron pressing the start button, and therein lies the danger.

    We are at a stage where 24/7/365 'bot' programs are continually patrolling network systems, and doing so completely unaided by humans. Within 15-20 minutes of any device being connected to the network, the programs start examining the interfaces for exploits, if an exploit is found the results are compiled into reports and then forwarded to human decision makers.

    Ultimately the issue is 'traffic volume', the more traffic there is on the network , the harder they are to detect, when they are detected most are dealt with fairly quickly.

     

     

     

     


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.