This week, the idea of a similar approach for hardware, such as computer chips, took a step forward.
The Cybersecurity and Infrastructure Security Agency released a voluntary Hardware Bill of Materials, or HBOM, Framework for Supply Chain Risk Management on Monday. (The software version is, naturally, known as SBOM.)
Although hardware vulnerabilities don’t get as much attention as software vulnerabilities, they made headlines in 2018 when researchers revealed widespread flaws in processors – dubbed Meltdown and Spectre – that would allow attackers to steal data. They also made the news this summer.
“By improving transparency and traceability through HBOM, stakeholders can identify and address potential risks within the supply chain, ensuring that the digital landscape remains robust and secure in the face of emerging threats and challenges,” said Mona Harrington, deputy director of CISA’s National Risk Management Center.
A working group of government and industry representatives developed the framework and, of course, some of the business groups that helped develop it praised the final product. Outside the task force, cyber professionals who focus on hardware security offered a range of reactions, from praise to unimpressed.
Hardware issues, SBOM comings and goings
The framework lays out basic principles on subtopics such as a methodology for standardizing the naming of component attributes and a format for identifying and providing information about different types of components.
In addition to serving as a vulnerability-checking tool, HBOMs can be used to check regulatory compliance, the document notes.
Researchers said last month that several generations of Intel processors had vulnerabilities dating back to 2014, potentially affecting billions of devices. (Intel said in a statement at the time that while “the attack would be very complex to carry out outside of such controlled conditions, affected platforms have mitigation available through a microcode update.”)
Other vulnerabilities surface regularly.
Besides HBOM, CISA has also been working hard on the SBOM issue, with mixed results, and a 2021 White House executive order included a focus on SBOM. A legislative proposal last year to have Defense Department contractors provide software bills of materials to the Pentagon, on the other hand, drew industry opposition.
Some approved of the final product, while others were less enthusiastic.
“This resource plays a critical role in taking proactive approaches to effectively mitigate risk,” said Robert Mayer, senior vice president of cybersecurity and innovation at USTelecom and co-chair of the Information and Communications Technology Supply Chain Risk Management Working Group that released the framework.
The framework is “amazing” and “awesome,” said Kiran Chinnagangannagari, director of product and technology at Securin, a company that performs penetration testing to eliminate vulnerabilities in organizations.
- “The sector has been struggling for some time. There was a lot of discussion about creating a nomenclature around the hardware,” he told me. “I think it’s a great direction.”
- This is also part of a trend toward “bill of materials” in other areas, such as AI and data, Chinnagangannagari said.
Andreas Kuhlmann, CEO of Cycuity, has written about HBOMs several times. He said the framework moved the idea of HBOMs in “a positive direction” but added it fell short of what was needed.
- “It’s very supply chain driven, and that’s a very important aspect,” he told me. “What I miss, and I think is equally important, is tracing HBOMs throughout the life cycle of a product.”
- “Once the chip is in a box, you have to follow it through its life cycle,” he continued. “When you find a box 10 years later, you want to know what’s in it.”
“I don’t think it has much impact and I don’t know why people would comply with it,” said David Brumley, CEO of ForAllSecure and professor of cybersecurity at Carnegie Mellon University.
- The document, he said, closely tracks the technological rivalry between the United States and China and aims to help organizations avoid products made there. He pointed to a story about U.S. state and local governments still purchasing Huawei products.
- It could, however, be of some use to the energy sector in particular, Brumley said.
Hackers steal $200 million from crypto firm Mixin
The Hong Kong-based crypto company Mixin said it was hacked over the weekend and lost nearly $200 million, TechCrunch’s Lorenzo Franceschi-Bicchierai reports.
“In the early morning of September 23, 2023, Hong Kong time, the database of cloud service provider Mixin Network was attacked by hackers, resulting in the loss of some assets,” the company wrote on X, formerly Twitter. “Deposit and withdrawal services on Mixin Network have been temporarily suspended. After discussion and consensus between all nodes, these services will be reopened once the vulnerabilities are confirmed and fixed.”
- It remains unclear how the hackers were able to infiltrate Mixin’s system, which “is a decentralized, cross-chain exchange network that allows users to transfer digital assets,” Franceschi-Bicchierai writes.
- Mandiant, a cyber incident response company owned by Google, is assisting Mixin in incident response and investigation. Mixin, which did not immediately respond to TechCrunch’s request for comment, said it would later release an unspecified “solution” for handling the stolen assets.
- Last weekend’s Mixin hack is the largest in the crypto industry in 2023, according to Rekt data. North Korean hackers have been behind a series of hacks targeting cryptocurrency, cybersecurity firms and U.N. experts say. U.N. experts said the cyberattacks helped fund the country’s nuclear and ballistic missile programs.
UK to launch ‘hunt forward’ operations
The UK will soon launch “hunt-forward” operations, which will allow military cyber officials to deploy to other countries to detect malicious activity on local networks, according to Lt. Gen. Tom Copinger-Symes, deputy commander of UK Strategic Command, the Record’s Alexander Martin reports.
Copinger-Symes, who previously helped create the UK’s National Cyber Force, said in an interview that the program is intended to help partners secure their own networks, making it a practice that is both offensive and defensive.
US Cyber Command pioneered the term, but Copinger-Symes added that the UK version will bring together experts from its intelligence and defense communities, while the US cyber teams tend to work within individual agencies. Still, the UK system is being scaled up, and the force is struggling to find “the people and skills” needed for the job, Copinger-Symes said.
Bermuda Prime Minister says ‘sophisticated and deliberate’ cyberattack hampers government services
After a massive cyberattack last Wednesday, the Bermuda government is still struggling to restore services and identify the source of the incident, Bermuda’s premier, David Burt, said yesterday, the Associated Press reports.
“It is clear that this was a sophisticated and deliberate attack that resulted in unprecedented strain on fundamental government systems,” Burt said, adding that officials are working to identify what happened and how it was carried out. At a news conference, he declined to provide further details, citing national security concerns.
- But Thursday, Burt said: “Our first indication is that this is coming from an external source, most likely from Russia, and we are working with agencies to ensure we can identify any particular issues and ensure services are restored as quickly as possible.”
- And according to local media, Burt also indicated that other Caribbean countries may have been targeted.
As of Monday, Bermuda’s transportation, education and health systems were operating normally, Burt said, but it could take weeks before all services, such as some state agencies and mail systems, are fully restored.
- Deputy Attorney General Lisa Monaco, former CISA director Chris Krebs and former State Department cyber coordinator Chris Painter discuss the next generation of cyber threats at a Washington Post Live event today at 9 a.m.
- CISA senior risk analyst Christian Lowry makes remarks at the Quantum World Congress today at noon.
- The House Oversight and Accountability Committee convenes a subcommittee hearing on fighting ransomware attacks tomorrow at 1 p.m.
- The Senate Select Committee on Intelligence will hold a public hearing on countering China’s influence operations in the United States tomorrow at 2:30 p.m.
Thanks for reading. See you tomorrow.