F5 SIRT - This Week in Security - July 8th - 16th, 2022 - Supply Chain, Infrastructure and DEF CON
Kyle Fox here with some news. This week we look at a couple of infrastructure issues and take note of the upcoming Hacker Summer Camp* taking place in Las Vegas.
* Not to be confused with ToorCamp, which took place a couple of weekends ago.
Rogers Outage Demonstrates How Fragile Infrastructure Can Be
Canadian telecom giant Rogers suffered an outage lasting about a day a few weeks ago, rendering many connected systems unusable and large swaths of the Canadian telephone network inaccessible. The outage impacted data transit through Rogers' IP network, cellular data and calls, and in some places cable television. As a large number of Interac and EMV card terminals use Rogers cellular data, or are in businesses that use Rogers broadband, credit and debit cards could not be reliably used. The outage even caused 911 to become unavailable in large swaths of Canada.
The cause of the outage has been attributed to a routing update gone bad, making it the latest in a line of major outages caused by things like BGP updates. This highlights both the lack of resiliency in major networks and the "bootstrap problem," wherein recovery from a major outage may be slow because the connectivity needed to fix the cause of the outage is itself unavailable due to the outage.
Canadian regulator CRTC will be investigating the causes of the outage and strategies for preventing another outage.
- Rogers network resuming after major outage hits millions of Canadians (Reuters)
- How a coding error caused Rogers outage that left millions without service (The Globe and Mail)
- Rogers blames massive outage on error during network update (CBC News)
DEF CON Is Not Cancelled, This Time
In a few weeks, around thirty thousand hackers will converge on the newly built Caesars Forum event center in Las Vegas for 4 or more days of hacking and partying. This is the first full-scale DEF CON since DEF CON 28 was cancelled and replaced by the virtual conference DEF CON Safe Mode.
DEF CON was founded in 1993 by hacker Dark Tangent as a going-away party for a friend, but grew into a serious event attracting a steadily growing spectrum of hackers and hacker-adjacent people. These days DEF CON typically has long lines for everything, art and musical performances all around, villages with specific focuses, vendors with interesting wares and nervous casino security.
I will be at DEF CON in the DEFCON Furs village, hopefully not spending the whole weekend soldering. Masks are required and some villages require vaccination.
Black Hat USA and BSides LV also take place in the days before DEF CON.
Supply Chain Issues Continue Apace
While the software supply chain gets all the security press, we don't often talk about the hardware supply chain crisis and its impacts on security. Currently the supply chain for common electronic parts is... chunky. Some of the most commonly used chips, like voltage regulators, and some entire categories of LEDs are backlogged to the point where if you order today, you _might_ get them in 2023. This drives some manufacturers to look to the secondary market for these parts, which would allow bad actors to inject modified parts into the part stream and perhaps backdoor hardware. More often, the impact is that parts that had previously failed QA are resold and result in end products being flaky.
So while you might be able to get that Raspberry Pi (Pico) RP2040 processor chip to make your thing, the massively popular AP2112 or MIC5504 voltage regulators won't become available till later next year. This has made #badgelife at DEF CON interesting this year.