Earlier this month I spoke at a cybersecurity conference in Albany, N.Y. alongside Tony Sager, senior vice president and chief evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency. We talked at length about many issues, including supply chain security, and I asked Sager whether he’d heard anything about rumors that Supermicro — a high tech firm in San Jose, Calif. — had allegedly inserted hardware backdoors in technology sold to a number of American companies.

Tony Sager, senior vice president and chief evangelist at the Center for Internet Security.

The event Sager and I spoke at was prior to the publication of Bloomberg Businessweek‘s controversial story alleging that Supermicro had duped almost 30 companies into buying backdoored hardware. Sager said he hadn’t heard anything about Supermicro specifically, but we chatted at length about the challenges of policing the technology supply chain.

Below are some excerpts from our conversation. I learned quite bit, and I hope you will, too.

Brian Krebs (BK): Do you think Uncle Sam spends enough time focusing on the supply chain security problem? It seems like a pretty big threat, but also one that is really hard to counter.

Tony Sager (TS): The federal government has been worrying about this kind of problem for decades. In the 70s and 80s, the government was more dominant in the technology industry and didn’t have this massive internationalization of the technology supply chain.

But even then there were people who saw where this was all going, and there were some pretty big government programs to look into it.

BK: Right, the Trusted Foundry program I guess is a good example.

TS: Exactly. That was an attempt to help support a U.S.-based technology industry so that we had an indigenous place to work with, and where we have only cleared people and total control over the processes and parts.

BK: Why do you think more companies aren’t insisting on producing stuff through code and hardware foundries here in the U.S.?

TS: Like a lot of things in security, the economics always win. And eventually the cost differential for offshoring parts and labor overwhelmed attempts at managing that challenge.

BK: But certainly there are some areas of computer hardware and network design where you absolutely must have far greater integrity assurance?

TS: Right, and this is how they approach things at Sandia National Laboratories [one of three national nuclear security research and development laboratories]. One of the things they’ve looked at is this whole business of whether someone might sneak something into the design of a nuclear weapon.

The basic design principle has been to assume that one person in the process may have been subverted somehow, and the whole design philosophy is built around making sure that no one person gets to sign off on what goes into a particular process, and that there is never unobserved control over any one aspect of the system. So, there are a lot of technical and procedural controls there.

But the bottom line is that doing this is really much harder [for non-nuclear electronic components] because of all the offshoring now of electronic parts, as well as the software that runs on top of that hardware.

BK: So is the government basically only interested in supply chain security so long as it affects stuff they want to buy and use?


Big, bad, scary bug of the moment is CVE-2018-10933.

This is a serious flaw – in fact, it’s a very serious flaw – in a free software library called libssh.

The flaw is more than just serious – it’s scary, because it theoretically allows anyone to log into a server protected with libssh without entering a password at all.

It’s scary because ssh, or SSH as it is often written, is probably the most widely deployed remote access protocol in the world.

Almost all Unix and Linux servers use SSH for remote administration, and there are an awful lot of awfully large server farms out there, and so there’s an awful lot of SSH about.

SSH stands for secure shell, where the term shell is Unix-speak for a command prompt, the place where most Unix-style system administration functions are performed, whether manually by a logged-in human, or automatically via a logged-in script.

But SSH is used for much more than just shell logins because it creates what’s often called a secure tunnel – a general-purpose encrypted data channel between two computers on the internet.

Notable uses for SSH include secure file transfer between servers, and secure data synchronisation between data centres.

Security holes in SSH are therefore the stuff of nightmares for many sysadmins out there, and this one has certainly got the security newswires buzzing.

Here’s the good news.

By far the most commonly used SSH version out there is an open source product called OpenSSH, created and maintained by the security-conscious folks at OpenBSD.

OpenSSH is a completely separate implementation to libssh – they don’t include or rely on each other’s code.

Other well-known open source implementations of SSH include Dropbear (a stripped down version commonly used on routers and other IoT devices), libssh2 (it’s a different product to libssh, not merely a newer version) and PuTTY (widely used on Windows).

None of these projects have this bug either, so most of us can stand down from red alert.

The only really big, mainstream project we know of that uses libssh as its SSH server is Microsoft’s GitHub source code repository.

And the good news there is that the GitHub project [a] doesn’t actually call the buggy code in the libssh product and [b] has installed the patch anyway, just to set everyone’s minds at rest.

Another very widely used software tool that supports libssh is cURL, a command-line web data transfer tool that is shipped on every Mac, included in almost every Linux distro, and widely used for automating uploads and downloads on IoT devices.

But cURL doesn’t include SSH by default; isn’t usually used on servers to process incoming connections; and anyway cURL uses libssh2 as its first choice if you need SSH support.

The bad news

The bad news is that any server that is listening out for incoming SSH connections using libssh is at considerable risk of unauthorised access.

The bug is comically bad, and in very simple terms it goes like this.

When logging in, the client is supposed to chat to the server along these lines…


   Client and server: [...a careful cryptographic dance is done by 
                          both sides to verify login credentials...]


…and then both sides can begin to send data to and fro.

But the bug means a client can just talk to a libssh server like this…


…and then both sides can begin to send data to and fro.

In other words, if the client tells the server that authentication is complete, rather than the other way around, the server happily believes it.

No password requested or required.

What to do?

  • If you have any software product that includes or uses libssh, download and install the latest libssh version at once.
  • If you use product that has libssh built in, rather than supplied as a shared library or DLL, you will need an updated version of the app itself.
  • If you aren’t sure, consult the product’s documentation or online community.


Kaspersky Lab security researchers have analyzed another exploit tool that was supposedly stolen from the National Security Agency-linked Equation Group.

Dubbed DarkPulsar, the tool is an administrative plugin, part of the NSA-linked exploits that the Shadow Brokers group made public in March 2017, specifically the DanderSpritz and FuzzBunch frameworks.

Part of FuzzBunch’s ImplantConfig category, which includes plugins for the post-exploitation stage, DarkPulsar was designed for controlling a passive backdoor named ‘sipauth32.tsp’, which provides remote control of compromised machines.

The DarkPulsar module includes support for a variety of commands, including Burn, RawShellcode, UpgradeImplant, and PingPong, which are meant to remove the implant, run arbitrary code, upgrade the implant, and check if the backdoor is installed on a remote machine, respectively. Other supported commands are EDFStagedUpload, DisableSecurity, and EnableSecurity.

Kaspersky Lab has determined that the DarkPulsar backdoor, which targets both 32-bit and 64-bit systems, was used on 50 victims located in Russia, Iran and Egypt, and that it typically infected machines running Windows Server 2003/2008. The victims are in the nuclear energy, telecommunications, IT, aerospace and R&D sectors.

The security researchers believe that the victims were the targets of a long-term espionage campaign. The backdoor not only includes an advanced mechanism of persistence, but also functionality to bypass the need to enter a valid username and password during authentication. It also encapsulates its traffic into legitimate protocols.

The infection campaign is believed to have stopped after the exploits were made public, but the backdoor likely remained on some of the compromised machines. The malware, however, can only be used by the real DarkPulsar managers, as it requires the private RSA key which pairs to the public key embedded in the backdoor.

“We found around 50 victims, but believe that the figure was much higher when the Fuzzbunch and DanderSpritz frameworks were actively used. We think so because of the DanderSpritz interface, which allows many victims to be managed at the same time,” Kaspersky Lab says.

The DarkPulsar administrative interface functions under the principle of “one command – one launch” and is a plugin of the FuzzBunch framework, which was designed to manage parameters and coordinate different components.

The researchers note that the framework for controlling infected machines is, in fact, DanderSpritz, which uses a plugin called PeedleCheap to configure implants and connect to infected machines to enable post-exploitation features.

Through DarkPulsar, a strong connection between DanderSpritz and FuzzBunch emerges. The backdoor is used to deploy the more functional PeddleCheap implant onto the victim machines, via PCDllLauncher, which apparently stands for ‘PeddleCheap DLL Launcher’.

Thus, the researchers concluded that FuzzBunch and DanderSpritz are designed not only to be flexible, but also to extend functionality and compatibility with other tools.

“Each of them consists of a set of plugins designed for different tasks: while FuzzBunch plugins are responsible for reconnaissance and attacking a victim, plugins in the DanderSpritz framework are developed for managing already infected victims,” Kaspersky concludes.


Pentagon – Defense Department travel records suffered a data breach that compromised the personal information and credit card data of U.S. military and civilian personnel.

The Pentagon revealed that the Defense Department travel records suffered a data breach that compromised the personal information and credit card data of U.S. military and civilian personnel.

The data breach could have happened some months ago and could have affected as many as 30,000 workers. The security breach was notified to the leaders on October 4.

“According to a U.S. official familiar with the matter, the breach could have affected as many as 30,000 workers, but that number may grow as the investigation continues. The breach could have happened some months ago but was only recently discovered.” reads thepost published by the Associated Press.

“The official, who spoke on condition of anonymity because the breach is under investigation, said that no classified information was compromised.”

Lt. Col. Joseph Buccino, a Pentagon spokesman, declared the Defense is still investigating the incident, the security breach affected a still unidentified commercial vendor that provided service to Defense Department.

“It’s important to understand that this was a breach of a single commercial vendor that provided service to a very small percentage of the total population” of Defense Department personnel, said Buccino.

“The department is continuing to assess the risk of harm and will ensure notifications are made to affected personnel,” said the statement, adding that affected individuals will be informed in the coming days and fraud protection services will be provided to them.

The department is not identifying the vendor for security reason, it is still under contract, but the department “has taken steps to have the vendor cease performance under its contracts.”