Cybersecurity advice has long been stated in simple terms: Beware of e-mails from sources you do not know, and do not submit your credentials to a fraudulent page. But increasingly, the most destructive attackers are undermining this basic trust and raising an unsettling question: What if the legitimate tools and programs on your network are compromised at the source?
This insidious and increasingly common technique is known as a “supply chain attack,” a method by which an adversary slips malicious code or another malicious component into a trusted piece of software or hardware. By compromising a single supplier, spies or hackers can hijack its distribution channels to turn any application it sells, any software it produces, even the equipment it ships to customers, into Trojan horses. With a single entry point, they can create a path into the networks of the supplier’s customers, sometimes hundreds or even thousands of victims.
“Chain attacks are dangerous because they are difficult to deal with, and because they are clearly dependent on the environment,” said Nick Weaver, a security researcher at UC Berkeley’s International Computer Science Institute. “You trust every seller whose number is on your machine, and you depend on each vendor.”
The danger of the supply chain threat was highlighted last December, when it was revealed that Russian hackers, later identified as working for the country’s foreign intelligence service, known as the SVR, had breached the company SolarWinds and planted malicious code in its Orion IT management tool, giving them access to up to 18,000 networks that used the app worldwide. The SVR used that foothold to burrow into the networks of at least nine U.S. agencies, including NASA, the State Department, the Department of Defense, and the Department of Justice.
But as striking as that spy operation was, SolarWinds was not unique. Serious supply chain attacks have hit companies around the world for years, both before and since Russia’s audacious campaign. Just last month, it was revealed that hackers had compromised a software development tool sold by a company called CodeCov, which gave the hackers access to hundreds of victims. A Chinese hacking group known as Barium carried out at least six supply chain attacks over the past five years, hiding malicious code in the software of computer maker Asus as well as in the hard-drive cleanup application CCleaner. In 2017 the Russian hackers known as Sandworm, part of the country’s GRU military intelligence service, hijacked Ukraine’s MEDoc software and used it to push out self-spreading, destructive code called NotPetya, which ultimately caused $10 billion in damage worldwide, the costliest cyberattack in history.
In fact, the supply chain attack was first demonstrated nearly forty years ago, when Ken Thompson, one of the creators of the Unix operating system, wanted to see if he could hide a backdoor in Unix’s login function. Thompson didn’t just plant a piece of malicious code that gave him the ability to log into any system. He built a compiler (a tool for turning readable source code into an executable program) that inserted the backdoor into the login function when it was compiled. Then he went a step further and corrupted the compiler that compiled the compiler, so that even the source code of the user’s compiler would contain no obvious signs of tampering. “These attitudes are obvious,” Thompson wrote in an article describing his demonstration in 1984. “You can’t believe the number you didn’t make yourself. (Especially the number of companies that employ people like me.)”