
Unhappy Holiday Hacking

Dec. 23, 2020
Compromised U.S. agencies and companies should trigger a security wake-up call this holiday season.

Hacking in the Holidays was a positive take on the word “hacking,” with a few holiday suggestions for engineers. Unfortunately, though, the term is associated with a lot of bad connotations. It’s been used in most of the headlines talking about the suspected Russian hacking of U.S. government sites as well as major corporations. It’s interesting that the topic was all over the internet for a week or two, but has since subsided into the background news noise.

While security has fallen from the top of the news feeds, hopefully it hasn’t been banished to the bit bucket for programmers, developers, and managers who have to design and create IoT and IIoT solutions that have flooded the consumer and industrial space, with more to come.

The latest hack involved SolarWinds, which provides IT, network, and database management services. Specifically, its Orion Platform was attacked, and nefarious code was subsequently incorporated into an update that was distributed automatically to hundreds of companies and organizations. This allowed the attackers to gain access to systems using the Orion Platform. The evidence points to Russian involvement, and there’s evidence that a second group was targeting SolarWinds.

There are two aspects that developers need to consider. The first is the scope. The second is the dependency. These attacks are significant due to the number of companies involved. Typical hacks of a single company may expose information about thousands or millions of people, which is bad enough. However, these attacks exposed multiple companies and thus exposed many more to the attackers. This includes assets that are often more critical than a credit-card number, although that can be devastating to an individual.

The dependency is about the level of trust given by a company to a third party. In this case, companies essentially exposed their internal systems via automatic updates. The challenge is that the updates were designed to help manage and protect the system.

The attacker’s approach is typical of a malicious actor. Find a hole. Exploit it and keep quiet, enabling subsequent infiltration and further damage. They essentially bypassed other protections, such as firewalls, by piggybacking on a good actor that was compromised.

The challenge these days is that companies depend on a hierarchy of software and firms providing the underpinnings of a system from the boot code through the operating system to end applications. IoT has exacerbated this issue—the communication stacks are extremely complex, and it’s critical to secure them.

At least these days, most companies are attempting to incorporate security through all layers. Unfortunately, programmers tend to discount or ignore security, especially in the open-source community that’s developing more and more software. Hacks on the npm ecosystem of JavaScript libraries caused a furor in the past because so many applications depend on those packages. Even the accounts used to publish to public repositories can be a weak point.

This isn’t to say that developers should stay away from using these tools; rather, security needs to be layered and part of their design process. Bypassing one protection is bad, but it should not always be catastrophic. Relying on a single protection method like a firewall or secure boot must be avoided. And obtaining all your protections from one source isn’t a good idea either.

It’s totally impractical to build an IoT solution by yourself, regardless of the size of your company. Pick your partners carefully and make your security as robust as possible. Hopefully the next holiday season will be better.

About the Author

William G. Wong | Senior Content Director - Electronic Design and Microwaves & RF

I am Editor of Electronic Design focusing on embedded, software, and systems. As Senior Content Director, I also manage Microwaves & RF and I work with a great team of editors to provide engineers, programmers, developers and technical managers with interesting and useful articles and videos on a regular basis. Check out our free newsletters to see the latest content.

You can send press releases for new products for possible coverage on the website. I am also interested in receiving contributed articles for publishing on our website. Use our template and send to me along with a signed release form. 

Check out my blog, AltEmbedded on Electronic Design, as well as my latest articles on this site that are listed below.

I earned a Bachelor of Electrical Engineering at the Georgia Institute of Technology and a Masters in Computer Science from Rutgers University. I still do a bit of programming using everything from C and C++ to Rust and Ada/SPARK. I do a bit of PHP programming for Drupal websites. I have posted a few Drupal modules.

I still get a hand on software and electronic hardware. Some of this can be found on our Kit Close-Up video series. You can also see me on many of our TechXchange Talk videos. I am interested in a range of projects from robotics to artificial intelligence. 
