I read (can't remember if it was in the original piece or someones opinion about it) that they subcontract to smaller players when they have increased demands and not enough capacity to go around. So not Foxconn.
Honest question: how would they be able to tell? I don't know how enterprise network security works, but given that a lot of them are hacked to begin with, or host stuff, how wold they know? I assume they have automatic systems in place; how do they tell nefarious connections from normal activity?
It really depends. and for that I will water it down not because I dont think anyone will get it but because its easier for me to do with all the thoughts swimming in my head.
The traffic is probably encrypted.
This is fair and means that your right they wouldnt be able to "see" that it went to
www.china.com
However.
Its the practice that makes me so sceptical and there are many sides and moving parts to that.
1: These are high profile companies (makes sense for a supply chain attack right?) like
google alot of carrier grade companies customize the BIOS of these servers.
2: These companies arent just "ISPs" they are TRANSPORT providers they peer (move) traffic between sub sea cables and route between carrier (ISP) networks.
3: Systems that get dropped into this type of environment are stringently tested they do not just buy servers and switches and throw up a new data center equipment buildouts just to handle a small area in say your city cost millions in planning and architecting.
4: Suppose even if it were true and even if the data were encrypted, the server itself does not do routing. supermicro does not make
Cisco 9508 core network racks. These servers probably cover a multitude of pourposes and might even be just a small server part of a much larger node or cluster that actually holds data. This is important because security is on everyones mind in the network/admin field right now. These servers are behind managmeent VLANs and are only permitted access to specific things.
With that said. The job of any carrier is to transport packets. It is a common misconception that a "good ISP" will protect me from bad guys are bad things. (maybe not at TPU but you would be surprised) that is not the case. A carrier network moves traffic lots of it. Whats important about this though is that rightly so, they would not "block" this traffic from going to any country its that if it originates on the "servers" it probably wont get to see the light of day.
Like I said while carriers do not generally employ any kind of blocking on the carrier level these servers are protected assets. They are only allowed to communicate with this or that network, they are also only accessible via specified VLANs and OOB (out of band) management systems.
The calls home would never connect. They wouldnt be allowed to get a public route.
This is where it starts to tie together. You see wireshark network monitoring edge firewalls and controlled routes deal with too much traffic to see this kind of thing. The operators are human. Thats exactly why I dont trust it though. Because its the SERVERs that are "compromised" and its the SERVERs that WOULD get caught. The internal core servers will trigger alerts and logs before any core router tells the night, switch operator that you are going to a porn site.
I am not saying I am smarter then these people. I am just saying the way this story sounds does not add up to best practice. My concentration is in security and thats not how this works. The amended article mentions people that worked for the CIA checked it and stated the way they discovered the bug is sound.
Ok but who was it?
Why isn't Sepio releasing the documents?
Why was supermicro only given 24 hours to respond when the industry (security and bug) generally mandated 90 days before public release?
How come the most guarded global network carriers did not see illegitimate traffic trying to transverse there network?
In situations like this you have to be on guard. There is no story to be had in the security industry, only facts. Without a picture and documentation it is NOT real.
That still makes no sense. That data has to want to GO somewhere. even encrypted it is attempting to transport to some IP address or polling DNS for a domain that isnt supermicro. There is an infinitesimally small chance this wouldnt be seen. Show me the logs.
Anyway thanks for asking. It's always good to want to know a bit more. Would love to see how it pans out. If true the tech behind it is amazing, or gross negligence of some of the biggest tech companies on the planet. Should be a hell of a ride or lastly its all BS. Should be a fun ride.
.
