Industry piles in on North Korea for sustained rampage on software supply chains

The national cybersecurity organizations of the UK and the Republic of Korea (ROK) have issued a joint advisory warning of an increased volume and sophistication of North Korean software supply chain attacks.  South Korea's National Intelligence Service (NIS) and the UK's National Cyber Security Centre (NCSC) said they put out …

  1. elsergiovolador Silver badge

    Industry

    While this is a problem, I think the industry is more to blame.

    Thieves gonna steal, burglars gonna break in and you can cry your eyeballs out, you will not get rid of the problem.

    That is just how the world is built.

    So industry, rather than paying engineers properly, hiring competent people and upskilling those lacking, wants someone else to deal with it, without paying a penny.

    Then you have products with holes like Swiss cheese, and when someone manages to hack it, they run like headless chickens.

    But hey, the manager has pocketed a very nice bonus for downscaling security and bumping the profits, and he is already in the Caribbean, feet up, taking a break before another gig at another company looking to maximise profit.

    1. Throatwarbler Mangrove Silver badge
      Flame

      Re: Industry

      Victim blaming! Drink!

      Imagine a world in which it was necessary to put steel plates over your doors and windows and to defend your home and business from highly funded and sophisticated attackers at every turn, where the price of doing business was having not just security guards but elite defenders skilled in analyzing and protecting against every sort of physical intrusion, whether brute force or subtle infiltration.

      In fact, as luck would have it, a gang of thieves has broken into a couple of businesses near me and uprooted the ATMs, which were bolted to the floor, in order to crack them open and take the money inside. I suppose, by your reasoning, those business owners deserve everything they got and, indeed, should be driven through the streets in humiliation and deprived of their livelihoods altogether, just because what they thought were reasonable security precautions turned out to be insufficient.

      In reality, businesses face a rapidly evolving threat landscape, one in which adversaries have huge resources and essentially infinite time in which to plan their attacks, and in which they only have to succeed in finding one weak point, whether human or technological, to gain a foothold in a network. For most businesses, good enough is good enough until it isn't, at which point it's very easy to apply hindsight and say what should have been done. Actually securing a business with a significant technology base against all possible threats is incredibly difficult, expensive, and time-consuming, and justifying those efforts when balanced against the core business can be challenging if the business has never been attacked.

      In short, I find your perspective naive and ignorant. I hope you are one day the victim of cyber-attack or, indeed, other crime, and instead of getting help, you are publicly shamed and humiliated.

      1. elsergiovolador Silver badge

        Re: Industry

        "Imagine a world in which it was necessary to put steel plates over your doors and windows and to defend your home and business from highly funded and sophisticated attackers at every turn"

        I think you are massively overestimating those people. Security at many businesses is the equivalent of leaving the back door open or having a key under a doormat and expensive stuff visible through the window.

        "In fact, as luck would have it, a gang of thieves has broken into a couple of businesses near me and uprooted the ATMs, which were bolted to the floor, in order to crack them open and take the money inside"

        This is a false analogy. You can take all reasonable steps and still get done. What I am talking about is that most businesses don't take reasonable steps when it comes to IT security.

        "Actually securing a business with a significant technology base against all possible threats is incredibly difficult, expensive, and time-consuming, and justifying those efforts when balanced against the core business can be challenging if the business has never been attacked."

        Yes, and businesses think of this only after they get attacked.

        Plus, maybe if they started paying taxes, there would be some resources to help.

      2. LybsterRoy Silver badge

        Re: Industry

        You mean a world like this ....

        https://www.bbc.co.uk/news/av/world-us-canada-67506716

    2. RedGreen925

      Re: Industry

      "While this is a problem, I think the industry is more to blame.

      Thieves gonna steal, burglars gonna break in and you can cry your eyeballs out, you will not get rid of the problem.

      That is just how the world is built."

      Just what I was thinking and going to write. These morons in charge seem to have no clue that they leave the door wide open with a sign that says "hey I am stupid come steal my shit" when using that virus delivery system masquerading as an OS named Windows. Quite frankly they deserve everything they get and more as far as I am concerned for the just plain willful ignorance in using that piece of garbage which has had these problems for close to forty years, but they keep using it, Christ...

  2. Throatwarbler Mangrove Silver badge
    Thumb Down

    "What I am talking about is that most businesses don't take reasonable steps when it comes to IT security."

    I'm sure you can come up with a citation or reference to justify this assertion, along with a concrete and robust definition of "reasonable."

    Here's a counter-example: a company I've been working with had some severe financial issues and were struggling to stay afloat at all. During that period, they had some staff turnover and had just hired a new IT manager when they got hit with ransomware and had to basically rebuild from scratch. What you are saying is that they deserved to be the victim of a criminal enterprise.

    We'll have to agree to disagree.

    1. elsergiovolador Silver badge

      "I'm sure you can come up with a citation or reference to justify this assertion, along with a concrete and robust definition of "reasonable.""

      Look at job boards that offer a pittance for IT roles (if the company won't come up with an even "better" idea to outsource security overseas) and the occurrence of these events.

      "Here's a counter-example: a company I've been working with had some severe financial issues and were struggling to stay afloat at all. During that period, they had some staff turnover and had just hired a new IT manager when they got hit with ransomware and had to basically rebuild from scratch. What you are saying is that they deserved to be the victim of a criminal enterprise."

      It's like the owner of a sinking vessel hiring a new captain hoping it will solve the issue. If someone goes hiking in the mountains with only slippers and underwear and they get eaten by a bear, do they deserve to be a victim? You are using the wrong frame for this problem.

      1. Throatwarbler Mangrove Silver badge
        Thumb Down

        I reject your premise that dealing with criminal activity is an inevitable part of doing business and that it therefore should be regarded in the same category as storms or bears. The criminals performing these acts have agency and the basic ethical and legal obligations of civilized humans. They have the first accountability, which I notice you and the rest of the victim blamers here never mention. All the onus is put on the innocent targets, none on the actual criminals. All I can imagine is that you all have some kind of bizarre Stockholm Syndrome, where you've learned to empathize only with the wrong-doers and not with the people they've victimized.

        1. elsergiovolador Silver badge

          The world is not The Sims, and if you venture out of the basement you may find there are people who care about ideals and there are people who don't, and there is not much you can do about it. Crying and playing the victim is not going to make a difference.

          Businesses should take the real world into account and allocate resources and act accordingly. You can't skimp on security and then go to mommy government for help because those bad people stole your toys.

          Police these days can't even catch a crackhead breaking into someone's shed.

          1. Throatwarbler Mangrove Silver badge
            Thumb Down

            Oh, don't get me wrong: I support people banding together to hire mercenaries to find the scumbags who create ransomware, etc. and feeding them their own fingers knuckle by knuckle as their families are made to watch. If I had the requisite skills, I would absolutely do it myself, but I would only make a hash of it.

        2. RedGreen925

          "I reject your premise that dealing with criminal activity"

          And I reject your rejection; it is a fact of life that people have to deal with criminal activity all the time. At least they lock the doors and install alarms trying to protect their shit from the scum among us. These IT morons do none of that, but the security theater that has no effect, and continue to use the TOTAL cause of the problem, that God damn piece of garbage called the Windows operating system. Until they get their shit together and use something with a secure design they deserve all the blame they get for BEING the problem by using that insecure garbage that allows all the criminal activity in the first place without trying to prevent it. It is not like they do not know this; it has been happening for literally DECADES.....

      2. LybsterRoy Silver badge

        -- Look at job boards that offer a pittance for IT roles (if the company won't come up with an even "better" idea to outsource security overseas) and the occurrence of these events. --

        I love the mindset that says "all you have to do is pay more". Doubling or tripling (or more) the salary will not suddenly generate more competent staff. It might help the training companies to churn out more people holding certificates that say they're brilliant but more likely it will just result in the genuinely competent staff moving to the better paid jobs as we board the reverse helter-skelter.

      3. LybsterRoy Silver badge

        -- If someone goes hiking to mountains only with slippers and underwear and they get eaten by a bear, do they deserve to be a victim? --

        YES because they should have been wearing an AK47 as well!

  3. Winkypop Silver badge

    Easy fix

    Just ask Donald Trump to call his great friend and have him stop all this crap.

    Surely the Great Orange One still has some sway.

    1. RedGreen925

      Re: Easy fix

      "Surely the Great Orange One still has some sway."

      He only had that among his fellow Repugnant Party members and other like-minded nazi fascists. Anyone else treated him like the sick joke he was and still is. Except of course them spineless Democrats who cannot seem to actually call him out for the traitorous murdering bastard he is all day every day; for Christ's sake grow a pair, assholes, and do something for a change. The number of people he killed on the COVID bullshit alone is in the hundreds of thousands.

      1. FlamingDeath Silver badge

        Re: Easy fix

        You do realise that all of these political clowns are dancing because of the same bits of string being pulled by the same hidden hand.

        Left

        Right

        Stop going all goggly eyed, look at what's in the middle.

        You might as well grab your spear and shake it about, like the true tribalist you’re behaving like.

        Do you think these clown politicians give a shit about you?

  4. martinusher Silver badge

    Doesn't add up....but then it never does

    North Korea is typically portrayed as a backward bunch of half-starved people living in a time warp (well, they certainly appear to be living in the mid-1950s USSR). Yet at every turn we're supposed to believe that a country that's isolated, that barely has an Internet presence, is brimming with super-sophisticated hackers capable of devising devastating attacks on Western infrastructure. Really? "Pull the Other One".

    I've no doubt that there's capability there, just as there is elsewhere, but experience has shown that when it comes to attacking enterprises the reason for this is invariably commercial. All you need is a country with half-decent Internet access with a relatively well educated but also relatively hungry population and you've got all you need for malware as a business. Scams have got so bad that Indian call centers will immediately drop the call if you challenge them. As other posters have pointed out, just as banks get robbed "because that's where the money is", cyber attacks happen because there's value in those attacks, and if you don't secure your valuables properly you're going to lose them. This isn't 'victim blaming' as someone rather sourly remarked, it's just a fact of life -- if you live somewhere like I used to do where "if it wasn't nailed down it got stolen immediately and if it was nailed down then it just took a few minutes to rip it up" (that's Manchester, to you) then you know that taking precautions and still losing stuff is a fact of life.

  5. FlamingDeath Silver badge

    There is writing software the correct way.

    Then there is writing software the lazy way.

    Move fast, break things, get it to market, the infestors are screaming for their ROI. This is how things are done.

    Innovation they call it
