
IT News

Our Cellphones Aren’t Safe

Great article by Cooper Quintin of the Electronic Frontier Foundation with one glaring omission. Even if the cell networks were 100% secure, the apps people install are an even larger source of malware and privacy leaks.

Quote

America’s cellular network is as vital to society as the highway system and power grids. Vulnerabilities in the mobile phone infrastructure threaten not only personal privacy and security, but also the country’s. According to intelligence reports, spies are eavesdropping on President Trump’s cellphone conversations and using fake cellular towers in Washington to intercept phone calls. Cellular communication infrastructure, the system at the heart of modern communication, commerce and governance, is woefully insecure. And we are doing nothing to fix it.

This should be at the top of our cybersecurity agenda, yet policymakers and industry leaders have been nearly silent on the issue. While government officials are looking the other way, an increasing number of companies are selling products that allow buyers to take advantage of these vulnerabilities.

Spying tools, which are becoming increasingly affordable, include cell-site simulators (commonly known by the brand name Stingray), which trick cellphones into connecting with them without the cellphone owners’ knowledge. Sophisticated programs can exploit vulnerabilities in the backbone of the global telephone system (known as Signaling System 7, or SS7) to track mobile users, intercept calls and text messages, and disrupt mobile communications.

These attacks have real financial consequences. In 2017, for example, criminals took advantage of SS7 weaknesses to carry out financial fraud by redirecting and intercepting text messages containing one-time passwords for bank customers in Germany. The criminals then used the passwords to steal money from the victims’ accounts.

How did we get here, and why is our cellular infrastructure so insecure?

The international mobile communications system is built on top of several layers of technology, parts of which are more than 40 years old. Some of these old technologies are insecure, others have never had a proper audit and many simply haven’t received the attention needed to secure them properly. The protocols that form the underpinnings of the mobile system weren’t built with security in mind.

SS7, invented in 1975, is still the protocol that allows telephone networks all over the world to talk to one another. It was built on the assumption that anyone who can connect to the network is a trusted network operator. When it was created, there were only 10 companies using SS7. Today, there are hundreds of companies all over the world connected to SS7, making it far more likely that credentials to the system will be leaked or sold. Anyone who can connect to the SS7 network can use it to track your location or eavesdrop on your phone calls. A more recent alternative to SS7 called Diameter suffers from many of the same problems.

Another protocol, GSM, invented in 1991, allows your cellphone to communicate with a cell tower to make and receive calls and transmit data. The older generation of GSM, known as 2G, doesn’t verify that the tower that your phone connects to is authentic, making it easy for anyone to use a cell-site simulator and impersonate a cell tower to obtain your location or eavesdrop on your communications.

Larger carriers have already begun dismantling their 2G systems, which is a good start, since later generations of GSM such as 3G, 4G and 5G solve many of its problems. Yet our phones all still support 2G and most have no way to disable it, making them susceptible to attacks. What’s more, research has shown that 3G, 4G, and even 5G have vulnerabilities that may allow new generations of cell-site simulators to continue working.

Nobody could have envisioned how deeply ingrained cellular technology would become in our society, or how easy and lucrative exploiting it would be. Companies from China, Russia, Israel and elsewhere are making cell-site simulators and providing access to the SS7 network at prices affordable even to the smallest criminal organizations. It is increasingly easy to build a cell-site simulator at home, for no more than the cost of a fast-food meal. Spies all over the world — as well as drug cartels — have realized the power of these technologies.

So far, industry and policymakers have largely dragged their feet when it comes to blocking cell-site simulators and SS7 attacks. Senator Ron Wyden, one of the few lawmakers vocal about this issue, sent a letter in August encouraging the Department of Justice to “be forthright with federal courts about the disruptive nature of cell-site simulators.” No response has ever been published.

The lack of action could be because it is a big task — there are hundreds of companies and international bodies involved in the cellular network. The other reason could be that intelligence and law enforcement agencies have a vested interest in exploiting these same vulnerabilities. But law enforcement has other effective tools that are unavailable to criminals and spies. For example, the police can work directly with phone companies, serving warrants and Title III wiretap orders. In the end, eliminating these vulnerabilities is just as valuable for law enforcement as it is for everyone else.

As it stands, there is no government agency that has the power, funding and mission to fix the problems. Large companies such as AT&T, Verizon, Google and Apple have not been public about their efforts, if any exist.

This needs to change. To start, companies need to stop supporting insecure technologies such as 2G, and government needs a mandate to buy devices solely from companies that have disabled 2G. Similarly, companies need to work with cybersecurity experts on a security standard for SS7. Government should buy services only from companies that can demonstrate that their networks meet this standard.

Finally, this problem can’t be solved by domestic regulation alone. The cellular communications system is international, and it will take an international effort to secure it.

We wouldn’t tolerate gaping potholes in our highways or sparking power lines. Securing our mobile infrastructure is just as imperative. Policymakers and industries around the world must work together to achieve this common goal.

Cooper Quintin is a senior staff technologist with the Electronic Frontier Foundation, where he investigates digital privacy and security threats to human-rights defenders, journalists and vulnerable populations.

Microsoft Issues Emergency Fix for IE Zero Day

Quote

Microsoft today released an emergency software patch to plug a critical security hole in its Internet Explorer (IE) Web browser that attackers are already using to break into Windows computers.

The software giant said it learned about the weakness (CVE-2018-8653) after receiving a report from Google about a new vulnerability being used in targeted attacks.

Satnam Narang, senior research engineer at Tenable, said the vulnerability affects the following installations of IE: Internet Explorer 11 from Windows 7 to Windows 10 as well as Windows Server 2012, 2016 and 2019; IE 9 on Windows Server 2008; and IE 10 on Windows Server 2012.

“As the flaw is being actively exploited in the wild, users are urged to update their systems as soon as possible to reduce the risk of compromise,” Narang said.

According to a somewhat sparse advisory about the patch, malware or attackers could use the flaw to break into Windows computers simply by getting a user to visit a hacked or booby-trapped Web site. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft says users who have Windows Update enabled and have applied the latest security updates are protected automatically. Windows 10 users can manually check for updates this way; instructions on how to do this for earlier versions of Windows are here.

ZipRecruiter has been flying low: User email addresses exposed to unauthorised accounts

Quote

Looking for work? Spammers could well be looking for you

Lesson: use throw away emails if you must, but better, just say no to job search aggregators. Of course that may be impossible as many clueless employers use them to aggregate CV/Resumes, do initial screen, etc.

Tinder for job-seekers ZipRecruiter has copped to a data breach after the names and email addresses of job-seekers were flung to the wind in a permissions screw-up.

The company – which claims over seven million active job-seekers each month and 40 million job alert email subscribers – has been running since 2010 with operations in the US and UK. In 2012 it had helped 10,000 employers fill positions. By 2017 that number had exceeded one million.

But with impressive growth comes impressive growing pains, and a permissions cock-up at ZipRecruiter has meant that hopeful job-seekers, having uploaded their CV, have had their personal details shared in a way they might not have expected.

In the email, sent to those lucky users and seen by The Register, the company says:

On October 5th, we discovered that certain employer user accounts that were not intended to have access to the CV Database were able to obtain access to information including the first name, last name and email addresses of some job seekers who had submitted their CVs to our CV database.

Whoops!

The problem is with the part of ZipRecruiter’s site that allows an employer with permission to access the database of CVs to contact a candidate. Obviously, having admired the sheen of a turd buffed to a high gloss CV of a candidate, an employer will want to get in touch. To that end, ZipRecruiter provides a contact form, helpfully populated with the name and email address of the hopeful individual.

It appears that the Email Candidate form can also be accessed by users who have not ponied up the cash for access to the CV library. Those users can still search for job-seekers, but only see limited information depending on what a candidate has volunteered. This could be the candidate’s first name, last three employers and city and country.

But thanks to the permissions whoopsie, that unauthorised user could also potentially get to the candidate’s full name and email address.

ZipRecruiter professed itself “not certain of the purpose of the unauthorised access” but speculated with breathtaking insight that the information “could be utilised to send you spam or phishing emails”.

The company was quick to point out that the information accessed does not include any login credentials or financial information, and that its security team stomped on the bug 90 minutes after it was found. The ICO was notified on 9 October and the company has been picking through its records ever since, working out which users have had the spotlight of spammers shone on their details.

As for what to do, well, the company has told affected users:

The goal of this communication is not to alarm you or deter you from responding to potential employers; rather, we want you to be a little more vigilant when considering whether or not to respond to a potential communication, in light of the unauthorised access to your full name and email address.

So that’s alright then.

We contacted ZipRecruiter to find out how many users had been affected, but other than a slightly nasal recording telling us our call may be recorded before abruptly hanging up, the company has remained incommunicado. We can but hope ZipRecruiter is a tad more helpful when it comes to paying customers.

As for the UK’s Information Commissioner’s Office (ICO), a spokesperson told us: “ZipRecruiter, Inc has made us aware of an incident and we will consider the facts.”

Register reader Steve, who was one of the lucky job hunters to receive an “oopsie” email, observed: “It’s always so f*cking special to get pwned when you’re looking for work.”

It is indeed, Steve. It is indeed. ®
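The permissions bug in the ZipRecruiter story above is a textbook missing-authorization flaw: the Email Candidate form only checked that the caller was a logged-in employer, not that the account held the paid CV-database entitlement that gates the full name and email address. The following is an added illustration (not ZipRecruiter's code, and all accounts, names and field sets are constructed for the example) showing the vulnerable handler beside the fixed one, plus a small audit helper that reports which candidate fields a handler discloses beyond the caller's entitlement.

```python
"""Illustration of an entitlement check missing from one endpoint (the contact
form) while present on another (the CV database view). Constructed example;
no data or code here comes from ZipRecruiter."""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Employer:
    account_id: str
    cv_database_access: bool   # the paid entitlement to the CV library


@dataclass(frozen=True)
class Candidate:
    candidate_id: str
    first_name: str
    last_name: str
    email: str
    last_employers: Tuple[str, ...]
    city: str
    country: str


class AuthorizationError(Exception):
    """Raised when an employer account lacks the required entitlement."""


# Fields any logged-in employer may see in search results (per the article:
# first name, last three employers, city and country).
SEARCH_FIELDS = frozenset({"first_name", "last_employers", "city", "country"})
# Fields that the paid CV-database entitlement is supposed to gate.
CV_DATABASE_FIELDS = SEARCH_FIELDS | {"last_name", "email"}


def entitled_fields(employer: Employer) -> frozenset:
    """Candidate fields this account may receive, from ANY endpoint."""
    return CV_DATABASE_FIELDS if employer.cv_database_access else SEARCH_FIELDS


def profile_view(candidate: Candidate, fields: frozenset) -> Dict[str, object]:
    """Project a candidate record onto an allowed field set."""
    record = {
        "first_name": candidate.first_name,
        "last_name": candidate.last_name,
        "email": candidate.email,
        "last_employers": list(candidate.last_employers[:3]),
        "city": candidate.city,
        "country": candidate.country,
    }
    return {k: v for k, v in record.items() if k in fields}


def email_candidate_form_vulnerable(employer: Employer, candidate: Candidate) -> Dict[str, object]:
    """Before: only authentication is checked; the pre-filled fields reveal the
    gated last name and email to any employer account."""
    if employer is None:
        raise AuthorizationError("login required")
    return {"to_name": f"{candidate.first_name} {candidate.last_name}",
            "to_email": candidate.email, "subject": "", "body": ""}


def email_candidate_form_fixed(employer: Employer, candidate: Candidate) -> Dict[str, object]:
    """After: the form enforces the same entitlement as the CV database view,
    because it exposes the same gated fields."""
    if employer is None:
        raise AuthorizationError("login required")
    if not {"last_name", "email"} <= entitled_fields(employer):
        raise AuthorizationError(f"account {employer.account_id} lacks CV database access")
    return {"to_name": f"{candidate.first_name} {candidate.last_name}",
            "to_email": candidate.email, "subject": "", "body": ""}


# Which candidate fields each form key reveals; used by the audit below.
FORM_FIELD_SOURCES = {"to_name": {"first_name", "last_name"}, "to_email": {"email"}}


def audit_form_handler(handler: Callable, employer: Employer, candidate: Candidate) -> frozenset:
    """Return the candidate fields `handler` disclosed beyond the caller's
    entitlement; an empty set means the endpoint is correctly gated.
    A raised AuthorizationError counts as no disclosure."""
    try:
        response = handler(employer, candidate)
    except AuthorizationError:
        return frozenset()
    revealed = set()
    for key in response:
        revealed |= FORM_FIELD_SOURCES.get(key, set())
    return frozenset(revealed - entitled_fields(employer))


# Constructed sample data (not real accounts or people).
FREE_EMPLOYER = Employer("emp-free-001", cv_database_access=False)
PAID_EMPLOYER = Employer("emp-paid-002", cv_database_access=True)
SAMPLE_CANDIDATE = Candidate("cand-123", "Alex", "Example", "alex@example.invalid",
                             ("Acme Ltd", "Globex", "Initech", "Umbrella"), "Leeds", "UK")

if __name__ == "__main__":
    print("search view:", profile_view(SAMPLE_CANDIDATE, entitled_fields(FREE_EMPLOYER)))
    print("leak before fix:", sorted(audit_form_handler(email_candidate_form_vulnerable, FREE_EMPLOYER, SAMPLE_CANDIDATE)))
    print("leak after fix: ", sorted(audit_form_handler(email_candidate_form_fixed, FREE_EMPLOYER, SAMPLE_CANDIDATE)))
```

The audit helper is the useful generalization: run every endpoint that renders candidate data against an unentitled account and fail the build if any of them returns a non-empty set.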

Dutch court rejects man’s request to be 20 years younger

Well, although not exactly IT news, I wanted to post this. I sort of get it. As I read the article, I immediately thought of the rampant age discrimination in IT/ICT (as well as other industries). Sure, not all seniors have kept up, but many have and they have a tremendous amount to contribute. It is a tragedy that they are kicked to the curb as Walmart greeters.

Yeah yeah – maybe Emile Ratelband is not the best example, but his bid does shed light on a deeply troubling subject, especially in the IT/ICT industry.

Quote

A Dutch court has rejected the request of a self-styled “positivity guru” to shave 20 years off his age, in a case that drew worldwide attention.

Last month Emile Ratelband asked the court in Arnhem to formally change his date of birth to make him 49. He said his official age did not reflect his emotional state and it was causing him to struggle to find work and love.

He claimed he did not feel 69 and said his request was consistent with other forms of personal transformation gaining acceptance around the world, such as the right to change name or gender.

In a written ruling on Monday, the court said Dutch law assigned rights and obligations based on age “such as the right to vote and the duty to attend school. If Mr Ratelband’s request was allowed, those age requirements would become meaningless.”

In a press statement, the court said: “Mr Ratelband is at liberty to feel 20 years younger than his real age and to act accordingly. But amending his date of birth would cause 20 years of records to vanish from the register of births, deaths, marriages and registered partnerships. This would have a variety of undesirable legal and societal implications.”

The court said it acknowledged “a trend in society for people to feel fit and healthy for longer, but did not regard that as a valid argument for amending a person’s date of birth”.

It said Ratelband failed to convince the court that he suffered from age discrimination, adding that “there are other alternatives available for challenging age discrimination, rather than amending a person’s date of birth”.

Ratelband was undeterred by the court’s rejection and vowed to appeal. “This is great!” he said. “The rejection of [the] court is great … because they give all kinds of angles where we can connect when we go in appeal.”

He said he was the first of “thousands of people who want to change their age”.

Break up Facebook (and while we’re at it, Google, Apple and Amazon)

Reich concludes “We must resurrect antitrust” – yes and we need to do that very fast.

Quote

Big tech has ushered in a second Gilded Age. We must relearn the lessons of the first, writes the former US labor secretary

Last week, the New York Times revealed that Facebook executives withheld evidence of Russian activity on their platform far longer than previously disclosed. They also employed a political opposition research firm to discredit critics.

There’s a larger story here.

America’s Gilded Age of the late 19th century began with a raft of innovations – railroads, steel production, oil extraction – but culminated in mammoth trusts owned by “robber barons” who used their wealth and power to drive out competitors and corrupt American politics.

We’re now in a second Gilded Age – ushered in by semiconductors, software and the internet – that has spawned a handful of giant hi-tech companies.

Facebook and Google dominate advertising. They’re the first stops for many Americans seeking news. Apple dominates smartphones and laptop computers. Amazon is now the first stop for a third of all American consumers seeking to buy anything.

“Amazon the first stop..” — The main reason is that they have allowed illegal predatory pricing to drive out competition. And Amazon is usually never a good deal. Check it out carefully: Prime products are always more expensive than elsewhere, even on the Amazon site. With Prime you pay twice. Brilliant!

This consolidation at the heart of the American economy creates two big problems.

First, it stifles innovation. Contrary to the conventional view of a US economy bubbling with inventive small companies, the rate at which new job-creating businesses have formed in the United States has been halved since 2004, according to the census.

A major culprit: big tech’s sweeping patents, data, growing networks and dominant platforms have become formidable barriers to new entrants.

The second problem is political. These massive concentrations of economic power generate political clout that’s easily abused, as the New York Times investigation of Facebook reveals. How long will it be before Facebook uses its own data and platform against critics? Or before potential critics are silenced even by the possibility?

America responded to the Gilded Age’s abuses of corporate power with antitrust laws that allowed the government to break up the largest concentrations.

President Teddy Roosevelt went after the Northern Securities Company, a giant railroad trust financed by JP Morgan and John D Rockefeller, the nation’s two most powerful businessmen. The US supreme court backed Roosevelt and ordered the company dismantled.

In 1911, President William Howard Taft broke up Rockefeller’s sprawling Standard Oil empire.

It is time to use antitrust again. We should break up the hi-tech behemoths, or at least require they make their proprietary technology and data publicly available and share their platforms with smaller competitors.

There would be little cost to the economy, since these giant firms rely on innovation rather than economies of scale – and, as noted, they’re likely to be impeding innovation overall.

But is this politically feasible? Unlike the Teddy Roosevelt Republicans, Trump and his enablers in Congress have shown little appetite for antitrust enforcement.

Republicans rhapsodize about the “free market” but have no qualms about allowing big corporations to rig it at the expense of average people. Yet as the late Robert Pitofsky, former chairman of the Federal Trade Commission, once noted: “Antitrust is a deregulatory philosophy. If you’re going to let the free market work, you’d better protect the free market.”

But the Democrats, for their part, have shown no greater appetite for antitrust – especially when it comes to big tech.

In 2012, the staff of the FTC’s bureau of competition submitted to the commissioners a 160-page analysis of Google’s dominance in the search and related advertising markets, and recommended suing Google for conduct that “has resulted – and will result – in real harm to consumers and to innovation”.

But the commissioners, most of them Democratic appointees, chose not to pursue the case.

The Democrats’ recent “better deal” platform, which they unveiled a few months before the midterm election, included a proposal to attack corporate monopolies in industries as wide-ranging as airlines, eyeglasses and beer. But, notably, the proposal didn’t mention big tech.

Maybe the Democrats are reluctant to attack the industry because it has directed so much political funding to Democrats. In the 2018 midterms, the largest recipient of big tech’s largesse, ActBlue, a fundraising platform for progressive candidates, collected nearly $1bn, according to the Center for Responsive Politics.

As the New York Times investigation makes clear, political power can’t be separated from economic power. Both are prone to abuse.

Antitrust law was viewed as a means of preventing giant corporations from undermining democracy. “If we will not endure a king as a political power,” thundered Ohio’s Senator John Sherman, the sponsor of the nation’s first antitrust law in 1890, “we should not endure a king over the production, transportation and sale” of what the nation produced.

In the second Gilded Age as in the first, giant firms at the center of the American economy are distorting the market and our politics.

We must resurrect antitrust.

Anyone who knows me will hear me whine that no one takes IT Security seriously enough. The main reason is that there is no teeth in laws that cover breaches. That leads to organizations pinching pennies. Here is an article by Bruce Schneier that lays out the case. Will I stop whining — not yet.

Quote

Bruce Schneier: You want real IoT security? Have Uncle Sam start putting boots to asses. Infosec’s cool uncle says to hell with the carrot

Any sort of lasting security standard in IoT devices may only happen if governments start doling out stiff penalties.

So said author and computer security guru Bruce Schneier, who argued during a panel discussion at the Aspen Cyber Summit this week that without regulation, there is little hope the companies hooking their products up to the internet will implement proper security protections.

“Looking at every other industry, we don’t get security unless it is done by the government,” Schneier said.

“I challenge you to find an industry in the last 100 years that has improved security without being told [to do so] by the government.”

Schneier went on to point out that, as it stands, companies have little reason to implement safeguards into their products, while consumers aren’t interested in reading up about appliance vendors’ security policies.

“I don’t think it is going to be the market,” Schneier argued. “I don’t think people are going to say I’m going to choose my refrigerator based on the number of unwanted features that are in the device.”

Schneier is not alone in his assessment either. Fellow panellist Johnson & Johnson CISO Marene Allison noted that manufacturers have nothing akin to a bill of materials for their IP stacks, so even if customers want to know how their products and data are secured, they’re left in the dark.

“Most of the stuff out there, even as a security professional, I have to ask myself, what do they mean?” Allison said.

That isn’t to say that this is simply a matter of manufacturers being careless. Even if vendors want to do right by data security, a number of logistical hurdles will arise both short and long term.

Allison and Schneier agreed that simply trying to port over the data security policies and practices from the IT sector won’t work, thanks to the dramatically different time scales that both industrial and consumer IoT appliances tend to have.

“Manufacturers do not change all the IT out every five years,” Allison noted. “You are looking at a factory having a 25- to 45-year lifespan.”

Support will also be an issue for IoT appliances, many of which go decades between replacement.

“The lifespan for consumer goods is much more than our phones and computers, this is a very different way of maintaining lifecycle,” Schneier said.

“We have no way of maintaining consumer software for 40 years.”

Ultimately, addressing the IoT security question may need to be spearheaded by the government, but, as the panelists noted, any long-term solution will require a shift in culture and perception from manufacturers, retailers and consumers.

Chinese Super Micro ‘spy chip’ story …

QUOTE

Chinese Super Micro ‘spy chip’ story gets even more strange as everyone doubles down
Bloomberg puts out related story while security experts cast doubt on research and quotes

The veracity of a bombshell yarn claiming Chinese agents managed to sneak spy chips into Super Micro servers used by Amazon, Apple and the US government is still being fiercely argued over five days after publication.

On Tuesday, the media outlet behind the claims, Bloomberg, responded to growing criticism of its report by publishing a new, related story about how a “major US telecommunications company” discovered a similar hardware hack in components from the computer manufacturer at the center of the story, Super Micro.

That latest piece comes after one of the experts in the original story gave an interview in which he expressed his concern about the finished piece and questioned whether Bloomberg had done sufficient fact checking before publishing.

The new article also comes in the wake of a second, even stronger denial of the key elements of the story by Apple – sent to US Congress committees – as well as statements from the intelligence wings of both the UK and US governments that push the idea that Bloomberg may have made a serious reporting mistake.

With clear and increasingly firm stances that stand in complete opposition to one another, security experts remain undecided as to whether the story is largely correct and China did insert spy chips into Super Micro motherboards; or whether the journalists behind the story wrongly extrapolated information and ended up publishing something incorrect.

Faced with such uncertainty, some are reaching for a unifying explanation: that Bloomberg was misled by some in the intelligence community that wish, for their own reasons, to raise the specter of Chinese interference in the global electronics supply chain. Bloomberg could be accurately reporting an intelligence misinformation campaign.

Another expert, another report

In its most recent story, Bloomberg claims to have seen “documents, analysis and other evidence” of Chinese interference: in this case “manipulated hardware” stemming from Super Micro that was discovered in the network of a large US telecoms company and pulled out in August.

The source of that report is named: Yossi Appleboum, CEO of security specialists Sepio Systems. Appleboum claims to have discovered “unusual communications” coming from a Super Micro server that was part of a data center audit ordered by the unnamed company.

Physical inspection of that board revealed “an implant built into the server’s Ethernet connector,” Appleboum says. Bloomberg knows the company affected but has chosen not to name it because of a non-disclosure agreement signed between Sepio Systems and the company in question.

While Bloomberg notes that the Ethernet implant “is different from the one described in the Bloomberg Businessweek report last week,” it argues that it shares “key characteristics” including the fact that the alteration was made at a Super Micro factory and it was designed to be invisible while extracting data.

The conclusion that the implant was introduced at the factory in China was reached by Appleboum, he claims. But notably he goes on to state that “he was told by Western intelligence contacts that the device was made at a Super Micro subcontractor factory in Guangzhou, a port city in southeastern China.”

Appleboum makes a series of other interesting statements, including that the Sepio team had seen similar variations of the implant in other motherboards made in China, and that he had been informed by intelligence agents from other countries that they had been tracking the manipulation of Super Micro hardware for some time.

You know nothing, DHS

Bloomberg used the report to push back against a statement from the US Department of Homeland Security (DHS) in which it said it had “no reason to doubt” denials of its spy-chip original story. Bloomberg insists that there was an FBI investigation of the issue, but that it was run by the organization’s “cyber and counterintelligence teams, and that DHS may not have been involved.”

In other words, Bloomberg – seemingly surprised by the forceful denials of its story – is arguing that only a small group of people were aware of the investigations it wrote about and so claims of inaccuracy may come from people who simply do not know about them.

….

All of which is to say: after five days of fierce scrutiny, no one is any the wiser as to whether the story is true or not. We will have to see what this week brings.

China back at hacking

Note to Trump – sometimes diplomacy is better than chest thumping.

QUOTE

The Obama-era cyber détente with China was nice, wasn’t it? Yeah well it’s obviously over now
Middle Kingdom is a rising threat once again – research

Infosec pros might have already noticed some familiar IP address ranges in their system logs – China has returned to the cyber-attack arena.

That’s the conclusion of threat intel outfit CrowdStrike, which released its midyear threat report this week (downloadable here with free registration). The firm’s Falcon OverWatch team said that from January to June, state actors were responsible for 48 per cent of intrusion cases, and China is climbing back up the charts.

CTO and co-founder Dmitri Alperovitch tweeted: “CrowdStrike can now confirm that China is back (after a big drop-off in activity in 2016) to being the predominant nation-state intrusion threat in terms of volume of activity against Western industry. MSS is now their #1 cyber actor.”

MSS refers to the Ministry of State Security, which will likely be even more motivated to digitally disrupt the US since a deputy division director was arrested in Belgium in April and extradited to face charges in America.

Alperovitch said that the 2015 Obama-era non-hacking pact had led to a decline in hostile activity, at least at the state level.

Alex Stamos, formerly CSO at Facebook, concurred with Alperovitch: “Most IR professionals I have spoken to believed that there was a real drop in commercially-motivated hacking from the Chinese after the deal.”

That was then. The increasing political hostility between China and the US (and countries like Australia which have followed the US’s lead) is reflected in the online world, CrowdStrike reckoned. “OverWatch data identifies China as the most prolific nation-state threat actor during the first half of 2018.”

Intrusions were attempted against “biotech, defence, mining, pharmaceutical, professional services, transportation, and more”, the report claimed.

The “Chinese threat” has been a CrowdStrike theme for some time: in September, Alperovitch made the same point to Fox Business in a TV interview. He said “every major sector of the economy is being targeted” by the Middle Kingdom.

“Primarily they’re focused on stealing intellectual property… in order to counteract in part the trade tariffs we’re putting into place on them.”

By comparison to the rising Chinese attack traffic, the report’s other key findings were relatively unremarkable: online crims are turning to crack networks to install cryptocurrency miners, with legal and insurance industries a favourite target; the biotech sector is a favoured target for industrial espionage; and criminal actors who once may have used less sophisticated tools are now adopting “tactics, techniques and procedures” learned from nation-state actors.

New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom

One needs to wonder about all those routers and firewalls from the majors that are produced in China.
Also, I think this will do more damage to “Brand China” than dubious tariffs.
And in case you missed it, Bloomberg’s original story “The Big Hack” (excellent read) can be had here

The discovery shows that China continues to sabotage critical technology components bound for America.

A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company.

The security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery following the publication of an investigative report in Bloomberg Businessweek that detailed how China’s intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period ending in 2015.

Appleboum previously worked in the technology unit of the Israeli Army Intelligence Corps and is now co-chief executive officer of Sepio Systems in Gaithersburg, Maryland. His firm specializes in hardware security and was hired to scan several large data centers belonging to the telecommunications company. Bloomberg is not identifying the company due to Appleboum’s nondisclosure agreement with the client. Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector, a component that’s used to attach network cables to the computer, Appleboum said.

The executive said he has seen similar manipulations of different vendors’ computer hardware made by contractors in China, not just products from Supermicro. “Supermicro is a victim — so is everyone else,” he said. Appleboum said his concern is that there are countless points in the supply chain in China where manipulations can be introduced, and deducing them can in many cases be impossible. “That’s the problem with the Chinese supply chain,” he said.
The more recent manipulation is different from the one described in the Bloomberg Businessweek report last week, but it shares key characteristics: They’re both designed to give attackers invisible access to data on a computer network in which the server is installed; and the alterations were found to have been made at the factory as the motherboard was being produced by a Supermicro subcontractor in China.

….

The manipulation of the Ethernet connector appeared to be similar to a method also used by the U.S. National Security Agency, details of which were leaked in 2013. In e-mails, Appleboum and his team refer to the implant as their “old friend,” because he said they had previously seen several variations in investigations of hardware made by other companies manufacturing in China.

In Bloomberg Businessweek’s report, one official said investigators found that the Chinese infiltration through Supermicro reached almost 30 companies, including Amazon.com Inc. and Apple Inc. Both Amazon and Apple also disputed the findings. The U.S. Department of Homeland Security said it has “no reason to doubt” the companies’ denials of Bloomberg Businessweek’s reporting.

People familiar with the federal investigation into the 2014-2015 attacks say that it is being led by the FBI’s cyber and counterintelligence teams, and that DHS may not have been involved. Counterintelligence investigations are among the FBI’s most closely held and few officials and agencies outside of those units are briefed on the existence of those investigations.

Appleboum said that he’s consulted with intelligence agencies outside the U.S. that have told him they’ve been tracking the manipulation of Supermicro hardware, and the hardware of other companies, for some time.
….
Hardware manipulation is extremely difficult to detect, which is why intelligence agencies invest billions of dollars in such sabotage. The U.S. is known to have extensive programs to seed technology heading to foreign countries with spy implants, based on revelations from former CIA employee Edward Snowden. But China appears to be aggressively deploying its own versions, which take advantage of the grip the country has over global technology manufacturing.

Three security experts who have analyzed foreign hardware implants for the U.S. Department of Defense confirmed that the way Sepio’s software detected the implant is sound. One of the few ways to identify suspicious hardware is by looking at the lowest levels of network traffic. Those include not only normal network transmissions, but also analog signals — such as power consumption — that can indicate the presence of a covert piece of hardware.

In the case of the telecommunications company, Sepio’s technology detected that the tampered Supermicro server actually appeared on the network as two devices in one. The legitimate server was communicating one way, and the implant another, but all the traffic appeared to be coming from the same trusted server, which allowed it to pass through security filters.

In other words – bypassing the firewall.
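The detection principle in the paragraphs above, one trusted address carrying traffic from two different machines, can be illustrated with a small fingerprint check. The script below is an added example for this page; it is not Sepio’s product or its method, and every host, address, TTL, window and option string in it is constructed. It groups connection records by source address and flags any source whose packets show more than one stable IP/TCP stack signature (initial TTL, TCP window, TCP option layout), which is what “two devices in one” looks like at the lowest levels of network traffic.

```python
"""Flag a source address whose traffic carries more than one IP/TCP stack
fingerprint, i.e. a host that behaves like "two devices in one".

Added illustration for this page; constructed data, not a real capture.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # source IP as seen by the network sensor
    dst: str        # destination IP
    dport: int      # destination port
    ttl: int        # IP TTL observed in the SYN packet
    window: int     # TCP window size advertised in the SYN
    options: str    # TCP option layout, p0f-style, e.g. "mss,sok,ts,nop,ws"


# Common initial TTL values used by different network stacks.
INITIAL_TTLS = (32, 64, 128, 255)


def initial_ttl(observed: int) -> int:
    """Map an observed TTL back to the stack's likely initial TTL.

    A packet that crossed a few routers has been decremented; rounding up to
    the next well-known base removes the hop count and leaves the OS default.
    """
    for base in INITIAL_TTLS:
        if observed <= base:
            return base
    return 255


def fingerprint(f: Flow):
    """Coarse stack signature: (initial TTL, window size, option layout)."""
    return (initial_ttl(f.ttl), f.window, f.options)


def find_split_hosts(flows, min_flows=2):
    """Return {src: {fingerprint: count}} for every source address that shows
    more than one fingerprint, counting only fingerprints seen at least
    min_flows times so a single odd packet does not raise an alert."""
    by_src = defaultdict(lambda: defaultdict(int))
    for f in flows:
        by_src[f.src][fingerprint(f)] += 1
    flagged = {}
    for src, fps in by_src.items():
        stable = {fp: n for fp, n in fps.items() if n >= min_flows}
        if len(stable) > 1:
            flagged[src] = stable
    return flagged


# Constructed sample records (hypothetical addresses in private/documentation ranges).
SAMPLE_FLOWS = [
    # 10.0.5.20: the legitimate server, a Linux-like stack (TTL base 64)
    Flow("10.0.5.20", "10.0.9.1", 443, 63, 29200, "mss,sok,ts,nop,ws"),
    Flow("10.0.5.20", "10.0.9.2", 443, 63, 29200, "mss,sok,ts,nop,ws"),
    Flow("10.0.5.20", "10.0.9.3", 5432, 63, 29200, "mss,sok,ts,nop,ws"),
    # 10.0.5.20 again: a second, minimal stack behind the same address
    Flow("10.0.5.20", "203.0.113.7", 443, 254, 4096, "mss"),
    Flow("10.0.5.20", "203.0.113.7", 443, 254, 4096, "mss"),
    # 10.0.5.21: an ordinary host with a single stack
    Flow("10.0.5.21", "10.0.9.1", 443, 63, 29200, "mss,sok,ts,nop,ws"),
    Flow("10.0.5.21", "10.0.9.2", 443, 63, 29200, "mss,sok,ts,nop,ws"),
    # 10.0.5.22: one stray differing packet, below min_flows, so not flagged
    Flow("10.0.5.22", "10.0.9.1", 443, 127, 65535, "mss,nop,ws,sok,ts"),
    Flow("10.0.5.22", "10.0.9.1", 443, 127, 65535, "mss,nop,ws,sok,ts"),
    Flow("10.0.5.22", "10.0.9.4", 22, 63, 29200, "mss,sok,ts,nop,ws"),
]


if __name__ == "__main__":
    for src, fps in find_split_hosts(SAMPLE_FLOWS).items():
        print(f"{src}: {len(fps)} distinct stacks behind one address")
        for (ttl, win, opts), n in fps.items():
            print(f"  ttl_base={ttl} window={win} options={opts} flows={n}")
```

Run as written, only 10.0.5.20 is reported, with its two signatures. The same signal is produced by a NAT gateway, a load balancer or several virtual machines sharing an address, so a hit is a trigger for an inventory check against what the asset register says should be at that address, not proof of an implant; raising `min_flows` trades sensitivity for fewer one-off alerts.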

Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones. The metal is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer. “The module looks really innocent, high quality and ‘original’ but it was added as part of a supply chain attack,” he said.

The goal of hardware implants is to establish a covert staging area within sensitive networks, and that’s what Appleboum and his team concluded in this case. They decided it represented a serious security breach, along with multiple rogue electronics also detected on the network, and alerted the client’s security team in August, which then removed them for analysis. Once the implant was identified and the server removed, Sepio’s team was not able to perform further analysis on the chip.

The threat from hardware implants “is very real,” said Sean Kanuck, who until 2016 was the top cyber official inside the Office of the Director of National Intelligence. He’s now director of future conflict and cyber security for the International Institute for Strategic Studies in Washington. Hardware implants can give attackers power that software attacks don’t.

“Manufacturers that overlook this concern are ignoring a potentially serious problem,” Kanuck said. “Capable cyber actors — like the Chinese intelligence and security services — can access the IT supply chain at multiple points to create advanced and persistent subversions.”

One of the keys to any successful hardware attack is altering components that have an ample power supply to them, a daunting challenge the deeper into a motherboard you go. That’s why peripherals such as keyboards and mice are also perennial favorites for intelligence agencies to target, Appleboum said.

In the wake of Bloomberg’s reporting on the attack against Supermicro products, security experts say that teams around the world, from large banks and cloud computing providers to small research labs and startups, are analyzing their servers and other hardware for modifications, a stark change from normal practices. Their findings won’t necessarily be made public, since hardware manipulation is typically designed to access government and corporate secrets, rather than consumer data.

National security experts say a key problem is that, in a cybersecurity industry approaching $100 billion in revenue annually, very little of that has been spent on inspecting hardware for tampering. That’s allowed intelligence agencies around the world to work relatively unimpeded, with China holding a key advantage.

“For China, these efforts are all-encompassing,” said Tony Lawrence, CEO of VOR Technology, a Columbia, Maryland-based contractor to the intelligence community. “There is no way for us to identify the gravity or the size of these exploits — we don’t know until we find some. It could be all over the place — it could be anything coming out of China. The unknown is what gets you and that’s where we are now. We don’t know the level of exploits within our own systems.”

Trump’s axing of cyber czar role has left gaping holes in US defence

Damning report shows Uncle Sam falling behind

Quote

Is this stupid or deliberate? I mean, more lax security makes it easier for others to hack and influence US opinion and elections.

A cybersecurity czar has been a long-established presence in US government – until recently. Against a rising tide of attacks on the nation’s infrastructure and election systems, Donald Trump eliminated the post through an executive order in May.

As if to highlight the deficiency of such a move, just two months later the US Government Accountability Office (GAO) told politicians that Uncle Sam had failed to implement 1,000 cyber protection recommendations from a list of 3,000 made since 2010 that it said are “urgent to protect the nation”. Further, 31 out of a total of 35 more recent priority recommendations were also not acted upon. That testimony was released in a report (PDF) this month.

In the infosec arms race, this does not make comfortable reading, particularly since the US cybersecurity coordinator post has been axed.

Despite progress in some areas such as identifying (if not yet filling) gaps in cybersecurity skills, the GAO reckoned that the security holes have left federal agencies’ information and systems “increasingly susceptible to the multitude of cyber-related threats”.

It told the Office of the President, the US Congress and federal agencies of all stripes to shape up and take cybersecurity seriously.

These omissions include having a more comprehensive cybersecurity strategy, better oversight, maintaining a qualified cybersecurity workforce, addressing security weaknesses in federal systems and information and enhancement of incident response efforts.

Nick Marinos, director of cybersecurity and data protection issues, and Gregory C Wilshusen, director of information security issues, signed off September’s report with a stark warning:

Until our recommendations are addressed and actions are taken to address the challenges we identified, the federal government, the national critical infrastructure, and the personal information of US citizens will be increasingly susceptible to the multitude of cyber-related threats that exist.

The risks to IT systems supporting the federal government and the nation’s critical infrastructure are increasing as security threats continue to evolve and become more sophisticated. These risks include insider threats from witting or unwitting employees, escalating and emerging threats from around the globe, steady advances in the sophistication of attack technology, and the emergence of new and more destructive attacks.

The GAO also blasted the IT sector for compounding these risks: “IT systems are often riddled with security vulnerabilities – both known and unknown.”

The report said in 2017 more than 35,000 cybersecurity incidents at civilian agencies had been reported by the Office of Management and Budget to Congress. A breakdown of these figures revealed that 31 per cent of these attacks were listed as “other”, saying: “If an agency cannot identify the threat vector (or avenue of attack), it could be difficult for that agency to define more specific handling procedures to respond to the incident and take actions to minimize similar future attacks.”

Other incidents listed were improper usage (22 per cent), email/phishing (21 per cent), loss or theft of equipment (12 per cent), and web site or web app origin based attacks (11 per cent).

Attacks cited include a March 2018 threat when the Mayor of Atlanta, Georgia, reported that the city was being victimised by a ransomware attack.

In March the Department of Justice indicted nine Iranians for conducting a “massive cyber security theft campaign” on behalf of the Islamic Revolutionary Guard Corps. That indictment alleged they stole more than 31TB of documents and data from more than 140 American universities, 30 US companies, and five federal government agencies.

The Russians were also called out for targeting critical systems in nuclear, energy, water and aviation.

But, of course, Trump is a little confused when it comes to Russia’s cyber-dabbling in the US.

You can argue the US government fell behind under the watch of the cyber czar and that action was needed, but that hardly necessitated the elimination of this central post.

The GAO testimony and this month’s report rightly question whether the US was doing enough to protect its citizens and critical infrastructure. The answer seemed to be a “must try harder” – but that’s OK, because improvement can only come through such transparency and self-assessment.

Trump’s May decision and this report taken together suggest that if the West was already slipping behind in the cyber war, things can only get worse now that the supposed leader of the free world has deliberately, and carelessly, taken his eye off the ball on the home front.