
XenaLives

12/05/18 12:05 PM

#13305 RE: ToldYaSo #13304

On Cylance -


Genz2 Friday, 10/05/18 05:39:05 PM
Re: None 0
Post # 245434 of 245526

Chinese spy chips would be a ‘god-mode’ hack, experts say

https://www.theverge.com/2018/10/4/17937210/bloomberg-china-microchip-hack-supermicro-amazon-apple-servers

Chinese operatives allegedly poisoned the technical supply chain of major US companies, including Apple and Amazon, by planting a microchip on their servers manufactured abroad, according to a Bloomberg report today. The story claims that one chip, which was reportedly planted on servers’ motherboards assembled for a company called Elemental by a separate company called Super Micro Computer, would allow attackers to covertly modify these servers, bypass software security checks, and, essentially, give the Chinese government a complete backdoor into these companies’ networks.

Affected companies are vigorously disputing the report, claiming they never discovered any malicious hardware or reported similar issues to the FBI. Even taking the Bloomberg report at its word, there are significant unanswered questions about how widely the chip was distributed and how the backdoor access was used.

But the mere idea of a malicious chip implant has already sent shock waves through the security world, which has traditionally focused on software attacks. Nicholas Weaver, a professor at Berkeley’s International Computer Science Institute described an alarming attack. “My initial reaction was ‘HOLY FUCKING SHIT’ [sic],” Weaver told The Verge. “This is a ‘god mode’ exploit in the system management subsystem.”

Security experts have warned for years that the hardware supply chain is at risk, especially considering that China has a monopoly on parts and manufacturing. Up until now, though, we haven’t seen a widespread attack on US companies, as Bloomberg claims to have found. There’s no real way to prevent a hardware attack like this, sources tell The Verge, unless the tech industry wants to drastically rethink how it gets its components and brings products to market.

Katie Moussouris, founder and CEO of Luta Security, says an attacker could use this kind of malicious implant to bypass all software protections, a doomsday scenario for defenders. “If you manage to put something in place in hardware, not only is it difficult to detect, it’s also something that can bypass even the most sophisticated software security measures,” Moussouris told The Verge.

The result requires an entirely new kind of defense, replacing code audits and bug-hunting with checks for physical interference at the hardware level. Jake Williams, the founder of Rendition Infosec, says it would be an entirely new approach for security teams. “We have a bigger fundamental problem,” Williams says, “which is that this stuff is wicked hard to detect and we don’t have tools to do that.”

In some ways, the attacks borrow techniques from jailbreaking, breaking the chain of trust between the hardware and the software instead of attacking the software itself. George Hotz, the legendary jailbreaker-turned-self-driving-entrepreneur, was skeptical of the Bloomberg story, but said a successful supply-chain attack would still be nearly impossible to mitigate with conventional security tools. “If you cannot trust your hardware, you cannot trust anything that the hardware checks,” Hotz says. “Fundamentally, there is no way to check for this in software.”

It’s hard to say how companies like Apple and Amazon could adapt to these new risks. On the hardware level, strange behavior would be like trying to detect a heart murmur. There might be small anomalies every so often, but none would immediately cause alarm. And researchers looking for bugs might not be much help, either. Even if they could get these parts from Supermicro, for example, they’d need enough money and enough supply to run tests. Once you crash or damage a piece of hardware, it’s impossible to start over again, which makes conventional bug bounties hard to implement.

Instead, Moussouris says supply chain risks are a reality we have to accept. Companies have already made their compromise; in exchange for cheap parts, they take the supply chain risk.

“We’ve made choices to outsource the manufacturer of a lot of components in order to be able to get them to market and have them be a viable product,” she says. “Making sure that we understand that we’ve made these tradeoffs is the part that might be taking people by surprise.”
=================================================================
Hardware security with software security (TPM + Wave Endpoint Monitor) would work better against this backdoor (or APT) than software security alone. Software security alone as referenced in this article doesn't protect.
=================================================================
China inserts microchips into motherboards used by Apple, CIA, Amazon

https://www.scmagazine.com/home/news/china-infiltrates-supermicro-subcontractors-to-insert-microchips-into-motherboards-used-by-apple-cia-amazon/

A microchip planted by China on Supermicro motherboards used by organizations, including the CIA, the U.S. military, Amazon and Apple, left sensitive information vulnerable to hacking and underscores the importance of locking down the security of the supply chain whose vast tentacles reach out to touch organizations around the globe.

“It’s the equivalent of the Chinese putting their own Snowden in every agency and private company with elevated access and because it’s in hardware it’d be a nightmare to eradicate,” Brian Vecci, technical evangelist at Varonis, said, explaining that the hardcoded backdoor “gives an advanced threat persistent, privileged access to a variety of systems and data.”

It also pits not only government but private industry against nation-state actors. “The new and recent DHS alerts about the Chinese APT10 ‘RedLeaves’ cyberattack on cloud providers highlight the impossible problem faced by both enterprise and municipal government,” said CipherCloud CEO Pravin Kothari. “The impossible problem is that enterprise and government cannot face off against well-funded nation-state attackers or large scale organized crime. It is a ridiculous proposition to believe otherwise.”

Kothari called for the U.S. government “to step in and defend our internet infrastructure so that normal commerce and communications can continue unhindered.”

American authorities first began a classified investigation of the chips, believed to have been planted by the People’s Liberation Army (PLA), in 2015, according to Bloomberg/BusinessWeek, which broke the story after a multiyear investigative probe of its own.

The PLA inserted itself into the operations of subcontractors in China contributing to Supermicro’s motherboard and sneaked in the chips, which, among other things, can allow hackers to modify servers, insert code and gain access to information.

“These threat actors are playing a long game with pre-attacks like these that position themselves for devastating attacks down the road – they are testing their abilities and an organization’s vulnerabilities to see how far they can go,” said Vecci, who called the “attack…about as surprising as catching Cookie Monster with his hand in the cookie jar.”

What is surprising, he noted, “is that it has only taken a decade or two for the digital world to become so inter-dependent – not just with hardware but with software – today many systems have so much code in common that any upstream compromise is a widespread threat.”

For years, the security industry has warned the supply chain is vulnerable to widespread and damaging attack.

“There are very real and devastating business impacts to supply chain attacks,” said Stephen Boyer, CTO and co-founder, BitSight. “We saw this last year with the NotPetya ransomware attack – which cost Maersk between $250 and $300 million – and now, with [the] Supermicro attack.”

Malcolm Harkins, chief security and trust officer at Cylance, noted that “unfortunately the only surprising element about this attack is that it’s taken so long to be uncovered in a report. Supply chain compromise has been a concern for a long time, and there are multiple nation states with endless motivations who make attacks of this scale a certainty rather than a probability.”

The latest incident is a wakeup call that organizations can’t afford to ignore. “The path ahead is to carefully vet the supply chain,” said Neelima Rustagi, senior director, product management at Demisto. “Unfortunately, foreign countries manufacture most of our chips and systems, so it’s going to be tricky to protect against motivated nation-state actors.”

Kothari said success would be more likely through a collaborative effort between the U.S. and other governments worldwide. “We must do this within the rule of law, put all of the evidence out there in the view of the global community, and enlist the support of our allies to ensure we are successful,” he said.
=================================================================
https://www.wavesys.com/products/wave-endpoint-monitor

Key Features:

Easy security compliance
• Comports with NIST guidelines for BIOS integrity

Data protection
• Ensures that you can trust the integrity of your measurements for central analysis
• Real-time alerts for zero-day detection of APTs
• Get Windows 8 Malware protection now—WEM covers previous versions of Windows

Simplicity
• Uses standards-based security that’s in every PC you own
• Measurement notifications and reports can be customized for your processes and work flows
• Centralized, remote activation and management of your TPMs
• E-discover which PCs in your organization are enabled for endpoint monitoring

No compromises
• Ensure host integrity—without expensive hardware or excessive administrative overhead
https://investorshub.advfn.com/boards/read_msg.aspx?message_id=144030607&txt2find=Cylance
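As an added illustration of the TPM measured-boot mechanism behind the "BIOS integrity" and "trust the integrity of your measurements" features in the Wave list above (example code written for this page, not Wave's, Cylance's or the articles' own; the component names and firmware blobs are constructed placeholders): each boot component is hashed into a PCR in order, the result is compared with a golden baseline, and a single changed byte in the BIOS image is flagged even though nothing at the OS level looks wrong. The caveat matches Hotz's point: only components the boot chain actually measures are covered, so an implant that sits outside the measured set never shows up in the log.

```python
import hashlib

PCR_INIT = bytes(32)  # a TPM 2.0 SHA-256 PCR starts as 32 zero bytes


def extend(pcr: bytes, blob: bytes) -> bytes:
    """TPM PCR extend: new = SHA256(old || SHA256(blob)). Order-sensitive and one-way."""
    return hashlib.sha256(pcr + hashlib.sha256(blob).digest()).digest()


def measure_boot(components):
    """Extend each boot component in order; return the final PCR and the event log."""
    pcr, log = PCR_INIT, []
    for name, blob in components:
        pcr = extend(pcr, blob)
        log.append((name, hashlib.sha256(blob).hexdigest()))
    return pcr, log


def check_integrity(golden_log, observed_log):
    """Diff an observed event log against the golden baseline; list every deviation."""
    golden, observed = dict(golden_log), dict(observed_log)
    findings = []
    for name, digest in observed_log:
        if name not in golden:
            findings.append(f"unexpected component measured: {name}")
        elif golden[name] != digest:
            findings.append(f"measurement mismatch: {name}")
    for name in golden:
        if name not in observed:
            findings.append(f"expected component not measured: {name}")
    return findings


# Constructed known-good boot chain (placeholders standing in for real firmware images).
KNOWN_GOOD = [
    ("bios_core", b"BIOS v1.2 reference image"),
    ("option_rom_nic", b"NIC option ROM 3.0"),
    ("bootloader", b"stage1 bootloader"),
]
GOLDEN_PCR, GOLDEN_LOG = measure_boot(KNOWN_GOOD)

# Same chain with one byte appended to the BIOS image: the PCR no longer matches.
TAMPERED = [(n, b + b"\x90" if n == "bios_core" else b) for n, b in KNOWN_GOOD]


def attest(components):
    """Return (pcr matches golden, findings) for a boot chain; a BMC or other part the
    host never measures is absent from both log and PCR, so this cannot see it."""
    pcr, log = measure_boot(components)
    return pcr == GOLDEN_PCR, check_integrity(GOLDEN_LOG, log)
```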