Slashdot Mirror
DHS Admits Knowledge of Infected Import Tech
smitty777 writes "Deputy Undersecretary Schaffer of the DHS National Protection and Programs Directorate confessed to being aware of foreign technology that had been imported with spyware, malware, and other security risks. According to the article, 'More worryingly, the hearing specifically mentioned hardware components as possibly being compromised — which raises the questions of whether, perhaps, something as innocuous as Flash memory or embedded RFID chips could be used by interested foreign parties.' These hearings were held on July 7th to 'examine the nature and extent of the current threat to America's infrastructure.'"
Spying on Americans is our business!
Is the hardware described EAL certified? If so, to what level? Maybe it's time to raise the bar a little bit for requirements?
http://en.wikipedia.org/wiki/Evaluation_Assurance_Level
Maybe they were looking for new ideas.
Is your mouse infected?
http://pentest.snosoft.com/2011/06/24/netragards-hacker-interface-device-hid/
Who will guard the guards?
Everybody else is doing it.
The DHS is in on it. Do you really think that the US Federal Government is out to protect its CITIZENS' rights?
I want to delete my account but Slashdot doesn't allow it.
Yeah, because nothing built in the good ol' USA would ever be compromised.
An attack like this could have a few purposes. The 2 that come to mind for me are: (1) growing a botnet to steal information from unsuspecting users (and other botnet type uses), or (2) having a specific target in-mind and using broad attacks and hope you penetrate the target.
The virus that hit the nuclear material processing plant in Iran was a piece of Malware that infected thousands and thousands of systems, but its ultimate goal was just a few machines. If these tainted components that enter the US have final targets that are "secure sites" in the US, this seems like a good attack medium.
The US relies heavily in component manufacturing overseas. There are multiple factories a blackhat could inject their malware into, and hope it gets to the final target.
This is especially true if its a government (China comes to mind) that wants information from US sites. The government could walk into a factory in China and tell the manufacturer to inject malware into their production.
Its not what it is, its something else.
Go watch the video of the hearing and listen to what Schaffer actually said. All he says is that he is aware of cases in which products have come into the US with vulnerabilities. He doesn't say a thing about it being done intentionally or that China is doing it or anyone else is doing it. The question was crappy and badly worded, too. 52 minute mark. http://www.youtube.com/watch?v=xFlgaJa4UVk
in fact, I think I recognize that. isn't that the computer history museum at the old SGI site in mtn view?
just seems strange to show a photo of a computer museum. if anything, those old computers would be more trustable now, compared to the complex 'dont know really what is entirely inside' boxes we have now. (I'm half serious).
--
"It is now safe to switch off your computer."
to me, the telling part was:
During questioning, Schaffer said that a whole-of-government effort would be required to combat security holes caused by malware and spyware making their way through America's electronics supply chain.
dunno. doesn't that look a bit like a plea for more (intrusive) government powers?
--
"It is now safe to switch off your computer."
This must be their version of operation Fast and Furious, but true to DHS tradition, they got it backward :-)
Infuriate left and right
Well, it'd be easier to catch impropriety here than in China or Taiwan. At least Wikileaks and myriad of other groups aren't afraid of releasing evidence of wrong doing committed by the US entities, and we have plenty of whistleblowers with public interest in mind to provide them the data. If we depend on China for supply, what leaks organisation will dare keep them in check? I suspect no one.
your thin skin doesn't make me a troll
sorry, one more followup.
this also irked me:
The emergence of new centers for manufacturing, design, and research across the globe raises concerns about the potential for easier subversion of computers and networks through subtle hardware or software manipulations. Counterfeit products have created the most visible supply problems, but few documented examples exist of unambiguous, deliberate subversions.
conterfeit products.
ugh.
first of all, SONY comes to mind as a master rootkit installer. was this counterfeit? hardly! most recognizeable brand name, perhaps, in the world.
second, I would not trust brand names any more or less than 'counterfeit' brands. this does seem like a 'request' for more powers of search/seizure or whatever.
tell me I'm wrong. please.
--
"It is now safe to switch off your computer."
A while ago I bought this neat little toy from a wholesale shopping club, supposed to show the current and forecast local weather. The device was wireless, and came with a wireless broadcast device that plugged into your internet connection. While setting up the device it became clear that the wireless link was bidirectional, with information about the wireless device showing up on the controlling web page. While the company was based in the US, the device was manufactured in China.
This is exactly the sort of toy many executives would put on their desks at work, potentially providing wireless access behind their firewalls. Did the device have such functionality? No idea. Just in case, however, it is now plugged in to an uplink with nothing worth compromising.
The faulty ones, the fake ones, the overpriced ones, the wrongly labelled ones, everything is imported.
Did they think the infected ones would be manufactured locally?
On the other side of the coin, it could be his way of saying "Trying to prevent this is sort of thing is futile."
I would not trust brand names any more or less than 'counterfeit' brands.
Wise man. After all, even genuine Apple iPhones are manufactured in a factory in China. Who knows what's really in the circuits they're installing? Has Apple ever reverse-engineered the chips out of a production iPhone? Of course not, why would they.
It's a way of saying "Homeland Security is too hard for the Department of Homeland Security so get off our case."
So there are devices that execute code read from RFID?
I mean usually it is an ID. Not a program.
possibly being compromised
Hey Einstein, your anus is possibly constipated with yesterday's tacos.
Also, in today's breaking news:
The head of the Food and Drug Administration confessed to being aware that there are purveyors of ineffective quackery.
The head of the Federal Bureau of Investigation admitted that criminals exist in the United States
The chief of the Secret Service acknowledged that counterfeiters are, as we speak, illegally producing counterfeit copies of the nation's currency.
The head commissioner of the FTC sheepishly confirmed that there exist online stores that have no intention of delivering ordered items.
The chief of the Drug Enforcement Agency was cornered into saying that drugs considered illegal under U.S. law are regularly sold and consumed by citizens.
And lastly, the "Deputy Undersecretary Schaffer of the DHS National Protection and Programs Directorate confessed to being aware of foreign technology that had been imported with spyware, malware, and other security risks."
No $hit, Sherlock. They are a law enforcement agency. Such agencies exist because laws are being violated. We'd be pretty upset if they denied this was the case. Where is the story here?
Subsidizing has been tried before and it's a waste of money.
Unfortunately companies doesn't realize that offshoring construction in the long run is a bad idea because it doesn't develop their processes much and it drains the country from money. Automation of manufacturing processes will also mean that you have to get rid of employees but you will still keep the money circulation at home.
So in the end this means that the US and Europe are bound to lose if they can't cover for the trade deficit that appears. Combined with offshoring is also competence loss since a lot of competence comes from the living process.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
even genuine Apple iPhones are manufactured in a factory in China
Probably, in fact, the same factory that manufactures the clones...
Sent from your iPhone
Hint: between Obama and Darth Jar-Jar, one of them publicly admitted to committing war crimes during press conferences.
The conservatives and libertarians passed laws to give corporations tax breaks for shipping jobs overseas, and they have filibustered every attempt the Democrats made at ending the whole rewarding-companies-for-putting-Americans-out-of-work thing. Not only would this not "go down good with politicos", there's a fair chance that you'll be accused of being a traitor and experience the joy of being flooded with anonymous death threats from freepers and the like.
The Democrats on the other hand would be too busy apologizing to the Republicans for your existence and seeking new ways to appease them to bother considering your idea.
The faulty ones, the fake ones, the overpriced ones, the wrongly labelled ones, everything is imported.
And the working, reasonably prized, correctly labelled ones are imported, too.
The Tao of math: The numbers you can count are not the real numbers.
Like 3G USB sticks made by Huawei? They're poorly done in that it's so obvious they're spying on you but still what is going on as soon as you plug one of these into OS X is frightening.
> These hearings were held on July 7th to 'examine the nature and extent of the current threat to America's infrastructure ..
Would it be that certain vested interests are using national security as a pretext to shutdown foreign imports?
Pick one.
Welcome to the wonderful wild world of outsourcing.
Please do not read this sig. Thank you.
The problem with compromised hardware wouldn't have existed, or at least not on that scale, if it wasn't for the fact that devices are increasingly connected to the Internet. If it wasn't for that, you would have no way to control your compromised hardware. So at most you could make it defective at some level, or make it become defective after a set period of time. It's the equivalent of remote control bomb vs time bomb - the time bomb is essentially 'dumb', it can't be controlled. The point is you can't use the compromised hardware at the exact moment you need it. So compromised hardware isn't that sinister for standalone machines that are not connected in any way, or are connected to isolated networks.
This hearing is aimed at building support for more US based electronics manufacturing.
The government is mildly concerned that consumer electronics hardware is have mysterious circuits that US designers did not ask to be put in them.
The government is scared shitless that the same questionable electronics may end up in military hardware.
We must learn to live with our trousers down.