Slashdot Mirror


New Evidence of Hacked Supermicro Hardware Found in US Telecom: Bloomberg (bloomberg.com)

A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., Bloomberg reported Tuesday. From the report:

The security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery following the publication of an investigative report in Bloomberg Businessweek that detailed how China's intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period ending in 2015. Appleboum previously worked in the technology unit of the Israeli Army Intelligence Corps and is now co-chief executive officer of Sepio Systems in Gaithersburg, Maryland. His firm specializes in hardware security and was hired to scan several large data centers belonging to the telecommunications company. Bloomberg is not identifying the company due to Appleboum's nondisclosure agreement with the client. Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server's Ethernet connector, a component that's used to attach network cables to the computer, Appleboum said.

6 of 191 comments

  1. Re:Bloomberg! Bloomberg! Bloomberg! by Sarten-X · · Score: 3, Insightful

    Nope, nor have enough details been released that somebody could even start. There's speculation, but Bloomberg hasn't published anything that would let someone verify it on their own.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  2. Re:Bloomberg! Bloomberg! Bloomberg! by Calydor · · Score: 3, Insightful

    Does Bloomberg?

    --
    -=This sig has nothing to do with my comment. Move along now=-
  3. Re:Bloomberg! Bloomberg! Bloomberg! by Sarten-X · · Score: 5, Insightful

    The public deserves the truth.

    Security is complicated. On the one hand, perfect security is impossible. Your servers can be hacked, your data can be stolen, and your users can be phished.

    However, there is another perspective that I think is equally important, if not more so: It's not hopeless. The attackers are not omnipotent. They have 9-5 schedules, bureaucracies, budgets, and deadlines. If your system is protected well enough that your attackers' budget runs out, it will stay safe. From that perspective, security is just a matter of economics. Your security is bought by spending a little money and effort to drastically increase the effort the attackers need to spend.

    An attacker embedding a custom chip in server hardware, then processing thousands of phone-home results is expensive for them, and unlikely to get a result. However, replacing your whole data center to use non-Supermicro servers is also expensive. Frankly, the whole thing probably isn't worth anybody's time.

    Breaking into an internet-facing server with a default password is easy. There are lots of routers and firewalls out there with default credentials or hidden backdoor accounts. Exploiting one of those is ridiculously cheap for an attacker, and gets them far better results.

    The notion of "the attacker is almighty" doesn't help improve overall security, because it silences discussion about how to actually improve security posture. Instead, we should set aside hardware concerns for now, and ask "What's the easiest way we can be attacked, and how can we fix it?", then make the fix, and repeat until your own budget runs out.

    My skepticism is not about doubting China's ability. I'm sure China (or any nation or well-funded individual) could get hardware inserted into servers. What I'm skeptical of is whether China (or any nation or well-funded individual) would even bother with the expense and risk when they could send a phishing campaign instead.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  4. Re:I have a load of SuperMicro gear by ole_timer · · Score: 4, Insightful

    you have no ip worth stealing...why would they go after you?

    --
    nothing to see here - move along
  5. Re:Bloomberg! Bloomberg! Bloomberg! by Aighearach · · Score: 5, Insightful

    >Does anybody think the Chinese government deserves the benefit of the doubt?

    >Does Bloomberg?

    Yes. Bloomberg is a center-right media outlet, and almost all of their profitable business is related to selling financial information to professionals. They make an industry-leading software product called Bloomberg Terminal that they use to disseminate this information.

    I wouldn't trust them on political reporting, because they tend to give the perspective of a center-right business executive. But on general news that doesn't relate to their industry, they are nothing if not mainstream. They don't go for bombastic tabloid nonsense, it would tarnish their brand. Getting page views isn't the purpose of their public news service; enhancing their brand is the purpose.

    Therefore, I would give Bloomberg the benefit of the doubt that they believe this information to be true, and to be of great import to purchasing and IT managers, in addition to investors and financial services providers. This is big enough that the insurance community is probably taking a lot of interest, too. They would never intentionally publish a false report that purported to be of great interest to the industries where they make their bread-and-butter; it would be all downside for them.

    https://www.bloomberg.com/comp...
    Don't worry about the PR there, just look at the bottom of the page under "Products" and "Industry Products" and you can understand why they are a trusted source on this; they'd lose a lot by being wrong. And they have a lot to lose.

  6. Re:US Government does not want egg on face by TechyImmigrant · · Score: 1, Insightful

    >The US government is going to bury this at all costs

    The US government would love a culture of suspicion of foreign built hardware to develop.

    That's one plausible source of the story.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.