Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

DHS Admits Knowledge of Infected Import Tech

Soulskill posted more than 3 years ago | from the mal-where? dept.

Security 59

smitty777 writes "Deputy Undersecretary Schaffer of the DHS National Protection and Programs Directorate confessed to being aware of foreign technology that had been imported with spyware, malware, and other security risks. According to the article, 'More worryingly, the hearing specifically mentioned hardware components as possibly being compromised — which raises the questions of whether, perhaps, something as innocuous as Flash memory or embedded RFID chips could be used by interested foreign parties.' These hearings were held on July 7th to 'examine the nature and extent of the current threat to America's infrastructure.'"

cancel ×

59 comments

Sorry! There are no comments related to the filter you selected.

Hey! (4, Insightful)

chemicaldave (1776600) | more than 3 years ago | (#36699574)

Spying on Americans is our business!

Re:Hey! (5, Funny)

liquidweaver (1988660) | more than 3 years ago | (#36699644)

Spying on Americans is our business!

Spy on us ? Why, that would indicate some amount of distrust. Why would the government distrust us? They are here to serve us, and our opinions are really important to them - we event vote for them for crying out loud. I sure know my vote counts, I see it all the time. Every big decision the government makes (you know, healthcare, civil liberties, where/when we go to war), a vote is called and we only do if the majority are game. I mean, this is a democracy, right? That's what we do. America - full of proud citizens whose relationship with their government is forged with a mutual respect and understanding.

Re:Hey! (-1, Troll)

DNS-and-BIND (461968) | more than 3 years ago | (#36700198)

Careful, citizen. Opposition to the President is racism. [cnn.com] You're not a racist, are you? Please check your skin tone in the mirror to make sure. If you are a racist, the only patriotic thing to do is to sign an organ donor card and drive your car off the freeway at 105mph.

Re:Hey! (4, Insightful)

hairyfeet (841228) | more than 3 years ago | (#36700304)

Uhhhh...did you READ what you linked to? Former pres Carter said comparing Obama to Hitler or saying they should have buried Obama when they buried Ted Kennedy is going too far and you know what? He is right. You want to say he is a shitty POTUS? Fine I agree with you as a matter of fact, but comparing him to one of the biggest mass murderers in history is not only ridiculous but an insult to all those that suffered to get rid of the Nazis in WWII. There is a difference between dissent and being a troll, and I think most of us would agree the Bushhitler and Obamahitler posters were just that, trolling.

As for TFA well surprise surprise to quote Gomer Pile, you send all the manufacturing overseas to a country that has been artificially lowering the value of ITS currency to make sure imports tank and exports rise, a not nice thing to do in the first place, and then you're shocked they may be doing other not nice things like pwning the gear they sell you? Can we get a DUH boys and girls? The very same country that was paying dirt farmers in Kosovo to dig up our crashed F117 so they could steal the tech, THAT country? Naaah, what makes you think they'd do anything naughty?

To paraphrase a line from one of my favorite movies "Why do you think they are so big? Its because they fucking steal, every idea that ain't nailed down" and what better way to steal ideas that put a bunch of backdoors, rootkits, and other nasties on the products that we are hooked on like crack?

Ah, the old "both sides are just as bad" argument (1)

Benfea (1365845) | more than 3 years ago | (#36702766)

Hint: between Obama and Darth Jar-Jar, one of them publicly admitted to committing war crimes during press conferences.

Re:Hey! (0)

Alaska Jack (679307) | more than 3 years ago | (#36701424)

Every big decision the government makes (you know, healthcare, civil liberties, where/when we go to war), a vote is called and we only do if the majority are game.

You're a little behind the times -- about 23 centuries or so.

It's called Mob Rule, and even the ancient Greeks came to understand that this was a bad idea.

It was one of the things the American founders were trying to avoid.

- aj

Re:Hey! (0)

Anonymous Coward | more than 3 years ago | (#36701558)

You're right, the founders of the U.S. knew that an inequal democracy was impossible. But while the Greeks tried to avoid mob rule by increasing equality, the founding fathers tried to avoid mob rule by decreasing democracy.

Re:Hey! (0)

Anonymous Coward | more than 3 years ago | (#36702610)

Sarcasm. Learn it.

Re:Hey! (1)

Rennt (582550) | more than 3 years ago | (#36703108)

I mean, this is a democracy, right?

Actually, no - it's not. A democratic republic sure, but that's a very different beast. It means you get to choose who rules, but not how they rule.

I get you were being sarcastic, but in a republic the Government would be fools if they didn't mistrust the People.

Re:Hey! (3, Insightful)

cayenne8 (626475) | more than 3 years ago | (#36699672)

Geez...who would have ever thought that moving all our manufacturing, especially of IT components offshore would have engendered these types of risks???

[rolls eyes]

Seems like now...setting up an expensive chip fabrication plant, all in the US, would be a profitable business venture...market to the US federal govt. only US made electronics, certified not to have foreign malware contained within? Not only would they buy the higher priced components, but would easily pay a premium on top of that for a nice profit.

It would go down good with politicos too...due to creating new US jobs.

Re:Hey! (5, Interesting)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36699904)

It would be even cheaper to buy a nice, respectable-looking pre-aged shell company [nevada-corporation.com] (complete with years of respectable history, in a state with corporate disclosure rules approximately as stiff as Somalia's... Add a lawyer as a corporate officer to gain attorney-client privilege for just a small additional fee!) and then sell counterfeit parts re-marked as True, Blue, All-American ones.

If you suffer the comparatively unlikely misfortune of getting caught, just fold the shell and buy another one! It's not like you are dealing pot or anything serious, so the risk of having the consequences make it past your corporate person and back to you personally are well worth the profit...

Re:Hey! (1)

Anonymous Coward | more than 3 years ago | (#36700116)

I think you are correct in assuming that US made government certified tech would not have foreign malware in it. It would only contain US government certified malware put there in place to spy on "the bad guys"

Go down good with politicos, are you nuts? (1)

Benfea (1365845) | more than 3 years ago | (#36702784)

The conservatives and libertarians passed laws to give corporations tax breaks for shipping jobs overseas, and they have filibustered every attempt the Democrats made at ending the whole rewarding-companies-for-putting-Americans-out-of-work thing. Not only would this not "go down good with politicos", there's a fair chance that you'll be accused of being a traitor and experience the joy of being flooded with anonymous death threats from freepers and the like.

The Democrats on the other hand would be too busy apologizing to the Republicans for your existence and seeking new ways to appease them to bother considering your idea.

Re:Hey! (1)

thoughtlover (83833) | more than 3 years ago | (#36755222)

Geez...who would have ever thought that moving all our manufacturing, especially of IT components offshore would have engendered these types of risks???

And you don't think that if we kept IT component fabrication here that the US government wouldn't be putting their spyware inside? At the rate our government is becoming less-transparent, I'd expect the spy agencies to do such a thing. I remember laughing at that old take-off of the Intel logo that said "Big Brother Inside". That's one reason that opensource hardware is such a cool idea.

Re:Hey! (2, Interesting)

arisvega (1414195) | more than 3 years ago | (#36699686)

confessed to being aware of foreign technology that had been imported with spyware

This is practically treason - mostly because of the position this individual occupies.

Re:Hey! (2)

Asic Eng (193332) | more than 3 years ago | (#36700274)

I don't quite follow that. As much as I dislike the whole concept of the DHS: of course he is aware of foreign technology being imported with spyware, it's his job to be aware of threats like that. It's not a new threat either [theregister.co.uk] .

It might potentially be treasonous not to do something about it - but he didn't admit to that, quite to the contrary he gave evidence to the actions they are taking and ought to take.

BTW is "interested foreign parties" our new code for "China"? Just curious.

Re:Hey! (1)

arisvega (1414195) | more than 3 years ago | (#36703374)

It might potentially be treasonous not to do something about it

I stand corrected, then - let us see whether he acts as far as his authority allows.

I do believe, though, that the right word is 'treacherous' =)

Re:Hey! (1)

thejynxed (831517) | more than 3 years ago | (#36730982)

China, India, and Israel. I've also heard Brazil has been getting caught red-handed at these types of actions lately.

Would EAL help? (0)

Anonymous Coward | more than 3 years ago | (#36699614)

Is the hardware described EAL certified? If so, to what level? Maybe it's time to raise the bar a little bit for requirements?

http://en.wikipedia.org/wiki/Evaluation_Assurance_Level [wikipedia.org]

Re:Would EAL help? (1)

Z00L00K (682162) | more than 3 years ago | (#36702514)

Set up a requirement that no hardware capable of storing data may be pre-installed or formatted and that it has to be formatted and loaded only from trusted sources.

Many USB sticks and external harddisks are sold pre-formatted and pre-installed. And computers too.

Then subsidize homegrown component manufacturing (0)

Anonymous Coward | more than 3 years ago | (#36699642)

Everybody else is doing it.

Re:Then subsidize homegrown component manufacturin (2)

JeremyR (6924) | more than 3 years ago | (#36699676)

Yeah, because nothing built in the good ol' USA would ever be compromised.

Re:Then subsidize homegrown component manufacturin (3, Interesting)

poity (465672) | more than 3 years ago | (#36699872)

Well, it'd be easier to catch impropriety here than in China or Taiwan. At least Wikileaks and myriad of other groups aren't afraid of releasing evidence of wrong doing committed by the US entities, and we have plenty of whistleblowers with public interest in mind to provide them the data. If we depend on China for supply, what leaks organisation will dare keep them in check? I suspect no one.

Re:Then subsidize homegrown component manufacturin (0)

Anonymous Coward | more than 3 years ago | (#36700118)

The faulty ones, the fake ones, the overpriced ones, the wrongly labelled ones, everything is imported.

Did they think the infected ones would be manufactured locally?

Re:Then subsidize homegrown component manufacturin (1)

maxwell demon (590494) | more than 3 years ago | (#36703358)

The faulty ones, the fake ones, the overpriced ones, the wrongly labelled ones, everything is imported.

And the working, reasonably prized, correctly labelled ones are imported, too.

Re:Then subsidize homegrown component manufacturin (1)

Z00L00K (682162) | more than 3 years ago | (#36702552)

Subsidizing has been tried before and it's a waste of money.

Unfortunately companies doesn't realize that offshoring construction in the long run is a bad idea because it doesn't develop their processes much and it drains the country from money. Automation of manufacturing processes will also mean that you have to get rid of employees but you will still keep the money circulation at home.

So in the end this means that the US and Europe are bound to lose if they can't cover for the trade deficit that appears. Combined with offshoring is also competence loss since a lot of competence comes from the living process.

In on it (1)

Gothmolly (148874) | more than 3 years ago | (#36699650)

The DHS is in on it. Do you really think that the US Federal Government is out to protect its CITIZENS' rights?

Re:In on it (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36699956)

But would the DHS want a situation where others have backdoors?

When you have broad legal rights to flash a warrant and a gun(or skip the warrant, if that is too much hassle) and get the access you want within your area of jurisdiction, insecure systems are not in your interest: you want highly secure systems that people are legally obligated to unlock at your request.

The legal right to demand access to a system is a monopoly. The ability to access a system by exploiting its bugs is a power shared with everybody who knows how to exploit them, a much longer list. Why would the entity with the monopoly over the legal right encourage its competitors by tolerating insecure systems?

Re:In on it (1)

TheGratefulNet (143330) | more than 3 years ago | (#36700012)

When you have broad legal rights to flash a warrant and a gun(or skip the warrant, if that is too much hassle) and get the access you want within your area of jurisdiction, insecure systems are not in your interest: you want highly secure systems that people are legally obligated to unlock at your request.

insightful, in the true sense of the word. (but I wish it wasn't this that you were so insightful about; this isn't exactly good news, really).

Sounds like the attack on Iran (1)

Necroman (61604) | more than 3 years ago | (#36699680)

An attack like this could have a few purposes. The 2 that come to mind for me are: (1) growing a botnet to steal information from unsuspecting users (and other botnet type uses), or (2) having a specific target in-mind and using broad attacks and hope you penetrate the target.

The virus that hit the nuclear material processing plant in Iran was a piece of Malware that infected thousands and thousands of systems, but its ultimate goal was just a few machines. If these tainted components that enter the US have final targets that are "secure sites" in the US, this seems like a good attack medium.

The US relies heavily in component manufacturing overseas. There are multiple factories a blackhat could inject their malware into, and hope it gets to the final target.

This is especially true if its a government (China comes to mind) that wants information from US sites. The government could walk into a factory in China and tell the manufacturer to inject malware into their production.

Re:Sounds like the attack on Iran (0)

Anonymous Coward | more than 3 years ago | (#36699706)

An attack like this could have a few purposes. The 2 that come to mind for me are: (1) growing a botnet to steal information from unsuspecting users (and other botnet type uses), or (2) having a specific target in-mind and using broad attacks and hope you penetrate the target.

The virus that hit the nuclear material processing plant in Iran was a piece of Malware that infected thousands and thousands of systems, but its ultimate goal was just a few machines. If these tainted components that enter the US have final targets that are "secure sites" in the US, this seems like a good attack medium.

The US relies heavily in component manufacturing overseas. There are multiple factories a blackhat could inject their malware into, and hope it gets to the final target.

This is especially true if its a government (China comes to mind) that wants information from US sites. The government could walk into a factory in China and tell the manufacturer to inject malware into their production.

lol.

Story is misleading (5, Informative)

Anonymous Coward | more than 3 years ago | (#36699722)

Go watch the video of the hearing and listen to what Schaffer actually said. All he says is that he is aware of cases in which products have come into the US with vulnerabilities. He doesn't say a thing about it being done intentionally or that China is doing it or anyone else is doing it. The question was crappy and badly worded, too. 52 minute mark. http://www.youtube.com/watch?v=xFlgaJa4UVk [youtube.com]

Re:Story is misleading (0)

Anonymous Coward | more than 3 years ago | (#36702758)

Throw a URI Fragment of the form #t=1h2m3s after a YouTube video link to have it start at that time when someone opens the link.

Link to the video at 52m mark [youtube.com] .

that photo - what's it got to do with anything? (2)

TheGratefulNet (143330) | more than 3 years ago | (#36699782)

in fact, I think I recognize that. isn't that the computer history museum at the old SGI site in mtn view?

just seems strange to show a photo of a computer museum. if anything, those old computers would be more trustable now, compared to the complex 'dont know really what is entirely inside' boxes we have now. (I'm half serious).

this is another pathetic attempt at a power-grab? (3, Interesting)

TheGratefulNet (143330) | more than 3 years ago | (#36699834)

to me, the telling part was:

During questioning, Schaffer said that a whole-of-government effort would be required to combat security holes caused by malware and spyware making their way through America's electronics supply chain.

dunno. doesn't that look a bit like a plea for more (intrusive) government powers?

Re:this is another pathetic attempt at a power-gra (3, Insightful)

TheGratefulNet (143330) | more than 3 years ago | (#36699976)

sorry, one more followup.

this also irked me:


The emergence of new centers for manufacturing, design, and research across the globe raises concerns about the potential for easier subversion of computers and networks through subtle hardware or software manipulations. Counterfeit products have created the most visible supply problems, but few documented examples exist of unambiguous, deliberate subversions.

conterfeit products.

ugh.

first of all, SONY comes to mind as a master rootkit installer. was this counterfeit? hardly! most recognizeable brand name, perhaps, in the world.

second, I would not trust brand names any more or less than 'counterfeit' brands. this does seem like a 'request' for more powers of search/seizure or whatever.

tell me I'm wrong. please.

Re:this is another pathetic attempt at a power-gra (0)

Anonymous Coward | more than 3 years ago | (#36700212)

I would not trust brand names any more or less than 'counterfeit' brands.

Wise man. After all, even genuine Apple iPhones are manufactured in a factory in China. Who knows what's really in the circuits they're installing? Has Apple ever reverse-engineered the chips out of a production iPhone? Of course not, why would they.

Re:this is another pathetic attempt at a power-gra (1)

julesh (229690) | more than 3 years ago | (#36702708)

even genuine Apple iPhones are manufactured in a factory in China

Probably, in fact, the same factory that manufactures the clones...

Re:this is another pathetic attempt at a power-gra (2)

chemicaldave (1776600) | more than 3 years ago | (#36700202)

On the other side of the coin, it could be his way of saying "Trying to prevent this is sort of thing is futile."

Re:this is another pathetic attempt at a power-gra (0)

Anonymous Coward | more than 3 years ago | (#36700234)

It's a way of saying "Homeland Security is too hard for the Department of Homeland Security so get off our case."

Re:this is another pathetic attempt at a power-gra (0)

Anonymous Coward | more than 3 years ago | (#36743570)

We must learn to live with our trousers down.

Jealous of BATFE? (1)

A nonymous Coward (7548) | more than 3 years ago | (#36699842)

This must be their version of operation Fast and Furious, but true to DHS tradition, they got it backward :-)

weather device (1)

TheSHAD0W (258774) | more than 3 years ago | (#36700022)

A while ago I bought this neat little toy from a wholesale shopping club, supposed to show the current and forecast local weather. The device was wireless, and came with a wireless broadcast device that plugged into your internet connection. While setting up the device it became clear that the wireless link was bidirectional, with information about the wireless device showing up on the controlling web page. While the company was based in the US, the device was manufactured in China.

This is exactly the sort of toy many executives would put on their desks at work, potentially providing wireless access behind their firewalls. Did the device have such functionality? No idea. Just in case, however, it is now plugged in to an uplink with nothing worth compromising.

Re:weather device (1)

TheGratefulNet (143330) | more than 3 years ago | (#36700214)

doesn't this bring up the old notion of 'unknown code' or code that you can't verify?

systems are so complex, I doubt ANYONE could totally verify the typical desktop pc that we all have. maybe 20 years ago, individuals could actually audit and know everything that goes on inside. today, impossible. even whole teams can't know all that goes on inside, hw and sw, both. add in a network connection and, well, good luck!

if the DHS really cared about security, they'd be pushing for ALL open soruce hardware and software.

don't see that happening, though. pigs will fly, first.

Infected RFID tags (1)

zAPPzAPP (1207370) | more than 3 years ago | (#36700404)

So there are devices that execute code read from RFID?
I mean usually it is an ID. Not a program.

Re:Infected RFID tags (1)

Big Smirk (692056) | more than 3 years ago | (#36700980)

In fact, passive RFID chips are so small and dense (and designed in USA or Europe) there is no room for extra functionality. At best there would be a dozen or so extra transistors sprinkled around. When you are trying to make millions of devices, the more chips you can pack on a wafer yeilds more profit. Also, every extra transistor affects sensitivity.

Finally, these RFID tags are read by a reader. So in theory, one attack vector could be SQL injection. ID lengths are like 96 bits. Not a lot of room for a SQL inject attack.

Now most of these mass produced are built on old tech fabs in East Asia. As the technology matures the ID lengths get longer and longer to the point that one day there might be enough room for more. Right now, nothing to worry about.

Re:Infected RFID tags (0)

Anonymous Coward | more than 3 years ago | (#36703410)

It might be "infected" with something like "we have universal keys and can read/copy any of your ID cards" - sounds more dangerous now?

confess to being aware of what? (0)

Anonymous Coward | more than 3 years ago | (#36700720)

possibly being compromised

Hey Einstein, your anus is possibly constipated with yesterday's tacos.

In other news... (1)

sirwired (27582) | more than 3 years ago | (#36700782)

Also, in today's breaking news:

The head of the Food and Drug Administration confessed to being aware that there are purveyors of ineffective quackery.

The head of the Federal Bureau of Investigation admitted that criminals exist in the United States

The chief of the Secret Service acknowledged that counterfeiters are, as we speak, illegally producing counterfeit copies of the nation's currency.

The head commissioner of the FTC sheepishly confirmed that there exist online stores that have no intention of delivering ordered items.

The chief of the Drug Enforcement Agency was cornered into saying that drugs considered illegal under U.S. law are regularly sold and consumed by citizens.

And lastly, the "Deputy Undersecretary Schaffer of the DHS National Protection and Programs Directorate confessed to being aware of foreign technology that had been imported with spyware, malware, and other security risks."

No $hit, Sherlock. They are a law enforcement agency. Such agencies exist because laws are being violated. We'd be pretty upset if they denied this was the case. Where is the story here?

Re:In other news... (0)

Anonymous Coward | more than 3 years ago | (#36702364)

AT ABOUT 2AM SUNDAY MORNING....
A bunch of horses were running in circles around a photo development island in the middle of an asphault lot, when these horses were scanned for their RFID chips they registered as Gilette Track III, Mach 4, CPU ASSY AMD 001, CPU ASSY ACER 002, Relapse Records Contaminated VOl 7 CD, and even a few borders books skews, after the TSA xrayed and disected the horses it was found the horses did not contain any of the RFID items scanned. Officer Cheney said, "Just like witches those rotten horses are, if I had my way I would have tied them to a large rock, if they float they are guilty, I can't wait until I get to work off world with the death ray, it's going to be fun"

sgtet (-1)

Anonymous Coward | more than 3 years ago | (#36701598)

I really like this post, thanks.Four major U.S. professional league jerseys --nfl womens jerseys [wondernbajerseys.com]
Adapt Gender: Neutral / both men and women, Age: adult, for Movement: rugby clothing, fabrics: Cotton, Size: M, L, XL, XXL, season: spring, summer, autumn, winter, design: other, Color: White authentic nfl jerseys [wondernbajerseys.com]

Re:sgtet (0)

Anonymous Coward | more than 3 years ago | (#36702746)

Sent from your iPhone

What about state-sponsored spying devices? (0)

Anonymous Coward | more than 3 years ago | (#36703450)

Like 3G USB sticks made by Huawei? They're poorly done in that it's so obvious they're spying on you but still what is going on as soon as you plug one of these into OS X is frightening.

Re:What about state-sponsored spying devices? (0)

Anonymous Coward | more than 3 years ago | (#36703824)

> Like 3G USB sticks made by Huawei? They're poorly done in that it's so obvious they're spying on you but still what is going on as soon as you plug one of these into OS X is frightening ..

Like how is it done, tell more ...

current threat to America's infrastructure? (0)

Anonymous Coward | more than 3 years ago | (#36703792)

> These hearings were held on July 7th to 'examine the nature and extent of the current threat to America's infrastructure ..

Would it be that certain vested interests are using national security as a pretext to shutdown foreign imports?

Cheap or secure? (1)

gestalt_n_pepper (991155) | more than 3 years ago | (#36703874)

Pick one.

Welcome to the wonderful wild world of outsourcing.

Compromised hardware and the Internet (1)

satuon (1822492) | more than 3 years ago | (#36704364)

The problem with compromised hardware wouldn't have existed, or at least not on that scale, if it wasn't for the fact that devices are increasingly connected to the Internet. If it wasn't for that, you would have no way to control your compromised hardware. So at most you could make it defective at some level, or make it become defective after a set period of time. It's the equivalent of remote control bomb vs time bomb - the time bomb is essentially 'dumb', it can't be controlled. The point is you can't use the compromised hardware at the exact moment you need it. So compromised hardware isn't that sinister for standalone machines that are not connected in any way, or are connected to isolated networks.

aimed at getting more production here (0)

Anonymous Coward | more than 3 years ago | (#36704442)

This hearing is aimed at building support for more US based electronics manufacturing.

The government is mildly concerned that consumer electronics hardware is have mysterious circuits that US designers did not ask to be put in them.

The government is scared shitless that the same questionable electronics may end up in military hardware.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>