Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Android
    • Android
    • Apple
    • Applications
    • Cybersecurity
    • Development
    • Mobile
    • PC Hardware

    A Chip Off the Old Computer

    By
    Wayne Rash
    -
    October 6, 2018
    Share
    Facebook
    Twitter
    Linkedin
      Bloomberg.SuperMicro.China.malware

      The story in Bloomberg Businessweek was lurid in the extreme. It read like an Ian Fleming novel, included stylized images of computer circuit boards and had pictures of a tiny chip. What happened, according to the story, was that Chinese hackers working for that nation’s military had found a way to insert a tiny surveillance chip on motherboards sold by Super Micro Computer to major U.S. companies and to the government.

      The computers containing those motherboards were sold to about 30 organizations, including Apple and Amazon, the story said. The story also alleged that those companies removed the affected computers and worked with the government in an elaborate investigation. All of the companies involved now say it’s not true and that it never happened.

      Whether the scheme went down as the report in Businessweek said it did is open to debate. A number of security experts find it unlikely and have suggested that such a plan had too many points of possible failure to be taken seriously. The idea that the Chinese government somehow managed to redesign the motherboards of these computers to accept this malware-laden chip and then to add the chips to the supply chain so that they were inserted into the build process strains credulity of the story.

      Special Tiny Chip Isn’t Even Necessary

      The process of redesigning and re-engineering a new motherboard is nontrivial. Ironically, the special tiny chip that makes up the story isn’t even necessary. Super Micro motherboards, like the motherboards from other companies, contain firmware on a memory chip that’s already on the motherboard. As the Russians found with their UEFI malware, you can put malware that does what the Chinese malware is said to do on that chip.

      Such an attack is a much cleaner, much more secure means of delivering infected hardware, and it’s harder to find. If the Chinese had wanted to infect Super Micro servers, embedding the malware in the memory with the firmware would have worked. Perhaps more important, this has been the practice anyway.

      Anthony James, vice president for cloud security for CipherCloud, points out that such attacks by China have been going on for years. “We ran into an attack that came out of China, called Zombie 0, that ran on a Chinese bar code scanner,” James said.

      James said the infected scanners were found at a customer site, and when new scanners were ordered, they exhibited the same behavior of sending information to China. He said that his team created some fake data to see just what the malware was up to.

      How to Defeat the Malware

      James added that if the Super Micro servers are indeed infected with Chinese surveillance malware, it can probably be defeated by segmenting the network that the servers are on so that they can’t receive instructions from their command and control servers and so that their communications can be tracked.

      But that’s not the real problem, despite the lurid description. The actual risks are both greater and less glamorous: The real risk is in the supply chain.

      “The fact still remains that IT supply-chain security has been a concern,” said Theresa Payton, CEO of Fortalice Solutions and the former CIO of the White House under President George W. Bush. “You have businesses and government in the same boat. But we have trouble managing the supply chain risk.”

      Payton said that as computers have become more sophisticated, and since they’ve become more global in their manufacturing, the supply chain has become more complex. “Supply chain security often falters where there’s supply chain complexity,” she said.

      Payton also said that when tensions rise, it’s not surprising to see a nation-state flex its muscles, and one way is to insert malware into systems that be useful later. But until they’re needed, they just lie in wait. She called such malware installations “sleeper side doors” that can be used as leverage when needed. “You could see why a nation-state would want this,” she said.

      Supply Chain Is the Most Important Environment

      The problem is that it’s hard to control the supply chain with the current level of security, and creating the secure environment might require some kind of trust and verify practice. But the question is: How do you accomplish that?

      This is an area where Congress needs to be engaged, to get hearings from the intelligence community and from law enforcement to develop new laws that help enable secure supply chains, according to Payton.

      Meanwhile, she suggests that businesses inspect their supply chains to make sure they’re secure and that they look for places where there might be a problem.

      But since it’s difficult to know for sure whether a server has a sleeper side door waiting inside, it’s important to assume it does. This includes proper network segmentation to keep command and control messages from getting in and to keep unauthorized data from getting out. In addition, CipherCloud’s James said, “You need access control lists on everything.”

      You also need to look for outbound communications to servers where you don’t have business and, most importantly, to encrypt your data. Those side doors don’t do the Chinese or anyone else any good if they can’t use the data.

      Wayne Rash
      https://www.eweek.com/author/wayne-rash/
      Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He is the author of five books, including his most recent, "Politics on the Nets." Rash is a former Executive Editor of eWEEK and a former analyst in the eWEEK Test Center. He was also an analyst in the InfoWorld Test Center and editor of InternetWeek. He's a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×