Friday, March 21, 2008

How Safe are Computers from Hacking? National Security Risk

I have always felt we really didn't have good control of what we import from outside the country, not just computers, but everything. The early signs of this is the pet food industry importing food from China. What else shouold we be concerned about? Drugs? Food?


What it comes down to, we have to watch what is going on world wide and take an active role in weeding out those items that will effect us directly. Bottom line,


Counterfeit Chips Raise Big Hacking, Terror Threats, Experts Say (april 2008)


As more computer chips are made overseas, the risk of hardware tampering increases, from stealing consumer data to crashing government networks. But how real is the threat?


By Glenn Derene and Joe Pappalardo


This past January, two brothers from Texas, Michael and Robert Edman, appeared in court to face federal charges of selling counterfeit computer equipment to, among others, the Air Force, Marine Corps, Federal Aviation Administration, Department of Energy, numerous universities and defense contractors such as Lockheed Martin.


According to prosecutors, the pair, working largely out of Michael Edman's house in the rural town of Richmond, bought cheap network cards from a supplier in China. They also purchased labels and boxes carrying the logo of Cisco Systems, the U.S.-based hardware giant. Until a source in China tipped off the FBI, no one could tell that the parts were Cisco knockoffs rather than the real thing.


An attorney for the Edmans says that they, too, were victims—duped by overseas suppliers. But one thing is clear: The case is about a lot more than trademark infringement. Security experts warn that as supply chains become more global and more opaque, no one can be sure what parts are going into the computers that run, well, everything—from air traffic control towers to banks to weapons systems. Secretary of Homeland Security Michael Chertoff raised the issue recently at a briefing attended by /Popular Mechanics/ and others <http://www.popularmechanics.com/blogs/technology_news/4237823.html%3E.


"Increasingly when you buy computers they have components that originate ... all around the world," he said. "We need to look at ... how we assure that people are not embedding in very small components ... that can be triggered remotely."Software vulnerabilities and online scams receive plenty of public attention. Viruses, Trojan horses, spyware, phishing schemes that trick people into providing financial data—all have made headlines in recent years. The emerging hardware threat is different.


Imagine buying a computer, printer, monitor, router or other device in which malevolent instructions, or at least security loopholes, are etched permanently into the silicon. Individuals, companies and federal agencies could all be at risk from foreign governments or criminal enterprises. A computer chip built with a subtle error might allow an identity-theft ring to hack past the encryption used to connect customers with their banks. Flash memory hidden inside a corporation's networked printers could save an image file of every document it printed, then send out the information.


In a disturbing national-security scenario, overseas agents might be able to hard-wire instructions to bring down a Department of Defense system on a predetermined date or in response to an external trigger. In the time it took to bring the systems back online, a military assault could be underway.


Shadowy Threat


When a software problem is detected, thousands or millions of computers can be fixed within hours with a software patch. Discover a malevolent hardware component, however, and machines need to be fixed one by one by one. On a large network it could take months—if the problem were detected at all."There are a whole bunch of functions inside each chip that you have no direct access to," says Stephen Kent, chief information security scientist for BBN Technologies and a member of the Intelligence Science Board, which advises U.S. intelligence agencies. "We passed the point a long time ago when you could combinatorially test all the possible inputs for a complex chip. If somebody hid a function that, given the right inputs, could cause the chip to do something surprising, it's not clear how you could test for that."Such tampering wouldn't have to occur in a factory where computer components were built.


In fact, repair businesses and subcontractors may pose a greater danger. "A skilled and capable adversary could replace a chip on a circuit board with a very similar one," says John Pironti, a security expert for information technology consulting firm Getronics. "But this chip would have malicious instructions added to the programming." The strategy wouldn't be practical for running a broad identity-theft operation, but it might allow spies to focus an attack on a valuable corporate or government target—gaining access to equipment, then doctoring it with hidden functions.


However, not all experts agree that the risk is severe. After all, there's never been a report of a foreign country or criminal outfit using such technology to steal information or commit sabotage. (The United States did successfully conduct such a mission against the Soviet Union during the Cold War.)"It's certainly possible for the world's major espionage services to secretly plant vulnerabilities in our microprocessors, but the threat is overblown," says Bruce Schneier, chief technology officer of the data security company BT Counterpane. "Why would anyone go through the effort and take the risk, when there are thousands of vulnerabilities in our computers, networks and operating systems waiting to be discovered with only a few hours' work?"The National Security Agency and Defense Department aren't convinced.


There's no way to know if they are reacting to an imminent danger or simply swinging at shadows, but security professionals are scrambling to guard their electronics supply chains.


Building Chips in ChinaIn September 2007,


Intel broke ground on "Fab 68," a silicon-wafer fabricating plant in Dalian, China. The plant is Intel's first chip manufacturing facility in China, but the company already operates facilities for testing, as well as research and development, all over the world, from India to Costa Rica to Russia. Rival AMD is planning to build a fab in India. Several other American chipmakers, including Applied Materials and National Semiconductor, have facilities in China. In all, less than 25 percent of the world's chipmaking capacity is still located within the United States.


The companies that move offshore are trying to stay competitive in commercial markets. As a side effect of globalization, however, the Defense Department is finding itself with fewer domestic sources of the specialized chips—often outdated by Best Buy standards—that help run weapons platforms that range from advanced aircraft to missile guidance systems. These are the electronic components that might pose the most inviting target for a foreign power.


The NSA is trying to counter the threat with a program called Trusted Foundry Access that accredits companies that supply specialized electronics to government agencies. Ten companies have joined the program since 2004—the inaugural deal, with IBM, cost the government a reported $600 million. To participate, manufacturers need to take measures such as obtaining security clearances for staff members and quarantining computer design tools from the Internet. Further, "The facilities must be on-shore or in a closely allied country," says a Defense Department official involved with the program.


One potential flaw in the program is that it covers "just a slice of the life cycle," says Jim Gosler, a Sandia National Laboratories researcher who has spent time probing U.S. electronics systems to identify vulnerabilities. "You have to make sure the component stays trusted—they get out and about" once the equipment leaves the factory and goes into service.


More critically, even well-funded initiatives can't permanently withstand the forces pushing microchip production offshore. Ultimately, trying too hard to isolate American chip-making might simply help foreign-owned chip manufacturers challenge U.S. dominance in the field. "It's a pretty hairy situation to look out 10 or 15 years and have to ask, ‘Where are we going to get our technology?'" the Defense official says.


DARPA, the Defense Advanced Research Projects Agency, does have another plan. Through a new initiative called Trust in ICs (microchips are also called integrated circuits or ICs), the agency has contracted with Raytheon, MIT, Johns Hopkins University and others to find ways to protect chips from tampering and to detect vulnerabilities if they do occur. Ultimately, though, chips may be too complex to secure completely. "Even if you found something, you could never be confident you found "everything"," Gosler says. "That's the awful nature of this business."

No comments: