Apparently, we are facing one of the most hairy and complex scandals of recent years in the world of technology.
As we have already informed, the Bloomberg Businessweek He said recently that data centers operated by Apple, Amazon and many other US companies (about 30 in all) as well as US government agencies may have been the target of Chinese government surveillance.
The case has already had several developments, with a former Apple employee saying possible espionage, a former chief legal officer stating that none of this has happened, a security researcher finding the story beyond strange and new evidence coming up. Now one more.
US senators from both parties (Democrat and Republican) want more answers from Super Micro, the Chinese company that would have deployed microchip species on Ma's servers and other companies. Marco Rubio and Richard Blumenthal sent a letter to Super Micro CEO Charles Liang with basically eight questions, which we translate below:
- When did Super Micro learn about reports of malicious hardware and firmware components on its computers and hardware? Has Super Micro already encountered tampering with components or firmware targeting its products?
- Has Super Micro conducted an investigation into its supply chain to identify possible modifications or safety issues in its products? If you found adulteration, did you cut ties with these suppliers?
- If Super Micro found or became aware of unjustified hardware or firmware modification, has it taken steps to remove the tampered product from the supply chain?
- When the The information reported in February 2017 that Apple had found compromised firmware, did Super Micro conduct any investigation into possible supply chain infiltration, as Mr. Leng committed to doing so? If so, what were the results of this investigation?
- Has Super Micro cooperated with government agencies and agencies in the United States to address these reports? If tampering is found, will you provide a list of potentially affected customers to US authorities and provide information to customers?
- Has Super Micro enacted screening or auditing measures to evaluate your supply chain, and detect and mitigate any attempts to counterfeit products?
- If tampering is found, Super Micro evaluates that such tampering can be mitigated based on firmware updates, patches software, configuration changes or operating system defenses?
- Has the Chinese government requested access to confidential Super Micro safety information or has it sought to restrict Super Micro product safety information?
But the US Senate's questions did not end, no (more on that below).
NSA consultant questions Bloomberg
Meanwhile, Rob joyce (senior consultant for cybersecurity strategy at the NSA) basically said that evidence is lacking related to the two recent stories published by Bloomberg (from espionage at Apple, Amazon and others, and from manipulated hardware found on a major US telecom), and therefore openly requested that people with knowledge of the situation provide some assistance.
Joyce: Were befuddled about the Bloomberg article. Says he has great access to intel and hasnt found corroboration of the story last week or the new one on telcos, says there is great frustration in government about the stories.
– Dustin Volz (@dnvolz) October 10, 2018
Joyce stated that all of her industry contacts are “losing their minds” worried about this possibility of spying, but that no one has found anything at all.
FBI and Department of Homeland Security on Senate Homeland Security Committee
The director of the FBI, Christopher Wray, dodged questions in the US Senate that China's intelligence services may have used subcontractors to deploy malicious microchips on servers destined for major US companies, including Apple and Amazon.
To the Senate Homeland Security Committee, Wray said: “We have a very specific policy that applies to us as law enforcement agencies to neither confirm nor deny the existence of an investigation. I want to be careful that my comment is not interpreted as inferring, implying that there is an investigation.
As we know, according to Bloomberg (citing national security officials familiar with the matter), the FBI investigated the alleged infiltration into servers built by Super Micro and used by Apple, Amazon and others.
Republished Senator and committee chairman Ron Johnson said the story appears to be “a very good report” and questioned how he found it all out through the story. Bloomberg instead of contacting the government itself (in this case, the FBI), saying that if all this is true, he would like to see the FBI denying it.
Who also participated in the sabbath was the Secretary of Homeland Security, Kirstjen Nielsen, which basically repeated the position already given by the US Department of Homeland Security: "We have no reason to doubt what the companies said."
One more expert against Bloomberg
In the last article we did on the subject, we talked about the new evidence that came with the discovery that a major US telecommunications company has detected hardware handled by the same Super Micro on its network. The discovery was made by expert Yossi Appleboum, executive co-director of Sepio Systems (specializing in hardware security).
Just yesterday, in an interview with Patrick Kennedy ServeTheHome, server-focused site), Appleboum vented about the Bloomberg.
In a nutshell, Appleboum hinted that the vehicle is reporting all of this as a problem that only affects Super Micro, Apple, Amazon and a few others, when it is actually a much broader, intrinsic industry that has never received it. due attention.
In his work, Appleboum said he finds this kind of problem in different vendors, not just Super Micro products:
We found that not only on servers, in different variations, but the hardware handling on different interfaces, especially in relation to the network. We find in different network connected devices, even in switches Ethernet I'm talking about what are considered big American brands, many of them compromised by the same method.
That's why I think Super Micro has nothing to do with it. In many cases, by the way, not in manufacturing (which happens to manipulation), then in the supply chain.
People think of the supply chain in a very narrow sense between the manufacturer and the customer. Supply chain never ends. There are technicians, there are integrators, there are people who work on your premises. We have seen after installation, after the problem of attacks, that someone has exchanged something already installed. That's why Super Micro would have no idea what happens next in the supply chain.
We have a problem. The problem is the hardware supply chain. We are all dealing with what happened to Super Micro, whether Amazon knew it or not. That is not the main question for me. The main issue is that we have a problem. global. That's why I think Super Micro is suffering from the big companies. I'm talking about really big companies that know they have the same problem and they're kind of using the story right now to throw the Super Micro under the bus instead of going out and saying this is a global problem, (let's) fix it and find a solution.
Not wanting to jab for his company but already doing it, Appleboum said it is spending about $ 100 billion to protect against software-related attacks, but $ 0 to discover or prevent hardware attacks. "This is irresponsible and that's the problem we need to fix."
At exactly where in the chain this kind of problem most commonly happens, the expert said he has no numbers or statistics about how much of this happens in or after the manufacturing process, but that if he had to guess, he thinks most It happens later for a simple reason: if anyone does this in the manufacturing process, eventually some name comes up; if it happens later, it is much harder to find a person, a culprit.
For Appleboum, the innocent Super Micro and some are using it to dilute the story instead of mitigating the threat: "Dealing with this as a Super Micro problem will ruin the opportunity to face the reality we need to fix."
That is, we now have a hint of conspiracy to make everything more lively.
via Business Insider, AppleInsider, Bloomberg