Patch Lady – 31 days of paranoia – day 5


    #222019

    Patch Lady here with paranoia of day 5. And this one is a doozy… can you trust your hardware? You’ve probably seen the headline about chips embedded
    [See the full post at: Patch Lady – 31 days of paranoia – day 5]

    Susan Bradley Patch Lady/Prudent patcher

    6 users thanked author for this post.
    • #222032

      I think of myself as a reasonably progressive person that wants the best science and technology have to offer, along with enlightened policies, to be used to benefit the population at large.

      But when a country does not make clothes for its own people, because the businesses that take care of clothing find it cheaper to get them from abroad to sell them here to us customers, who also get them cheaper as a result, and when the little engines that are critical to keep our highly connected and computerized society going: microchips, PCs, network servers and more, are also made abroad because it is a good deal for our manufacturers to set up their factories there, that is where my enthusiasm stops. Certainly, in this case, this move to outsource production of high tech to their country has been great for the Chinese, as it has helped them modernize their country and give employment to so many there, while at the same time keeping the price of the finished product considerably lower than otherwise here. But the nature of their political system and perhaps the inevitable drift of international great powers relationships, make it likely that instead of just loving us for helping them build their country in this fashion, they end up giving back the, er, Greek present that is the reason for the discussion here and pretty much everywhere at the moment.

      Things, truth be told, are still rather murky as to what exactly has happened. There are claims and counterclaims made with great assurance by the parties directly involved. Let us hope that, when things get sorted out, it turns out that the noise was much worse than the actual train crash. We’d better just wait and see.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      1 user thanked author for this post.
    • #222034

      Running monitoring tools on the affected machine may not reveal anything when it comes to hardware hacks. Instead, one would have to monitor the traffic from the affected machine on the next hop.

    • #222046

      Where our understanding and mastery of all things technical are concerned, and the threats that they can pose, a moderate dose of scepticism is a good thing; an excessive dose of paranoia is not. We need to be fairly philosophical about these things, and sometimes the less we know the better!

    • #222047

      Susan Bradley Patch Lady/Prudent patcher

      1 user thanked author for this post.
      • #222094

        In the Krebs’ article, with which I agree in general and as far as I am prepared to accept that it is written by someone who knows well things I have no idea of, the following is, nevertheless, something I understand and do not quite agree with:

        “Even if the U.S. government and Silicon Valley somehow mustered the funding and political will to do that, insisting that products sold to U.S. consumers or the U.S. government be made only with components made here in the U.S.A. would massively drive up the cost of all forms of technology. Consumers would almost certainly balk at buying these way more expensive devices. Years of experience has shown that consumers aren’t interested in paying a huge premium for security when a comparable product with the features they want is available much more cheaply.”

        I do not agree because this is an example of someone building up a straw man to punch it down again (rhetorically speaking).

        The main, if implicit, assumption this paragraph and others that follow rest on is that ALL servers and computing devices (and since we are at it, why not also PCs, tablets and cellphones?) must be either manufactured only abroad or only in the USA — or only in any country where they are to be used.

        In fact, I really doubt that it would bring a country’s economy to its knees to build just those that are to be used in ways that are very critical to national and public safety: controlling nuclear reactors in power plants, anyone? How about computers used to: control water processing and distribution plants, electric power production and distribution infrastructure, government and companies production and storage of sensitive documents, military installations and command and control systems? Is their price, should their price, and their price alone, be what ultimately determines where and from whom those computers are procured? Really?

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      • #222160

        Further to Brian Krebs’ article on supply-chain issues…

        From: Weekly Threat Report 28th September 2018

        Don’t yank my chain – the cyber threat to software supply chains

        The continuing threat to the software supply chain is again in the spotlight following a new report by threat intelligence company Crowdstrike.

        The NCSC defines the supply chain threat as “operations or activities that are designed to threaten the confidentiality, integrity or availability of communications, data or systems: and which use any part of the supply chain as an attack vector.”

        A survey of senior IT Professionals by Crowdstrike has emphasised the ongoing scale of the problem: two-thirds of respondents reported that their organisation had been subject to a software supply chain attack. Given the often under-reported nature of cyber attacks, this is likely to have been an underestimate.

        Awareness of the cyber threat generally by organisations, combined with continual investment and development of network defences, has meant that cyber actors will seek alternative ways of attacking organisations. The supply chain can sometimes be the weak link in cyber defence.

        Another study of UK businesses by telecoms firm Beaming also highlights that attitudes to lax security procedures from suppliers can affect their ability to do further business. According to the study, a third of UK firms would stop using a supplier whose negligence caused a cyber security incident.[ii]

        The findings in both these reports emphasise that supply chain attacks are not a threat that will go away, but will likely increase. They offer further evidence that good cyber security is essential not just for organisations but for their suppliers as well. Cyber security is a collective, all-round endeavour and these reports firmly underline that point.

        NCSC has published a range of guidance on supply chain security which can be found here:
        https://www.ncsc.gov.uk/guidance/a4-supply-chain
        https://www.ncsc.gov.uk/guidance/supply-chain-security
        https://www.ncsc.gov.uk/guidance/assessing-supply-chain-security

        3 users thanked author for this post.
    • #222049

      Back in 2006, I went to work for a US government branch that does things with radioactive material. However, I worked in a non-classified, very vanilla office that has nothing to do with such devices. The IT director (whom I respect and is a personal friend), ordered two new desktop computers for me and another new hire. She followed all of the government procurement regulations.

      A few weeks after my PC arrived, she got a phone call from the HQ office, on “The Mall”, in Washington DC, asking her why the h**l she bought two Lenovo desktop computers. They demanded to know which IP addresses they had been assigned and reconfigured their firewalls to specifically lock down and monitor my IP address. As far as I know, they watched every packet that my PC sent. It did not help my worry to know that the US Government was certainly watching my machine, and that they were worried that the Chinese might have been capable of doing the same.

      My current laptop is a Lenovo Thinkpad. It’s got an Intel i7 CPU. It has the Intel Management Engine, the Meltdown and Spectre flaws, and UEFI. If any government wants in, I’m sure that they can find some way to pick a lock somewhere below Ring 0. There is no point in worrying about something I cannot control.

      1 user thanked author for this post.
    • #222061

      Learning is a lifelong process – or you don’t live long!

      Am going to download and use Wireshark; my knowledge of networking could use a brush-up.

      As to the tiny chips on Apple’s boards:

      In the late 70’s I worked as a procurement agent for a govt. contractor buying 54LS (low power) chips. One day I was surprised to see a Japanese vendor as “approved” for one chip. This was a first, so I walked into my boss’s office to make sure it wasn’t a mistake, as back then everything in critical programs had to be from domestic sources. He said, “Yep, it’s been approved by the govt.” I kinda scratched my head and said, “Well, fine, as long as we continue to get along…” and went back to my cube. I think I smelled neurons burning behind me.

      Moral? This current situation was inevitable. It’s been the way of the world since then regarding manufacturing.

      Personally, I feel a strong urge to go live in the woods, hang from a tree by my knees and learn how to play the flute! 🙂

      Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
      --
      "The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

    • #222069

      If it is only day 5, are we going to have enough tin foil hats to pass around?

      1 user thanked author for this post.
      • #222086

        Anonymous ( #222069 ) For your information, since you asked: yes, there will be enough tin hats and they are going to be those spiffy new models, the ones with little Chinese chips inside to make them work better.

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

        1 user thanked author for this post.
    • #222115

      It is true. There are loopholes in everything to monitor us and control us. Windows 10 is the worst offender of them all.

      1 user thanked author for this post.
    • #222132

      So, how’s that Equifax data breach “fix” working out for everyone?

      Online or offline, it takes little more than a name, birthdate, and matching SS# to financially ruin or at least severely inconvenience a modern life. There are precautions to take but staying totally offline is not one of them, neither is going underground, literally or figuratively. It’s not nearly as bad as the days before photo ID, but criminals are rarely more than a step behind modern security.

      Frankly, I never liked having a number, but we have to have some form of ID. When biometrics become worthless, well…

      How’s that for paranoia?

    • #222567

      It would be nice if there was a single program that monitors net traffic that was easy to use and even easier to understand. Like email encryption, if it requires more than two clicks to install, most will not install it and just accept that Google, Microsoft and everyone else in between is storing, mining and archiving every email we send. Sure, not much noteworthy about Mom’s birthday, but over time a pretty good picture of a person can be put together just by who they communicate with and the mundane things they say to each other.

      Wireshark is good at what it does and the price is right – what process is accessing the net, where it is sending the data to. However, it requires a lot more knowledge and finesse to figure out just what that data is that’s being sent. Looking at the packets themselves is a mix of plain text and gobbledygook, none of which means much on its own.

      For now, those without a degree from M.I.T. have to choose between allowing a process net access or denying that process access – pretty much all or nothing. Granted, some of the info being sent is nothing but ones and zeros. You have to have written the software to understand what it is sending, but for the majority of mundane processes it should be possible for the traffic monitors to clearly show in plain language what data is being transferred, and perhaps from this we might even be able to figure out why, and if it is something we wish to share, since we weren’t asked beforehand.

    • #222799

      Part of the problem of detecting occasional malicious traffic is that Microsoft is not transparent about the routine telemetry which is used in Windows. If we can’t filter out the signals from normal Windows telemetry, detecting something which is not supposed to be happening just got much more difficult. Especially when the signals being sent back to the foreign country may be months apart. And when the chips themselves may be hidden beneath other chips in a different motherboard layer.

      Add to that rumors that our own NSA and other agencies may have been doing similar things with USB cables (“cottonmouth”) and who knows how else, and it does not surprise me that at least some tech companies were not able to detect this spying. And it further does not surprise me that the official government stance is “nothing to see here — move along”.

      That said, I don’t think my life is interesting enough or financially valuable enough for anyone to want to spend money to inject spying technologies targeted at me into my own hardware. And even if they did, I don’t have that much to lose. They aren’t banging on my door and arresting me yet.

      Read once, figure out if there’s anything simple I can do (like a BIOS update) and get back to my life. Such as it is.

      -- rc primak

      1 user thanked author for this post.