security   522468

Brass Horn Comms Onion3g
Tor embedded in a SIM card? So I guess using a private APN to funnel tor traffic to their tor relay network gateways/bridges?
Tor  union  routing  SIM  data  card  hardware  electronics  devices  security  privacy  3G 
1 hour ago by asteroza
Another Bloomberg Story about Supply-Chain Hardware Attacks from China - Schneier on Security
Bloomberg has another story about hardware surveillance implants in equipment made in China. This implant is different from the one Bloomberg reported on last week. That story has been denied by pretty much everyone else, but Bloomberg is sticking by its story and its sources. (I linked to other commentary and analysis here.)
Again, I have no idea what's true. The story is plausible. The denials are about what you'd expect. My lone hesitation to believing this is not seeing a photo of the hardware implant. If these things were in servers all over the US, you'd think someone would have come up with a photograph by now.
EDITED TO ADD (10/12): Three more links worth reading.
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
1 hour ago by rgl7194
TaoSecurity: Network Security Monitoring vs Supply Chain Backdoors
On October 4, 2018, Bloomberg published a story titled “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies,” with a subtitle “The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.” From the article:
Since the implants were small, the amount of code they contained was small as well. But they were capable of doing two very important things: telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device’s operating system to accept this new code. The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off.
Companies mentioned in the story deny the details, so this post does not debate the merit of the Bloomberg reporters’ claims. Rather, I prefer to discuss how a computer incident response team (CIRT) and a chief information security officer (CISO) should handle such a possibility. What should be done when hardware-level attacks enabling remote access via the network are possible?
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
1 hour ago by rgl7194
More commentary on China, Apple, and supply-chain hacking | Mac Virus
Following up the previous story Supply chain hacking: bull in a China shop? [updated]…
[Additional: Motherboard – The Cybersecurity World Is Debating WTF Is Going on With Bloomberg’s Chinese Microchip Stories]
Paul Ducklin for Sophos: Apple and Amazon hacked by China? Here’s what to do (even if it’s not true) – more useful than most of the commentary I’ve seen!
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
1 hour ago by rgl7194
Government Perspective on Supply Chain Security - Schneier on Security
This is an interesting interview with a former NSA employee about supply chain security. I consider this to be an insurmountable problem right now.
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
1 hour ago by rgl7194
Bloomberg blunder highlights supply chain risks - Malwarebytes Labs | Malwarebytes Labs
Ooh boy! Talk about a back-and-forth, he said, she said story!
No, we’re not talking about that Supreme Court nomination. Rather, we’re talking about Supermicro. Supermicro manufactures the type of computer hardware that is used by technology behemoths like Amazon and Apple, as well as government operations such as the Department of Defense and CIA facilities. And it was recently reported by Bloomberg that Chinese spies were able to infiltrate nearly 30 US companies by compromising Supermicro—and therefore our country’s technology supply chain.
If you’ve been trying to follow the story, it may feel a bit like this...
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
1 hour ago by rgl7194
Daring Fireball: 'Your Move, Bloomberg'
Washington Post media critic Erik Wemple:
Sources tell the Erik Wemple Blog that the New York Times, the Wall Street Journal and The Post have each sunk resources into confirming the story, only to come up empty-handed. […]
The best journalism lends itself to reverse engineering. Though no news organization may ever match the recent New York Times investigation of Trump family finances, for instance, the newspaper published documents, cited sources and described entities with a public footprint. “Fear,” the recent book on the dysfunction of the Trump White House, starts with the story of a top official removing a trade document from the president’s desk, an account supported by an image of the purloined paper.
Bloomberg, on the other hand, gives readers virtually no road map for reproducing its scoop, which helps to explain why competitors have whiffed in their efforts to corroborate it. The relentlessness of the denials and doubts from companies and government officials obligate Bloomberg to add the sort of proof that will make believers of its skeptics. Assign more reporters to the story, re-interview sources, ask for photos and emails. Should it fail in this effort, it’ll need to retract the entire thing.
amazon  apple  china  chip  hack  privacy  security  server  supply_chain  daring_fireball 
1 hour ago by rgl7194
Should Bloomberg retract? | Mac Virus
John Gruber cites Amazon Web Services CEO Andy Jassy’s tweet while considering Bloomberg’s decreasingly convincing insistence on the Apple/Amazon/etc. supply chain story: AWS CEO ANDY JASSY: ‘BLOOMBERG SHOULD RETRACT’
I have to agree: Bloomberg’s position is not looking very tenable.
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
1 hour ago by rgl7194
Daring Fireball: AWS CEO Andy Jassy: 'Bloomberg Should Retract'
Amazon Web Services CEO Andy Jassy on Twitter:
@tim_cook is right. Bloomberg story is wrong about Amazon, too. They offered no proof, story kept changing, and showed no interest in our answers unless we could validate their theories. Reporters got played or took liberties. Bloomberg should retract.
If you want a taste of Bloomberg’s attitude toward Apple’s and Amazon’s protestations, check out this video from Bloomberg TV from the day after the story was originally published. Jordan Robertson, co-author of the story, says this:
In addition, there is no consumer data that is alleged to have been stolen. This attack was about long term access to sensitive networks. So by that logic, companies are not required to disclose this information, so there’s no advantage for these companies in confirming this reporting.
This shows their dismissive attitude toward Amazon’s and Apple’s strenuous, unambiguous denials. Rather than give them pause, they blew it off.
I would argue that Amazon and Apple have a tremendous amount to lose — their credibility. If they wanted to hide something, whether for publicity or national security reasons (or both), the way to do it without risking their credibility is not to comment at all. Both Amazon and Apple have instead vigorously denied the veracity of this story.
amazon  apple  china  chip  hack  privacy  security  server  supply_chain  daring_fireball 
1 hour ago by rgl7194
Hackers breached into system that interacts with HealthCare.gov
Hackers breached a computer system that interacts with HealthCare.gov; according to the Centers for Medicare and Medicaid Services, the attackers accessed the sensitive personal data of some 75,000 people.
breaking  news  data  breach  centers  for  medicare  and  medicaid  services  hackng  healthcare.gov  pierluigi  paganini  security  affairs 
3 hours ago by SecurityFeed