Sunday, 26 May, 2019

Evidence of Chinese spy chips found on USA telecoms giant's server

The evidence of hardware spying was spotted by a security expert The evidence of hardware spying was spotted by a security expert
Cecil Davis | 11 October, 2018, 12:38

The veracity of a bombshell yarn claiming Chinese agents managed to sneak spy chips into Super Micro servers used by Amazon, Apple and the U.S. government is still being fiercely argued over five days after publication. Apple and Amazon said they had found no evidence to corroborate the report.

A news report claiming a compromise of USA companies' supply chains by Chinese spies has triggered a thorough search in government and industry for evidence of the breach that has so far turned up nothing, according to a senior National Security Agency official, who expressed concern that the search was a distraction and potentially a waste of resources.

An unnamed US telecommunications giant discovered evidence of "manipulated hardware" supplied by Supemicro and removed the compromised device from its network, according to a Bloomberg report Tuesday, days after the company rejected a report that Chinese agents had compromised its devices. We are told the officials span both the Obama and Trump administrations.

Bloomberg News has received information from security research firm, Sepio Systems, that a prominent United States telecom has also fallen to the Chinese supply chain attack, adding another notch to the People Liberation Army's (PLA) belt.

FitzPatrick was interviewed on Risky Business, a podcast that features "news and in-depth commentary from security industry luminaries".

He says that almost every technical detail in the story appears to have come directly from conversations he had with one of the reporters, Jordan Robertson. "There are software, there are firmware approaches, and the approach that you're describing, it's not scalable, it's not logical, it's not how I would do it, or how anybody I know would do it". Because the compromise would be at the hardware rather than software level it would be very hard to detect. "I see a lot of details that I gave out of context".

Bloomberg claimed that its report is getting results, as security teams around the world are now "analyzing their servers and other hardware for modifications, a stark change from normal practices".

Last week, a bombshell Bloomberg report about "The Big Hack" detailing how Chinese spies reached nearly 30 U.S. companies, including Amazon and Apple, by compromising the U.S. technology supply chain, was issued strong denials by the likes of Apple, Amazon, the Federal Bureau of Investigation, and the U.S. Department of Homeland Security.

Roberts asks federal judges to handle Kavanaugh complaints
He pointed out that Murkowski won election as a write-in vote in 2010. "They're already planning to impeach Kavanaugh and Trump". Roberts took no action on them while Kavanaugh's nomination was pending.

Fitzpatrick even implies that the report may have painted him as an anonymous source at a different point in the story: something that, if true, would raise questions over how well-sourced the story really is.

The "grain of rice" size of the alleged chip implant raised red flags for multiple experts.

The criticism was still at full pitch on Tuesday morning when Bloomberg published its follow-up article. "I can buy them on Taobao for 1 yuan".

Yossi Appleboum, a former Israeli intelligence officer and co-CEO of Sepio Systems, told Bloomberg that his firm was hired to "scan several large data centers belonging to the telecommunications company".

What does this all mean in the end? Supermicro also challenged the details of the report, which claimed up to 30 companies that purchased its products were affected, including government contractors.

While Bloomberg notes that the Ethernet implant "is different from the one described in the Bloomberg Businessweek report last week", it argues that it shares "key characteristics" including the fact that the adjustment was made at a Super Micro factory and it was created to be invisible while extracting data.

FitzPatrick, for what it's worth, also speculated that he thinks this kind of confusion about the technical details could have tripped up either a source or the Bloomberg journalists.