DHS: Imported Consumer Tech Contains Hidden Hacker Attack Tools

DHS: Imported Consumer Tech Contains Hidden Hacker Attack Tools

www.fastcompany.com

A top Department of Homeland Security official has admitted to Congress that imported software and hardware components are being purposely spiked with security-compromising attack tools by unknown foreign parties. A top Department of Homeland Security (DHS) official has admitted on the record that electronics sold in the U.S. are being preloaded with spyware, malware, and security-compromising components by unknown foreign parties. In testimony before the House Oversight and Government Reform Committee, acting deputy undersecretary of the DHS National Protection and Programs Directorate Greg S

(visit the link for the full news article)

The DHS and the Whitehouse have known about this and here is what the “ White House's Cyberspace Policy Review is a small acknowledgment that (follow link here) the Executive Branch knows something weird is happening in imported tech:
The emergence of new centers for manufacturing, design, and research across the globe raises concerns about the potential for easier subversion of computers and networks through subtle hardware or software manipulations. Counterfeit products have created the most visible supply problems, but few documented examples exist of unambiguous, deliberate subversions.

A broad, holistic approach to risk management is required rather than a wholesale condemnation of foreign products and services. The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover. Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities.”
MSN has additional information:
technolog.msnbc.msn.com...
DHS National Protection and Programs Directorate Greg Schaffer told Rep. Jason Chaffetz, “foreign-manufactured software or hardware components that had been purposely embedded with security risks.” These risks may include Flash memory or embedded RFID chips. RFID chips are the new ID’s that are now in many credit cards. A scarey thought is at what ever preordained time the hackers wish to attack, all credit cards with their hacked, spyware laden RFID’s empty those bank accounts into to their own off shore bank. Imagine if this is the way China wants the American taxpayer to pay off it’s debt. I’m not saying that China is the culprit here, but look at how much of our tech is manufactured there and in Taiwan ROC.
Rep. Jason Chaffetz, asked DHA Schaffer another question,” "Are you aware of any component software (or) hardware coming to the United States of America that already have security risks embedded into those components?
Schaffer paused for about 10 seconds before replying:
"I am aware that there have been instances where that has happened."
Here is the Youtube vid. The fireworks start at 51:47.
www.youtube.com...=55
Here’s my question for you. What’s in your wallet?


www.fastcompany.com
(visit the link for the full news article)

reply to post by Violater1


I recall reading of a low-cost imported Picture Frame which auto-scrolls your downloaded pics that was found to have unwanted ware from the manufacturer level. This was maybe two years ago. I don't recall if the product was being sold through Wal_Mort or tigerdirect.

When others are selling a product for $38-45.00 and you see a similar item for $16 that should be a red flag. Unless you are a trendy name / status junky, one usually gets what one pays for. Of course this in no way excuses unscrupulous practices. Buyer beware.

I wonder if there is a site/method to use to have a newly purchased product inspected prior to use. Kind of like how one may check out a website before visiting or buying there.

I also wonder if known hacked products are listed on a government consumer awareness website.

Originally posted by LargeFries
reply to post by Violater1

 

I recall reading of a low-cost imported Picture Frame which auto-scrolls your downloaded pics that was found to have unwanted ware from the manufacturer level. This was maybe two years ago. I don't recall if the product was being sold through Wal_Mort or tigerdirect.

When others are selling a product for $38-45.00 and you see a similar item for $16 that should be a red flag. Unless you are a trendy name / status junky, one usually gets what one pays for. Of course this in no way excuses unscrupulous practices. Buyer beware.

I wonder if there is a site/method to use to have a newly purchased product inspected prior to use. Kind of like how one may check out a website before visiting or buying there.

I also wonder if known hacked products are listed on a government consumer awareness website.

That's to much information for the consumer to handle, its why we have Lady Gaga and Justin Bieber or some random shooting spree blitzing the news and if that doesn't happen lets get some news out there regarding a possible threat from terrorists, duh news world, as we don't know that there will be always some wacked out dude who hates..um...oh i don't know..the u.s. or u.k. or france or greece or italy..i dont know.pick a nation and we will create the news to match the nation.

Wow, this could be a real game changer. With tactics like this in operation it does raise concerns about the underlying agenda with its implementation. The rumours with Windows and Mac having spyware have been around a while, so could this be another level to watch the watchers, a tool for economic warfare, leverage through blackmail or something else? With RFID compromised there is a large pool of data there.

Originally posted by LargeFries
reply to post by Violater1

 

I recall reading of a low-cost imported Picture Frame which auto-scrolls your downloaded pics that was found to have unwanted ware from the manufacturer level. This was maybe two years ago. I don't recall if the product was being sold through Wal_Mort or tigerdirect.

When others are selling a product for $38-45.00 and you see a similar item for $16 that should be a red flag. Unless you are a trendy name / status junky, one usually gets what one pays for. Of course this in no way excuses unscrupulous practices. Buyer beware.

I wonder if there is a site/method to use to have a newly purchased product inspected prior to use. Kind of like how one may check out a website before visiting or buying there.

I also wonder if known hacked products are listed on a government consumer awareness website.

I vaguely remember that story. It does make me wonder about all the electronic gear and memory products sold from Walmart.
S4U

Originally posted by kwakakev
Wow, this could be a real game changer. With tactics like this in operation it does raise concerns about the underlying agenda with its implementation. The rumours with Windows and Mac having spyware have been around a while, so could this be another level to watch the watchers, a tool for economic warfare, leverage through blackmail or something else? With RFID compromised there is a large pool of data there.

Indeed. This could be how they keep hacking into Sony.
S4U

reply to post by Violater1


I think there was another post on here about 40% of the guidance chips we ordered from China were defective and/or had back doors built in to hack the systems from out side the control units. Scary stuff tech war is defiantly here to stay. This is what happens when you allow capitalism prevail you don't know what you are even buying anymore lead in the toys, jacked up electronics that spy on you and the US being destroyed by the greed of it own company's exporting the work to PoS nations that we shouldn't even be working with to begin with. The Chinese worker on average make only $1.89 per hour that is inhumane IMO

what hog wash they know who is doing this hell i even no some of them SONY has been loading dvds and software with embedded root tools for years

Originally posted by ParanoidAmerican
reply to post by Violater1

 

I think there was another post on here about 40% of the guidance chips we ordered from China were defective and/or had back doors built in to hack the systems from out side the control units. Scary stuff tech war is defiantly here to stay. This is what happens when you allow capitalism prevail you don't know what you are even buying anymore lead in the toys, jacked up electronics that spy on you and the US being destroyed by the greed of it own company's exporting the work to PoS nations that we shouldn't even be working with to begin with. The Chinese worker on average make only $1.89 per hour that is inhumane IMO

edit on 9-7-2011 by ParanoidAmerican because: updated data

You do realize that China is not a capitalist state right? They are largely totalitarian secular communists. Second I have a feeling that your understanding of capitalism is way off mark. There is very little capitalism in the world today because we run on on DEBT ie: work we have not yet done. Capitalism implies that one has already produced something and is then utilizing it. Simple order of operations here.

Originally posted by Violater1These risks may include Flash memory or embedded RFID chips. RFID chips are the new ID’s that are now in many credit cards. A scarey thought is at what ever preordained time the hackers wish to attack, all credit cards with their hacked, spyware laden RFID’s empty those bank accounts into to their own off shore bank.

THAT part doesn't make any sense whatsoever, from several standpoints. One, "RFID" in credit cards doesn't have your account balance on it, nor can it influence your balance. That's all stored at the bank or credit issuer. The card's just used to provide an ID and account number. It doesn't initiate a transaction by itself. Two, credit card RFID is all passive, and short range, say 10cm or so. It's not like they're all going to fire off comm links to commie satellites and somehow pour money into China.

OTOH, what he's talking about is things like USB storage that come pre-spiked with hacker software from China, there was a serious infestation of LCD photo frames last year, which all came stuffed with crap.

The occasional USB drive has crap on it as well, we don't allow them in the SCIF here, and all the USB ports are physically removed from all the machines except mine, and it's sand boxed and mechanically locked so no one can use it but me, and nothing you install on it survives the next boot. It's getting to where we are having issues with USB disk drives as well, most manufacturers want to install unremovable auto-run roms that masquerade as CD drives. You can infest this sort of thing with crapware as well. I have to use a sandboxed system here in the lab to weed through the drives before I allow them to be hooked to any machine we own.

China is the main source of computer and electronics and is well known for government run hacking operations.

The thing about china doing it at a government level is they try to do it without any one ever finding out.

This means that a lot of this never causes any problems for the end users(problems cause the source to be looked for and removed.)

Imported or counterfeit software is another good way to pass on spyware.

Everyone needs a firewall program on there computer that monitors outgoing feed for hidden outgoing information packets.

The one i use was given to me by a government IT. (as far as i know its not sold on the market or open source.)

It has a confirm pop-up for outgoing email and and non-standard port attempts
also watches Internet Relay Chat Protocols for outgoing twitter or chat when you are not logged on a site using Internet Relay Chat Protocols.

A number of times over the years its caught "call home" attempts by malware, spyware or viruses before my antivirus program or anti malware program did its daily check or some really sneaky internet sites trying to ask for information that they should not have or need.

The biggest thing about this program is that no one can use my computer as a BOT as its blocks the Bot Herder from ever knowing he has got his malware into the computer. It can not phone home and say its there.

Originally posted by ANNED
China is the main source of computer and electronics and is well known for government run hacking operations.

The thing about china doing it at a government level is they try to do it without any one ever finding out.

This means that a lot of this never causes any problems for the end users(problems cause the source to be looked for and removed.)

Imported or counterfeit software is another good way to pass on spyware.

Everyone needs a firewall program on there computer that monitors outgoing feed for hidden outgoing information packets.

The one i use was given to me by a government IT. (as far as i know its not sold on the market or open source.)

It has a confirm pop-up for outgoing email and and non-standard port attempts
also watches Internet Relay Chat Protocols for outgoing twitter or chat when you are not logged on a site using Internet Relay Chat Protocols.

Where can I get a copy?

This has been happening for a while i bought a airpcap card nx and it took 12 weeks to ship overseas when i got it was stamped with au an d the tape on the dvd box was broken im not going to explain what im talking about but here are some examples.

disney dispaches trogans lol profile your kids at 2

antivirus.about.com...

bigw

www.photoimagingnews.com.au...

any one for ghostnet
blogs.computerworld.com...

reply to post by Violater1


Well - lets see what we have and how it adds up..

We get a ton of electronics and everything else manufactured in China now.

We know that In China, many younger military leaders view America as the ultimate enemy. Of course, that view isn't limited to the young.

We know that China engages in state sponsored hacking. Last year Google the latest victim of Chinese 'state-sponsored' cyberwar of course China gets all huffy if anyone points this out but - China warns Google over attack claims: Does it matter though?

Soooooo... How could it be any surprise that China is selling us hacked electronics?? Hacked by "Unknown parties" my webbed left foot.. they know exactly who is doing it - they just don't want to tick off China.

This isn't about hacking some stay-at-home mom who's looking up cooking recipes.

It's about corporate and gov't espionage and cyberterrorism.

It's hard to believe the US gov't just realized this.
They are the ones who invented tech espionage.

www.editinternational.com...

Great find OP

Originally posted by Bedlam

Originally posted by Violater1These risks may include Flash memory or embedded RFID chips. RFID chips are the new ID’s that are now in many credit cards. A scarey thought is at what ever preordained time the hackers wish to attack, all credit cards with their hacked, spyware laden RFID’s empty those bank accounts into to their own off shore bank.

THAT part doesn't make any sense whatsoever, from several standpoints. One, "RFID" in credit cards doesn't have your account balance on it, nor can it influence your balance. That's all stored at the bank or credit issuer. The card's just used to provide an ID and account number. It doesn't initiate a transaction by itself. Two, credit card RFID is all passive, and short range, say 10cm or so. It's not like they're all going to fire off comm links to commie satellites and somehow pour money into China.

OTOH, what he's talking about is things like USB storage that come pre-spiked with hacker software from China, there was a serious infestation of LCD photo frames last year, which all came stuffed with crap.

The occasional USB drive has crap on it as well, we don't allow them in the SCIF here, and all the USB ports are physically removed from all the machines except mine, and it's sand boxed and mechanically locked so no one can use it but me, and nothing you install on it survives the next boot. It's getting to where we are having issues with USB disk drives as well, most manufacturers want to install unremovable auto-run roms that masquerade as CD drives. You can infest this sort of thing with crapware as well. I have to use a sandboxed system here in the lab to weed through the drives before I allow them to be hooked to any machine we own.

tech hubby just said this could come into play with the new rage to use your cell phone AS your credit cards. All linked up and ready to go.

It's getting to where we are having issues with USB disk drives as well, most manufacturers want to install unremovable auto-run roms that masquerade as CD drives. You can infest this sort of thing with crapware as well. I have to use a sandboxed system here in the lab to weed through the drives before I allow them to be hooked to any machine we own.

It seems you are one of the few that realize that multifunction USB ports are one of the biggest threats to IT security there is (aside from using the Internet.) Policing the use of USB ports on a corporate or government scale is immensely challenging.

There was another post on ATS about a USB computer mouse with secretly embedded flash memory that copied code to the host system and then initiated commands. This stealth code execution was not caught by well known Anti virus packages (in a test environment.)

The best way to infiltrate a competing corporation today is through technology, not people. Corporate activities, communications, strategies and proprietary data is all electronically stored these days.

I believe that compromised peripherals have been on the market for years. Yet since their purpose is mainly for espionage - they are simply never discovered.

The thing about china doing it at a government level is they try to do it without any one ever finding out.
This means that a lot of this never causes any problems for the end users

I would like to emphasize this statement.

This is exactly what I was going to say . All the spyware and malware that targets consumer PCs are probably just a diversion for the gov't or corporate sponsored stealth code that no one ever notices.

reply to post by matito


You can do some amazing tricks with a 1394 port on many OS's, as well, in terms of copying out memory contents and looking for passwords and the like.

But as for USB, well, you can make hacked USB sticks that announce themselves as CDROMs or rotating hard drives, if your system allows autorun you can inject exploits that way as well. With some painful coding work, you could also likely have the USB stick let you write an executable file to it, then have it feed you back a far different executable when the OS reads the file into memory. We definitely did the former to someone during a security test - scatter some jiggered USB drives around a parking lot or drop them by the smokers' hole, and SOMEONE will carry one back in and stick it in their machine, guaranteed.

/sometimes the tiger team includes the innocent contractors

reply to post by Bedlam

You can do some amazing tricks with a 1394 port on many OS's, as well, in terms of copying out memory contents and looking for passwords and the like.

Yes! I failed to mention other mutifuction ports. USB is probably the most exploited due to it's popularity, yet that wouldn't rule out all the other vulnerable computer ports.

Then add on the fact that any device (printer, scanner, camera, flash drive, etc) can easily carry stealth code in it's built in memory.

Thanks for the example of how USB can be exploited...