2. Welcome, Shane | My Account | Log Out
White Papers | Web Seminars | Newsletters | eBooks
Big Data & Analytics
Data Management
MDM & Data Governance
Infrastructure
Info Strategy & Leadership
BI & Data Discovery
Mobility
web seminars &
white papers
resource
center
Ghosts in the Machine: Attacks May Come From
Inside Computers
by Shane Kite
AUG 19, 2009 5:15am ET
Print
Email
Reprints
Comment
Twitter
LinkedIn
Facebook
Google+The next wave of hacking into computers and stealing data will not be requests or code coming from remote
points across the Web, security experts are warning.
3. Instead, the most sophisticated Trojan Horses appearing on Wall Street financial systems may be threaded into
the silicon of integrated circuits by design, their malicious instructions baked right into the tiny physical aspects
and intricate mapping of the chip itself, according to scientists and academics working with the National
Institute of Standards and Technology, the White House and the Financial Services Information Sharing and
Analysis Center in Dulles, Va.
Detecting such malware after a chip is fabricated will be extremely difficult, if not impossible, these experts
say, because the microchips that run servers have millions to billions of transistors in them. Adding a few
hundred or even just tens of transistors can compromise an integrated circuit can serve attackers' purposes and
escape notice.
"You can never really test every single combination on the chip. Testing a billion transistors would take a very
long time. It would be very difficult to detect hardware Trojans without having some idea of what you're
looking for to begin with," said Scott C. Smith, associate professor of electrical engineering at the University of
Arkansas, co-author of a 2007 paper which described a "Hardware Threat Modeling Concept for Trustable
Integrated Circuits."
Tweaking chips themselves will make them prone to manipulate data, shut down a critical function, or turn a
system into a bugged phone that steals and relays vital information, the experts say.
While fabricating a Trojan horse directly into the design of a microchip is a realm where few can play--foreign
intelligence services, for instance, or perhaps the most well-funded and sophisticated criminal organizations--
there are simpler ways to infiltrate hardware, they say. Attackers of financial systems could, for instance, attach
a tiny wireless modem to a shredder at a wire transfer firm, bug a bank card reader at a European grocery store,
or plant a chip in a projector at an overseas business conference that can infect an attached laptop with spyware.
To combat the threat, the National Institute of Standards and Technology (NIST), the federal government's
technical standards laboratory, is releasing in September an inter-agency report meant to serve as the first set of
best practices for government and industry to mitigate security risks to hardware included in the IT supply
chain.
Originally inspired by the Department of Defense and spy agencies concerned about protecting from hardware
tampering by foreign intelligence, the effort to promote awareness of the threat has filtered into the public
realm. NIST is rewriting an original set of 25 best practices based on lessons learned in a pilot program
underway with Defense. The Department of Homeland Security and Department of State are involved, as well,
parties interviewed for this story say.
The inter-agency report will be used to inform mandatory guidelines NIST expects to release by 2011, which
the federal government will be required follow to ensure its own supply chain security.
The best practices "can be used by financial services, the energy sector, health, all kinds of sectors," said
Marianne Swanson, NIST's senior advisor for information system security.
The key to mitigate hardware as a malware vector is to establish methods for evaluating trustworthiness of
equipment, suppliers and manufacturers, Swanson said. The military and intelligence agencies have done this
by establishing a "trusted access program," began in 2004, whereby organizations including the DoD and
National Security Agency only purchase circuitry from trusted foundries, like those run by IBM or Honeywell.
To be considered trusted, the chip fabrication facilities must be based in the U.S., owned and operated by U.S.
companies, and staffed with U.S. citizens with security clearances.
Right now, only government agencies use the trusted foundries; they currently lack the capacity to add
4. commercial, private-sector business. Because they are not outsourced, the programs are also expensive.
However, investment banks and private utilities joining the trusted foundry program via the chip and network
hardware manufacturers that serve them "will probably happen in the next 10 years or so," says Smith,
particularly if hardware hacking "becomes more prevalent, like software viruses have become."
What has experts worried is that much of commercial circuit-building is done by contractors overseas. So the
chance that bad actors can subvert the supply chain and add spyware into hardware has risen.
To get a sense of the potential problems, open up your laptop: Inside you'll find parts manufactured or supplied
from as many as 10 countries, which compete strategically and economically. Plus, as technology becomes
more and more miniaturized, so will its exploits. Economic or corporate espionage, while seldom talked about,
likely will escalate, the experts warm. Thus, financial firms should adjust their level of concern and awareness
as the vectors for exploits get more sophisticated.
Reported hardware security practices at financial firms seem spotty at best, according to a June survey by the
Financial Services Information Sharing and Analysis Center (FS-ISAC), a public-private group created by
presidential decree to protect operations of financial services firms, as critical infrastructure. The group sought
to measure the level of awareness that financial firms have regarding the importance of hardware security; the
report includes 16 best practices meant to mitigate hardware threats.
More than 55 percent of firms surveyed said they verified the sources of their hardware components delivered
to offices or loading docks by cross-checking the bill of lading with purchase orders. But fewer than 15 percent
inspected the boards inside their routers for tampering prior to functional testing. None of them weighed their
equipment. Although weighing wouldn't catch something as miniscule as microchip tampering, it might flag
hardware with unwanted equipment attached to it, like a wireless modem.
Physical inspection of hardware is recommended by FS-ISAC, a suggestion also included among NIST's best
upcoming practices, Swanson said.
Smith and his colleague Jia Di, an associate professor at University of Arkansas' department of computer
science and engineering, are working on a tool that could detect hardware sabotage in chip design. They are
building a system that aims to flag and warn of abnormalities found either in the circuit design software, or in
chip blueprints, based on a model that intends to identify and rank the most likely scenarios for circuit
manipulation.
Smith said the reason that they're basing the system on assessing the chip designs, versus testing the chip itself,
is because doing the former is the only feasible method that could successfully detect circuit exploits.
This is for two reasons: Because chip manufacturing is highly automated and follows explicitly the directions of
the design program. And because the transistors themselves are too many to actively and fully test.
Smith expects there will "be a big industry" for chip security tools in the next decade. "This will be part of the
chip design flow that will be running through malicious logic to make sure that nothing's been added onto your
chip before fabricating it."
Tamper-resistant chips are also coming to the commercial market. Pleasanton, Calif.-based CPU Tech has
offered the private sector since 2008 the Acalis CPU872 MultiCore chip, which the firm says protects from
hardware-based Trojans for high-performance processing within vital applications. It scatters separate parts of
the encryption key needed to boot the hardware across different pieces of the chip and also embeds memory
onto the chip, so vital data can't be accessed externally. Financial firms have expressed interest in purchasing
systems with the chip installed, said Robert Beanland, vice president of marketing for CPU Technology.
5. According to the Cyberspace Policy Review released by the White House in May, "documented examples exist
of unambiguous, deliberate subversions" of the IT supply chain. While counterfeit products have created "the
most visible" problems to date for hardware, the global nature of IT manufacturing has made subversion of
computers and networks through supply chain sabotage via subtle hardware or software manipulations, more
feasible.
Law enforcement in Europe uncovered a scam late last year whereby criminals had rigged credit card readers
installed at Tesco and other retail outlets there with what was essentially a tiny cell phone that was capturing all
the PINs from customers who used their cards on the readers in stores and sending the data through Pakistan;
though its ultimate destination remains unknown. Criminals often choose nations with porous security or
limited digital forensics practices to route their booty.
"What was interesting about this is that some portion of it really was a supply chain corruption," said Scott
Borg, director and chief economist (CEO) at the U.S. Cyber Consequences Unit (US-CCU), an independent,
non-profit research institute. Borg's work on securing IT supply chains was cited in the president's cyber policy
review.
Borg makes pains however to emphasize that the threat of hardware tampering occurring in the private sector
remains relatively low. "Malicious software is so much easier and cheaper to distribute," he says. Plus, the risk
is huge. "There's a serious danger that the whole world would stop buying electronics from your country if it
was shown that the supply chain was compromised. The main danger here is hardware bargain hunting."
Purchasing used routers from any source other than their branded manufacturer, say a Cisco or Juniper, for
instance, is considered risky because of the increased likelihood that the purchaser could receive counterfeit
parts. In a 2008 report detailing a scam involving counterfeit Cisco equipment made in China, the FBI warned
that the fake hardware could enable foreign agents to crack codes and bug secure networks.
This article can also be found at SecuritiesIndustry.com.
JOIN THE DISCUSSION
Comment
SEE MORE IN
Comments (0)
Be the first to comment on this post using the section below.
Add Your Comments:
6. Add your comments here.
Notify me when other readers comment on this article.
Click here to receive notifications without commenting
Most Read
Most Emailed
Big Data Platforms: How To Migrate From Relational Databases to NoSQL
Self Service: A Data Scientist Productivity Boost
Big Data Applications Drive NoSQL Adoption
Hadoop as a Service: 18 Cloud Options
Business Intelligence for the Other 80 Percent
Analytics
From Big Data to Big Decisions
Self Service: A Data Scientist Productivity Boost
Price and Revenue Optimization (PRO)
Business Intelligence for the Other 80 Percent
Business Intelligence
Can Workday's Analytics Reduce Employee Turnover?
Cloud-based Business Intelligence Goes Mainstream
Redefine BI to Unleash Big Data's Power
How Big Data Keeps United Healthcare Nimble
Customer Experience
7. Become Customer Obsessed Or Fail
Data-Driven Marketers: Mobile Is One Piece of the Story
Millennials and the Machines
How to Build Connected Customer Experiences
Open Source
Hortonworks Buys SequenceIQ for Hadoop in the Cloud
Big Data Applications Drive NoSQL Adoption
Apple Buys NoSQL Big Data Specialist
EMC: Can Data Lakes Create Big Data Splash?
Predictive Analytics
Business Analytics and Forecasting: Revisited
Big Data Pushes Deeper Into Oil and Gas
Messy Big Data Overwhelms Data Scientists
Predictive Analytics or Data Science?
Data Governance
Informatica Acquired for $5.3B Amid Big Data, Cloud Shifts
California to Hire Chief Data Officer (CDO)?
Net Neutrality Decision: What You Need to Know
Balancing Freedom and Control to Enable Governed Data Discovery
Data Integration
Public Opinion: Share My Health Data
Inside Google's Insurance Data Strategy
Healthcare Industry Explores Data Monetization
Update on the DATA Act
Data Management
Amazon Acquired NoSQL Data Migration Startup Amiato
Data Virtualization: The 13th Commandment
Close Your Quarterly Financials (Even Faster)
Public Opinion: Share My Health Data
HOME
About Us
Contact Us
Content Licensing
Advertise with Us
Customer Service
Feedback
My Account
8. Site Map
Privacy Policy
Editorial Submissions
sourcemedia
corporate site
banking
American Banker
Bank Technology News
American Banker Magazine
Credit Union Journal
MORTGAGES
National Mortgage News
PAYMENTS
PaymentsSource
Collections & Credit Risk
ISO & Agent
capital markets
Mergers & Acquisitions
Asset Securitization Report
Leveraged Finance News
Private Placement Letter
Traders Magazine
MUNICIPAL FINANCE
The Bond Buyer
accounting
Accounting Today
Tax Pro Today
HEALTHCARE & BENEFITS
Employee Benefit News
Employee Benefit Adviser