Ghosts in the Machine: Attacks May Come From
Inside Computers
by Shane Kite
AUG 19, 2009 5:15am ET
The next wave of hacking into computers and stealing data will not be requests or code coming from remote
points across the Web, security experts are warning.
Instead, the most sophisticated Trojan Horses appearing on Wall Street financial systems may be threaded into
the silicon of integrated circuits by design, their malicious instructions baked right into the tiny physical aspects
and intricate mapping of the chip itself, according to scientists and academics working with the National
Institute of Standards and Technology, the White House and the Financial Services Information Sharing and
Analysis Center in Dulles, Va.
Detecting such malware after a chip is fabricated will be extremely difficult, if not impossible, these experts
say, because the microchips that run servers have millions to billions of transistors in them. Adding a few
hundred or even just tens of transistors to compromise an integrated circuit can serve attackers' purposes and
escape notice.
"You can never really test every single combination on the chip. Testing a billion transistors would take a very
long time. It would be very difficult to detect hardware Trojans without having some idea of what you're
looking for to begin with," said Scott C. Smith, associate professor of electrical engineering at the University of
Arkansas, co-author of a 2007 paper which described a "Hardware Threat Modeling Concept for Trustable
Integrated Circuits."
Tweaking chips themselves will make them prone to manipulate data, shut down a critical function, or turn a
system into a bugged phone that steals and relays vital information, the experts say.
While fabricating a Trojan horse directly into the design of a microchip is a realm where few can play--foreign
intelligence services, for instance, or perhaps the most well-funded and sophisticated criminal organizations--
there are simpler ways to infiltrate hardware, they say. Attackers of financial systems could, for instance, attach
a tiny wireless modem to a shredder at a wire transfer firm, bug a bank card reader at a European grocery store,
or plant a chip in a projector at an overseas business conference that can infect an attached laptop with spyware.
To combat the threat, the National Institute of Standards and Technology (NIST), the federal government's
technical standards laboratory, is releasing in September an inter-agency report meant to serve as the first set of
best practices for government and industry to mitigate security risks to hardware included in the IT supply
chain.
Originally inspired by the Department of Defense and spy agencies concerned about protecting from hardware
tampering by foreign intelligence, the effort to promote awareness of the threat has filtered into the public
realm. NIST is rewriting an original set of 25 best practices based on lessons learned in a pilot program
underway with Defense. The Department of Homeland Security and Department of State are involved, as well,
parties interviewed for this story say.
The inter-agency report will be used to inform mandatory guidelines NIST expects to release by 2011, which
the federal government will be required to follow to ensure its own supply chain security.
The best practices "can be used by financial services, the energy sector, health, all kinds of sectors," said
Marianne Swanson, NIST's senior advisor for information system security.
The key to mitigating hardware as a malware vector is to establish methods for evaluating trustworthiness of
equipment, suppliers and manufacturers, Swanson said. The military and intelligence agencies have done this
by establishing a "trusted access program," begun in 2004, whereby organizations including the DoD and
National Security Agency only purchase circuitry from trusted foundries, like those run by IBM or Honeywell.
To be considered trusted, the chip fabrication facilities must be based in the U.S., owned and operated by U.S.
companies, and staffed with U.S. citizens with security clearances.
Right now, only government agencies use the trusted foundries; they currently lack the capacity to add
commercial, private-sector business. Because they are not outsourced, the programs are also expensive.
However, investment banks and private utilities joining the trusted foundry program via the chip and network
hardware manufacturers that serve them "will probably happen in the next 10 years or so," says Smith,
particularly if hardware hacking "becomes more prevalent, like software viruses have become."
What has experts worried is that much of commercial circuit-building is done by contractors overseas. So the
chance that bad actors can subvert the supply chain and add spyware into hardware has risen.
To get a sense of the potential problems, open up your laptop: Inside you'll find parts manufactured or supplied
from as many as 10 countries, which compete strategically and economically. Plus, as technology becomes
more and more miniaturized, so will its exploits. Economic or corporate espionage, while seldom talked about,
likely will escalate, the experts warn. Thus, financial firms should adjust their level of concern and awareness
as the vectors for exploits get more sophisticated.
Reported hardware security practices at financial firms seem spotty at best, according to a June survey by the
Financial Services Information Sharing and Analysis Center (FS-ISAC), a public-private group created by
presidential decree to protect operations of financial services firms, as critical infrastructure. The group sought
to measure the level of awareness that financial firms have regarding the importance of hardware security; the
report includes 16 best practices meant to mitigate hardware threats.
More than 55 percent of firms surveyed said they verified the sources of their hardware components delivered
to offices or loading docks by cross-checking the bill of lading with purchase orders. But fewer than 15 percent
inspected the boards inside their routers for tampering prior to functional testing. None of them weighed their
equipment. Although weighing wouldn't catch something as minuscule as microchip tampering, it might flag
hardware with unwanted equipment attached to it, like a wireless modem.
Physical inspection of hardware is recommended by FS-ISAC, a suggestion also included among NIST's
upcoming best practices, Swanson said.
Smith and his colleague Jia Di, an associate professor at University of Arkansas' department of computer
science and engineering, are working on a tool that could detect hardware sabotage in chip design. They are
building a system that aims to flag and warn of abnormalities found either in the circuit design software, or in
chip blueprints, based on a model that intends to identify and rank the most likely scenarios for circuit
manipulation.
Smith said they are basing the system on assessing the chip designs, rather than testing the chip itself,
because the former is the only feasible method that could successfully detect circuit exploits.
This is for two reasons: chip manufacturing is highly automated and follows explicitly the directions of
the design program, and the transistors themselves are too many to actively and fully test.
Smith expects there will "be a big industry" for chip security tools in the next decade. "This will be part of the
chip design flow that will be running through malicious logic to make sure that nothing's been added onto your
chip before fabricating it."
Tamper-resistant chips are also coming to the commercial market. Pleasanton, Calif.-based CPU Tech has
offered the private sector since 2008 the Acalis CPU872 MultiCore chip, which the firm says protects from
hardware-based Trojans for high-performance processing within vital applications. It scatters separate parts of
the encryption key needed to boot the hardware across different pieces of the chip and also embeds memory
onto the chip, so vital data can't be accessed externally. Financial firms have expressed interest in purchasing
systems with the chip installed, said Robert Beanland, vice president of marketing for CPU Technology.
According to the Cyberspace Policy Review released by the White House in May, "documented examples exist
of unambiguous, deliberate subversions" of the IT supply chain. While counterfeit products have created "the
most visible" problems to date for hardware, the global nature of IT manufacturing has made subversion of
computers and networks through supply chain sabotage via subtle hardware or software manipulations more
feasible.
Law enforcement in Europe uncovered a scam late last year whereby criminals had rigged credit card readers
installed at Tesco and other retail outlets there with what was essentially a tiny cell phone that was capturing all
the PINs from customers who used their cards on the readers in stores and sending the data through Pakistan,
though its ultimate destination remains unknown. Criminals often choose nations with porous security or
limited digital forensics practices to route their booty.
"What was interesting about this is that some portion of it really was a supply chain corruption," said Scott
Borg, director and chief economist (CEO) at the U.S. Cyber Consequences Unit (US-CCU), an independent,
non-profit research institute. Borg's work on securing IT supply chains was cited in the president's cyber policy
review.
Borg takes pains, however, to emphasize that the threat of hardware tampering occurring in the private sector
remains relatively low. "Malicious software is so much easier and cheaper to distribute," he says. Plus, the risk
is huge. "There's a serious danger that the whole world would stop buying electronics from your country if it
was shown that the supply chain was compromised. The main danger here is hardware bargain hunting."
Purchasing used routers from any source other than their branded manufacturer, say a Cisco or Juniper, for
instance, is considered risky because of the increased likelihood that the purchaser could receive counterfeit
parts. In a 2008 report detailing a scam involving counterfeit Cisco equipment made in China, the FBI warned
that the fake hardware could enable foreign agents to crack codes and bug secure networks.
This article can also be found at SecuritiesIndustry.com.
© 2015 SourceMedia. All rights reserved.

Weitere ähnliche Inhalte

Was ist angesagt?

RSA Monthly Online Fraud Report -- February 2014
RSA Monthly Online Fraud Report -- February 2014RSA Monthly Online Fraud Report -- February 2014
RSA Monthly Online Fraud Report -- February 2014EMC
 
2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna
2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna
2014 GRC Conference in West Palm Beach-Moderated by Sonia LunaAviva Spectrum™
 
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015Robert Craig
 
Rpt paradigm shifts
Rpt paradigm shiftsRpt paradigm shifts
Rpt paradigm shiftsmalvvv
 
Rpt paradigm shifts
Rpt paradigm shiftsRpt paradigm shifts
Rpt paradigm shiftsmalvvv
 
Risk Management Practices for PCI DSS 2.0
Risk Management Practices for PCI DSS 2.0Risk Management Practices for PCI DSS 2.0
Risk Management Practices for PCI DSS 2.0Ulf Mattsson
 
Security weekly september 28 october 4, 2021
Security weekly september 28   october 4, 2021 Security weekly september 28   october 4, 2021
Security weekly september 28 october 4, 2021 Roen Branham
 
2015 Global Threat Intelligence Report Executive Summary | NTT i3
2015 Global Threat Intelligence Report Executive Summary | NTT i32015 Global Threat Intelligence Report Executive Summary | NTT i3
2015 Global Threat Intelligence Report Executive Summary | NTT i3NTT Innovation Institute Inc.
 
2009 10 21 Rajgoel Trends In Financial Crimes
2009 10 21 Rajgoel Trends In Financial Crimes2009 10 21 Rajgoel Trends In Financial Crimes
2009 10 21 Rajgoel Trends In Financial CrimesRaj Goel
 
Adjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New NormalAdjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New NormalPriyanka Aash
 
As telcos go digital, cybersecurity risks intensify by pwc
As telcos go digital, cybersecurity risks intensify by pwcAs telcos go digital, cybersecurity risks intensify by pwc
As telcos go digital, cybersecurity risks intensify by pwcMert Akın
 
Cybersecurity Challenges in Retail 2020: How to Prevent Retail Theft
Cybersecurity Challenges in Retail 2020: How to Prevent Retail TheftCybersecurity Challenges in Retail 2020: How to Prevent Retail Theft
Cybersecurity Challenges in Retail 2020: How to Prevent Retail TheftIntellias
 
The Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage DevicesThe Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage DevicesGFI Software
 
An Overview and Competitive Analysis of the One-Time Password (OTP) Market
An Overview and Competitive Analysis of the One-Time Password (OTP) MarketAn Overview and Competitive Analysis of the One-Time Password (OTP) Market
An Overview and Competitive Analysis of the One-Time Password (OTP) MarketEMC
 
ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019- Mark - Fullbright
 

Was ist angesagt? (20)

RSA Monthly Online Fraud Report -- February 2014
RSA Monthly Online Fraud Report -- February 2014RSA Monthly Online Fraud Report -- February 2014
RSA Monthly Online Fraud Report -- February 2014
 
2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna
2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna
2014 GRC Conference in West Palm Beach-Moderated by Sonia Luna
 
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
 
Emerging Threats to Digital Payments - Is Your Business Ready
Emerging Threats to Digital Payments - Is Your Business ReadyEmerging Threats to Digital Payments - Is Your Business Ready
Emerging Threats to Digital Payments - Is Your Business Ready
 
Case study on JP Morgan Chase & Co
Case study on JP Morgan Chase & CoCase study on JP Morgan Chase & Co
Case study on JP Morgan Chase & Co
 
Rpt paradigm shifts
Rpt paradigm shiftsRpt paradigm shifts
Rpt paradigm shifts
 
Rpt paradigm shifts
Rpt paradigm shiftsRpt paradigm shifts
Rpt paradigm shifts
 
Insecure mag-33
Insecure mag-33Insecure mag-33
Insecure mag-33
 
Risk Management Practices for PCI DSS 2.0
Risk Management Practices for PCI DSS 2.0Risk Management Practices for PCI DSS 2.0
Risk Management Practices for PCI DSS 2.0
 
Security weekly september 28 october 4, 2021
Security weekly september 28   october 4, 2021 Security weekly september 28   october 4, 2021
Security weekly september 28 october 4, 2021
 
2015 Global Threat Intelligence Report Executive Summary | NTT i3
2015 Global Threat Intelligence Report Executive Summary | NTT i32015 Global Threat Intelligence Report Executive Summary | NTT i3
2015 Global Threat Intelligence Report Executive Summary | NTT i3
 
BLURRING BOUNDARIES
BLURRING BOUNDARIESBLURRING BOUNDARIES
BLURRING BOUNDARIES
 
2009 10 21 Rajgoel Trends In Financial Crimes
2009 10 21 Rajgoel Trends In Financial Crimes2009 10 21 Rajgoel Trends In Financial Crimes
2009 10 21 Rajgoel Trends In Financial Crimes
 
Adjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New NormalAdjusting Your Security Controls: It’s the New Normal
Adjusting Your Security Controls: It’s the New Normal
 
As telcos go digital, cybersecurity risks intensify by pwc
As telcos go digital, cybersecurity risks intensify by pwcAs telcos go digital, cybersecurity risks intensify by pwc
As telcos go digital, cybersecurity risks intensify by pwc
 
Cybersecurity Challenges in Retail 2020: How to Prevent Retail Theft
Cybersecurity Challenges in Retail 2020: How to Prevent Retail TheftCybersecurity Challenges in Retail 2020: How to Prevent Retail Theft
Cybersecurity Challenges in Retail 2020: How to Prevent Retail Theft
 
The Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage DevicesThe Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage Devices
 
A6704d01
A6704d01A6704d01
A6704d01
 
An Overview and Competitive Analysis of the One-Time Password (OTP) Market
An Overview and Competitive Analysis of the One-Time Password (OTP) MarketAn Overview and Competitive Analysis of the One-Time Password (OTP) Market
An Overview and Competitive Analysis of the One-Time Password (OTP) Market
 
ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019ISTR Internet Security Threat Report 2019
ISTR Internet Security Threat Report 2019
 

Ähnlich wie ghostsinthemachine2

Digital Forensics Market, Size, Global Forecast 2023-2028
Digital Forensics Market, Size, Global Forecast 2023-2028Digital Forensics Market, Size, Global Forecast 2023-2028
Digital Forensics Market, Size, Global Forecast 2023-2028Renub Research
 
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”Black Duck by Synopsys
 
Combating Cybersecurity Challenges with Advanced Analytics
Combating Cybersecurity Challenges with Advanced AnalyticsCombating Cybersecurity Challenges with Advanced Analytics
Combating Cybersecurity Challenges with Advanced AnalyticsCognizant
 
Open Source Insight: Hospital, Medical Devices, Banking, and Automotive Cyber...
Open Source Insight: Hospital, Medical Devices, Banking, and Automotive Cyber...Open Source Insight: Hospital, Medical Devices, Banking, and Automotive Cyber...
Open Source Insight: Hospital, Medical Devices, Banking, and Automotive Cyber...Black Duck by Synopsys
 
Insecure magazine - 51
Insecure magazine - 51Insecure magazine - 51
Insecure magazine - 51Felipe Prado
 
Security In an IoT World
Security In an IoT WorldSecurity In an IoT World
Security In an IoT Worldsyrinxtech
 
Abney and Associates Security 2014 News: Big Returns from Big Data for Security
Abney and Associates Security 2014 News: Big Returns from Big Data for SecurityAbney and Associates Security 2014 News: Big Returns from Big Data for Security
Abney and Associates Security 2014 News: Big Returns from Big Data for Securitylewisfinn
 
Critical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist AttacksCritical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist AttacksBGA Cyber Security
 
Top 15 security predictions for 2017
Top 15 security predictions for 2017Top 15 security predictions for 2017
Top 15 security predictions for 2017Accelerate Tech
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecuritySpark Security
 
Why computers will never be safe
Why computers will never be safeWhy computers will never be safe
Why computers will never be safeCAST
 
Top Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White PaperTop Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White PaperNetIQ
 
Netop Remote Control Embedded Devices
Netop Remote Control Embedded DevicesNetop Remote Control Embedded Devices
Netop Remote Control Embedded DevicesNetop
 
Internet of things, New Challenges in Cyber Crime
Internet of things, New Challenges in Cyber CrimeInternet of things, New Challenges in Cyber Crime
Internet of things, New Challenges in Cyber CrimeMurray Security Services
 
Outlook Briefing 2016: Cyber Security
Outlook Briefing 2016: Cyber SecurityOutlook Briefing 2016: Cyber Security
Outlook Briefing 2016: Cyber SecurityMastel Indonesia
 

Ähnlich wie ghostsinthemachine2 (20)

Digital Forensics Market, Size, Global Forecast 2023-2028
Digital Forensics Market, Size, Global Forecast 2023-2028Digital Forensics Market, Size, Global Forecast 2023-2028
Digital Forensics Market, Size, Global Forecast 2023-2028
 
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
 
Combating Cybersecurity Challenges with Advanced Analytics
Combating Cybersecurity Challenges with Advanced AnalyticsCombating Cybersecurity Challenges with Advanced Analytics
Combating Cybersecurity Challenges with Advanced Analytics
 
Internet
InternetInternet
Internet
 
expert tips
expert tipsexpert tips
expert tips
 
Ten Expert Tips on Internet of Things Security
Ten Expert Tips on Internet of Things SecurityTen Expert Tips on Internet of Things Security
Ten Expert Tips on Internet of Things Security
 
Open Source Insight: Hospital, Medical Devices, Banking, and Automotive Cyber...
Open Source Insight: Hospital, Medical Devices, Banking, and Automotive Cyber...Open Source Insight: Hospital, Medical Devices, Banking, and Automotive Cyber...
Open Source Insight: Hospital, Medical Devices, Banking, and Automotive Cyber...
 
Insecure magazine - 51
Insecure magazine - 51Insecure magazine - 51
Insecure magazine - 51
 
Security In an IoT World
Security In an IoT WorldSecurity In an IoT World
Security In an IoT World
 
Abney and Associates Security 2014 News: Big Returns from Big Data for Security
Abney and Associates Security 2014 News: Big Returns from Big Data for SecurityAbney and Associates Security 2014 News: Big Returns from Big Data for Security
Abney and Associates Security 2014 News: Big Returns from Big Data for Security
 
Critical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist AttacksCritical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist Attacks
 
Top 15 security predictions for 2017
Top 15 security predictions for 2017Top 15 security predictions for 2017
Top 15 security predictions for 2017
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for Cybersecurity
 
Cyber Crime is Wreaking Havoc
Cyber Crime is Wreaking HavocCyber Crime is Wreaking Havoc
Cyber Crime is Wreaking Havoc
 
Why computers will never be safe
Why computers will never be safeWhy computers will never be safe
Why computers will never be safe
 
Top Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White PaperTop Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White Paper
 
Netop Remote Control Embedded Devices
Netop Remote Control Embedded DevicesNetop Remote Control Embedded Devices
Netop Remote Control Embedded Devices
 
Internet of things, New Challenges in Cyber Crime
Internet of things, New Challenges in Cyber CrimeInternet of things, New Challenges in Cyber Crime
Internet of things, New Challenges in Cyber Crime
 
Outlook Briefing 2016: Cyber Security
Outlook Briefing 2016: Cyber SecurityOutlook Briefing 2016: Cyber Security
Outlook Briefing 2016: Cyber Security
 
Data Safety And Security
Data Safety And SecurityData Safety And Security
Data Safety And Security
 

Mehr von Shane Kite

Mehr von Shane Kite (20)

stresstests
stresstestsstresstests
stresstests
 
cincinnatimag2
cincinnatimag2cincinnatimag2
cincinnatimag2
 
seizetheconversation2
seizetheconversation2seizetheconversation2
seizetheconversation2
 
electricschoolbus
electricschoolbuselectricschoolbus
electricschoolbus
 
mtvfinal
mtvfinalmtvfinal
mtvfinal
 
murano2
murano2murano2
murano2
 
gto3
gto3gto3
gto3
 
tokyo
tokyotokyo
tokyo
 
hdradio2
hdradio2hdradio2
hdradio2
 
supercomputerfinal
supercomputerfinalsupercomputerfinal
supercomputerfinal
 
frankfurteditfinal
frankfurteditfinalfrankfurteditfinal
frankfurteditfinal
 
greenmonsters2
greenmonsters2greenmonsters2
greenmonsters2
 
mentors2
mentors2mentors2
mentors2
 
zombies2
zombies2zombies2
zombies2
 
telecommuting2
telecommuting2telecommuting2
telecommuting2
 
disruptors2
disruptors2disruptors2
disruptors2
 
IIOMS
IIOMSIIOMS
IIOMS
 
reviews3optimized
reviews3optimizedreviews3optimized
reviews3optimized
 
reviewsOptimized
reviewsOptimizedreviewsOptimized
reviewsOptimized
 
Sean LennonOptimized
Sean LennonOptimizedSean LennonOptimized
Sean LennonOptimized
 

ghostsinthemachine2

  • 1.
  • 2. Welcome, Shane | My Account | Log Out White Papers | Web Seminars | Newsletters | eBooks Big Data & Analytics Data Management MDM & Data Governance Infrastructure Info Strategy & Leadership BI & Data Discovery Mobility web seminars & white papers resource center Ghosts in the Machine: Attacks May Come From Inside Computers by Shane Kite AUG 19, 2009 5:15am ET Print Email Reprints Comment Twitter LinkedIn Facebook Google+The next wave of hacking into computers and stealing data will not be requests or code coming from remote points across the Web, security experts are warning.
  • 3. Instead, the most sophisticated Trojan Horses appearing on Wall Street financial systems may be threaded into the silicon of integrated circuits by design, their malicious instructions baked right into the tiny physical aspects and intricate mapping of the chip itself, according to scientists and academics working with the National Institute of Standards and Technology, the White House and the Financial Services Information Sharing and Analysis Center in Dulles, Va. Detecting such malware after a chip is fabricated will be extremely difficult, if not impossible, these experts say, because the microchips that run servers have millions to billions of transistors in them. Adding a few hundred or even just tens of transistors can compromise an integrated circuit can serve attackers' purposes and escape notice. "You can never really test every single combination on the chip. Testing a billion transistors would take a very long time. It would be very difficult to detect hardware Trojans without having some idea of what you're looking for to begin with," said Scott C. Smith, associate professor of electrical engineering at the University of Arkansas, co-author of a 2007 paper which described a "Hardware Threat Modeling Concept for Trustable Integrated Circuits." Tweaking chips themselves will make them prone to manipulate data, shut down a critical function, or turn a system into a bugged phone that steals and relays vital information, the experts say. While fabricating a Trojan horse directly into the design of a microchip is a realm where few can play--foreign intelligence services, for instance, or perhaps the most well-funded and sophisticated criminal organizations-- there are simpler ways to infiltrate hardware, they say. 
Attackers of financial systems could, for instance, attach a tiny wireless modem to a shredder at a wire transfer firm, bug a bank card reader at a European grocery store, or plant a chip in a projector at an overseas business conference that can infect an attached laptop with spyware. To combat the threat, the National Institute of Standards and Technology (NIST), the federal government's technical standards laboratory, is releasing in September an inter-agency report meant to serve as the first set of best practices for government and industry to mitigate security risks to hardware included in the IT supply chain. Originally inspired by the Department of Defense and spy agencies concerned about protecting from hardware tampering by foreign intelligence, the effort to promote awareness of the threat has filtered into the public realm. NIST is rewriting an original set of 25 best practices based on lessons learned in a pilot program underway with Defense. The Department of Homeland Security and Department of State are involved, as well, parties interviewed for this story say. The inter-agency report will be used to inform mandatory guidelines NIST expects to release by 2011, which the federal government will be required follow to ensure its own supply chain security. The best practices "can be used by financial services, the energy sector, health, all kinds of sectors," said Marianne Swanson, NIST's senior advisor for information system security. The key to mitigate hardware as a malware vector is to establish methods for evaluating trustworthiness of equipment, suppliers and manufacturers, Swanson said. The military and intelligence agencies have done this by establishing a "trusted access program," began in 2004, whereby organizations including the DoD and National Security Agency only purchase circuitry from trusted foundries, like those run by IBM or Honeywell. 
To be considered trusted, the chip fabrication facilities must be based in the U.S., owned and operated by U.S. companies, and staffed with U.S. citizens with security clearances. Right now, only government agencies use the trusted foundries; they currently lack the capacity to add
  • 4. commercial, private-sector business. Because they are not outsourced, the programs are also expensive. However, investment banks and private utilities joining the trusted foundry program via the chip and network hardware manufacturers that serve them "will probably happen in the next 10 years or so," says Smith, particularly if hardware hacking "becomes more prevalent, like software viruses have become." What has experts worried is that much of commercial circuit-building is done by contractors overseas. So the chance that bad actors can subvert the supply chain and add spyware into hardware has risen. To get a sense of the potential problems, open up your laptop: Inside you'll find parts manufactured or supplied from as many as 10 countries, which compete strategically and economically. Plus, as technology becomes more and more miniaturized, so will its exploits. Economic or corporate espionage, while seldom talked about, likely will escalate, the experts warn. Thus, financial firms should adjust their level of concern and awareness as the vectors for exploits get more sophisticated. Reported hardware security practices at financial firms seem spotty at best, according to a June survey by the Financial Services Information Sharing and Analysis Center (FS-ISAC), a public-private group created by presidential decree to protect operations of financial services firms, as critical infrastructure. The group sought to measure the level of awareness that financial firms have regarding the importance of hardware security; the report includes 16 best practices meant to mitigate hardware threats. More than 55 percent of firms surveyed said they verified the sources of their hardware components delivered to offices or loading docks by cross-checking the bill of lading with purchase orders. But fewer than 15 percent inspected the boards inside their routers for tampering prior to functional testing. None of them weighed their equipment.
Although weighing wouldn't catch something as minuscule as microchip tampering, it might flag hardware with unwanted equipment attached to it, like a wireless modem. Physical inspection of hardware is recommended by FS-ISAC, a suggestion also included among NIST's upcoming best practices, Swanson said. Smith and his colleague Jia Di, an associate professor at the University of Arkansas' department of computer science and engineering, are working on a tool that could detect hardware sabotage in chip design. They are building a system that aims to flag and warn of abnormalities found either in the circuit design software, or in chip blueprints, based on a model that intends to identify and rank the most likely scenarios for circuit manipulation. Smith said they are basing the system on assessing the chip designs, rather than testing the chip itself, because doing the former is the only feasible method that could successfully detect circuit exploits. This is for two reasons: chip manufacturing is highly automated and follows explicitly the directions of the design program, and the transistors themselves are too many to actively and fully test. Smith expects there will "be a big industry" for chip security tools in the next decade. "This will be part of the chip design flow that will be running through malicious logic to make sure that nothing's been added onto your chip before fabricating it." Tamper-resistant chips are also coming to the commercial market. Pleasanton, Calif.-based CPU Tech has offered the private sector since 2008 the Acalis CPU872 MultiCore chip, which the firm says protects from hardware-based Trojans for high-performance processing within vital applications. It scatters separate parts of the encryption key needed to boot the hardware across different pieces of the chip and also embeds memory onto the chip, so vital data can't be accessed externally.
Financial firms have expressed interest in purchasing systems with the chip installed, said Robert Beanland, vice president of marketing for CPU Technology.
  • 5. According to the Cyberspace Policy Review released by the White House in May, "documented examples exist of unambiguous, deliberate subversions" of the IT supply chain. While counterfeit products have created "the most visible" problems to date for hardware, the global nature of IT manufacturing has made subversion of computers and networks through supply chain sabotage via subtle hardware or software manipulations more feasible. Law enforcement in Europe uncovered a scam late last year whereby criminals had rigged credit card readers installed at Tesco and other retail outlets there with what was essentially a tiny cell phone that was capturing all the PINs from customers who used their cards on the readers in stores and sending the data through Pakistan, though its ultimate destination remains unknown. Criminals often choose nations with porous security or limited digital forensics practices to route their booty. "What was interesting about this is that some portion of it really was a supply chain corruption," said Scott Borg, director and chief economist (CEO) at the U.S. Cyber Consequences Unit (US-CCU), an independent, non-profit research institute. Borg's work on securing IT supply chains was cited in the president's cyber policy review. Borg takes pains, however, to emphasize that the threat of hardware tampering occurring in the private sector remains relatively low. "Malicious software is so much easier and cheaper to distribute," he says. Plus, the risk is huge. "There's a serious danger that the whole world would stop buying electronics from your country if it was shown that the supply chain was compromised. The main danger here is hardware bargain hunting." Purchasing used routers from any source other than their branded manufacturer, say a Cisco or Juniper, for instance, is considered risky because of the increased likelihood that the purchaser could receive counterfeit parts.
In a 2008 report detailing a scam involving counterfeit Cisco equipment made in China, the FBI warned that the fake hardware could enable foreign agents to crack codes and bug secure networks. This article can also be found at SecuritiesIndustry.com.