Archive for October, 2012

Concerns about Huawei Technologies continue to Rise

Posted in Breach, darkweb, Vulnerabilities on October 16, 2012 by datasecurityblog

American businesses got a wakeup call this month from the House Intelligence Committee about everyday risk to their intellectual property and other confidential data. Let’s hope they heed the call.

Earlier this year, concerns began to emerge over a possibly overly intimate relationship between Huawei Technologies, a top maker of telecom equipment, and the Chinese military. The founder of Huawei, Ren Zhengfei, retired from the Chinese military in 1984, and started the company three years later.

The CBS News program 60 Minutes offered a good account of the congressional investigation into the potential national security threat posed by Huawei. But that story is partial.

Here’s a more complete version.

Late in 2011, the U.S. Commerce Department released an unusual statement banning networking equipment maker Huawei from use in a nationwide emergency network, with no clear reason given. Huawei’s US-based spokesman criticized the announcement as “ungrounded.”

This was the first in a chain of events culminating in a report this month by the House Permanent Select Committee on Intelligence, concluding that Huawei is a threat to US security, and a threat to the intellectual property of U.S. companies.

Huawei responded with an unusual open letter to the U.S. government. It denied charges of poor data security and asked for a full investigation into the security of Huawei equipment.

This was a very odd request, in my view. Governments are almost always laggards when it comes to data security; they are reactive, not proactive. They’re effectively incapable of independent evaluation.

Perhaps Huawei management, steeped in the Chinese Communist Party culture, did not understand the traditionally adversarial relationship in the U.S. between results-focused businesses and politically focused government bureaucracies.

The House Permanent Select Committee on Intelligence started hearings and an investigation in response to Huawei’s request.

Meanwhile, in the EU, a security researcher who uses the hacker handle “FX” started testing the “front door” security of Huawei equipment. A German national, FX demonstrated the results of his research this summer at the annual DefCon security conference in Las Vegas.

Huawei’s competitors — Cisco, HP, Alcatel-Lucent, and others — routinely send security experts to this show, and others like it, to learn from such demonstrations, and to cultivate relationships with independent security researchers.

In this cooperative spirit, ethical security researchers follow the practice called “responsible disclosure.” They will not release a road map to attack a system without first contacting the company that made the equipment. The practice gives a company the time to correct the flaws, and issue a fix.

Huawei is not a company with a visible presence in the security community, and did not receive this courtesy.

In his presentation, FX demonstrated security flaws and holes so numerous that he said there was no reason for Huawei to build in electronic back doors. With some penetration skills, an attacker could silently compromise the Huawei devices. When FX was asked if he followed responsible disclosure for his research, he said he could not locate any appropriate Huawei personnel to disclose to.

On October 8, The House Committee released a 60-page report describing the threat posed by Chinese networking companies. The report states that, “China has the means, opportunity and motive to use telecommunications companies for malicious purposes,” and, “…[B]ased on available classified and unclassified information, Huawei and ZTE cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems.”

Strictly as an aside, I’ve been told that unnamed sources in the Pentagon have told reporters that Huawei could add electronic “back doors” that allow eavesdropping on emails, phone calls, faxes, and confidential files that are commonly transmitted via a “secured connection.” If reporters were informed, they were given a teaspoon full of information scooped from a barrel, doled out sparingly either out of caution, or out of ignorance. (Most likely caution, since Pentagon personnel are also regular DefCon attendees.)

All of this should raise more general data security alarms than the activities of just one company. Let’s hope American business hears the wakeup call.

No matter where a company or a government buys its IT equipment, due diligence by the buyer is critical. The takeaway for you is to check on the following:

1. Which labs and testers have tested the equipment and software for security and resistance to penetration attacks?

2. Is the manufacturer of the equipment encouraging the community of security researchers to find and report security flaws?

3. What is the track record of responses to flaws that are uncovered by the security community?

4. Does the company admit errors, or does it spend its energy on statements that the flaws are only possible in “rare cases,” or only show up “in a controlled laboratory”?

5. How fast does the company act to correct flaws and alert customers?

Until Huawei’s concern for security matches that of its competitors, the comment from researcher FX this summer remains true: “I would not put any of this [Huawei] equipment on my network.”

NOTE: This column was written by Ira Victor for the private NNN newsletter, and is posted here for the benefit of CyberJungle Radio listeners.

October 8 2012, Episode 276, Show Notes

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, Show Notes, The CyberJungle, Vulnerabilities on October 8, 2012 by datasecurityblog

Episode 276 of The CyberJungle is about 36 minutes long. The interview with John Strand begins at about the 22min mark. You may download the file directly, which is great for listening on many smartphones, or go to the listening options page and browse for other ways to hear the show.

Interview

John Strand, InfoSec expert and Senior SANS Instructor. Find him on PaulDotCom.com.

Tales From The Dark Web

Blitzkrieg-like bank takeover attacks coming?

Our Take on This Week’s News

Congress: Chinese telecom firm Huawei a national security threat. The CyberJungle interview with FX, following his Huawei security presentation at DefCon20 this summer, starts at about the 14min mark.

‘FakeInstaller’ attacks Android users

Hotel locks breached with tool disguised as a marker

Wrap

Researchers SICK OF SPAM submit ridiculous article to mag

October 3 2012, Episode 275, Show Notes

Posted in Breach, Conference Coverage, Court Cases, criminal forensics, darkweb, Show Notes, The CyberJungle, Vulnerabilities on October 3, 2012 by datasecurityblog

Episode 275 of The CyberJungle is about 26 minutes long. The interview with Jack Daniel begins at about the 15min mark. You may download the file directly, which is great for listening on many smartphones, or go to the listening options page and browse for other ways to hear the show.

Interview

Jack Daniel, InfoSec Curmudgeon, Reluctant CISSP, and Amateur Blacksmith. Find him on Twitter at @jack_daniel; he works at Tenable Network Security.

Tales From The Dark Web

Even when PCs are locked down, modems and routers can still be compromised

Our Take on This Week’s News

98% of Android devices are running old versions of the software

NIST Selects Winner of Secure Hash Algorithm (SHA-3) Competition

Appeals Court ruling on CP damages to victims

Wrap

FTC Case Results in $163 Million Judgment Against “Scareware” Marketer