Archive for Intellectual Property Theft

Concerns about Huawei Technologies continue to Rise

Posted in Breach, darkweb, Vulnerabilities on October 16, 2012 by Habeas Hard Drive

American businesses got a wakeup call this month from the House Intelligence Committee about everyday risk to their intellectual property and other confidential data. Let’s hope they heed the call.

Earlier this year, concerns began to emerge over a possibly overly intimate relationship between Huawei Technologies, a top maker of telecom equipment, and the Chinese military. The founder of Huawei, Ren Zhengfei, retired from the Chinese military in 1984, and started the company three years later.

The CBS News program 60 Minutes offered a good account of the congressional investigation into the potential national security threat posed by Huawei. But that story is partial.

Here’s a more complete version.

Late in 2011, the U.S. Commerce Department released an unusual statement banning networking equipment-maker Huawei from use in a nationwide emergency network, with no clear reason given. Huawei’s US-based spokesman criticized the announcement as “ungrounded.”

This was the first in a chain of events culminating in a report this month by the House Permanent Select Committee on Intelligence, concluding that Huawei is a threat to US security, and a threat to the intellectual property of U.S. companies.

Huawei responded with an unusual open letter to the U.S. government. They denied charges of poor data security. Huawei asked for a full investigation into the security of Huawei equipment.

This was a very odd request, in my view. Governments are almost always laggards when it comes to data security; they are reactive, not proactive. They’re effectively incapable of independent evaluation.

Perhaps Huawei management, steeped in the Chinese Communist Party culture, did not understand the traditionally adversarial relationship in the U.S. between results-focused businesses and politically focused government bureaucracies.

The House Permanent Select Committee on Intelligence started hearings and an investigation in response to Huawei’s request.

Meanwhile, in the EU, a security researcher who uses the hacker handle “FX” started testing the “front door” security of Huawei equipment. A German national, FX demonstrated the results of his research this summer at the annual DefCon security conference in Las Vegas.

Huawei’s competitors — Cisco, HP, Alcatel-Lucent, and others — routinely send security experts to this show, and others like it, to learn from such demonstrations, and to cultivate relationships with independent security researchers.

In this cooperative spirit, ethical security researchers follow the practice called “responsible disclosure.” They will not release a road map to attack a system without first contacting the company that made the equipment. The practice gives a company the time to correct the flaws, and issue a fix.

Huawei is not a company with a visible presence in the security community, and did not receive this courtesy.

In his presentation, FX demonstrated security flaws and holes so numerous that he said there was no reason for Huawei to build in electronic back doors. With some penetration skills, an attacker could silently compromise the Huawei devices. When FX was asked if he followed responsible disclosure of his research, he said he could not locate any appropriate Huawei personnel to disclose to.

On October 8, The House Committee released a 60-page report describing the threat posed by Chinese networking companies. The report states that, “China has the means, opportunity and motive to use telecommunications companies for malicious purposes,” and, “…[B]ased on available classified and unclassified information, Huawei and ZTE cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems.”

Strictly as an aside, I’ve been told that unnamed sources in the Pentagon have told reporters that Huawei could add electronic “back doors” that allow eavesdropping on emails, phone calls, faxes, and confidential files that are commonly transmitted via a “secured connection.” If reporters were informed, they were given a teaspoon full of information scooped from a barrel, doled out sparingly either out of caution, or out of ignorance. (Most likely caution, since Pentagon personnel are also regular DefCon attendees.)

All of this should raise more general data security alarms than the activities of just one company. Let’s hope American business hears the wakeup call.

No matter where a company or a government buys its IT equipment, due diligence by the buyer is critical. The takeaway for you is to check on the following:

1. Which labs and testers have tested the equipment and software for security and resistance to penetration attacks?

2. Is the manufacturer of the equipment encouraging the community of security researchers to find and report security flaws?

3. What is the track record of responses to flaws that are uncovered by the security community?

4. Does the company admit errors, or does it spend its energy on statements that the flaws are only possible in “rare cases,” or only show up “in a controlled laboratory”?

5. How fast does the company act to correct flaws and alert customers?

Until Huawei’s concern for security matches that of its competitors, the comment from researcher FX this summer remains true: “I would not put any of this [Huawei] equipment on my network.”

NOTE: This column was written by Ira Victor for the private NNN newsletter, and is posted here for the benefit of CyberJungle Radio listeners.

March 1, 2011 – Episode 202

Posted in Breach, Court Cases, criminal forensics, darkweb, Legislation, Show Notes, The CyberJungle, Vulnerabilities, web server security on March 1, 2011 by Habeas Hard Drive

Episode 202 of The CyberJungle is about 33 minutes long. You can hear it by clicking on the flash player below. You may download the file directly, which is great for listening on many smartphones. Or, you may go to the listening options page and browse for other ways to hear the show. The interview is about 8 minutes long and it starts at about the 18:25 mark.

Interviews

Interview: Brett Kingstone, The author of The Real War Against America, on industrial espionage featuring Chinese spies paying American employees to steal intellectual property.

Tales From The Dark Web

Zeus Trojan meets Crank Yankers in a social engineering scheme to drain bank accounts by phone

Our Take on The Week’s News

Police Department officer indicted on federal wire fraud and identity theft charges

London Stock Exchange and Morgan Stanley: Added to the list of financial services companies breached by cyber criminals

A woman in a child custody battle with her ex decided it might help if she had recordings of everything

Is that a RAT in your Mac, or have you just been pwnd?