Welcome, Shane | My Account | Log Out

White Papers | Web Seminars | Newsletters | eBooks

Big Data & AnalyticsData ManagementMDM & Data GovernanceInfrastructureInfo Strategy & LeadershipBI & Data DiscoveryMobilityweb seminars &white papersresourcecenter

Ghosts in the Machine: Attacks May Come FromInside Computersby Shane KiteAUG 19, 2009 5:15am ET

Print Email Reprints Comment Twitter LinkedIn Facebook Google+The next wave of hacking into computers and stealing data will not be requests or code coming from remote

points across the Web, security experts are warning.

Instead, the most sophisticated Trojan Horses appearing on Wall Street financial systems may be threaded intothe silicon of integrated circuits by design, their malicious instructions baked right into the tiny physical aspectsand intricate mapping of the chip itself, according to scientists and academics working with the NationalInstitute of Standards and Technology, the White House and the Financial Services Information Sharing andAnalysis Center in Dulles, Va.

Detecting such malware after a chip is fabricated will be extremely difficult, if not impossible, these expertssay, because the microchips that run servers have millions to billions of transistors in them. Adding a fewhundred or even just tens of transistors can compromise an integrated circuit can serve attackers' purposes andescape notice.

"You can never really test every single combination on the chip. Testing a billion transistors would take a verylong time. It would be very difficult to detect hardware Trojans without having some idea of what you'relooking for to begin with," said Scott C. Smith, associate professor of electrical engineering at the University ofArkansas, co-author of a 2007 paper which described a "Hardware Threat Modeling Concept for TrustableIntegrated Circuits."

Tweaking chips themselves will make them prone to manipulate data, shut down a critical function, or turn asystem into a bugged phone that steals and relays vital information, the experts say.

While fabricating a Trojan horse directly into the design of a microchip is a realm where few can play--foreignintelligence services, for instance, or perhaps the most well-funded and sophisticated criminal organizations--there are simpler ways to infiltrate hardware, they say. Attackers of financial systems could, for instance, attacha tiny wireless modem to a shredder at a wire transfer firm, bug a bank card reader at a European grocery store,or plant a chip in a projector at an overseas business conference that can infect an attached laptop with spyware.

To combat the threat, the National Institute of Standards and Technology (NIST), the federal government'stechnical standards laboratory, is releasing in September an inter-agency report meant to serve as the first set ofbest practices for government and industry to mitigate security risks to hardware included in the IT supplychain.

Originally inspired by the Department of Defense and spy agencies concerned about protecting from hardwaretampering by foreign intelligence, the effort to promote awareness of the threat has filtered into the publicrealm. NIST is rewriting an original set of 25 best practices based on lessons learned in a pilot programunderway with Defense. The Department of Homeland Security and Department of State are involved, as well,parties interviewed for this story say.

The inter-agency report will be used to inform mandatory guidelines NIST expects to release by 2011, whichthe federal government will be required follow to ensure its own supply chain security.

The best practices "can be used by financial services, the energy sector, health, all kinds of sectors," saidMarianne Swanson, NIST's senior advisor for information system security.

The key to mitigate hardware as a malware vector is to establish methods for evaluating trustworthiness ofequipment, suppliers and manufacturers, Swanson said. The military and intelligence agencies have done thisby establishing a "trusted access program," began in 2004, whereby organizations including the DoD andNational Security Agency only purchase circuitry from trusted foundries, like those run by IBM or Honeywell.To be considered trusted, the chip fabrication facilities must be based in the U.S., owned and operated by U.S.companies, and staffed with U.S. citizens with security clearances.

Right now, only government agencies use the trusted foundries; they currently lack the capacity to add

commercial, private-sector business. Because they are not outsourced, the programs are also expensive.However, investment banks and private utilities joining the trusted foundry program via the chip and networkhardware manufacturers that serve them "will probably happen in the next 10 years or so," says Smith,particularly if hardware hacking "becomes more prevalent, like software viruses have become."

What has experts worried is that much of commercial circuit-building is done by contractors overseas. So thechance that bad actors can subvert the supply chain and add spyware into hardware has risen.

To get a sense of the potential problems, open up your laptop: Inside you'll find parts manufactured or suppliedfrom as many as 10 countries, which compete strategically and economically. Plus, as technology becomesmore and more miniaturized, so will its exploits. Economic or corporate espionage, while seldom talked about,likely will escalate, the experts warm. Thus, financial firms should adjust their level of concern and awarenessas the vectors for exploits get more sophisticated.

Reported hardware security practices at financial firms seem spotty at best, according to a June survey by theFinancial Services Information Sharing and Analysis Center (FS-ISAC), a public-private group created bypresidential decree to protect operations of financial services firms, as critical infrastructure. The group soughtto measure the level of awareness that financial firms have regarding the importance of hardware security; thereport includes 16 best practices meant to mitigate hardware threats.

More than 55 percent of firms surveyed said they verified the sources of their hardware components deliveredto offices or loading docks by cross-checking the bill of lading with purchase orders. But fewer than 15 percentinspected the boards inside their routers for tampering prior to functional testing. None of them weighed theirequipment. Although weighing wouldn't catch something as miniscule as microchip tampering, it might flaghardware with unwanted equipment attached to it, like a wireless modem.

Physical inspection of hardware is recommended by FS-ISAC, a suggestion also included among NIST's bestupcoming practices, Swanson said.

Smith and his colleague Jia Di, an associate professor at University of Arkansas' department of computerscience and engineering, are working on a tool that could detect hardware sabotage in chip design. They arebuilding a system that aims to flag and warn of abnormalities found either in the circuit design software, or inchip blueprints, based on a model that intends to identify and rank the most likely scenarios for circuitmanipulation.

Smith said the reason that they're basing the system on assessing the chip designs, versus testing the chip itself,is because doing the former is the only feasible method that could successfully detect circuit exploits.

This is for two reasons: Because chip manufacturing is highly automated and follows explicitly the directions ofthe design program. And because the transistors themselves are too many to actively and fully test.

Smith expects there will "be a big industry" for chip security tools in the next decade. "This will be part of thechip design flow that will be running through malicious logic to make sure that nothing's been added onto yourchip before fabricating it."

Tamper-resistant chips are also coming to the commercial market. Pleasanton, Calif.-based CPU Tech hasoffered the private sector since 2008 the Acalis CPU872 MultiCore chip, which the firm says protects fromhardware-based Trojans for high-performance processing within vital applications. It scatters separate parts ofthe encryption key needed to boot the hardware across different pieces of the chip and also embeds memoryonto the chip, so vital data can't be accessed externally. Financial firms have expressed interest in purchasingsystems with the chip installed, said Robert Beanland, vice president of marketing for CPU Technology.

According to the Cyberspace Policy Review released by the White House in May, "documented examples existof unambiguous, deliberate subversions" of the IT supply chain. While counterfeit products have created "themost visible" problems to date for hardware, the global nature of IT manufacturing has made subversion ofcomputers and networks through supply chain sabotage via subtle hardware or software manipulations, morefeasible.

Law enforcement in Europe uncovered a scam late last year whereby criminals had rigged credit card readersinstalled at Tesco and other retail outlets there with what was essentially a tiny cell phone that was capturing allthe PINs from customers who used their cards on the readers in stores and sending the data through Pakistan;though its ultimate destination remains unknown. Criminals often choose nations with porous security orlimited digital forensics practices to route their booty.

"What was interesting about this is that some portion of it really was a supply chain corruption," said ScottBorg, director and chief economist (CEO) at the U.S. Cyber Consequences Unit (US-CCU), an independent,non-profit research institute. Borg's work on securing IT supply chains was cited in the president's cyber policyreview.

Borg makes pains however to emphasize that the threat of hardware tampering occurring in the private sectorremains relatively low. "Malicious software is so much easier and cheaper to distribute," he says. Plus, the riskis huge. "There's a serious danger that the whole world would stop buying electronics from your country if itwas shown that the supply chain was compromised. The main danger here is hardware bargain hunting."

Purchasing used routers from any source other than their branded manufacturer, say a Cisco or Juniper, forinstance, is considered risky because of the increased likelihood that the purchaser could receive counterfeitparts. In a 2008 report detailing a scam involving counterfeit Cisco equipment made in China, the FBI warnedthat the fake hardware could enable foreign agents to crack codes and bug secure networks.

This article can also be found at SecuritiesIndustry.com.

JOIN THE DISCUSSIONComment

SEE MORE INComments (0)

Be the first to comment on this post using the section below.

Add Your Comments:

Add your comments here.

Notify me when other readers comment on this article. Click here to receive notifications without commenting

Most ReadMost Emailed

Big Data Platforms: How To Migrate From Relational Databases to NoSQLSelf Service: A Data Scientist Productivity BoostBig Data Applications Drive NoSQL AdoptionHadoop as a Service: 18 Cloud OptionsBusiness Intelligence for the Other 80 Percent

AnalyticsFrom Big Data to Big DecisionsSelf Service: A Data Scientist Productivity BoostPrice and Revenue Optimization (PRO)Business Intelligence for the Other 80 Percent

Business IntelligenceCan Workday's Analytics Reduce Employee Turnover?Cloud-based Business Intelligence Goes MainstreamRedefine BI to Unleash Big Data's PowerHow Big Data Keeps United Healthcare Nimble

Customer Experience

Become Customer Obsessed Or FailData-Driven Marketers: Mobile Is One Piece of the StoryMillennials and the MachinesHow to Build Connected Customer Experiences

Open SourceHortonworks Buys SequenceIQ for Hadoop in the CloudBig Data Applications Drive NoSQL AdoptionApple Buys NoSQL Big Data SpecialistEMC: Can Data Lakes Create Big Data Splash?

Predictive AnalyticsBusiness Analytics and Forecasting: RevisitedBig Data Pushes Deeper Into Oil and GasMessy Big Data Overwhelms Data ScientistsPredictive Analytics or Data Science?

Data GovernanceInformatica Acquired for $5.3B Amid Big Data, Cloud ShiftsCalifornia to Hire Chief Data Officer (CDO)?Net Neutrality Decision: What You Need to KnowBalancing Freedom and Control to Enable Governed Data Discovery

Data IntegrationPublic Opinion: Share My Health DataInside Google's Insurance Data StrategyHealthcare Industry Explores Data MonetizationUpdate on the DATA Act

Data ManagementAmazon Acquired NoSQL Data Migration Startup AmiatoData Virtualization: The 13th CommandmentClose Your Quarterly Financials (Even Faster)Public Opinion: Share My Health Data

HOMEAbout UsContact UsContent LicensingAdvertise with UsCustomer ServiceFeedbackMy Account

Site MapPrivacy PolicyEditorial Submissions

sourcemediacorporate site

bankingAmerican BankerBank Technology NewsAmerican Banker MagazineCredit Union Journal

MORTGAGESNational Mortgage News

PAYMENTSPaymentsSourceCollections & Credit RiskISO & Agent

capital marketsMergers & AcquisitionsAsset Securitization ReportLeveraged Finance NewsPrivate Placement LetterTraders Magazine

MUNICIPAL FINANCEThe Bond Buyer

accountingAccounting TodayTax Pro Today

HEALTHCARE & BENEFITSEmployee Benefit NewsEmployee Benefit Adviser

Health Data ManagementInsurance Networking NewsInformation Management

INVESTMENT ADVISORYFinancial PlanningOn Wall StreetBank Investment ConsultantMoney Management Executive

© 2015 SourceMedia. All rights reserved.