UK Cyber Security Agency Backs Apple, Amazon China Hack Denials (reuters.com) 56
An anonymous reader quotes a report from Reuters: Britain's national cyber security agency said on Friday it had no reason to doubt the assessments made by Apple and Amazon challenging a Bloomberg report that their systems contained malicious computer chips inserted by Chinese intelligence services. "We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple," said the National Cyber Security Centre, a unit of Britain's eavesdropping agency, GCHQ. AWS refers to Amazon Web Services, the company's cloud-computing unit.
"The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us," it said. Apple's recently retired general counsel, Bruce Sewell, told Reuters he called the FBI's then-general counsel James Baker last year after being told by Bloomberg of an open investigation into Super Micro Computer, a hardware maker whose products Bloomberg said were implanted with malicious Chinese chips. "I got on the phone with him personally and said, 'Do you know anything about this?," Sewell said of his conversation with Baker. "He said, 'I've never heard of this, but give me 24 hours to make sure.' He called me back 24 hours later and said 'Nobody here knows what this story is about.'" The U.S. Department of Homeland Security said on Saturday that it too had no reason to doubt statements from companies that have denied the Bloomberg report.
"The Department of Homeland Security is aware of the media reports of a technology supply chain compromise," DHS said in a statement. "Like our partners in the UK, the National Cyber Security Center, at this time we have no reason to doubt the statements from the companies named in the story," it said.
"The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us," it said. Apple's recently retired general counsel, Bruce Sewell, told Reuters he called the FBI's then-general counsel James Baker last year after being told by Bloomberg of an open investigation into Super Micro Computer, a hardware maker whose products Bloomberg said were implanted with malicious Chinese chips. "I got on the phone with him personally and said, 'Do you know anything about this?," Sewell said of his conversation with Baker. "He said, 'I've never heard of this, but give me 24 hours to make sure.' He called me back 24 hours later and said 'Nobody here knows what this story is about.'" The U.S. Department of Homeland Security said on Saturday that it too had no reason to doubt statements from companies that have denied the Bloomberg report.
"The Department of Homeland Security is aware of the media reports of a technology supply chain compromise," DHS said in a statement. "Like our partners in the UK, the National Cyber Security Center, at this time we have no reason to doubt the statements from the companies named in the story," it said.
They contain Xeon chips (Score:2, Informative)
Therefore, their systems have backdoors.
Re: (Score:3)
Re: (Score:2)
You know AMD has the exact same thing in their chips?
Re: (Score:3)
There ya cheeky cunt https://en.wikipedia.org/wiki/... [wikipedia.org]
The big short (Score:1)
Someone at Bloomberg shorting Supermicro stock?
Re: (Score:1)
It's become clear (Score:1)
This "Chinese cyber attack" is just a fake story planted by the Trump administration. It's the first step in blaming upcoming election rigging on China instead of our good friend Putin, who will be doing all he can to subvert the outcome.
Expect more manufactured evidence in the near future. Yellowcake anyone?
Re: (Score:2)
You're confusing issues here. Believe it or not, not everything is about Trump.
Now we have to assume any hostile country which *could* interfere with our elections would. The thing is nobody has produced any evidence that China has done so. We know for a fact that both psy-ops and hacking operations out of Russia have targeted US political systems. If evidence emerged that China was doing so we'd have to take it seriously, but all indications are that China remains focused on economic and technological
No, this IS a Trump related issue on that basis (Score:1)
"The thing is nobody has produced any evidence that China has done so" Yet Trump asserts it happened without evidence, continues to deny Putin meddled which directly put Trump in power. = Trump is beholden to Putin, period.
Re: (Score:2)
I'm not disputing that, but it has nothing to do with the chips in Apple's servers.
Re: (Score:2)
You're confusing issues here. Believe it or not, not everything is about Trump.
But that's what Trump keeps saying. You mean he's lying?
Re: It's become clear (Score:2)
Or, the Trump administration is trying to make Bloomberg look like fake news.
Careful wording (Score:4, Informative)
First - given the unusually specific, no-bones-about-it wording used by Apple in their denial, I believe their statement. Some of the other companies, though, seemed to be giving themselves a bit of maneuvering room.
But both the UK’s and US’s spy agency statements basically just say “we have seen no evidence as of yet”. It’s a very careful statement which doesn’t really mean much.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Not quite. The wording with PRISM denials was a bit more ambiguous, e.g. we have never given government agencies "direct" access to data, etc. Google stated "From time to time, people allege that we have created a government ‘back door‘ into our systems, but Google does not have a ‘back door’ for the government to access private user data." Yeah that's because Google didn't create the back door, the government did.
Here Apple and Amazon seem to be much more categorically denying su
Re: (Score:2)
It’s a very careful statement which doesn’t really mean much.
No it's not. It's a specific statement which means exactly what it says. You won't get outright denials from anyone as it would be stupid to deny this as it falls into the classic category of trying to prove a negative.
Can you prove a negative? Can you say right now that your computer doesn't have any malware on it? I'm sure you can say that you've not seen any evidence of malware, but can you *prove* it?
Need help from nerds (Score:5, Interesting)
I don't trust Bloomberg for technical issues like this.
Any ideas what I should be looking for?
Re:Need help from nerds (Score:5, Informative)
The chips were for inserting exploitable code/backdoors into firmware. There will be no "command and control" going on unless somebody targets your box.
6 pins... PIC chips were used for something similar 20 years ago for Playstations - inserting a sequence along a serial line. In this case, probably intercepting/modifying something on a JTAG line or an I2C bus. It might even be sophisticated enough to return the original bit of code it was meant to replace on a flash memory read (if done serially). It requires explicit knowledge of the hardware and software, and likely was enabled by insiders (as was the design that allowed them to install the chip)
Re: (Score:3)
Re:Need help from nerds (Score:5, Informative)
Without intimate knowledge on the circuit boards original design, it would be next to impossible to find anything differing from the original.
In other words you would need a before and after to compare with each other.
The SuperMicro systems you and I have were designed to be sold to the general public, so there's next to no way in hell SM will be giving out their board layout files.
That's part of the stories problem, it explicitly names a few huge cloud providers who ARE privy to such info.
Perhaps a more basic or even a special model, but Apple and Amazon make their own huge customization to those designs to send back to SM and essentially order millions of them to be made.
Bloomberg is claiming some of his anonymous sources are involved with those companies and designing their custom systems, so in those companies cases they do have a "before" cad file to start from.
The anonymous sources are making claims that the original custom cad file and the actual manufactured servers they order differ from each other by this one chip.
So unless you work at a company large enough to get this kind of treatment from manufacturers like super micro, there's no way for us to know. And if you are, go talk to your engineers, they likely already did this with numerous machines and beat you to the punch.
Super micro could know by comparing their cad files to what's being sold, presuming they aren't in on this officially. I'd say either option would destroy their reputation so badly however it's unlikely they would admit it even if they weren't involved but found out, and zero chance they would admit it if they were involved.
Re: (Score:2)
That why most more advance nations use collection methods to get data out that will never get seen on the "internet".
Re: (Score:3)
As others have stated, it's nothing you're likely to discover.
It would be absolutely silly to establish a nailed-up (or even periodic) command-and-control connection. Too easy to find.
It would likely do something at a per-determined time, after so many hours of operation, etc. to insure it passed all pre-installation checks. Maybe e.g. on the 2nd firmware update, add a little something "extra".
Curious if your servers have a separate Ethernet port for the management processor? If not, that's a major security
Re: (Score:2)
A) Yes, all our HP and SuperMicro Servers have a separate management port that we do not use. We don't have that many to manage.
In Other News (Score:1)
The ISIS news organization of Afghanistan vehemently agrees with the statements of the US corporations, saying: "Although we lack we capability of unobstructed travel to the said facilities where these systems have supposedly been installed and physical access to the affected systems boards, we see no reason not to vehemently agree with the statements made relating to this issue."