Foreign companies sold tampered technology to the U.S. government
November 8, 2012
It was recently discovered that a record number of technology products used by the U.S. military and dozens of other federal agencies are fake and have been tampered with.
The news is troubling, and it opens up a whole slew of national security risks, from dud missiles to short-circuiting airplane parts, all the way to cyberespionage on a scale never seen before.
Despite numerous laws designed to discourage counterfeiters and to crack down on them, suppliers labeled by the U.S. government as high risk are increasing their sales to federal agencies. Their presence in the government's supply chain has soared 63.2 percent since 2002, according to a new study released by IHS, a supply chain management consultancy.
Overall, government suppliers with the high-risk branding are known to engage in counterfeiting, wire fraud, product tampering and a long list of other illicit and illegal behaviors.
In 2011 alone, no less than 9,540 banned businesses were found to have sold technology to the U.S. government. Roughly 10 percent of those incidents involved counterfeit parts or equipment.
"What keeps us up at night is the dynamic nature of this threat, because by the time we've figured out how to test for these counterfeits, they've figured out how to get around it," said Vivek Kamath, head of Raytheon's supply chain operations.
"It's literally on almost a daily basis that they change things around. The sophistication of the counterfeiting is amazing to us," he added.
The number of fake tech products floating around in the market quadrupled from 2009 to 2011, according to IHS, and they're sneaking into some high-profile places as well.
In September 2010, the Missile Defense Agency found that the memory in a high-altitude missile's mission computer was counterfeit. Fixing the issue cost $2.7 million. Had the missile been launched, it most likely would have failed, the agency said.
Two years earlier, the FBI seized no less than $76 million of counterfeit Cisco routers that the Bureau said could have provided Chinese hackers a backdoor into U.S. government networks.
A number of government agencies bought the routers from an authorized Cisco vendor, but that legitimate vendor purchased the routers from a high-risk Chinese supplier.
China continues to be the largest source of counterfeit and pirated goods found in the United States, accounting for 62 percent of the $178 million in products (with an estimated retail value of $1.1 billion) that the U.S. Customs and Border Protection agency seized in 2011.
Some in Congress have pushed for a crackdown, but it's too little, too late, say some observers. "Counterfeit parts pose an increasing risk to our national security, to the reliability of our weapons systems and to the safety of our men and women in uniform," said Senator John McCain, a Republican from Arizona.
There are lots of rules and systems that are already in place to protect the government's supply chain. The U.S. General Services Administration has a database of about 90,000 risky suppliers that government agencies are required to check against when ordering parts.
The key to the puzzle is getting people to use those resources. "Policies and procedures just aren't being followed," said Rory King, supply chain director at IHS, which provides supply chain management tools for the government and other clients.
"It's actually pretty simple to do-- it's just a matter of needing better education, awareness and training," he added.
The good news is that some U.S. government agencies are fighting back, and fighting back hard. For example, NASA is widely viewed as having taken a lead in anti-counterfeiting by completely vetting its suppliers, giving each a score to help its procurement officials pick the lowest-risk vendors.
The agency also requires its suppliers to show proof that they have various government and vendor certifications, and it resurveys its suppliers every three years.
Even after that, all of NASA's incoming parts are still inspected. Counterfeit parts aren't just a government issue. Consumer electronics topped the Homeland Security Department's pirated goods list last year-- the first time since 2004 that shoes weren't No. 1 on the list.
They're popping up in every segment of the market, including wireless devices, PCs and even automobiles. Common issues include short-circuits, failures in unusually hot or cold temperatures, and systems that simply don't boot up.
That's bad news whether it's in a missile defense system or a medical respirator or just a simple cell phone. "There's an enormous amount of risk associated with counterfeit parts, not just to the men and women of our armed services, but for consumers as well," King said.
"Military and aerospace get the majority of attention, but if a counterfeit part were to escape into a minivan's braking system, you've got a huge issue on your hands," he added.
In other internet security news
According to a new study recently released, hackers exploit security vulnerabilities in software for about ten to eleven months, on average, before the full details of the security issues become public.
Researchers from Symantec say that these zero-day attacks, so called because they are launched well before security firms and vendors are even aware of the vulnerabilities, are more prevalent and more potent than previously believed.
Zero-day exploits are often closely guarded secrets, for the simple reason that they can be very valuable to attackers. Once the details of the exploited security flaws emerge in public, however, application developers and system admins alike can rapidly get to work to mitigate or halt the attacks dead in their tracks.
But in today's imperfect cyber world, this comes at a huge price-- public disclosure also tips off the world that these security vulnerabilities exist in systems.
Case in point-- Leyla Bilge and Tudor Dumitras, both of Symantec Research Labs, identified no less than eighteen zero-day attacks between January 2008 and December 2011, and eleven of them were previously undetected.
"A typical zero-day attack lasts an average of about 312 days and, after vulnerabilities are disclosed publicly, the volume of attacks exploiting them increases by up to five orders of magnitude," the security researchers note.
The study is based on data from customers who had opted into Symantec's anti-virus telemetry service.
A paper on the research, "Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World", was presented at the ACM Conference on Computer and Communications Security in Raleigh, North Carolina last week.
In other internet security news
U.S. federal police and the Department of Justice (DoJ) are increasingly gaining real-time access to Americans' social network accounts, such as Twitter, Facebook and Google+, before obtaining search warrants, newly released documents reveal.
And the numbers are dramatic-- live interception requests made by the U.S. Department of Justice to social-networking sites and email providers jumped over 80 percent from 2010 to 2011 alone, and the trend is still rising.
Documents the ACLU released yesterday reveal that U.S. federal police are using a 1986 law originally intended to tell police what phone numbers were dialed for far more invasive surveillance-- monitoring of whom specific social-network users communicate with, what IP addresses they're connecting from, and perhaps even likes and +1s.
The DoJ conducted 1,662 live intercepts on social networks and email providers last year, up from 922 a year earlier, the documents show.
The ACLU hopes that the disclosure of the documents it sued to obtain under the Freedom of Information Act will persuade Congress to tighten up the requirements for police to intercept "noncontent" data -- a broad category that excludes e-mail messages and direct messages.
The current legal standard "allows the government to use these powerful surveillance tools with very little oversight in place to safeguard Americans' privacy," says Catherine Crump, an ACLU staff attorney.
And it could work. On September 25, Rep. Zoe Lofgren, D-Calif., introduced a new bill that would require police to get warrants to access Americans' email and track their mobile phones. But last week, senators delayed a vote on a similar bill after law enforcement groups vehemently objected to it.
The U.S. DoJ didn't immediately respond to questions about social-network surveillance. We'll update this story if we receive a response.
It still isn't clear just how many of those 1,662 real-time intercepts last year -- which do require a judge's approval -- targeted social networks, and how many were aimed at email providers.
Traditional phone intercepts remain far more frequent-- for example, the U.S. Marshals Service says that 409 of its noncontent intercepts were for internet service providers, while 14,568 were for telephone call data.
The largest number of them fell into the fugitive-finding category, including parole or probation violations. To perform noncontent intercepts on social networks, police must generally seek court authorization for a pen register or trap and trace order, both of which are terms borrowed from decades-old surveillance law.
They were originally designed to allow law enforcement to easily collect the phone numbers associated with incoming and outgoing calls, and were extended to the Internet by the Patriot Act eleven years ago.
However, the Patriot Act didn't make it any more difficult for law enforcement to ask for such an order. Police must merely claim their request is "relevant" to an ongoing investigation. A search warrant, by contrast, requires probable cause, and a live wiretap order is even more privacy-protective.
What's also unclear is what kind of real-time data police are seeking from social networks through these orders. It's clear that they can obtain the current IP address of a Facebook user, for instance, and the port number, which is increasingly important.
But it's less clear whether a "+1" or information about a user's circle of friends would be permitted. And the wording of that section of the Patriot Act is broad rather than narrow. It says that police can demand all "routing" or "addressing" information that's transmitted through an Internet service or that's "likely to identify the source of a wire or electronic communication."
Christopher Soghoian, principal technologist with the ACLU's Speech, Privacy and Technology Project, says: "This is a very invasive surveillance technology. We don't even have a feel for how broadly it's currently being used, and that's only part of the issue."
In other internet security news
Virus and malware creators say they are now experimenting with Google's Go as a potential programming language for creating malware and viruses.
The Encriyoko Trojan uses components written in Go, a compiled language developed by Google. It first emerged from the company more than three years ago. Once installed on a Microsoft Windows PC, the Trojan attempts to use the 'Blowfish' algorithm to encrypt all files matching various criteria including particular document types and a range of file sizes.
The exact key used to encrypt the data is either pulled from a particular file on the D: drive or is randomly generated. This renders the information useless to its owner if the cipher key cannot be recovered.
"Restoration of the encrypted files will be difficult, if not impossible," Symantec warns about the Trojan. The malware is circulating in the wild, and disguises itself as a tool to root Samsung Galaxy smartphones-- a process that would otherwise allow customized operating systems to be installed on the phones.
It's possible that the unknown virus writers are simply using a programming language they've taken a liking to. "Go could also be more resilient to reversing attempts by researchers as it isn't really mainstream for now. The latter may be more a perception by the coders than in reality."
It goes without saying that Google needs to look into this very rapidly in order to prevent the potential creation of viruses and other malware that could severely impede systems and then propagate to multiple networks.
In other internet security news
The U.K.'s Government Communications Headquarters (GCHQ), the actual nerve center for eavesdropping police in England, has launched a new initiative to better persuade tech-savvy British citizens to help defend their own country against potential hackers and cyber attackers.
Government officials at the GCHQ are going after cyber crooks aged 16 and over who are not already working in computer security and could possibly guard the country's networks against the hacking ambitions of hostile states, cyber criminals and so-called script kiddies.
But candidates must first triumph in a 'Balancing the Defense' game. The participants will analyse a fake government network for possible paths of intrusion, help determine the potential threats it faces and suggest new ways to defend it, all while taking into account the increasingly budget-conscious climate in the U.K.
Participants will have just one week, starting on October 1st, to be briefed on the scenario and submit their report. "We hope that this competition will uncover those who have the vital mix of technical ability and business awareness to make tough decisions in the best interest of an organization," said Joen Karl, the architect of the competition.
"At the GCHQ, we are really committed to finding and developing new cyber security skills in the U.K., and these are the skill sets that employers, including ourselves, are most interested in," he added in a statement.
This latest test is part of the Cyber Security Challenge program, which was started in 2010. Winners of the Balancing the Defense round will be invited onto the next stage of the program, a face-to-face competition that will further whittle down the candidates.
Another virtual competition will follow, after which the remaining contenders will get a real-life challenge with an Aston Martin Racing team and the IT infrastructure the crew relies on.
The final few will reach a Masterclass and Awards weekend in March, where a "range of career enhancing prizes" will be on offer. The GCHQ people didn't specifically say that any employment post was waiting for anyone, mentioning bursaries, university courses and internships instead.
The eavesdropping collective may be a bit embarrassed to admit how much one of their crack specialists would earn, since another of its competitions, Can You Crack It?, yielded a job with a starting salary of just £25,000.
Then again, a number of GCHQ's code-cracking conundrums have had hidden solutions within the main puzzle for top-notch spy wannabes to crack and stand out from the humdrum candidates.
In other internet security news
The court case against Wikileaks founder Julian Assange may be on the brink of collapse following claims from the defense team that the central piece of evidence used in the case does not contain Assange's DNA, which the defense says is required for the case to proceed any further.
But it gets more complicated than just that. According to various details that have emerged in a 100-page police report submitted *after* witnesses were interviewed and forensic evidence had been examined, the condom submitted for evidence by one of the key alleged sexual assault victims does not contain Assange’s DNA.
Assange’s legal team have alleged that the lack of conclusive DNA evidence suggests that fake evidence may have been submitted and is calling the entire process into question.
The reason we are publishing this news story today is that the U.S. government and other countries are widely expected to bring Assange to trial for the many thousands of leaks to the internet of sensitive information that could endanger the national security of those countries, beginning with the United States.
The Swedish prosecutor's office has yet to publicly comment on the report on the sexual assault allegations. Assange currently remains in the Ecuadorian Embassy in London after being granted asylum, as he fights the claims and extradition to Sweden.
Meanwhile, in Australia, and as a symbolic show of support, leaders of an Aboriginal group issued a passport to Assange. The Indigenous Social Justice Association is fighting for sovereignty within Australia and claimed that it wanted to forge solidarity with Assange, who has been largely unsupported by the Australian government.
The passport, which isn't valid under Australian law, was issued to Assange's estranged father. We will keep you posted on this important case, since it is one that has been highly publicized over the past eighteen months or so, and one that is sure to gain a lot of momentum going forward.