
SC World Congress: The danger of “value-added features”

October 13, 2009

The supply chain is now interlinked globally, so it's near impossible to trace the source of some components, said Verizon's Marcus Sachs at an opening session of SC World Congress.

Sachs, executive director for government affairs, national security policy at Verizon, and formerly a member of the CSIS Commission on Cyber Security for the 44th Presidency, began his talk by pointing out that an interesting problem in computer security arises because of the supply chain.

“Could a malicious actor poison the supply chain?” he asked the crowd at a morning session of SC Magazine's second annual SC World Congress, being held in New York. “Do we know where it came from?”

The world is globalized, he said, and is no longer isolated with an assurance that all components of electronic devices are manufactured in the United States, and therefore accompanied with at least some measure of trust. Rather, materials are manufactured all over the world now, and the United States is completely interlinked, Sachs said.

Though there's not necessarily anything wrong with that -- in fact, the United States has been doing this for decades -- the problem now is tracking the source, Sachs said. With a domestic distributor, a verifiable chain is available where inspectors can check a factory, for instance, for irregularities.

“Where it gets fishy,” he said, “is when you have a product made overseas and it then goes through a distributor, like eBay, where it's not so easy to track or identify.”

This could be surplus equipment, such as laptops advertised at 20 percent off retail price. The product says brand new, but it's really not possible to verify what we are getting, Sachs said.

“We have no idea where it's coming from,” he said.

This applies to source code as well.

"Where is Microsoft code written?" he asked. The answer: Not necessarily Redmond, Wash., where the software giant is based.

The problem with this development is that there can be trouble when ordering parts from unknown entities, Sachs said.

"I can go to GSA.gov and look at different vendors and order through a GSA-approved vendor," he said. "That vendor might pass off to a sub, who might pass off to another sub, etc. It looks like an approved purchase, but it might get poisoned somewhere down the chain because of where it was physically sourced."

The United States understands how to control physical shipping, Sachs said. What's missing is an equivalent process for the virtual world.

“How do we apply that process to the new world of counterfeit software and hardware?” Sachs said. “Is there a way to detect a 'value-added' feature?”

By that, he meant software that may work as advertised, but could come with a keylogger trojan embedded.

He presented as an example the fact that TomTom shipped a batch of GPS devices in October 2006 that included malware that could infect users' computers.

The past two Christmases, the SANS Internet Storm Center, where Sachs volunteers, was alerted to a digital photo frame that blue-screened computer customers when plugged into a USB port. The problem was traced back to Wal-Mart and Sam's Club. Wal-Mart's IT team got involved and traced the supply chain to a distributor in Alabama. They were then able to determine that the devices were made in China.

So what can be done? One of the solutions Sachs proposed involved the need to educate people on social differences. One piece of good news is that the U.S. government recognizes this is a problem, he said.

“We can't shut down the factories overseas,” he said, so the solution requires collaboration. Sachs predicted that as soon as the spotlight on health care reform quiets down, security will again be the focus of legislation.
