Attacks/Breaches
11/20/2008
06:11 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

China Targets U.S. Computers For Espionage, Report Warns

The 2008 Annual Report to Congress urges tighter computer security measures to prevent data loss or corruption.

The USCC report also warned about the risks posed by IT hardware manufactured abroad.

"The global supply chain for telecommunications items introduces another vulnerability to U.S. computers and networks," the report says. "Components in these computers and networks are manufactured overseas -- many of them in China. At least in theory, this equipment is vulnerable to tampering by Chinese security services, such as implanting malicious code that could be remotely activated on command and place U.S. systems or the data they contain at risk of destruction or manipulation. In a recent incident, hundreds of counterfeit routers made in China were discovered being used throughout the Department of Defense. This suggests that at least in part, Defense Department computer systems and networks may be vulnerable to malicious action that could destroy or manipulate information they contain."

Such concerns have been circulating for years in government security circles. But action may be at hand. On Tuesday, civilian and defense procurement groups published a notice in the Federal Register seeking comment on whether federal acquisition rules should be revised to require that "contractors selling information technology (IT) products (including computer hardware and software) represent that such products are authentic."

In February, the FBI announced that its ongoing anti-counterfeiting campaign had resulted in more than 400 seizures of fake Cisco equipment worth more than $76 million. A five-page FBI PowerPoint presentation dated Jan. 11, 2008, summarizes some of the agency's findings in its investigation of fake Cisco gear. It notes that fake hardware is vulnerable to supply chain subversion and attack, and could allow others to access to systems meant to be secure.

For more security insights, InformationWeek has published its 2008 Strategic Security Survey. Download the report here (registration required).

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-4801
Published: 2014-12-18
Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manager 2.x through 2.0.1.1, 3.x before 3.0.1.6 iFix 4, 4.x before 4.0.7 iFix 2, and 5.x before 5.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.