Chinese Spy Chips and Supermicro: 

I can’t imagine that the article would be made up when two of the largest companies can come after you. 

It’s career suicide to say the least. 

I can imagine that heads will roll and some side company or something will be made scapegoat. 

Something like that.  Definitely a huge risk to have traceable espionage. 

Even if it is a barely detectable chip the more boards it is in the bigger the chance it gets found out at some time statistically.

Jason H. 

If there is a conspiracy behind, a report job position is not a big sacrifice
tijl deconynck 

interesting perspective.
Liz Brooks 

As this is concerning our National Security. You don’t think people that discovered this don’t know which agencies to call with their evidence since 2015?

Comments on Chinese spy chips: 

Communism is a tool employed by the top NWO globalists.  These psychopaths love communism and socialism because it gives them nearly carte blanche to do pretty much whatever they want.  They did it to Russia, and they did it to China. 

If you think the Chinese government is “behind” this then you need to do a rethink.  America was hijacked by the same psycho organization decades ago, and the American people have been unwitting tools used by these psychos to commit mischief and mayhem all over the globe.  Remember Bush Jr.’s comment “this would be easier if it were a dictatorship”?  This wasn’t hyperbole, he was being transparent.  

These chips are not a China against America thing … they are a NWO globalist thing against national sovereignty thing.  

The Chinese people are poised to be used by the NWO just like America was.  This has always been the plan … we are just now waking up to it and just a bit too soon for comfort, and the NWO is panicking.  This is why they have been desperate to destroy Trump and the American people who are actively working to restore the republic.

Apple Cut Ties With Supplier Super Micro Computer Over Server Security Concerns

Apple cut ties with server supplier Super Micro Computer in 2016 after unearthing a potential security vulnerability in at least one of its data center servers, reports The Information.

The vulnerability in the server, which was part of Apple’s technical infrastructure powering its web-based services, was discovered in the early months of 2016. According to Super Micro senior vice president of technology Tau Leng, Apple ended its business relationship with Super Micro Computer shortly after uncovering the security issue.


Leng’s account of the incident makes it sound like Apple received bad firmware from an FTP site hosted by Super Micro that may have been infiltrated, which may have compromised the server.

According to Leng, when Apple was asked to provide the version number of the firmware it had downloaded after experiencing issues, Apple provided an invalid number. After that, Apple refused to provide more information to Super Micro.

Mr. Leng said Super Micro regularly provides firmware updates that data center customers like Apple can download from a private “FTP” site, hosted by Super Micro. He said the firmware updates come from outside chip manufacturers–in this case, a networking chip maker that he declined to name.

Sources who spoke to The Information said servers that handled Siri requests and App Store search functionality may have been compromised, but an Apple spokesperson said Apple did not receive bad firmware nor was any customer data stolen.

“Apple is deeply committed to protecting the privacy and security of our customers and the data we store,” the spokesperson told The Information. “We are constantly monitoring for any attacks on our systems, working closely with vendors and regularly checking equipment for malware.”

It’s not quite clear what caused the vulnerability that led to the end of the agreement between Super Micro and Apple, but Apple has since moved on to other server suppliers, increasing orders from ZT and purchasing servers from Inspur.

Super Micro China super spy chip super scandal: US Homeland Security, UK spies back Amazon, Apple denials

Officials: Not saying Bloomberg was wrong, we just believe biz saying Bloomberg was wrong

UPDATED UK spymasters and US Homeland Security officials have supported Western tech companies’ denials that Chinese agents were able to smuggle hidden surveillance chips into Super Micro servers.

Mainstream media megastructure Bloomberg reported last week that Beijing’s military intelligence pressured or bribed a Chinese manufacturing subcontractor of US-based Super Micro to include a small secret spy chip in the server maker’s motherboards. The supposedly grain-of-rice-sized chips were inserted to give China a backdoor into the computers, allowing data to be silently altered or stolen from afar by the Chinese government, Bloomberg’s numerous sources claimed.

Among the 30 or so organizations that apparently received these bugged machines, ranging from a major bank to US government contractors, were Apple and Amazon, according to Bloomberg’s sources. Rather than run the usual “we do not comment on rumor or speculation, especially regarding national security” lines via spokespeople, Apple, Amazon, and Super Micro issued scathing rebuttals, denying the wiretapped servers ever existed nor were ever shipped nor were ever received. They also denied holding internal investigations with the FBI.

The companies have since been backed by security agencies of two key Five Eyes nations, the UK and America. Crucially, the agencies stopped short of saying Bloomberg got it wrong – they’re just agreeing with those who claim Bloomberg got it wrong.

Britain’s National Cyber Security Center – part of spying nerve-center GCHQ – kicked off the weekend by saying: “We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS [Amazon Web Services] and Apple. The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us.”

Then on Saturday, Uncle Sam’s Department of Homeland Security concurred in no uncertain terms:

Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story. Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely.

If that was a shot, then here’s a chaser: Reuters reporting that Apple’s and the FBI’s top lawyers had no idea what Bloomberg was on about:

Apple’s recently retired general counsel, Bruce Sewell, told Reuters he called the FBI’s then-general counsel James Baker last year after being told by Bloomberg of an open investigation into Super Micro Computer Inc, a hardware maker whose products Bloomberg said were implanted with malicious Chinese chips.

“I got on the phone with him personally and said, ‘Do you know anything about this?’,” Sewell said of his conversation with Baker. “He said, ‘I’ve never heard of this, but give me 24 hours to make sure.’ He called me back 24 hours later and said ‘Nobody here knows what this story is about.’”

Infosec pros have also started criticizing Bloomberg for the lack of hard data and technical information to support the story, beyond its 17 anonymous sources. One particularly annoying thing is that the graphics used in the blockbuster article – depicting the spy chip and its placement on the board – look to be purely illustrative, making it difficult to verify the claims or even check if a server motherboard has one of Beijing’s bugs.

Top software vulnerability hunter Tavis Ormandy, of Google’s Project Zero, summed up the difficulty of believing anonymous sources versus on-the-record denials: “We can’t prove [the spy chip] doesn’t exist any more than we can prove sasquatch doesn’t exist. This is starting to feel like chemtrail territory.”

On the one hand, you have Bloomberg, which has rigorous and extremely high editorial standards: article errors requiring corrections can be career-ending. It is bonkers to think it would have screwed up a story this huge.

On the other hand, we have unusually direct denials from tech companies – the kind that if found to be lies would fall foul of securities fraud laws – and now government officials supporting those rebuttals. If tech giants and governments had spent a little less energy spinning their way out of sticky situations in the past, their statements could be taken a little more seriously.

Ultimately, at least more people are now aware of supply chain security, an area that deserves extra scrutiny. ®

Updated to add

Apple has doubled down on its denial of Bloomberg’s Super Micro spy chip bombshell in a letter this week to the US House and Senate commerce committees. Specifically, it’s addressed to the House Committee on Commerce, Science and Transportation, and the Senate Committee on Energy and Commerce.

Signed by VP for information security George Stathakopoulos, the missive provides a more detailed rebuttal of the story than Cupertino offered in its public statement last week.

Stathakopoulos wrote: “In the end, our internal investigations contradict every consequential assertion made in the article – some of which, we note, were based on a single anonymous source.

“Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server”, the letter added, and as for the FBI, Apple asserted that it didn’t contact the Feds, and the Feds didn’t contact Apple.

The letter also made the point that if the chips were exfiltrating data, they would need to communicate with the outside world.

“In the situation Bloomberg describes, the so-called compromised servers were allegedly making outbound connections. Apple’s proprietary security tools are continuously scanning for precisely this kind of outbound traffic, as it indicates the existence of malware or other malicious activity. Nothing was ever found.”

Supermicro wraps crypto-blanket around server firmware to hide it from malware injectors

BMC software updates to check code signatures after researchers hit red alert

Researchers claim to have discovered an exploitable flaw in the baseboard management controller (BMC) hardware used by Supermicro servers.

Security biz Eclypsium today said a weakness in the mechanism for updating a BMC’s firmware could be abused by an attacker to install and run malicious code that would be extremely difficult to remove.

A BMC is typically installed directly onto the motherboard of a server where it is able to directly control and manage the various hardware components of the server independent of the host and guest operating systems. It can also repair, alter, or reinstall the system software, and is remotely controlled over a network or dedicated channel by an administrator. It allows IT staff to manage, configure, and power cycle boxes from afar, which is handy for people looking after warehouses of machines.

Because BMCs operate at such a low level, they are also valuable targets for hackers.

In this case, Eclypsium says the firmware update code in Supermicro’s BMCs doesn’t bother to cryptographically verify whether or not the downloaded upgrade was issued by the manufacturer, leaving them vulnerable to tampering. The bug could be exploited to execute code that would then be able to withstand OS-level antivirus tools and reinstalls.

To do this, an attacker already on the data center network, or otherwise able to access the controllers, would need to intercept the firmware download, meddle with it, and pass it on to the hardware that will then blindly install it. Alternatively, a miscreant able to eavesdrop on and fiddle with internet traffic feeding into an organization could tamper with the IT team’s BMC firmware downloads, which again would be accepted by the controller.

“We found that the BMC code responsible for processing and applying firmware updates does not perform cryptographic signature verification on the provided firmware image before accepting the update and committing it to non-volatile storage,” says Eclypsium.

“This effectively allows the attacker to load modified code onto the BMC.”

In addition to running malware code beneath the OS level, the researchers said the flaw could also be used to permanently brick the BMC or even the entire server. Even worse, a potential attack wouldn’t even necessarily require physical access to the server itself.

“Because IPMI communications can be performed over the BMC LAN interface, this update mechanism could also be exploited remotely if the attacker has been able to capture the admin password for the BMC,” Eclypsium warned.

“This requires access to the systems management network, which should be isolated and protected from the production network. However, the implicit trust of management networks and interfaces may generate a false sense of security, leading to otherwise-diligent administrators practicing password reuse for convenience.”

Fortunately, Eclypsium says it has already reported the bug to Supermicro, who responded by adding signature verification to the firmware update tool, effectively plugging this vulnerability. Admins are being advised to get in touch with their Supermicro security contacts to get the fix in place. ®
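
The check described above, sketched as an added example (not Supermicro's or Eclypsium's code): the update path verifies a vendor signature before anything is committed to non-volatile storage. Ed25519 over a SHA-256 digest, the `Flash` type, the function names and the sample image are assumptions for illustration; the article does not say which scheme the vendor adopted.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Flash stands in for the BMC's non-volatile storage (hypothetical type).
type Flash struct{ image []byte }

var ErrBadSignature = errors.New("firmware signature verification failed")

// ApplyUpdate commits image to flash only if sig is a valid Ed25519 signature,
// made with the vendor key, over the SHA-256 digest of the image.
func ApplyUpdate(f *Flash, vendorKey ed25519.PublicKey, image, sig []byte) error {
	digest := sha256.Sum256(image)
	// ed25519.Verify panics on a wrong-sized key, so check the length first.
	if len(vendorKey) != ed25519.PublicKeySize || !ed25519.Verify(vendorKey, digest[:], sig) {
		return ErrBadSignature // reject before anything is written
	}
	f.image = append([]byte(nil), image...)
	return nil
}

// Demo signs a constructed image, then offers the update path the genuine
// image and a copy altered in transit, both with the original signature.
func Demo() (genuineOK, tamperedRejected, flashIntact bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // constructed stand-in for the vendor key pair
	if err != nil {
		return
	}
	image := []byte("constructed BMC firmware image v1.0")
	digest := sha256.Sum256(image)
	sig := ed25519.Sign(priv, digest[:]) // done once by the vendor at release time
	f := &Flash{}
	genuineOK = ApplyUpdate(f, pub, image, sig) == nil
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff // one byte changed between download and install
	tamperedRejected = errors.Is(ApplyUpdate(f, pub, tampered, sig), ErrBadSignature)
	flashIntact = bytes.Equal(f.image, image) // rejected image never reached storage
	return
}

func main() {
	fmt.Println(Demo())
}
```

The verification key has to live in storage the update itself cannot rewrite; otherwise a modified image can simply ship its own key.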
