Tuesday, January 19, 2010

The recent episode of hacking against Google and other US companies highlights an emerging problem: supply chain security. Since US consumers, corporations, and the military import most of their electronic gadgets from overseas, it is highly advantageous for hackers to plant viruses and sleeper exploits in the gadgets themselves, or in their components, at some point during the production/distribution cycle.

A year ago, Insignia digital picture frames were pulled from shelves and online sites after Best Buy learned they could be carrying a virus. Digital frames from Advanced Design System, Digital Spectrum, and Castleton were also reported to be infected at the time. But digital frames aren't the only electronic items found to carry a hidden payload. Other malware-infected devices have included MP3-playing sunglasses, a flip video camera, and Maxtor external hard drives, according to the SANS Internet Storm Center.*

Products and components are now "intelligent": by design, their behavior changes over the lifetime of the system, e.g. by hosting or executing new software. The old supply chain security and quality control took care of material or structural defects. The new discipline should learn how to deal with threats that are much more intelligent and fluid.

* I remember an episode from my work at a Fortune 500 corporation when I had to re-image a new laptop. I did a clean install, but the first thorough virus scan of the system revealed a backdoor trojan that came "pre-packaged" on an official corporate OS distribution disc.

tags: security, information, control, system, evolution, computers, google
