
Is Your Network Counterfeit? (Part 1)

The N.Y. Times headline on May 9, 2008 read, "F.B.I. Says the Military Had Bogus Computer Gear". This headline did not make me feel comfortable. The idea that the equipment, mainly Cisco knockoffs, has been employed in government networks should alarm not only the network operations staff, but the security people as well.

The Alliance for Gray Market and Counterfeit Abatement and a KPMG white paper estimate that 1 in 10 IT products sold are counterfeit. By that number, there is about $100 billion of counterfeit IT product out there.

Counterfeiting is the manufacture and/or sale of unauthorized copies of merchandise. In the case of high technology, counterfeit products may include individual components, whole parts, finished products, packaging, documentation and software. Even the cartons and boxes that finished goods are shipped in can be counterfeit.

Counterfeit products are initially sold through tightly held broker networks established by the counterfeiter. Many times the counterfeit products then enter the gray market, where they cause confusion. This raises the risk that distributors, channel partners and end users purchase and receive non-genuine goods.

The N.Y. Times article stated, "Counterfeit products are a routine threat for the electronics industry. However, the more sinister specter of an electronic Trojan horse, lurking in the circuitry of a computer or a network router and allowing attackers clandestine access or control, was raised again recently by the Pentagon and the FBI."

"The new law enforcement and national security concerns were prompted by Operation Cisco Raider, which has led to 15 criminal cases involving counterfeit products bought in part by military agencies, military contractors and electric power companies in the United States."

A total of 36 search warrants were executed over a two-year investigation. The FBI said this resulted in the discovery of 3,500 counterfeit Cisco network components with an estimated retail value of more than $3.5 million.

Cisco has investigated the counterfeit products, but could not find any back door to breach security. In my opinion this statement should have ended with "at this time". Cisco believes that the makers of the counterfeit products were after money, not aiming to break security. The cost of a real model 1721 router for the government is $1,375. The counterfeit router sold for $234. If it's that cheap then it must be made cheaply. See my next blog for the penalties for buying cheap.

The idea of breaking security by embedding code on the chips has already been demonstrated by a group of computer scientists at the University of Illinois. They presented a conference paper that detailed how the scientists modified a Sun Microsystems SPARC processor by altering the data on the chip. This chip has nearly 1.8 million circuits and is used in automated manufacturing. How do you detect a small number of added functions in such a chip?

Think of the security vulnerability this way. Would it not then be easy to cause traffic flow problems or even jam the operation of a network? Could packets be sent to the wrong destination? How about gaining unauthorized access to computers?

The N.Y. Times article also provided a link to the internal FBI PowerPoint presentation, "FBI Fears Chinese Hackers Have Back Door into US Government & Military," which was leaked to the website Above Top Secret. It includes a map of all the locations in the U.S. where the FBI discovered the counterfeit IT equipment.

The counterfeit Cisco equipment included:

  • Routers with models in the 1000 and 2000 series
  • Switches with model numbers WS-C2950-24 and WS-X4418-GB (for the CAT4000 series)
  • Gigabit Interface Converter (GBIC) model numbers WS-G5483 and WS-G5487
  • WAN Interface Card (WIC) model numbers WIC-1MFT-E1, WIC-2MFT-G703 and WIC-1DSU-T1-V2

The PowerPoint presentation pointed out that Cisco Gold and Silver partners were the ones that purchased the counterfeit equipment. The partners then sold the counterfeit equipment to the government and defense contractors. Unfortunately, Cisco's brand protection does not coordinate with Cisco's government sales, exacerbating the problem. Cisco sells indirectly through five major distributors, two of which, Comstar and Immix, sell to the government through GSA contracts. The only exceptions, where Cisco sells directly, are highly specialized equipment sales, such as those to intelligence community agencies and large telecom providers. The typical enterprise also buys its Cisco equipment through distributors.

The FBI presentation cited multiple cases showing how the counterfeit IT products entered the food chain. eBay is one of the common distribution channels. Reputable distributors were also fooled and sold the counterfeit equipment. Check out the list of distributors mentioned in the FBI presentation. Read my next blog, "The Counterfeit Network: Penalties and Prevention", for ways to detect counterfeit IT products and reduce your vulnerability to them.
