Cisco posts kit to empty houses to dodge NSA chop shops
Kit sent to SmallCo of Nowheresville to avoid NSA interception profiles
Cisco will ship boxes to vacant addresses in a bid to foil the NSA, security chief John Stewart says.
The dead drop shipments help to foil a Snowden-revealed operation whereby the NSA would intercept networking kit and install backdoors before boxen reached customers.
The interception campaign was revealed last May.
Speaking at a Cisco Live press panel in Melbourne today, Stewart says the Borg will ship to fake identities for its most sensitive customers, in the hope that the NSA's interceptions are targeted.
"We ship [boxes] to an address that has nothing to do with the customer, and then you have no idea who ultimately it is going to," Stewart says.
"When customers are truly worried ... it causes other issues to make [interception] more difficult in that [agencies] don't quite know where that router is going so it's very hard to target - you'd have to target all of them. There is always going to be inherent risk."
Stewart says some customers drive up to a distributor and pick up hardware at the door.
He says nothing could guarantee protection against the NSA, however. "If you had a machine in an airtight area ... I stop the controls by which I mitigate risk when I ship it," he says, adding that hardware technologies can make malicious tampering "incredibly hard".
Cisco has poked around its routers for possible spy chips, but to date has not found anything, because it has no way of knowing what NSA taps would look like, according to Stewart.
After the hacking campaign Borg boss John Chambers wrote a letter to US President Barack Obama saying the spying would undermine the global tech industry.
Fellow panelist Mike Burgess, chief security officer for Australia's dominant telco Telstra, says the carrier is confident it will be able to secure the swelling pools of data the nation's government will force it to collect under soon-to-be-enacted data retention laws.
The former officer with Australian sigint agency the Defence Signals Directorate said the swelling data pools will turn companies into honeypots for hackers, and make staff with access to the databases prime targets for phishing campaigns.
He was unsure how much data retention will cost the telco, but insisted that it will impose a monetary overhead and rejected claims it can be covered without much expense under existing security controls.
The impending overheads prompted telcos to write to Federal Attorney General George Brandis and Communications Minister Malcolm Turnbull requesting government coin.
Stewart points out that hacking groups, given sufficient time and effort, are likely to succeed in targeting systems such as data retention databases.
"If a truly dedicated team is coming after you for a very long period of time, then the probability of them succeeding goes up," he says.
Telcos should not focus on the financial cost of protecting those databases and instead ensure that acceptable risk levels are met, he says. Checkbox compliance should be all but binned. ®