Cisco posts kit to empty houses to dodge NSA chop shops

Kit sent to SmallCo of Nowheresville to avoid NSA interception profiles


Cisco will ship boxes to vacant addresses in a bid to foil the NSA, security chief John Stewart says.

The dead drop shipments help to foil a Snowden-revealed operation whereby the NSA would intercept networking kit and install backdoors before boxen reached customers.

The interception campaign was revealed last May.

Speaking at a Cisco Live press panel in Melbourne today, Stewart says the Borg will ship to fake identities for its most sensitive customers, in the hope that the NSA's interceptions are targeted.

"We ship [boxes] to an address that's has nothing to do with the customer, and then you have no idea who ultimately it is going to," Stewart says.

"When customers are truly worried ... it causes other issues to make [interception] more difficult in that [agencies] don't quite know where that router is going so its very hard to target - you'd have to target all of them. There is always going to be inherent risk."

Stewart says some customers drive up to a distributor and pick up hardware at the door.

He says nothing could guarantee protection against the NSA, however. "If you had a machine in an airtight area ... I stop the controls by which I mitigate risk when I ship it," he says, adding that hardware technologies can make malicious tampering "incredibly hard".

Cisco has poked around its routers for possible spy chips, but to date has not found anything because it necessarily does not know what NSA taps may look like, according to Stewart.

After the hacking campaign Borg boss John Chambers wrote a letter to US President Barack Obama saying the spying would undermine the global tech industry.

Data retention

Fellow panelist Mike Burgess, chief security officer for Australia's dominant telco Telstra, says the carrier is confident it will be able to secure the swelling pools of data the nation's government will force it to collect under soon-to-be-enacted data retention laws.

The former officer with Australian sigint agency the Defence Signals Directorate said the swelling data pools will turn companies into honeypots for hackers, and staff with access to the databases as prime targets for phishing campaigns.

He was unsure how much data retention will cost the telco, but insisted that it will impose a monetary overhead and rejected claims it can be covered without much expense under existing security controls.

The impending overheads prompted telcos to write to Federal Attorney General George Brandis and Communications Minister Malcolm Turnbull requesting government coin.

Stewart points out that hacking groups are likely with sufficient time and effort be successful at targeting systems such as data retention databases.

"If a truly dedicated team is coming after you for a very long period of time, then the probability of them succeeding goes up," he says.

Telcos should not focus on the financial cost of protecting those databases and instead ensure that acceptable risk levels are met, he says. Checkbox compliance should be all but binned. ®


Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022