Huawei has established itself as a solid provider of ICT infrastructure technologies across consumer, carrier and enterprise markets worldwide. CIOs and IT leaders should utilize this research to familiarize themselves with Huawei’s “all-cloud” strategy and ecosystem development….
Gartner subscribers can access this research by clicking here.
http://arstechnica.com/information-technology/2015/02/how-hackers-could-attack-hard-drives-to-create-a-pervasive-backdoor/ By Sean Gallagher Ars Technica Feb 18, 2015 News that a hacking group within or associated with the National Security Agency compromised the firmware of hard drive controllers from a number of manufacturers as part of a 14-year cyber-espionage campaign has led some to believe that the manufacturers were somehow complicit in the hacking—either by providing source code to controller firmware or other technical support. But it’s long been established that hard drive controllers can be relatively easily reverse-engineered without any help from manufacturers—at least, without intentional help. Despite keeping hardware controller chip information closed, hard drive manufacturers’ use of standard debugging interfaces makes it relatively simple to dump their firmware and figure out how it works—even inserting malicious code that can trigger specific behaviors when files are accessed. Reverse-engineering it to the point of creating a stable alternative set of firmware for multiple vendors’ hard disk controllers that also includes persistent malware, however, is a significant feat of software development that only the most well-funded attacker could likely pull off on the scale that the “Equation group” achieved. Hard drive controller boards are essentially small embedded computers unto themselves—they have onboard memory, Flash ROM storage, and a controller chip that is essentially a custom CPU (usually based on the ARM architecture). They also generally have diagnostic serial ports, or other interfaces on the board, including some based on the JTAG board debugging interface. Using software such as Open On Chip Debugger (OpenOCD), you can even dump the “bootstrap” firmware from the controller and analyze it with an ARM disassembler. […]
http://www.wired.com/2015/02/americas-cyber-espionage-project-isnt-defense-waging-war By Kevin Poulsen Threat Level Wired.com 02.18.15 “What we really need is a Manhattan Project for cybersecurity.” It’s a sentiment that swells up every few years in the wake of some huge computer intrusion—most recently the Sony and Anthem hacks. The invocation of the legendary program that spawned the atomic bomb is telling. The Manhattan Project is America’s go-to shorthand for our deep conviction that if we gather the smartest scientists together and give them billions of dollars and a sense of urgency, we can achieve what otherwise would be impossible. A Google search on “cyber Manhattan Project” brings up results from as far back as 1997—it’s second only to “electronic Pearl Harbor” in computer-themed World War II allusions. In a much-circulated post on Medium last month, futurist Marc Goodman sets out what such a project would accomplish. “This Manhattan Project would help generate the associated tools we need to protect ourselves, including more robust, secure, and privacy-enhanced operating systems,” Goodman writes. “Through its research, it would also design and produce software and hardware that were self-healing and vastly more resistant to attack and resilient to failure than anything available today.” These arguments have so far not swayed a sitting American president. Sure, President Obama mentioned cybersecurity at the State of the Union, but his proposal not only doesn’t boost security research and development, it potentially criminalizes it. At the White House’s cybersecurity summit last week, Obama told Silicon Valley bigwigs that he understood the hacking problem well—“We all know what we need to do. We have to build stronger defenses and disrupt more attacks”—but his prescription this time was a tepid executive order aimed at improving information sharing between the government and industry. Those hoping for something more Rooseveltian must have been disappointed. On Monday, we finally learned the truth of it. America already has a computer security Manhattan Project. We’ve had it since at least 2001. Like the original, it has been highly classified, spawned huge technological advances in secret, and drawn some of the best minds in the country. We didn’t recognize it before because the project is not aimed at defense, as advocates hoped. Instead, like the original, America’s cyber Manhattan Project is purely offensive. […]
http://www.intelligentutility.com/article/15/01/what-every-utility-should-know-about-new-physical-security-standard By William E. Reiter intelligentutility.com Jan 29, 2015 On April 16, 2013, an incident in San Jose, California, led to development of a new physical security standard for owners and operators of transmission stations and substations. In the 2013 incident, a sniper attack on a Pacific Gas & Electric transmission substation knocked out 17 large transformers that powered Silicon Valley. The sniper attack served as a dramatic wake-up call for the industry and raised fears regarding the vulnerability of the nation’s power grid to terrorist attack. The more than 160,000 transmission line miles that comprise the U.S. power grid are designed to handle natural and man-made disasters, as well as fluctuations in demand; but what about physical attack? As a result of the San Jose assault, the Federal Energy Regulatory Commission (FERC) in April 2014 required the North America Energy Reliability Corporation (NERC) to establish Critical Infrastructure Protection (CIP) standards to “address physical security risks and vulnerabilities related to the reliable operation” of the bulk power system. NERC developed and issued what is now commonly referred to as CIP-014-1. This is a physical security standard that has a stated purpose to identify and protect transmissions stations and transmission substations and their associated primary control centers that—if rendered inoperable or damaged as a result of a physical attack—could result in uncontrolled separation or cascading within an interconnection. […]