[SCADASEC] Fw: Re: Counterfeit Cisco Gear and the damage caused by EBay's system

Bob Radvanovsky rsradvan at unixworks.net
Thu May 15 00:45:18 CDT 2008


This was cross-posted on the American Bar Association's Information Security Committee (ISC) mailing list.

PLEASE take it for what it is...a 'rant'.  But...this is from a non-SCADA, non-technical individual's perspective, too.  THAT is what makes it so interesting...

I have *removed* the email addresses to provide some level of privacy to those who posted on the other mailing list.

Enjoy.

-rad

----- Original Message -----
From: xxx
To: xxx
Subject: Re: Counterfeit Cisco Gear and the damage caused by EBay's system


> After I catch up on my e-mails (and my sleep), I will post some hopefully
> interesting observations from the IEEE Homeland Security conference in
> Waltham, MA, Monday and Tuesday, but this subject came up in my session
> concerning the SCADA infrastructure and the various security problems it
> presents. 
> 
> When someone asked what could be done about the problem, I said that I would
> like to see ALL hardware that was at all security-relevant, certainly
> including routers and similar gear, be sealed and tamper-evident in
> accordance with FIPS 140-2 Level 3 physical security standards, even for
> non-crypto gear.  
> 
> We no longer replace tubes, individual transistors, or even daughter boards
> in most cases.  It simply isn't economical -- by the time the equipment
> fails, it is generally obsolete.  (An exception might be made for power
> supplies and disk drives.)
> 
> So seal the entire unit in epoxy, and be done with it.
> 
> Then, inside the unit, include a small security processor such as the SPYRUS
> Rosetta Micro (about 5mmx6mm), which can be programmed by the ON-SHORE
> manufacturer to contain a highly secure private key and a matching public
> key, preferably at least ECC P-256 for speed and strength, but RSA-1024
> would be better than nothing.  Then a standard type of challenge and response
> protocol can be used to validate the authenticity of the unit.
> 
> <Warning -- technological/economic/political rant ahead!>
> 
> Of course, from a domestic security perspective, if the unit is manufactured
> in China, regardless of where it might have been designed, then it is hardly
> worth worrying about counterfeiting, as the security damage is potentially
> baked-in from the beginning. This is perhaps THE most serious consequence of
> globalization, and one that perhaps even exceeds the criticality of the
> issue of the loss of jobs due to off-shoring, and the subsequent balance of
> payments problems when we import the same goods that used to be manufactured
> here in the U.S.  The recent case where a rather nasty virus was shipped in
> Maxtor/Seagate drives that would phone home to some IP address in China was
> instructive, whether or not it was done at the behest of the Chinese
> Government -- it could equally have been done by the Russian "mafia."
> 
> Then we borrow the money back from China that we just paid them for what
> used to be our goods, so that we can purchase oil from other off-shore
> sources, virtually all of them despotic and many our current or at least
> potential enemies.  In the meantime, the value of the dollar vs. other
> currencies has declined substantially due to the trade imbalance, so it
> isn't terribly surprising that the cost of gas has nearly doubled over the
> last year or so.  But it doesn't appear that ANY of the Presidential
> candidates understand economics even at this superficial level, or else they
> don't want to discuss the hard realities.
> 
> Instead, the news media worries about whether someone wears a flag pin in
> their lapel, and whether saving 18 cents a gallon by waiving the Federal gas
> tax would make a significant difference.  I came back through
> Minneapolis/St. Paul and talked to a number of people there, people who
> clearly remembered the I-35 bridge collapse.  They were certainly far
> from willing to starve the Federal Highway Administration of already
> inadequate funds -- some projects actually deserve to be funded, and even
> have their funding increased, even if it results in an unpopular tax
> increase.  And as a driver who frequents I-880, Rt. 101, and I-80 rather
> often, I completely agree.  But no one is willing to say such things
> publicly.  To put things into perspective, the cost of gasoline in Sweden
> is 13 crowns, or about $2 PER LITER, or more than $8 per gallon! And both
> the 12 ounce Starbucks coffee and the 16 oz water bottle I bought in the
> airport today cost about $24 a gallon!  Proposing to save 18 cents per
> gallon for a couple of months this summer, at the cost of further starving
> our crumbling infrastructure is the most fragrant form of election-year
> pandering I have ever heard, and both Sen. McCain and Sen. Clinton ought to be
> roundly criticized, IMHO.  But people will probably say, "See, both the
> Republican and Democrats agree that it is a good idea!"
> 
> To give the devil his due, one of the things that the conference made
> abundantly clear is that the policy and funding problems involved with
> serious technical issues, including Cyber Security, are FAR more difficult
> to solve than the technology problems.  Maybe you have to reach a certain
> age, or at least a certain rung on the Peter Principle ladder to begin to
> recognize this.
> 
> However, if some of the senior people are obviously clueless about the
> technical problems, and continue to mumble about "gap analysis" rather than
> establishing funding priorities (as was dramatically the case of the last
> minute stand-in for John Marburger, the President's Science Advisor, who is
> undergoing a second round of chemotherapy for non-Hodgkin's lymphoma and
> couldn't attend.)  Whoever she was, she stood up and essentially read off
> the entire Federal Government organization chart in the area of Science and
> Technology, complete with all of the committee acronyms, sans any viewgraphs
> at all. It amounted to an hour-long, content-free briefing. She was given a
> polite round of applause, but should really have been booed off the stage,
> in the opinion of most of the people I talked to.
> 
> The most cogent question from the audience was something to the effect, "So
> you are spending $8 billion to protect against a nuclear missile launch.
> How much are you proposing to spend to defend against all of these other
> threats, all of which seem to be far more likely?"  There was no answer at
> all -- mumble, mumble, gap analysis, next administration, blah, blah, blah.
> 
> "Hell of a job, Brownie!"
> 
> Bob
> 
> > From: xxx
> > Reply-To: xxx
> > Date: Tue, 13 May 2008 19:35:29 -0400
> > To: xxx
> > Subject: FW: Counterfeit Cisco Gear and the damage caused by EBay's system
> > 
> > Larry raises a good point.  Moreover, to the extent that counterfeit gear
> > might contain counterfeit code, might that not present er, um, a security
> > vulnerability?  Or does counterfeit mean a type of "gray" market? Or truly
> > manufactured by "not-Cisco"?
> > 
> > S
> > 
> >  
> > 
> > -----Original Message-----
> > From: xxx
> > Sent: Tuesday, May 13, 2008 7:29 PM
> > To: xxx
> > Subject: FW: Counterfeit Cisco Gear and the damage caused by EBay's system
> > 
> > By serial numbers does he mean MAC addresses? MAC addresses are universally
> > unique and the addresses are parceled out by the IEEE to companies. Perhaps
> > it's worth asking the IEEE
> > 
> > Larry Seltzer
> > eWEEK.com Security Center Editor
> > http://security.eweek.com/
> > http://blogs.pcmag.com/securitywatch/
> > Contributing Editor, PC Magazine
> > larry.seltzer at ziffdavisenterprise.com
> > 
> > 
> > -----Original Message-----
> > From: xxx On
> > Sent: Tuesday, May 13, 2008 6:26 PM
> > To: xxx
> > Subject: Re: Counterfeit Cisco Gear and the damage caused by EBay's system
> > 
> > I'm not sure how this would work. Do we assume that the fake routers do not
> > have a serial number that is the same as a genuine one? Why would the
> > builders of fake routers not fake a serial number too?
> > 
> > Does the manufacturer know who has the router with each serial number?
> > Assume that registration works for most, so in most cases the manufacturer
> > knows who is the first purchaser. What happens when the first purchaser
> > sells?  Does the manufacturer find out? What happens when the first, second
> > or subsequent purchaser sells on e-Bay or other public site? What does a
> > publicly-accessible database of genuine serial numbers tell a potential
> > purchaser except that the manufacturer once sold a genuine router (or
> > whatever) with that serial number?  Is that likely to be sufficiently
> > helpful, given that the one on sale may be a fake with a genuine number?
> > 
> > Are you putting on the manufacturer the expense and trouble of maintaining a
> > permanent provenance system for all its equipment?  Is the problem of fakes
> > so serious, and the absence of other methods of checking for fakes so
> > obvious, as to justify the expense, which of course will be passed on to
> > customers?
> > 
> > Or would the database of genuine serial numbers just be a guide for builders
> > of the fakes, to tell them what numbers to put on their own products?
> > 
> > One doubts that such a system could be imposed by law, but manufacturers
> > that thought it was worthwhile could run such a system themselves, and hope
> > that their customers thought it valuable enough to pay the extra price for
> > it.  Does the first purchaser benefit from it, though? Maybe by having a
> > clearer resale potential, since there (may/will) be a way for a buyer to
> > know the router/equipment is real, and thus be willing to pay more for it,
> > rather than a discount because it might be fake.
> > 
> > 
> > 
> > John G
> > 
> > John D. Gregory
> > General Counsel, Policy Division
> > Ministry of the Attorney General (Ontario) 720 Bay Street, Toronto ON Canada
> > M5G 2K1
> > (416) 326-2503   fax (416) 326-2699
> > john.d.gregory [at] ontario.ca
> > ...........................................................................
> > OPINIONS ARE PERSONAL NOT OFFICIAL
> > ............................................................................
> > 
> > 
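The sealed-unit idea in the forwarded message (a small security processor holding a manufacturer-provisioned key pair, checked with a challenge and response) and John Gregory's objection that a fake can simply carry a genuine serial number are two sides of the same design question, so here is a worked model of the protocol. It is an added example, not code from any of the posters, Cisco, SPYRUS or the SCADASEC list. It uses only the Go standard library (P-256 ECDSA, as the message suggests), and the serial number, the `Credential` layout, the domain-tag strings and all function names are constructed for the illustration; a shipping design would carry the same binding in an X.509 device certificate rather than this ad-hoc structure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Manufacturer is the on-shore party that provisions units; its public key is the trust anchor.
type Manufacturer struct{ key *ecdsa.PrivateKey }

// Credential is burned into the unit's security processor next to the private key:
// the serial, the device public key, and the manufacturer's signature binding the two.
// (Constructed layout for this example; a real deployment would use a certificate.)
type Credential struct {
	Serial    string
	DevicePub *ecdsa.PublicKey
	MfrSig    []byte
}

// Device models the sealed unit: the private key never leaves it; it can only sign challenges.
type Device struct {
	cred Credential
	priv *ecdsa.PrivateKey
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failing is not something this demo can recover from
	}
	return k
}

func NewManufacturer() *Manufacturer { return &Manufacturer{key: mustKey()} }

// Public is the verification key a buyer obtains out of band (from the vendor) and trusts.
func (m *Manufacturer) Public() *ecdsa.PublicKey { return &m.key.PublicKey }

// Provision generates the unit's P-256 key pair and signs its credential.
func (m *Manufacturer) Provision(serial string) (*Device, error) {
	k := mustKey()
	sig, err := ecdsa.SignASN1(rand.Reader, m.key, credentialDigest(serial, &k.PublicKey))
	if err != nil {
		return nil, err
	}
	return &Device{cred: Credential{Serial: serial, DevicePub: &k.PublicKey, MfrSig: sig}, priv: k}, nil
}

// Counterfeit models a clone that copied a genuine unit's serial and credential
// byte for byte but, lacking the sealed private key, has to run on a key of its own.
func Counterfeit(cloned Credential) *Device { return &Device{cred: cloned, priv: mustKey()} }

// Credential is read off the unit by the verifier before it issues a challenge.
func (d *Device) Credential() Credential { return d.cred }

// Respond signs the verifier's nonce, bound to the serial the unit claims.
func (d *Device) Respond(nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, digest("challenge-response", []byte(d.cred.Serial), nonce))
}

// NewChallenge draws a fresh 32-byte nonce so a recorded response cannot be replayed.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Authenticate is the buyer-side check: the credential must be signed by the
// manufacturer, and the response by the device key named in that credential.
func Authenticate(mfrPub *ecdsa.PublicKey, cred Credential, nonce, response []byte) error {
	if cred.DevicePub == nil || !ecdsa.VerifyASN1(mfrPub, credentialDigest(cred.Serial, cred.DevicePub), cred.MfrSig) {
		return errors.New("credential is not signed by the manufacturer")
	}
	if !ecdsa.VerifyASN1(cred.DevicePub, digest("challenge-response", []byte(cred.Serial), nonce), response) {
		return errors.New("response was not produced by the credentialed device key")
	}
	return nil
}

// credentialDigest hashes serial || fixed-width X || Y under its own domain tag.
func credentialDigest(serial string, pub *ecdsa.PublicKey) []byte {
	point := make([]byte, 64)
	pub.X.FillBytes(point[:32])
	pub.Y.FillBytes(point[32:])
	return digest("device-credential", []byte(serial), point)
}

// digest prefixes a domain tag so a credential signature can never pass as a response.
func digest(tag string, parts ...[]byte) []byte {
	h := sha256.New()
	h.Write([]byte(tag + "\x00"))
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}
```

Flow: the buyer reads the credential off the unit, calls `NewChallenge`, hands the nonce to the unit, and passes the credential, nonce and response to `Authenticate` with the manufacturer's public key. A clone that copied the serial and credential fails the second check because it cannot sign with the credentialed key; a clone that minted its own credential fails the first; a recorded response fails against any fresh nonce. No public serial-number database is needed for this, which is the part of John Gregory's objection the scheme answers. What it does not answer is the "baked-in" worry in the same message: a unit that was compromised before the manufacturer signed it passes this check perfectly, so the check attests provenance of the key, not the integrity of what is running around it.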


