US Corporations Hacked by China

[detroitm2]

Its rather terrifying that this went so long without being noticed. Kind of a long read, but worth it.

https://www.bloomberg.com/news/featu...-top-companies

[GoneIn4Secs]

Diane feinstien had a chinese spy working as her driver for 24 years, Hillary had her emails server setup so chinese govt could hack into her emails real time!

Iit not that it went 'unnoticed', it was by design, gisnts corporations liek apple /google openly work for chinese govt

There are traitors in govt and business who sell out and sold out to global interests

There arent mistakes at this level without someone giving the green light

[IanMan]

I was aware of this a few years ago and our government has been for quite a while too. Why it is just now being made public is beyond me. No, I'm not a conspiracy theorist.
Yes, I know what I am talking about and have seen actual proof of this. Also, it isn't just the US to be spied on.

Here is what I know because of my line of work. Apple and Amazon have probably been aware of this for quite some time. Our government has known this for quite a while too. This has been going on for years. I'm going to leave a lot of details out of this explanation for certain reasons. We have all sorts of groups of people in the military, that do certain things, which require certain briefings. Before certain briefings or missions take place, all equipment that is used for said briefings gets analyzed, taken apart, put back together, and then used for the mission, (i.e. TV's, laptops, phones, etc.). A brand new Samsung TV, straight out of the box was purchased for a certain task to show images on. Said TV was taken apart and screened only to find that once it was going to be used, the TV would discreetly connect to the first open unsecured wifi connection and transmit all images that were displayed to an undisclosed location. This is a civilian, out of the box TV, not something that was hacked at the last moment. Imagine if our information for a serious situation was just carelessly transmitted for another government to see. Scary stuff.

[zx10guy]

Issues of supply chain interception has been a real problem for a lot longer than what has been cited in this article. Those that have worked in IT at some capacity for the Federal government have known this is a major risk for at least a couple of decades. This is why pretty much all Federal agencies require hardware sold to them be TAA compliant where the equipment has been substantially "transformed" in a country deemed friendly to the US. There's also BAA compliance where the equipment has been US made.

Cisco got hit by counterfeit parts that were injected into legitimate supply chains. This came to light back in 2008.

https://www.infoworld.com/article/26...isco-gear.html

The public knowledge of this was premature as someone leaked the FBI slide deck going over their investigation into the problem. This pushed the FBI to move a lot sooner on entities/individuals they have been watching. The slide deck is still hosted here:

http://www.andovercg.com/datasheets/...08-01-11-a.pps

Looking through the slide deck, there is a picture of the WIC T1 WAN card used in Cisco ISR routers. I've personally worked with these cards. Without the FBI comparison of the genuine and counterfeit cards, I would have no idea which was real or genuine. The fakes were that good. The only tip off of why Cisco started to look into this issue was a spike in component failures.

The Bloomberg article also cited two companies Huawei and ZTE. Huawei was caught copying code Cisco used in their IOS software. Huawei has also been under tight scrutiny by many western nations for their close ties to Chinese Intelligence. This threat is such a concern where Australia banned the use of Huawei equipment in the major refresh of their telecom systems. The US Feds stepped in when they found out Sprint was going to purchase Huawei equipment.

This is the consequence of us freely allowing a hostile country to manufacture most of the electronics we use to save a few bucks.

[c1pher]

Quote:

Originally Posted by zx10guy

Issues of supply chain interception has been a real problem for a lot longer than what has been cited in this article. Those that have worked in IT at some capacity for the Federal government have known this is a major risk for at least a couple of decades. This is why pretty much all Federal agencies require hardware sold to them be TAA compliant where the equipment has been substantially "transformed" in a country deemed friendly to the US. There's also BAA compliance where the equipment has been US made.

Cisco got hit by counterfeit parts that were injected into legitimate supply chains. This came to light back in 2008.

https://www.infoworld.com/article/26...isco-gear.html

The public knowledge of this was premature as someone leaked the FBI slide deck going over their investigation into the problem. This pushed the FBI to move a lot sooner on entities/individuals they have been watching. The slide deck is still hosted here:

http://www.andovercg.com/datasheets/...08-01-11-a.pps

Looking through the slide deck, there is a picture of the WIC T1 WAN card used in Cisco ISR routers. I've personally worked with these cards. Without the FBI comparison of the genuine and counterfeit cards, I would have no idea which was real or genuine. The fakes were that good. The only tip off of why Cisco started to look into this issue was a spike in component failures.

The Bloomberg article also cited two companies Huawei and ZTE. Huawei was caught copying code Cisco used in their IOS software. Huawei has also been under tight scrutiny by many western nations for their close ties to Chinese Intelligence. This threat is such a concern where Australia banned the use of Huawei equipment in the major refresh of their telecom systems. The US Feds stepped in when they found out Sprint was going to purchase Huawei equipment.

This is the consequence of us freely allowing a hostile country to manufacture most of the electronics we use to save a few bucks.

TAA compliance is misleading reassurance.

[zx10guy]

Quote:

Originally Posted by MGM135is

TAA compliance is misleading reassurance.

It's something and better than nothing. Systems...especially in highly secure environments would still have to go through scanning and meeting various requirements specific to the agency such as STIG, JTIC, Common Criteria, etc. TAA is just a baseline/starting point.

[c1pher]

Quote:

Originally Posted by zx10guy

It's something and better than nothing. Systems...especially in highly secure environments would still have to go through scanning and meeting various requirements specific to the agency such as STIG, JTIC, Common Criteria, etc. TAA is just a baseline/starting point.

STIGs are great in a largely homogeneous environment like the USG but don’t work as well in regular industry. JTIC certifications mainly focus on operational testing. Yes you get an ATO after completing DIACAP or RMF, but those are checklists and we all know checklists don’t mean security. Case in point is AWS GovCloud has an ATO, is FEDRAMP accredited etc, and the Chinese purportedly could still do their thing.

I do agree with you that doing something is better than doing nothing, but we aren’t doing enough to understand what, exactly, network or IT equipment is doing and the explosion of IoT has only exponentially exacerbated the problem.