Huawei Telecom Gear Much More Vulnerable to Hackers Than Rivals’ Equipment – WSJ


“Reminds me of the 1990’s Microsoft Windows/Internet Explorer Security Issues, Not Stuxnet”

-Mayo615

Source: Huawei Telecom Gear Much More Vulnerable to Hackers Than Rivals’ Equipment, Report Says – WSJ

A detailed report, prepared by Finite State, a Columbus, Ohio-based cybersecurity firm, concludes that Huawei telecom switching gear is far more vulnerable to hacking than other vendors’ hardware due to firmware flaws and inadvertent “back doors” that were discovered. The report has been circulated widely among cybersecurity experts in the U.S. and UK, and it is considered credible. The report stops short of concluding that Huawei deliberately inserted the flaws to enable espionage, as it appears more likely that the flaws stem from undetected software development errors. The Trump Administration has nevertheless seized on the report to claim evidence of Chinese espionage intent. The report’s conclusions do offer sound evidence that Huawei gear should not be inserted into telecom systems until these errors are removed. This reminds me of the time when Microsoft Internet Explorer and Windows were suspected of being serious security risks for having so many security holes.

Huawei Enterprise Network Switch

From the Wall Street Journal:

WASHINGTON—Telecommunications gear made by China’s Huawei Technologies Co. is far more likely to contain flaws that could be leveraged by hackers for malicious use than equipment from rival companies, according to new research by cybersecurity experts that top U.S. officials said appeared credible.

Over half of the nearly 10,000 firmware images encoded into more than 500 variations of enterprise network-equipment devices tested by the researchers contained at least one such exploitable vulnerability, the researchers found. Firmware is the software that powers the hardware components of a computer.

The tests were compiled in a new report that has been submitted in recent weeks to senior officials in multiple government agencies in the U.S. and the U.K., as well as to lawmakers. The report is notable both for its findings and because it is circulating widely among Trump administration officials who said it further validated their policy decisions toward Huawei.

“This report supports our assessment that since 2009, Huawei has maintained covert access to some of the systems it has installed for international customers,” said a White House official who reviewed the findings. “Huawei does not disclose this covert access to customers nor local governments. This covert access enables Huawei to record information and modify databases on those local systems.”

The report, reviewed by The Wall Street Journal, was prepared by Finite State, a Columbus, Ohio-based cybersecurity firm.

While the report documents what it calls extensive cybersecurity flaws found in Huawei gear and a pattern of poor security decisions purportedly made by the firm’s engineers, it stops short of accusing the company of deliberately building weaknesses into its products. It also didn’t directly address U.S. claims that Huawei likely conducts electronic espionage for the Chinese government, which Huawei has long denied.

A Huawei official said the company welcomed independent research that could help improve the security of its products but added he couldn’t comment on specifics in the Finite State report because it wasn’t shared in full with the company.

“Without any details, we cannot comment on the professionalism and robustness of the analysis,” the Huawei official said.

Based in Shenzhen, Huawei is the world’s largest telecommunications equipment provider and a leader in next-generation 5G wireless technology.

Huawei has emerged as a central fixture in the growing rift between the U.S. and China over technology, especially with the approach of 5G cellular technology.

The Commerce Department in May cited national-security concerns when it added the telecommunications giant to its “entity list,” which prevents companies from supplying U.S.-origin technology to Huawei without U.S. government approval.

Finite State Chief Executive Matt Wyckhouse co-founded the firm in 2017, after spending nearly 13 years at nearby Battelle, a private, nonprofit applied-science and technology firm that does work in the private and public sectors.

Mr. Wyckhouse, a computer scientist who worked in Battelle’s national security division handling defense and intelligence-community contracts, said Finite State did the work pro-bono and not on behalf of any government. He also said he felt the best way to make policy makers aware of the issues was to make his firm’s research available to the public. He plans to publish it this week.

“We want 5G to be secure,” Mr. Wyckhouse said.

Finite State said it used proprietary, automated systems to analyze more than 1.5 million unique files embedded within nearly 10,000 firmware images supporting 558 products within Huawei’s enterprise-networking product lines.

The company said the rate of vulnerabilities found in Huawei equipment was far higher than the average found in devices manufactured by its rivals, and that 55% of firmware images tested contained at least one vulnerability—which the authors described as a “potential backdoor”— that could allow an attacker with knowledge of the firmware and a corresponding cryptographic key to log into the device.

The report includes a case study comparing one of Huawei’s high-end network switches against similar devices from Arista Networks and Juniper Networks Inc. It found that Huawei’s device had higher risk factors in six of nine categories, generally by a substantial margin.

“In our experience, across the board, these are the highest numbers we have ever seen,” Mr. Wyckhouse said.

In one instance in the case study, Huawei’s network switch registered a 91% risk percentile for the number of credentials with hard-coded default passwords compared against all of Finite State’s entire firmware data set.

By comparison, the risk level for Arista and Juniper was rated at 0%.

Chris Krebs, the top cybersecurity official at the Department of Homeland Security, said Finite State’s research added to existing concerns about Huawei equipment and the conclusion that the company hasn’t shown the intent or capability to improve its security practices.

“With Huawei having not demonstrated the technical proficiency or the commitment to build, deploy, and maintain trustworthy and secure equipment, magnified by the Chinese government’s potential to influence or compel a company like Huawei to do its bidding, we find it an unacceptable risk to use Huawei equipment today and in the future,” Mr. Krebs said.

White House officials who reviewed the Finite State report said the findings revealed flagrant violations of standard protocols. They said the report’s findings also suggested Huawei may be purposely designing its products to include weaknesses.

For example, some of the vulnerabilities found are well-known cybersecurity problems that aren’t difficult to avoid. Of the devices tested, 29% had at least one default username and password encoded into the firmware which could allow malicious actors easy access to those devices if the credentials were left unchanged, according to the report.

A particularly unusual finding was that security problems became quantifiably worse in at least one instance for users who patched a network switch with an updated version of firmware compared with the two-year-old version being replaced. Patches are intended to reduce cybersecurity weaknesses, but a comparison of the two versions found the newer one performed worse across seven of nine categories measured.

“For years, Huawei has essentially dared the international community to identify the security vulnerabilities that have so often been alleged regarding the use of the company’s products,” said Michael Wessel, a member of the U.S.-China Economic and Security Review Commission, a bipartisan panel that makes recommendations to Congress. “It’s hard to see the range and depth of the vulnerabilities identified by Finite State to be anything other than intentional.”

The U.K.’s National Cyber Security Centre also reviewed the Finite State research, people familiar with the matter said, and found it broadly aligned with the technical analysis in the agency’s own report, published in March. The U.K. report accused Huawei of repeatedly failing to address known security flaws in its products and admonished the firm for failing to demonstrate a commitment to fixing them.

A 2012 U.S. government review of security risks associated with Huawei didn’t find clear evidence that the company was being used by China as a tool for espionage, but concluded its gear presented cybersecurity risks due to the presence of many vulnerabilities that could be leveraged by hackers.

Rep. Mike Gallagher (R., Wis.) said the report highlights the urgency for members of Congress and others to stop Huawei from taking over the global telecommunications supply chain.

“I’ve long thought we should treat Huawei as an appendage of the Chinese Communist Party,” said Mr. Gallagher, who earlier this year introduced legislation targeting Chinese telecommunications firms. “But even I was taken aback by the scale of the security flaws within Huawei’s network architecture as revealed by the report.”

What Happens Now That Julian Assange is Implicated in Russian Espionage?

Lost today in the extraordinary news frenzy surrounding the release of a videotape of Donald Trump making unprecedented lewd and obscene comments about women was Barack Obama’s announcement that the United States officially and publicly accuses Russia of espionage in the hacking of the Democratic National Committee and the theft of documents now in the possession of WikiLeaks. Some may recall Julian Assange’s video interview with Bill Maher on HBO’s Real Time with Bill Maher about a month ago on this topic. It seems clear from the Bill Maher interview that Assange is on a jihad against the DNC because Clinton wanted to prosecute him. Assange has no altruistic motives — it is personal. We have a foreigner trying to influence U.S. elections using documents stolen by Russia.


WASHINGTON — The Obama administration on Friday formally accused the Russian government of stealing and disclosing emails from the Democratic National Committee and from a range of prominent individuals and institutions, immediately raising the issue of whether President Obama would seek sanctions or other retaliation for the cyberattacks.

In a joint statement from the director of national intelligence, James Clapper Jr., and the Department of Homeland Security, the government said the leaked emails that have appeared on a variety of websites were “intended to interfere with the U.S. election process.” The emails were posted on the WikiLeaks site and newer ones under the names DCLeaks.com and Guccifer 2.0.

“We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities,” the statement said. It did not name President Vladimir V. Putin, but that appeared to be the intention.

For weeks, aides to Mr. Obama have been debating a variety of possible responses to the Russia action, including targeted economic sanctions and authorizing covert action against the computer servers in Russia and elsewhere that have been traced as the origin of the attacks.

The statement said that the recent “scanning and probing” of election systems “in most cases originated from servers operated by a Russian company,” but did not say the Russian government was responsible for those probes.

The president’s aides have also been debating whether to publicly attribute the attacks to Russia. Mr. Obama had decided against taking that stance in other cases where cyber techniques were used to steal tens of thousands of emails from the unclassified system of the State Department, the White House and the Joint Chiefs of Staff.

As recently as Wednesday, the director of the National Security Agency, Adm. Michael S. Rogers, refused to accuse the Russians of the cyberattack, even while talking at length about how to secure the American election system from foreign data manipulation and information warfare.

The administration’s announcement came only hours after Secretary of State John Kerry called for the Russian and Syrian governments to face a formal war-crimes investigation for attacking civilians in Aleppo and other parts of Syria. Taken together, the two moves mark a sharp escalation in Washington’s many confrontations with Moscow this year.

With little more than a month to go before the presidential election, Mr. Obama was under pressure to act now on the hacking, according to a senior administration official, who spoke on the condition of anonymity to discuss internal White House deliberations. The timing of Friday’s announcement was decided in part because a declaration closer to Election Day would appear to be political in nature, the official said.

The subject came up in the first presidential debate, with Hillary Clinton, the Democratic nominee and a former Secretary of State, blaming Russia for the attacks. Her Republican rival, Donald J. Trump, said there was no evidence that Russia was responsible, suggesting that the Chinese could be behind it, or it “could be somebody sitting on their bed that weighs 400 pounds.”

The question now is how Mr. Obama might respond without setting off an escalating cyberconflict. One possibility is that the announcement itself — an effort to “name and shame” — will deter further action.

The identification of Russia was hardly a surprise: In late July, American intelligence officials told The New York Times that they had “high confidence” that the Russian government was behind the hack of the Democratic National Committee.

The hack led to the resignation of Representative Debbie Wasserman Schultz, Democrat of Florida, as chairwoman of the committee, after the leaks suggested the committee had favored Mrs. Clinton in the nominating fight over Senator Bernie Sanders of Vermont.