US Government Seeks to Stave Off Malicious Foreign-Sourced Microchips

Article first published as US Government Seeks to Stave Off Malicious Foreign-Sourced Microchips on Technorati.

Photo courtesy Andres Rueda

The Intelligence Advanced Research Projects Activity (IARPA) is initiating the Trusted Integrated Chips (TIC) Program partly due to the discovery last year that the US Navy purchased 59,000 counterfeit microchips produced in China. It is believed that these microchips, which are used in critical military and defense systems, could be spiked with malicious circuitry or back-doors. The new program will help ensure that microchips produced overseas (where higher yields and more efficient production costs are achieved) are safe.

IARPA is soliciting feedback on how to protect the microchips that are used in missile control and other critical military and defense systems. One of the techniques mentioned is "obfuscation," where "the intent of digital and analog functions and their associated building blocks are disguised." Another solution mentioned by Wired/Danger Room is to divide the front/back-end-of-line processing where the more sensitive features of a microchip are finished off at a secure, trusted facility. The security of foreign-sourced microchips is more important now than ever as technology is integrated more into such military applications as aerial drones, robots and missile control systems. (Sources:  Washington Post, Wired)

Stuxnet: Anatomy of a Computer Virus

A clever new scam employing an automated phone call and confirmation number

Here's a scam that could explode as malicious hackers leverage social engineering techniques to surreptitiously obtain your approval to perpetrate fraud under your (or your organization's) name. It was discovered in use at restaurants in Michigan, but could easily be applied to any organization.

Here's how the scam works (from Public Intelligence):

"The restaurant receives a phone call from someone claiming to be from the Health Department who provides the restaurant with a five-digit confirmation number. Then, the caller informs the restaurant they will receive an automated call later that day where they will need to enter the five-digit confirmation number in order to schedule an inspection. If the restaurant enters the confirmation number on that subsequent phone call, the fraud is successful and the scammer has been able to open an account not tied to their own personal phone number. The process enables the scammer to satisfy the verification controls of Craigslist, eBay or a similar web-based service, and to advertise and sell merchandise under an account connected to the restaurant."