Tuesday, April 22, 2008

Foreign Used Gear

Slashdot had an interesting post this morning. In it, they discussed used gear coming into the country from foreign nations and the security implications of that used gear. One article specifically mentioned the risk of getting gear that may have been "reprogrammed" to do tasks other than what the product was initially intended for, some of which could be nefarious.

A second article displayed slides (and included a link to the original PowerPoint presentation) showing that the FBI fears foreign hackers may have planted back doors into governmental networks using used gear.

This is something I've always wondered about, but on a more personal level. When I wanted to experiment with Linux on a laptop, I searched eBay for a laptop that was not too pricey (and met my specs) such that I would not have a problem if my experimentation failed or had bad results. However, I knew that once I got Linux up and running, I would be using the laptop quite a bit. I found plenty of laptops. And being a paranoid security professional, I assumed that hard drives were not wiped. Most of these laptops (if not all) came preloaded with Windows XP. And, while some of the descriptions said that the computer had been "reformatted, with the operating system reinstalled," what's to say that small malicious software wasn't also loaded? Maybe that software phoned home with interesting information from the new owner. Yes, I was installing Linux, so I wasn't too worried. (Note: I purchased a new hard drive and swapped out the one that came with the laptop.) But the general public probably doesn't follow that tactic.

I suppose the same thing could be said for phones bought secondhand. How about DVRs with malicious software pre-installed? Unfortunately, the drawback is that a fiscally responsible person or corporation gets pushed into the arena of only buying new gear. And sometimes that doesn't make sense/cents.
