Answer to #3 is SuperMicro. This morning Charles finds himself up s___creek
without a paddle. Question is were they setup by a component supplier or is
there someone compromised inside SMCI?
--
------------------------------
Jeff Johnson
Co-Founder
Aeon Computing

***@aeoncomputing.com
www.aeoncomputing.com
t: 858-412-3810 x1001 f: 858-412-3845
m: 619-204-9061

4170 Morena Boulevard, Suite C - San Diego, CA 92117

High-Performance Computing / Lustre Filesystems / Scale-out Storage

1. Everyone has Supermicro stuff somewhere (important note that the attack
could have been any brand with majority share so replace with
$popularvendor)
2. Supermicro makes embedded boards too
3. It is safe to assume the worst at all times and run a honeypot on vlan1
and limit new outbound connections. This is true of software and hardware.

Key snippet:
"The illicit chips could do all this because they were connected to the
baseboard management controller, a kind of superchip that administrators
use to remotely log in to problematic servers, giving them access to the
most sensitive code even on machines that have crashed or are turned off."

My take-away:
This will only impact systems where there is a route between the wider
world and the IPMI ports on your servers. That's an extremely terrible
practice anyhow since IPMI isn't the most secure protocol, so the
solution should be to cordon off your IPMI network to a separate,
non-network-attached switch or leave it disconnected entirely if you
don't administer your machines in that way. If you've properly secured
that network you should be sufficiently guarded at least from an outside
intruder having levers into your system. Rogue chips on your boards
could of course always impact the system at some future date in a
pre-programmed way, but I know of no way to guard against that kind of
an attack short of vetting each and every board under suspicion on a
chip-by-chip basis.

Best,

ellis

--
Ellis H. Wilson III, Ph.D.
www.ellisv3.com
_______________________________________________
Beowulf mailing list, ***@beowulf.org sponsored by Penguin Computing
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf

I don't know, that Bloomberg piece seems to be lacking specific
technical details to be really credible. There's quite a lot of
skepticism being raised about those claims, and the Apple denial was
pretty adamant.

It sure seems all possible, but is it likely? To have dealt with my
share of issues with those manufacturers' BMC firmwares, I'd tend to
think they're quite busy making regular and documented functionality
properly work, before they can add almost-invisible chips that can
magically "alter the operating system’s core so it could accept
modifications [and] also contact computers controlled by the attackers
in search of further instructions and code".

So I'm wondering how much of this is non-technical journalists just
discovering what a BMC is.

Not saying that it's not true, but the whole story seriously needs
more technical details, other than what "former US intelligence
officials" said.

Cheers,

If the extra chip was added to the original design I wonder how hard it
would be to cut it back out again? Admittedly if this amounts to much
more than "crush it with a pair of needlenose pliers" or "place a
soldering iron on it for 20 seconds" it would be impractical and likely
not economical to repair these motherboards. Removing it with a hot air
workstation (it must be surface mounted) would likely restore the
motherboard to its original design, but doing so without damaging any of
the surrounding components on a typical tightly packed motherboard might
be very difficult.

This also suggests that manufacturers are going to have to start
carefully auditing products coming in from overseas factories to verify
that they have not diverged in unexpected ways. That is going to be
really hard because while this was actually an extra component, the
obvious next step is to add the function to an existing chip, so the
board would not appear externally to be any different. To find that
sort of change they would have to cut open the chip packages and review
the chips in an EM. And the counter measure would be to only sprinkle
in a few contaminated chips instead of installing them everywhere.

On balance this seems like an excellent reason to ban the importation of
"must be trusted" components from China. (Makes me wonder about
products from that new Foxconn plant in Wisconsin too.) For once the
Trump administration could call "national security" when implementing a
policy like that and actually have a good case.

Regards,

David Mathog
***@caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech
_______________________________________________
Beowulf mailing list, ***@beowulf.org sponsored by Penguin Computing
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/li

And news directly from Supermicro
https://www.supermicro.com/newsroom/pressreleases/2018/press181004_Bloomberg.cfm

That is a tiny capacitor that sits on your motherboard with a very thin glue. You practically need a microscope to move one, and there are hundreds of them on each board. So which one is it? Maybe you can just scrape it off.
Buy there is another problem: OEM. That means an outside builder, Supermicro perhaps built your motherboard.
And, why tell this story 3 years later?
Buy in the subject of removing it, a capacitor reads a tiny stream of electricity and opens its hate at a determined voltage, correct? That sets off another capacitor and so on until what exactly happens?

On October 4, 2018, at 7:08 PM, John Hearns via Beowulf <***@beowulf.org> wrote:

Thankyou to James Cuff for linking to The Register's article :
https://www.theregister.co.uk/2018/10/04/supermicro_bloomberg/
_______________________________________________
Beowulf mailing list, ***@beowulf.org sponsored by Penguin Computing
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf
_______________________________________________
Beowulf mailing list, ***@beowulf.org sponsored by Penguin Computing
To change your subscription (digest mode or unsubscribe) v

So two weeks on and it looks like this wasn't real, and I've read somewhere
(though I can't find the reference now) that this isn't the first time for the
person who wrote that article. A lot of people wrote about how this sort
of attack doesn't really make sense, there are far easier ways to do this
sort of thing (nobbled BMC firmware probably being one of the easiest)
and without the problems of possibly thousands of SM boxes trying to
ping back to a CnC server to set off alarms in a host of companies.

This sums it up nicely..

https://twitter.com/SwiftOnSecurity/status/1053102057245286401

Two weeks since Bloomberg claimed Supermicro servers were backdoored by Chinese spying chips.
No Evidence Whatsoever shows these claims real.
All companies angrily deny it to Congress.
Senior US intelligence including Rob Joyce refute it.
It’s time.
It’s over.
This is not true.