{"id":207,"date":"2008-03-16T16:22:25","date_gmt":"2008-03-17T00:22:25","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/2008\/03\/16\/virus-laden-hardware-emerges\/"},"modified":"2008-03-16T16:22:25","modified_gmt":"2008-03-17T00:22:25","slug":"virus-laden-hardware-emerges","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2008\/03\/16\/virus-laden-hardware-emerges\/","title":{"rendered":"Virus laden hardware emerges"},"content":{"rendered":"<p>While the idea of software viruses\u00a0is by no means new to those who work with computers, a new vector of attack seems to be developing in the form of hardware shipped from the manufacturer that is already infected with malware. In the past few weeks, a set of digital peripherals, particularly USB picture frames and iPods, have been found to contain one or more malicious executables. With such a method of delivery, it seems that the security industry may need to rethink what can and cannot be considered secure.<\/p>\n<p>\u00a0<a href=\"http:\/\/www.cnn.com\/2008\/TECH\/ptech\/03\/13\/factory.installed.virus.ap\/index.html?iref=mpstoryview\">http:\/\/www.cnn.com\/2008\/TECH\/ptech\/03\/13\/factory.installed.virus.ap\/index.html?iref=mpstoryview<\/a><\/p>\n<p>\u00a0<!--more--><\/p>\n<p>\u00a0Though the article indicates that actions have been taken against the manufacturers of the devices identified as being compromised, the impact of the incident will likely be far broader. Traditionally, the idea of trusted computing has relied on the fact that hardware is implicitly\u00a0trusted\u00a0upon arrival from the\u00a0vendor. Only after exposure to a user or network\u00a0does it seem possible for the hardware to be in some way compromised, and thus, if the user and network are secure, so too should the hardware.<\/p>\n<p>\u00a0In this case, such a model no longer appears valid. 
If the hardware from the manufacturer is infected, the safeguards afforded by proper user behavior and network protection are greatly reduced. Indeed, if extended beyond peripherals to internal computer components such as motherboards or network cards, such a threat would undermine a fundamental methodology\u00a0in computer security: starting with trusted components and building secure OS and application layers on top of them. If the very hardware on which such software runs is corrupt, no trusted foundation can exist upon which to expand.<\/p>\n<p>\u00a0Unfortunately, it seems unlikely that this problem will be solved before becoming more serious. Unless stores begin to feel an economic impact from consumer concerns, vendors with two, three, or more levels of separation between themselves and the customer will have little incentive to prevent such security breaches.<\/p>\n<p>\u00a0Max A, David W, Travis M<\/p>\n","protected":false},"excerpt":{"rendered":"<p>While the idea of software viruses\u00a0is by no means new to those who work with computers, a new vector of attack seems to be developing in the form of hardware shipped from the manufacturer that is already infected with malware. 
&hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2008\/03\/16\/virus-laden-hardware-emerges\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":20,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-207","post","type-post","status-publish","format-standard","hentry","category-current-events"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/207","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=207"}],"version-history":[{"count":0,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/207\/revisions"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=207"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=207"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=207"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}