Former CIA boss says aware of evidence Huawei spying for China

(Reuters) - The former head of the U.S. Central Intelligence Agency said he is aware of hard evidence that Huawei Technologies Co Ltd has spied for the Chinese government, the Australian Financial Review newspaper reported on Friday.
Michael Hayden, also the former head of the U.S. National Security Agency (NSA), said in an interview with the paper that Huawei had "shared with the Chinese state intimate and extensive knowledge of the foreign telecommunications systems it is involved with".
"I think that goes without saying," he was quoted as saying.
The newspaper reported Hayden said intelligence agencies have hard evidence of spying activity by the world's No. 2 telecoms equipment maker. It did not detail that evidence.
Huawei, founded in 1987 by former People's Liberation Army officer Ren Zhengfei, has repeatedly denied being linked to the Chinese government or military or receiving financial support from either.
Hayden is a director of Motorola Solutions, which provides radios, smart tags, barcode scanners and safety products. Huawei and Motorola Solutions Inc (MSI.N) had previously been engaged in intellectual property disputes for a number of years.
Huawei Global Cyber Security Officer John Suffolk described the comments made by Hayden as "tired, unsubstantiated defamatory remarks" and challenged him and other critics to present any evidence publicly.
"Huawei meets the communication needs of more than a third of the planet and our customers have the right to know what these unsubstantiated concerns are," Suffolk said in a statement emailed to Reuters. "It's time to put up or shut up."
The report came a day after Britain announced it would review security at a cyber centre in southern England run by Huawei to ensure that the British telecommunications network is protected.
In October 2012, the U.S. House of Representatives' Intelligence Committee urged American firms to stop doing business with Huawei and ZTE Corp. (000063.SZ) (0763.HK), warning that China could use equipment made by the companies to spy on certain communications and threaten vital systems through computerised links.
The Australian government has barred Huawei from involvement in the building of its A$37.4 billion National Broadband Network.

Microsoft Hacked: Joins Apple, Facebook, Twitter

                Add Microsoft to the list of leading technology companies that have recently seen their employees' computers get hacked after they visited a third-party website devoted to iOS development.

According to a Friday "Recent Cyberattacks" blog post from Matt Thomlinson, general manager for trustworthy computing security at Microsoft, the company "recently experienced a similar security intrusion" to the attacks that penetrated the networks of Apple and Facebook.






"Consistent with our security response practices, we chose not to make a statement during the initial information gathering process," said Thomlinson. "During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected and our investigation is ongoing."
[ Worried about the Chinese, Russians, hacktivists or cybercrime gangs infiltrating your network? Don't Blame China For Security Hacks, Blame Yourself. ]
Thomlinson's short statement squares with what's already known about the attacks, based on previously issued public comments from Apple, Facebook and Twitter. Namely, in what's called a watering-hole attack, whoever launched these attacks first compromised the popular iPhoneDevSDK website, without tipping off the website's administrator, and then used the site to launch drive-by attacks against anyone who visited. The attacks, which targeted a zero-day vulnerability in the Java browser plug-in that's since been patched by Oracle, were obviously quite effective, because they affected OS X systems at Apple, Facebook, Microsoft and Twitter.
Microsoft's public statement also suggests that many more than just those four businesses may have been successfully compromised by attackers.
What were attackers seeking? One likely answer is that they were simply trawling for any customer data or proprietary company information that would have resale value on the black market, for example to better customize phishing attacks.
But Sean Sullivan, security advisor at F-Secure Labs, has also warned that the attackers may have had their eye on adding backdoor code -- that executes after a time delay -- into mobile iOS apps under development. "Apple and Google's app stores don't review source code, [they] just run the apps," said Sullivan via email. So, thinking like an attacker: "I would inject code that only enables itself in certain circumstances and at certain times (and build a botnet that way)," he said.
Accordingly, Sullivan recommends that all security managers review their employees' website-visiting logs to see if anyone visited iPhoneDevSDK, as well as review their mobile application code bases to look for unauthorized changes. In addition, any businesses -- and especially smaller organizations -- that thought they weren't a target should put a security plan to place to mitigate future zero-day attacks that target their developers. "They should be more proactive (paranoid) in the first place," Sullivan said. "Small startups probably mix work and play. They shouldn't. Buy your developers an additional laptop for just work."
Building a more robust network vulnerability management program can help you identify security holes before an attacker does, as well as develop more secure systems and applications in the future. In the A Guide To Network Vulnerability Management report, we examine the products and practices that will get you there. (Free registration required.)