
Archive for the ‘Hacking’ Category

The denials, now from the aforementioned Chinese schools (Shanghai Jiaotong University and Lanxiang Vocational School), are expected, but they look thin against the evidence uncovered by Joe Stewart, a malware specialist with SecureWorks.

Mr. Stewart reverse-engineered code from the Hydraq trojan and, according to the NY Times, ‘determined the main program used in the attack contained a module based on an unusual algorithm from a Chinese technical paper that has been published exclusively on Chinese-language Web sites.’

For a much more detailed analysis beyond the scope of the Times article, jump to the original SecureWorks blog post by Mr. Stewart where he explains the basis of his conclusions about the unusual CRC algorithm.  As he says, “This information strongly indicates the Aurora codebase originated with someone who is comfortable reading simplified Chinese…In my opinion, the use of this unique CRC implementation in Hydraq is evidence that someone from within the PRC authored the Aurora codebase…”
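The attribution argument above rests on a small implementation detail, a particular CRC variant, being distinctive enough to serve as a fingerprint. As an added illustration (not Stewart's analysis, the Hydraq code, or anything from this blog), here is how a nibble-indexed, table-driven CRC-16 works and why its 16 constants, once compiled in, become a byte pattern an analyst can hunt for across samples. The polynomial (0x1021, CRC-16/CCITT), the table layout and the stand-in "binary" are assumptions chosen for the demonstration, not details taken from the Aurora malware.

```python
"""
Added illustration: a table-driven CRC-16 whose 16-entry lookup table doubles
as a code-reuse fingerprint. Not code from Hydraq, SecureWorks, or this blog.
Polynomial 0x1021 (CRC-16/CCITT), MSB-first, init 0xFFFF are assumptions.
"""
import struct
from typing import List, Tuple

POLY = 0x1021  # CRC-16/CCITT polynomial, MSB-first (assumed for the example)


def build_nibble_table(poly: int = POLY) -> List[int]:
    """16-entry table: the CRC contribution of each possible top nibble.
    Small enough for a microcontroller; small enough to stand out in a binary."""
    table = []
    for nibble in range(16):
        crc = nibble << 12
        for _ in range(4):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
        table.append(crc)
    return table


def crc16_nibble(data: bytes, table: List[int], init: int = 0xFFFF) -> int:
    """Table-driven CRC-16, consuming 4 bits per lookup (two lookups per byte)."""
    crc = init
    for byte in data:
        crc = ((crc << 4) & 0xFFFF) ^ table[((crc >> 12) ^ (byte >> 4)) & 0xF]
        crc = ((crc << 4) & 0xFFFF) ^ table[((crc >> 12) ^ (byte & 0xF)) & 0xF]
    return crc


def crc16_bitwise(data: bytes, poly: int = POLY, init: int = 0xFFFF) -> int:
    """Reference implementation, one shift per bit, used to check the table."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def table_signature(table: List[int], width: int) -> bytes:
    """Serialize the table the way a compiler lays out constant data:
    contiguous little-endian 16-bit (width=2) or 32-bit (width=4) integers."""
    fmt = {2: "<16H", 4: "<16I"}[width]
    return struct.pack(fmt, *table)


def find_table(blob: bytes, table: List[int]) -> List[Tuple[int, int]]:
    """Return (offset, element_width) for each place the table occurs in blob.
    Both widths are tried because compilers may widen the constants to int."""
    hits = []
    for width in (2, 4):
        sig = table_signature(table, width)
        offset = blob.find(sig)
        while offset != -1:
            hits.append((offset, width))
            offset = blob.find(sig, offset + 1)
    return hits


# Constructed stand-in for a compiled sample: filler bytes around the table.
SAMPLE_BINARY = (
    b"\x90" * 37 + table_signature(build_nibble_table(), 4) + b"\xcc" * 16
)

if __name__ == "__main__":
    table = build_nibble_table()
    assert crc16_nibble(b"123456789", table) == crc16_bitwise(b"123456789")
    print("table:", [hex(t) for t in table])
    print("CRC-16/CCITT-FALSE of '123456789':", hex(crc16_nibble(b"123456789", table)))
    print("table located at (offset, width):", find_table(SAMPLE_BINARY, table))
```

A hit from the scanner says only that the author reused this exact table; it is the kind of code-level evidence Stewart describes, not proof of who compiled it. The caveat in the post applies in full: a lookup table is trivially copied, so reuse points to a shared source, and anything a real author can copy, a false-flag author can copy too.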

I had fun hypothesizing about the evil genius of backdoors inside the source code of pirated copies of Windows (take the tin hat off now!), but this argument concludes that someone or some group (PLA?) in the PRC is behind this.  As Mr. Stewart recognizes, this could still be the work of others intent on blaming the Chinese government, but he invokes Occam’s Razor and its classic argument that the simplest explanation is probably the best one.

On the other hand, the counter-argument, along with some compelling evidence, has been raised in this blog piece.

To play the Devil’s Advocate for a moment: say the U.S. government was behind this, to throw suspicion on the PRC for political and economic reasons and to fight back against the “persistent campaign of ‘espionage-by-malware’ emanating from the People’s Republic of China (PRC)”, as Mr. Stewart describes it.  Who would be helping the U.S.?

As I stated before, maybe we’re doing it or maybe others are doing it for us.  If we’re doing it, we’re doing it directly or using inside assets.  If someone else is doing it for us – who?  My money is on the Israelis.  Israel has plenty of sharp coders and the Mossad is quite capable, as recent news has shown.  And, they’ve done this before.  If not Israel, what other nation would be likely to help the U.S.?  England,  Canada or Australia probably.

Then there’s the voice that says, ‘everyone’s doing it, so why worry?’ Sadly, all too true…  Most likely, we’ll never really know the answer.

by Bill Wildprett, Suspicious Minds blog, Copyright 2010


An excellent article in the N.Y. Times on February 18th stated that two Chinese schools, the Shanghai Jiaotong University and the Lanxiang Vocational School, were involved in the recent online attacks against Google and dozens of other U.S. corporations.  These conclusions come from research by various security researchers, the NSA, and U.S. defense contractors.

There are multiple possibilities to consider here, and more detailed information is required before drawing any final conclusions.  On the one hand, it appears to be obvious: yes, it’s the Chinese government/military working with or sponsoring patriotic student hacking activities.

On the other hand, perhaps not.  An important part of the covert intelligence function and process is the dissemination of disinformation for various reasons, be they political, economic, strategic, etc.  As the Times article speculates, this may be a false-flag intelligence operation led by another nation-state.

To do this successfully, you need insiders who work for you and can plant the trail of ‘bread crumbs’ that leads back to the chosen source, or you need outsiders who can co-opt internal resources to make it look like the attacks came from the schools.  For the latter, you’d need to control individual servers or a botnet inside China to carry out the attacks, leaving just enough hard-to-find, incriminating and hard-to-spoof pieces of evidence to support the assertion.

Think about who might do this, why and how?

Image courtesy of scienceblogs.com


If you put the tinfoil conspiracy theory hat on, is it possible that pirated copies of Microsoft Windows could be involved?  That would be almost too perfect.  A completely new twist on the meaning of Trojan Horse!  The news that a previously undiscovered flaw in IE6 was used for the attacks is plausible, but is it probable?  Are we talking undiscovered, or simply unrevealed?

I’m not a forensics expert or CS grad, so I am more than curious about how you’d prove, absolutely, that the attacks came from specific machines, not just IP addresses.  We can’t use the Evil bit to solve this conundrum.

It’s interesting to speculate about all this, and it certainly will be interesting to follow.  Will we ever know the truth, or just read stories?  It’s like an information security version of the Allegory of the Cave.

Later friends!

by Bill Wildprett, Suspicious Minds blog, Copyright 2010


I’ve been following the news about the Google hacks and ‘Operation Aurora’, as McAfee called it, for a while.  There’s a plethora of online articles about this and about why China would do this, which the PRC government denies pro forma.  It’s about nationalistic young Chinese and about PRC government, economic and military strategic interests.

An excellent source of discussion has been The Dark Visitor website, focused on Chinese hackers and also the SecurityMetrics.org mailing list.

From that, I learned the term Advanced Persistent Threat (APT), used by Mandiant and their M-unition blog.  One of the best comments came from Richard Bejtlich’s TaoSecurity blog; Richard explained what APT is and why it is dangerous.

The long and the short of it is that, in this case, the PRC will use any means whatsoever to obtain information to their advantage.  The usual resource constraints of time, money and people simply don’t matter, nor do ethics as we think of them.  Some have stated that these attacks against Google, Adobe, and according to McAfee, 32 other companies in the technology, financial and defense sectors, are only about malware and the quest for money.

In a sense, this argument is correct, but the financial motivation is different.  Yes, it’s about money because money is about power and the ability, long-term, of the PRC government to retain it against the tide of capitalist democracy.  In other words, as long as the PRC leaders can keep growing their economy, their entrepreneurial class makes money,  and the middle-class gets something, they’ll continue to stay in power.  They have a very vested interest in this odd form of trickle-down economics ~ political survival long enough to ensure their continued relevance and Chinese economic dominance sooner than later this century.

So, if it means the theft of intellectual property, commercial secrets, software, whatever from wherever, that is what China will do, and as their leaders see it, must do, if they are to not just catch-up, but succeed.  As the Mandiant M-unition blog puts it:

“No target is too small, or too obscure, or too well-defended. No organization is too large, too well-known, or too vulnerable. It’s not spy-versus-spy espionage. It’s spy-versus-everyone…

…The APT’s goals are twofold:

  • to steal information to achieve economic, political and strategic advantage.
  • to establish and maintain an occupying force in their target’s environment, a force they can call on at any time…”

It used to be French and Russian intelligence organs we worried about, as far as stealing corporate secrets went.  APT is a whole ‘nother ball game, without umpires and a playbook available to one side only.  Expect other nation-state actors to play the same game; it’s similar to the whack-a-mole the West is playing with Iran over nuclear weapons development where they deny everything vehemently while building enrichment centrifuges as quickly as possible.

The 800-lb Dragon has been around for thousands of years and is feeling re-born and contentious.  Witness the lashing-out and dissing of the West at the Copenhagen Climate summit, criticism of U.S. arms sales to Taiwan, the Dalai Lama’s upcoming meeting with President Obama and China’s growing assertiveness in other areas.

Some have commented that criticizing China on this is racist; that opinion is disingenuous and is meant to deflect honest inquiry.  APT isn’t about race; it’s about the means, intentions and long-term motivations of an adversary ~ even one who tries not to seem adversarial, is a key trading partner, owns your debt, etc.

APT, from China and other actors, will not go away.  This is the new reality and we’d all better begin to pay attention and think how to combat it.  That means working to understand the psychology behind it.  APT crosses the domains of information security, economics, psychology, politics, sociology and more.  It is ultimately about the maintenance of power, its true raison d’etre.


Following this story, ShadowServer has an excellent write-up on the self-destructing nature of this botnet.  Interesting pieces of information:

  • The botnet size is around 200,000
  • Most of the compromised machines are in South Korea, although computers in four other countries were used
  • The botnet appeared virtually overnight
  • Compromised machines are set to begin overwriting essential files on their hard drives today, July 10, 2009

Cyberwar, according to the Rand Corporation, is about “disrupting or destroying information and communications systems”.

The term cyberwar has been ballyhooed by the media, although it’s been in use for years along with ‘Netwar’; the latest news from South Korean intelligence organs is that a North Korean Lab 110 was responsible.  If so, previous stories about a North Korean ‘Hacking Academy’ have substance, and with all its connotations, it is disturbing that this happened so quickly and with such specific geographic localization in both origin and targeting.

From a Disaster Recovery/Business Continuity perspective, the advantage of distributed web hosting by providers such as Akamai is significant in mitigating DDoS attacks: the load is spread across many nodes rather than concentrated on one origin server.

From a historical perspective, resilience through distributed nodes is often cited as the original raison d’être of the network that became the ARPANET under DARPA: keeping communications alive after a nuclear attack by spreading the work across many nodes, so that the loss of any one does not bring the whole down.

This may be an early phase of a cyberwar campaign; it is at least an experiment of sorts, complete with the lab cleanup phase.   Pay attention to this story as more information becomes available ~ there will be applicable lessons for multiple perspectives.

Later…


I’ve been following the media interest in the recent and ongoing DDoS attacks against South Korean and U.S. government websites.  The alleged perpetrator is North Korea, but proving it absolutely will be difficult.  The current word is that a 100K node botnet was involved, with computers located in South Korea, China and the U.S.

John Bambenek from the SANS.org Internet Storm Center commented that ISPs and end-users bear partial responsibility for allowing/having un-patched systems, thereby enabling botnets.

While ISPs can do more to filter traffic to end-users, part of the problem on the end-user side in Asia is the prevalence of pirated copies of Windows XP & Vista, on which Windows Update is often disabled or blocked to avoid activation checks, so patches never arrive and the machines stay recruitable.

From the standpoint of information warfare, what might this mean?  A few things to consider as possibilities:

  1. It may or may not be North Korea.  It could easily be the Chinese military using North Korea as a proxy, knowing that we have little leverage against them, and using this attack as a ‘proof-of-concept’ for the future.  Test and refine after analyzing the response.
  2. If it is the Chinese military, what is their motivation other than tactical and strategic preparation?  Given the level of Chinese government ownership of U.S. debt, hurting our economy, for example, by disrupting the power grid, works against their economic interests, unless they deem it necessary in the future.
  3. If it is North Korea, what do they hope to accomplish?  The attacks didn’t take-down either the South Korean or U.S. governments, just a few websites overall.  Simple braggadocio or ‘testing-the-waters‘, like their missile launches and nuclear program?
  4. Could this be an exercise the U.S. government/military commissioned?  This scenario isn’t far-fetched and falls within the realm of FUD.  If your goal is to increase spending on and awareness of information security in government, having a ‘straw man’ somewhere else is useful.  Especially if they are known to be belligerent, rant frequently against us, and their ‘great leader’ appears somewhat psychotic.  A very convenient bogeyman.  The targeted sites were government agency websites including the U.S. Treasury and Federal Trade Commission, while the Pentagon and White House were unaffected.  Make smoke and noise, but no fire.
  5. Botnets are comparatively easy to rent for a specific time and purpose, in this case a DDoS against US. and South Korean government websites.  Conceivably, they may also be virtualized.  Think about cloud-level botnets available on-demand.

The story linked to above says that code is being analyzed by experts and that foreign language-fluent investigators are roaming Internet chat rooms, looking for braggarts.  A strategy I’d expect from anyone running a disinformation campaign would be to plant ‘talkers’ in the appropriate IRC channels; this furthers the straw-man function and lends credence to the intended narrative.

Events may be exactly what they are purported to be, or something else entirely.  As information security professionals, think about the possibilities and motivations of any adversary’s  actions, beyond the obvious and easy answer.

Food for thought, and more to chew on later…

Cheers.


I was quite fortunate to attend this year’s RSA Conference.   I applied for, and was awarded, one of the 24 ISC2.org scholarships to attend, so with that support it was off to San Francisco for the week.

Like my last two years at RSA, what a fabulous experience it is!  If you aren’t a good networker though, it can be intimidating; the size of Moscone Center and the scope of it all are a bit of a head-rush.

I spent my time mostly between the Professional Development and Hacker Techniques sessions, with some time at the Innovation Sandbox, Crypto Commons and Peer2Peer sessions.

At the Innovation Sandbox, I ran into Dr. Hugh Thompson before his whiteboard session.  Hugh has opened the closing keynotes the past few years with his hilarious and informative ‘The Hugh Thompson Show’.  After the IS presentations by innovative new companies, I saw him again and chatted him up.  We agreed to get together later in the week and cognate together, visit, hang, etc.  Hugh was very gracious and gave me an hour of his time, sharing career growth insights, humorous anecdotes, and some ‘wisdom of the ages’.  We also LinkedIn.

I also ran into some of the local Seattle area security folks, which was cool, including David Matthews (City of Seattle), Frank Simorjay (Microsoft), and Dan Kaminsky from IOActive.

My favorite session presentation was Ed Skoudis and Johannes Ullrich’s ‘The Seven Most Dangerous New Attack Techniques, and What’s Coming Next’: Pass-the-Hash, super-flexible pivoting, wireless from a compromised client into the corporate network, problems with SSL, and VoIP systems, among others.  I can’t wait to listen to the session recordings, because it was SRO in the room and hard to take notes from the balcony…

I ran into Ed again at the CodeBreakers Bash and we chatted for a bit.  He’s always very approachable and open.  In 2004, I took his Incident Handling and Hacker Techniques course from the SANS Institute and loved it.

I spent some good time cruising the exhibition floor during lunchtime, vast and crowded.  The swag was tempting, but too much to tote back, so ‘travel lightly’ is always good advice at trade shows…  I did visit with some nice recruiters and focused a bit on GRC software vendors.

The first full day of the conference, it was 93 degrees Fahrenheit outside!  To quote from ‘Young Frankenstein’, that’s ‘Abby-Normal’ for S.F. in April.

Some have said that this year, RSA lacked sustenance.  I enjoyed it though.  The opening keynotes were a bit humdrum compared to past years, except for the Cryptographers’ Panel and Lieutenant General Keith B. Alexander from the NSA.  Melissa Hathaway on Wednesday looked at her notes and talked to us like we were members of the Press Corps; the general reaction I heard was, ‘Lady, we’re smart security geeks, not journalists.  We don’t need to know that the Administration has been planning to do stuff, just tell US what it is!’  Yawners.

James Bamford’s talk on the NSA was very good.

The opening number rocked!

NB – open the keynote webcast page, then select Opening Ceremony, View Video Webcast, Opening Ceremony Performance
