Slashdot Mirror


Sophisticated, Targeted Breakins Uncovered

Ichabod writes "Sophisticated computer criminals stole data from Unisys, Booz Allen, L-3 Communications, Hewlett Packard, and Hughes Network Systems. It sounds like they used a combination of social hacking and undetected low-profile malware (reportedly NTOS.exe) to steal and encrypt sensitive data, and compromised Yahoo accounts to store and retrieve it. An international investigation appears imminent. And yes, unfortunately Reuters calls the criminals 'hackers,' further besmirching the once-revered title."

22 of 204 comments

  1. Another day another break-in by Anonymous Coward · · Score: 3, Insightful

    Security is only as good as its implementation. These articles seem to get the same responses every time. I would love to see /. act like a think-tank sometime and really come up with some solutions.

    1. Re:Another day another break-in by ringfinger · · Score: 4, Insightful
      According to the article, they used social engineering by "seducing employees with fake job-listings". This is interesting because it targets those employees that are most disgruntled. Offer them a chance at another job and they'll give you a username/password that probably is the same one they're using to access the corporate account system.


      I agree, we should somehow pool our collective knowledge and accumulate it somewhere. There's an idea for /. to pull it back up on par with digg.

  2. The only thing I find strange.. by i8myh8 · · Score: 5, Funny

    ..is that they'd use Yahoo! Mail to retrieve the data. Gmail offers more space. Hrm. Poorly researched.

    1. Re:The only thing I find strange.. by jojoba_oil · · Score: 5, Insightful

      Actually, the so-called hackers thought that "Do No Evil" was a command to those using Google's services. As such they went elsewhere.

      In all seriousness, I'd be willing to bet that they used compromised Yahoo! accounts for a few reasons: yahoo users are generally less computer-savvy (read: easier to compromise), they probably use gmail accounts themselves so they didn't want to draw attention there, and google has been rumored before to keep e-mails even after being deleted from the account.

  3. frequency by HomelessInLaJolla · · Score: 3, Insightful

    The article is rather light on details. My first thought is to wonder how, after all this time, they finally managed to figure out that their systems were compromised.

    My second thought is to wonder if it's even true or if this is just spin-hype for Trend.

    My third thought is to objectively note that this is probably not an isolated incident. If this particular incident is this big then, in all likelihood, there are hundreds or even thousands of other compromised systems which haven't been diagnosed.

    My fourth thought is "Haha!"

    --
    the NPG electrode was replaced with carbon blac
    1. Re:frequency by pegr · · Score: 5, Informative

      You want details? This trojan appears to be a variant of this nasty little bugger. (Warning: pdf). The link is to a detailed technical report on how it works, what it does, and how to decrypt data it encrypted. It was authored by Secure Science Corporation back in November of 2006.

  4. Give it up by IndustrialComplex · · Score: 4, Insightful

    I don't think you have to worry about the term 'hacker' being besmirched any more. It, like several other terms have entered the mainstream vernacular. If you really care about the terminology that much, invent a new term for what was the original 'hacking'. It is far too late to close the barn door on the hacker misconception.

    --
    Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
    1. Re:Give it up by Jack+Pallance · · Score: 4, Funny
      I guess you could say, this issue needs more than a "Band-Aid" for a solution.

      Get it?

      Band-Aid!!

      (OK, It was a term that used to be used exclusively to mean a specific brand, but has now changed its meaning over time to mean something broader. I don't know why I even try with you people...)

  5. DoT is on the list.. by dotpavan · · Score: 3, Funny

    and "A Department of Transportation spokeswoman said the agency couldn't find any indication of a security breach." awesome!

  6. "to steal and encrypt sensitive data" by InvisblePinkUnicorn · · Score: 5, Funny

    See, hackers get a bad rap. These folks were kind enough to encrypt the sensitive data they found, so that no outside parties could get a look at personal records.

  7. If you have a problem with the term hacker by pembo13 · · Score: 3, Informative

    contact the editors about it politely.

    --
    "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
  8. Social engineering by athloi · · Score: 3, Informative

    At least in the old days, we used to call it "social engineering" and hacking meant any kind of programming outside the obvious. That included getting machines to fork over security credentials, but that meaning was a subset of the broader term, which meant both a cheesy quick fix ("what a hack!") and a dancelike circumnavigation of inherent limitations to produce a semi-elegant but sturdy fix ("kernel hackers drink coffee black").

  9. Better writeup at WaPo by wiredog · · Score: 4, Informative
  10. Re:No, it was never that way by sconeu · · Score: 4, Informative

    Yes. See the Jargon file. The term "hacker" has a long and distinguished history, before it was hijacked by the asshats who are "crackers".

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  11. Don't use windows on Secure networks. by LWATCDR · · Score: 3, Informative

    I know the pro windows crowd will jump up and down but I hope they will hear me out.
    1. Windows is the most popular OS on the planet. Just for the sheer number of systems, it is the most hacked.
    2. Windows is harder to lock down than most other OSs. That is often because software expects to be running with admin rights.

    I am trying to figure out how no one noticed these programs trying to make connections to the outside world. My guess is that they were not expecting a Trojan. Heck, we got hit by a worm at my office. It didn't get through our firewall at all. Somebody brought a notebook in and connected it to our network.
    It only infected three machines but it was a good cheap lesson for us.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  12. Not Sophisticated At All by neoshroom · · Score: 3, Insightful

    "What is most worrying is that this particular sample of malware wasn't recognized by existing antivirus software. It was able to slip through enterprise defenses," said Yankee Group security analyst Andrew Jaquith, who learned of the breach from Morris. "This is a serious threat. It shows how sophisticated hackers have become," Haro said.

    This is not sophistication.

    1. Take any virus/trojan that is recognized by antivirus software.
    2. Put it through an executable compression package to make its code vary from what it used to be on the hard drive or in memory.
    3. Voila! Your malware is now stealthed from any antivirus program.

    Either that was rather simple or I am a seriously dangerous hacker.

    --
    Big apple, new Yorik, undig it, something's unrotting in Edenmark.
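    A defender-side check tied to the point above, added here and not part of the thread: a packer hides a known sample from signature matching, but the compressed or encrypted payload it wraps shows up as high-entropy regions of the file, which a simple entropy sweep can flag for an analyst. The window size, threshold and both byte samples are assumptions constructed for this example, not real binaries or published figures.

```python
import hashlib
import math
from collections import Counter

# Windows whose entropy exceeds this (max is 8.0 bits/byte) are typical of
# compressed or encrypted content; plain machine code and strings sit lower.
# Assumed values for this example, not published detection thresholds.
PACKED_THRESHOLD = 7.0
WINDOW = 1024

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total)
                for c in Counter(data).values())

def high_entropy_ratio(data: bytes, window: int = WINDOW,
                       threshold: float = PACKED_THRESHOLD) -> float:
    """Fraction of full fixed-size windows whose entropy exceeds threshold."""
    windows = [data[i:i + window] for i in range(0, len(data) - window + 1, window)]
    if not windows:
        return 0.0
    hot = sum(1 for w in windows if shannon_entropy(w) > threshold)
    return hot / len(windows)

def looks_packed(data: bytes, min_ratio: float = 0.8) -> bool:
    """Heuristic: most of the file is high-entropy, as a packed payload would be."""
    return high_entropy_ratio(data) >= min_ratio

# Constructed sample standing in for an unpacked binary: repetitive
# x86-like bytes, NOP padding and an import name string (low entropy).
SAMPLE_PLAIN = (b"\x55\x89\xe5\x83\xec\x10" + b"\x90" * 10
                + b"GetProcAddress\0") * 300

def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes (chained SHA-256), so the sample is
    reproducible offline; stands in for a compressed/encrypted payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

# Constructed sample standing in for the same code after packing.
SAMPLE_PACKED = _pseudo_random(len(SAMPLE_PLAIN))
```

    On a real file the same sweep is run over the on-disk image; a high ratio is a triage signal for an analyst, not a verdict, since installers and media-carrying executables are legitimately high-entropy too.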
  13. From Webster by Shihar · · Score: 4, Insightful

    Main Entry: hacker
    Pronunciation: 'ha-k&r
    Function: noun
    1 : one that hacks
    2 : a person who is inexperienced or unskilled at a particular activity
    3 : an expert at programming and solving problems with a computer
    4 : a person who illegally gains access to and sometimes tampers with information in a computer system

    I am pretty damn sure that the thieves in question meet both #3 and #4, hence they are 'hackers'. I probably would not waste time bothering Reuters by complaining that not all hackers are evil. They used the word correctly.

  14. Everybody's happy! by ingo23 · · Score: 3, Funny
    From the article:

    A Department of Transportation spokeswoman said the agency couldn't find any indication of a security breach.

    See, it's a win-win situation - the criminals did everything smoothly without leaving a trace, and at DoT it looks like nothing happened!

  15. Use of "hacker" by Matt+Perry · · Score: 4, Insightful

    Reuters calls the criminals 'hackers,' further besmirching the once-revered title.
    Get over it. Seriously. This romanticism for some obscure meaning of a word being understood by the general public is really getting tiresome. Words can have multiple meanings depending on the context and hacker is no different. We just have to live with it. There's no way to change the meaning of the word in the public consciousness without some type of huge marketing campaign. Saying you are a Perl hacker is going to be interpreted the way you want by the audience you are targeting with that phrase. If someone thinks you are breaking the security of Perl then they probably don't know what Perl is and aren't the audience for your use of that word. Likewise, when I talk about forking and killing children I'm not talking about murdering babies (contrary to what the marketing woman thought, whose office was near my cube, when she reported me and my co-worker to HR 10 years ago).
    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  16. Re:No, it was never that way by fenodyree · · Score: 3, Funny

    Asshats!

    Now there is a title. Hackers gone, White Hat never made it. Enter Asshat.
    Today I asshatted a Big Corp's main server, so I emailed their admin to fix the hole. I am such an Asshat.

  17. Re:wow by cecille · · Score: 3, Insightful

    Gah, not to get into a huge flame war here, but I seriously don't understand why there's this association of liking/using windows and being some kind of computer moron.

    Let me put it right out in the open here - I like and use Windows. In fact, I'd wager that a large number of /. people do, and either downplay it or deny it. Now I'm not saying that unix type OS's don't have their place - I use solaris and linux at work for coding and my servers generally run openBSD. BUT I want my personal box to be as easy and hassle free as possible so I run windows and only windows. I don't consider myself to be a windows victim and it's not a choice I made just because that's what came with the box. Say what you want about bloatware, but it's nice to buy a piece of hardware and have it just work. It's nice to install a program without having to recompile the kernel. It's nice to have a box I can actually buy decent games for. And no...I haven't reinstalled every two weeks since I bought it and yes, it is still working and not overflowing with disease and spyware.

    Look, I'm not trying to defend every aspect of the OS - clearly there are some issues. But as I get older and more impatient, I'm starting to see windows as the more attractive option simply because there are some things that they got very, very right. Namely the fact that they put so much emphasis on usability.

    Anyway, my long winded point is that not all windows users are stupid or just stumbled upon windows by accident. I know it's fun to bash things senselessly, but let's grab a little perspective here. Windows is not the devil, it's just not perfect. Nothing is.

    --
    ...no two people are not on fire.
  18. Re:Already known. Just not implemented. by Kadin2048 · · Score: 3, Insightful

    The problem is that this, like most other effective security schemes, is expensive.

    Companies won't implement more security than is cost-effective. Their decision making process is going to be driven directly by the perceived odds of being broken-into, times the cost of a possible breakin. They're not going to spend more money than that.

    I doubt there are really going to be any serious (multi-million or -billion dollar) consequences for any of the companies involved. Maybe a few people will get fired and some new procedures will get written into some document that nobody reads, but there's not going to be a major bloodletting. (These companies run the government, in the most literal sense.)

    When you see a F500 company absolutely taken to the cleaners -- totally bankrupted -- due to an IT-security mishap, then you'll see real security implemented. But until then it's just going to be a lot of after-the-fact patching-up and good ol' "security theater." And a lot of blaming the messenger. That's always cheap.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."