Slashdot Mirror


Aurora Attack — Resistance Is Futile, Pretty Much

eldavojohn writes "Do you have branch offices in China? iSec has published a new report (PDF) outlining the severity of the attacks on Google.cn, allegedly by the Chinese government, dubbed 'Aurora' attacks. Up to 100 companies were victims, and some are speculating that resistance to such attacks is futile. The report lays out the shape of the attacks — which were customized per-company based on installed vulnerable software and antivirus protection: '1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website. 2. This website uses a browser vulnerability to load custom malware on the initial victim's machine. 3. The malware calls out to a control server, likely identified by a dynamic DNS address. 4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials. 5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite. 6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server. 7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.' The report also has pages of recommendations as well as lessons learned, which any systems administrator — even those inside the US — should read and take note of."

268 comments

  1. Who clicked on the PDF? by symbolset · · Score: 5, Insightful

    Major attack vector: Acrobat Reader. Security company publishes intrusion analysis in pdf format. If you clicked it, you may be part of the problem.

    --
    Help stamp out iliturcy.
    1. Re:Who clicked on the PDF? by Anonymous Coward · · Score: 2, Funny

      Target corporation: Unemployed geeks in their mothers' basements.

      Damn. This attack is going to wipe the IT industry out...

    2. Re:Who clicked on the PDF? by biryokumaru · · Score: 5, Informative

      Major attack preventer: Google docs PDF reader.

      --
      When you're afraid to download music illegally in your own home, then the terrorists have won!
    3. Re:Who clicked on the PDF? by EvanED · · Score: 2, Informative

      Major attack vector: Acrobat Reader. Security company publishes intrusion analysis in pdf format. If you clicked it, you may be part of the problem.

      This is Slashdot. Who clicks on the article links?

      On a serious note, the Link Alert extension for Firefox will put an icon following links that go to a PDF file. (I know that the /. editors kindly put "(PDF)" after it, but to be honest I tuned it out, and if I felt like reading TFA would have just clicked.)

    4. Re:Who clicked on the PDF? by PsychoSlashDot · · Score: 5, Insightful

      Absolutely. It's kind of funny because it was over five years ago that Microsoft "got it" and started reducing the attack surface in their operating systems. Non-essential services were disabled by default for instance.

      Now, in 2010 the web experience "requires" a browser, Flash, Adobe Reader, Java run-time, and potentially a slew of other plug-ins. Everything from WinZip to the Google Toolbar has a service running in the background to update it periodically, and there's a push for unrelated shit to be bundled with what we try to install. Download managers are becoming increasingly the norm, with Adobe burying their direct link to Reader and Flash one link further from the "Click Here to Download" link the same week they patched an exploit in it.

      We need to re-think how we compute. Less is more. Pick a standard such as HTML5 and stick to it. No plugins. (Beyond page-agnostic browser functionality add-ons like Ad-Block Plus.) No background services, no download managers, no web-extending formats. If a stock browser less than three years old can't render it, it isn't the web. If it isn't the web, we don't code for it. JPG, PNG, and a handful of standardized other formats can be direct linked-to.

      That's not the panacea... it won't solve it all. But going the way we're going is the wrong direction. Let's try less crap on our machines that might be vulnerable.

      --
      "Oh no... he found the .sig setting."
    5. Re:Who clicked on the PDF? by Anonymous Coward · · Score: 0

      MS has yet to seriously get it. IE with all patches STILL GETS OWNED without the user needing to click on anything. Just load up an attack page and poof.

    6. Re:Who clicked on the PDF? by symbolset · · Score: 1

      It's kind of funny because it was over five years ago that Microsoft "got it" and started reducing the attack surface in their operating systems.

      Practicing your monologue on Slashdot, Jay? You know normal people aren't going to get this joke.

      Non-essential services were disabled by default for instance.

      Stop it! You're killing me!

      --
      Help stamp out iliturcy.
    7. Re:Who clicked on the PDF? by Anonymous Coward · · Score: 1, Informative

      Please provide evidence. Not in the form of an attack page, obviously, but a cite.

    8. Re:Who clicked on the PDF? by adolf · · Score: 1

      You left out GIF. The patents are expired, and it is a free standard.

      [Yes, I know that PNG does the same things as GIF, only better. Except, that it can't do animations. And simple animations, though often annoying, can be very useful, especially in a world like you suggest in which Flash does not exist. See? And though HTML5 + Ogg Theora fills some of the gap, lossy compression like that sucks for technical drawings, whereas lossless formats can do very well. Of course, there's MNG, which is similar to PNG but with animations in mind...which is cool and all, except nobody uses it.)

    9. Re:Who clicked on the PDF? by Anonymous Coward · · Score: 0

      I'd go further. We need a new paradigm in computing.

      We assume the CPU is safe. We assume the OS is safe. We assume installed software is safe.

      Why do we carry on with those assumptions, when they are plainly false. Why not design and engineer future CPU's, OS's and software assuming they are unsafe?

    10. Re:Who clicked on the PDF? by fast+turtle · · Score: 0, Offtopic

      They're already working on it. It's called Palladium (Trusted Computing Platform). In other words: it's WebTV all over again.

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    11. Re:Who clicked on the PDF? by Anonymous Coward · · Score: 1, Interesting

      I don't have a service for every thing I've installed to update it, because, like any decent OS, the system package manager handles all that in one central, elegant, secure, and user-friendly system called 'apt'.

      Practice safe computing. Use a 'buntu.

    12. Re:Who clicked on the PDF? by Adriax · · Score: 1

      We're averaging about 2 a week so far this year at work, mostly vundo but some koobface and others just identified as generic trojans. I have verified via their histories that the only pages visited were major news, weather, and portal sites (fox news, msn, cnn, weather.com, they skim the articles without heading off to other sites).
      350-person government office with all Microsoft updates pushed to clients after a 1-week research period, and Symantec with the latest definitions enforced on all clients via login scripts.

      Unfortunately for us we are forced to use IE for a couple required pages, though I am working on getting a suitable deployment of firefox ready with IEtab and adblock plus preinstalled.

      --
      I don't suffer from insanity, I enjoy every minute of it!
    13. Re:Who clicked on the PDF? by Machtyn · · Score: 1

      What about PDFXViewer? Besides being highly convenient for editing PDF docs, could it also be a way to prevent hijacks? (I don't know, I'm asking.)

    14. Re:Who clicked on the PDF? by dynamo52 · · Score: 1

      Not planning on staying current? I ask because IE tab is no longer supported.

      --
      Like this comment? I accept Bitcoin! - 153sc8UUBXyp12ofQqfAWDmJrzyiKCYC1x
    15. Re:Who clicked on the PDF? by Anonymous Coward · · Score: 0

      Major attack preventer: Google docs PDF reader.

      I may be putting a big foot in my mouth but here's the question: If you preview it using the Google reader as suggested, aren't you still loading that into memory? Isn't that simply making it harder to gain access to the machine in question? What about using a different viewer altogether like Foxit/Adobe/etc.? Is the security risk the PDF or the software that's running it? I'd also be curious to know the effectiveness of these PDF attacks on Linux hosts.

      Although not feasible for the work environment (or is it?) there are probably many users out there who now surf through virtual machines. It makes me wonder if perhaps we'll see locked down user terminals with virtual machines configured for personal use.

      I'm in no way affiliated to any of those companies, I'm just curious: Are PDFs truly the security risk the parent made them out to be? Thanks ahead of time for helping to shed some light on the subject.

      S.

    16. Re:Who clicked on the PDF? by GigaplexNZ · · Score: 1

      If a stock browser less than three years old can't render it, it isn't the web. If it isn't the web, we don't code for it.

      That sounds a bit like a chicken and the egg problem. If we don't currently support it, we won't ever support it.

    17. Re:Who clicked on the PDF? by Korin43 · · Score: 1

      There's always APNG. It's only supported by Firefox and Opera, but if someone put it in Webkit it could be useful.

    18. Re:Who clicked on the PDF? by Lorens · · Score: 1

      Look at capability operating systems like CapROS, interfaces like CapDesk or plash, or the Polaris system newly released by HP (haven't had the time to look at it yet). Basically, in a capability system, every single process is sandboxed in an intuitive way. You the user have big rights, but you do not by default delegate those rights to a program when you launch a program. By default you only want to give it some RAM, a window to communicate with you, and probably a read-only or a read-write version of a file - so that's what the process gets as parameters. No blocks as such, just no system calls available other than read/write to parameter n.

    19. Re:Who clicked on the PDF? by Anonymous Coward · · Score: 0

      Because in Windows you can't run HijackThis and clean the crap in like 30 seconds? Or use Tea Timer (fuck if it's bloated lately) to stop any installer from hooking into the start-up? I mean, I use Mandriva almost every day and I enjoy the experience, but there's tools to not get owned by crap on Windows. Lucky you that don't have to use any Adobe CS; try to install any CS from CS2 and up and experience TEH EPIC BLOATZ. Tea Timer saves the day at install time. BTW *buntu is crap, use a real distro.

      I think your post proves that an incompetent Windows user can be an incompetent Linux user.

    20. Re:Who clicked on the PDF? by DocHoncho · · Score: 1

      Ah hahahaha hahaha aHhaa**cough**ahahhahaa

      And you know what else we need? A pony. Lots of ponies.

      --
      Celebrity worship is a poor substitute for Deity worship and costs more to boot.
    21. Re:Who clicked on the PDF? by c-reus · · Score: 1

      yeah, let's put DRM in CPU, OS and in installed software! It's the only way to be sure.
      </sarcasm>

    22. Re:Who clicked on the PDF? by Anonymous Coward · · Score: 0

      That is easily fixed - as a user just enable Flash, Java, etc. "on demand". Most web sites I frequent (mostly news, etc.) work just fine without.
      Now, we can't expect that from all users out there. However, Google should expect that from their employees. After all, they are supposed to be the best and brightest, no?

    23. Re:Who clicked on the PDF? by Mattsson · · Score: 1

      A major infection-vector for Vundo is MSN Messenger (Or Live, or whatever MS has renamed it to recently) and other IM-applications.
      If you allow your users to use such applications, you might consider withdrawing that privilege if Vundo is a regular problem.

      --
      /.Mattsson - My native language is not English, so please don't whine over linguistic errors. (That's lame anyway...)
    24. Re:Who clicked on the PDF? by AndGodSed · · Score: 1

      UH, to visit an attack page you still need to click on something.

    25. Re:Who clicked on the PDF? by Anonymous Coward · · Score: 0

      No background services[...]
      -> if you take off all the useless shit working in background you'd then have a hard time justifying why anyone still needs to buy a 3GHz Dual-Core with 4Gigs of RAM for the basic desktop use (browsing / word & spreadsheet processing)...

    26. Re:Who clicked on the PDF? by AndGodSed · · Score: 1

      I think your post proves that an incompetent Windows user can be an incompetent Linux user.

      I second this part. The main point of failure with computer security is the user, and the main point of failure with the user is lack of training, or unwillingness to apply common sense when behind the keyboard. Hands up all of you who have had at least one user who insisted on clicking links or running every funny program or opening every bloody email attachment or (god forbid, but it happens) have sent money to that Nigerian prince or even "updated" their banking details on that site in that link.

      You can make the system as safe as possible, but the point of failure will need to be addressed and I submit that is nearly impossible, if not entirely impossible.

    27. Re:Who clicked on the PDF? by Anonymous Coward · · Score: 0

      Totally agree, Adobe should be focusing on security rather than so many features. I mean if I want to have a meeting and present a document, I'll do it though the video conference software that already has this option.

      Flash should be secure, and it's constantly showing me that it is not. I know you can get Flash blockers, so you have the option to run (at least). Why not offer a cut-down Flash version that only allows you to play movies and has no vulnerabilities?

    28. Re:Who clicked on the PDF? by LukePH · · Score: 1

      What about APNG, also not very well supported (yet?), but much more so than MNG. Yeah, I know it's also basically unusable because of the lack of support, but just had to mention it.

    29. Re:Who clicked on the PDF? by hey! · · Score: 2, Interesting

      I disagree. What we need to do is compartmentalize.

      Why do you have to use the same system to browse the corporate intranet over VPN and handle personal web browsing? Each of these activities should take place on a different virtual machine on a different virtual network. Then you watch the virtual/host interfaces like a hawk.

      This is not an airtight strategy -- there is no such thing. What it does is buys time and spreads the footprint of the attack.

      It's not entirely convenient. But you can focus your security attention on mechanisms you use to move data between different security universes.
      Companies seriously interested in security also really need a solid cryptographic infrastructure, including two factor security with a hardware component, and revocable trust. That's not convenient either.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    30. Re:Who clicked on the PDF? by Anonymous Coward · · Score: 0

      JavaScript + [ SVG | PNG ] already cover simple animations fairly well. This has been known for a while.

    31. Re:Who clicked on the PDF? by Anonymous Coward · · Score: 0

      Major attack vector: Internet Explorer. Security company publishes intrusion analysis in HTML format. If you clicked it, you may be part of the problem.

      Formats (especially open standards) and applications are not the same thing.

    32. Re:Who clicked on the PDF? by GameboyRMH · · Score: 1

      PDF exploits attack vulnerabilities in Adobe Reader. You'll be safe with another non-vulnerability-laden PDF reader like Foxit, evince, etc. Later versions of Ubuntu (Karmic and I think Jaunty) even come with an AppArmor profile for evince.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    33. Re:Who clicked on the PDF? by GameboyRMH · · Score: 1

      Plus using Adobe Reader is even worse than using IE these days, from a security standpoint. Adobe Reader, Flash and IE are the top infection vectors right now. Using an alternative browser with something to block flash content from loading willy-nilly, (Firefox w/ Flashblock for example), and an alternative PDF reader is the very least you can do to keep a Windows machine from becoming a virus farm.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    34. Re:Who clicked on the PDF? by GameboyRMH · · Score: 1

      Are you sure they're not infecting via a Flash exploit? Those work in Firefox too. Oh and they're coming through the ads (and require no user action), that's how users pick them up without going anywhere suspicious.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    35. Re:Who clicked on the PDF? by Blakey+Rat · · Score: 1

      Now, in 2010 the web experience "requires" a browser, Flash, Adobe Reader, Java run-time,

      In what strange alternate reality does the web require Java in 2010?

      Is Bill Joy President of the United States in your reality?

    36. Re:Who clicked on the PDF? by fysdt · · Score: 1

      Sounds like advertising to me.. :)

      1. Google gets attacked
      2. Switch to Google Docs for reading PDF's
      3. ...
      4. PROFIT!?

    37. Re:Who clicked on the PDF? by PsychoSlashDot · · Score: 1

      Now, in 2010 the web experience "requires" a browser, Flash, Adobe Reader, Java run-time,

      In what strange alternate reality does the web require Java in 2010?

      Is Bill Joy President of the United States in your reality?

      There are plenty of "web apps" that are actually Java apps, or Java that runs in the middle of a web page. I've got customers in multiple different demographics that have these. Most of them tend to be hosted internally on their Intranet but the point remains. "The web" is the web, be it inside the firewall or out.

      Ad hominem much?

      --
      "Oh no... he found the .sig setting."
  2. Sounds like resistance is easy. by Kludge · · Score: 3, Insightful

    Just don't use MS Windows.

    1. Re:Sounds like resistance is easy. by Wingman+5 · · Score: 5, Insightful

      Yeah, because there is no way to get rootkited or hit by other vulnerabilities on a Linux system.

      Hey, I wonder where the term "rootkit" originated?

    2. Re:Sounds like resistance is easy. by sopssa · · Score: 4, Insightful

      This is especially true because these are highly targeted attacks. Unlike other malware, these don't go where the majority of users are - they go against what the target company is using and have a reason to spend the extra time on it.

    3. Re:Sounds like resistance is easy. by MichaelSmith · · Score: 2, Insightful

      the best practices corporate IT departments have been following for years are ineffective against the attacks

      Well obviously. Antivirus protects against old, common vectors. But if a company ran (say) ubuntu or (more likely) macos an attacker could still craft an attack against them, as long as they had information on the systems being used.

    4. Re:Sounds like resistance is easy. by Anonymous Coward · · Score: 0

      Because there are tons of other options when developing a corporate network.

    5. Re:Sounds like resistance is easy. by MichaelSmith · · Score: 1

      But it sounds like the attackers were able to make assumptions about the target information systems by using knowledge of standard IS practices. Avoiding those practices may introduce a handy layer of obscurity.

      Insisting on crypto all the way to the clients may help as well.

    6. Re:Sounds like resistance is easy. by bersl2 · · Score: 3, Insightful

      Don't think of it as obscurity. Think of it more as diversity.

    7. Re:Sounds like resistance is easy. by Runaway1956 · · Score: 1

      Yes, BUT - what are the primary vectors again? Adobe stands head and shoulders above the crowd of other vectors. What Adobe do you find on the average *nix machine? Of my machines, two have Adobe Flash - the others have Gnash. Given just a little more motivation to move away from Adobe completely, I would rip their Flash programs out of the two machines that run it now.

      Admittedly, Adobe runs in some places that Gnash doesn't do so well on - but do I really NEED flash to watch something on Youtube? Of course not. I can download the video, convert it, and watch it in VLC, Mplayer, or any number of other applications - none of which have been shown to be serious attack vectors.

      Go ahead - root me. What are you waiting for? You want the details of my operating system? HA! I'm not that easy to social engineer!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    8. Re:Sounds like resistance is easy. by sumdumass · · Score: 0

      I'm not sure there is a situation of a Linux web browser vulnerability that allows malicious websites to install software that will allow the attacker to gain access and escalate privileges.

      Sure, rootkits are a real threat, but the ease of this operation wouldn't have been there, would it? I mean if all I have to do to get a foot in the door is to create a malicious website and provoke someone into visiting it, it's a little easier than gaining access to the machines in the first place and installing software undetected.

      Of course all this goes out the window if they tricked someone into opening an email attachment saying "I love you" or something. Well, MS has even fixed that problem, but you get the general idea: trick the user into running a program of some sort. However, most Linux servers do not run users in the traditional sense... Maybe I'm just naive or something, but it doesn't seem as easy with Linux, and the "futile" part would not have been mentioned without Windows Server being part of the mix.

    9. Re:Sounds like resistance is easy. by Anonymous Coward · · Score: 0

      Yes, there is a tendency here toward self congratulation. From what little I understand about these attacks, if linux variants had been major targets, they probably would have been taken down as well. These guys are pros. We don't get hit so much because we are a smaller target. (With tongue in cheek) we should be grateful to Redmond for being such nasty ghouls - if they weren't, we'd have a lot more trouble than we do.

    10. Re:Sounds like resistance is easy. by Anonymous Coward · · Score: 0

      No, you're wrong, it all started with the Zuse Z3 back in 1941 Germany :P

    11. Re:Sounds like resistance is easy. by Wingman+5 · · Score: 2, Insightful

      Go ahead - root me. What are you waiting for? You want the details of my operating system? HA! I'm not that easy to social engineer!

      That's why I don't root you, I root your receptionist to get the proverbial foot in the door. "Hi, this is John from IT, we found a virus on your workstation. I just emailed you the program to remove it, just open it and it will solve the issue."

    12. Re:Sounds like resistance is easy. by phantomfive · · Score: 2, Informative

      You do realize that the existence of a rootkit for a system in no way implies a vulnerability for a system, right? A rootkit isn't something that 'grants you root', it's a tool to help you hide your tracks once you are already root. Wikipedia has a good page about it.

      That said, the easiest way to get your linux box rooted (do you see the difference between getting your box rooted and a rootkit?) is to use a weak ssh password. I don't know how common privilege escalation vulnerabilities are, but I've seen them work in the past.

      --
      Qxe4
    13. Re:Sounds like resistance is easy. by grcumb · · Score: 1

      [I]f a company ran (say) ubuntu or (more likely) macos an attacker could still craft an attack against them, as long as they had information on the systems being used.

      Agreed. These guys know what they're about, and they're willing to invest patience and resources in their attacks.

      That said, reducing the number of attack vectors is a useful and productive exercise. As Schneier loves to point out, the real goal of the security process is to make breaking in cost more than it's worth to the attacker. In this particular case, that puts the cost pretty high indeed. But choosing a more secure OS and simplifying the exposed systems would help a lot.

      The next step would be to reduce the reward derived from a successful attack: a strong auditing process.

      This is rarely considered, except in high-security scenarios, but really, the only really viable defense against this kind of assault is to recognise when you're being attacked (most companies probably never did) and then to take steps to reduce its effectiveness. You'd need to watch who's talking to whom, and who's accessing what data. The cost in man-hours would be significant, but the alternative is to accept that before long there's going to be a Chinese knock-off of your product on the market, competing with yours at a fraction of the price.

      The final step is the least likely: Actively counter-attack. Infiltrate and/or disable the attacker's machines, feed them false information (costing them money as they try to track the source of the failure), and even use official channels (as Google has done) to try to slow them down or take greater pains to conceal themselves.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
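The post above argues that the only viable defence is to recognise when you are being attacked, by watching who is talking to whom and who is creating accounts. The summary at the top names two observable points in the reported attack chain: the malware calling out to a control server at a dynamic DNS name (step 3) and a fake user appearing on the VPN server (step 6). The script below is an added example, not code from the iSec report or from any poster in this thread, that runs simple detection logic over constructed DNS and VPN audit lines. The log formats, the dynamic-DNS suffix list and every host, user and domain name in it are assumptions made up for the illustration; a real deployment would feed it the resolver and VPN logs of the site and its own list of approved account administrators.

```python
"""Detection sketch for two Aurora-style observables: repeated dynamic-DNS
lookups from one workstation, and VPN accounts created by an unapproved actor.
Added example; the log formats and sample lines are constructed, not real."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumption: a site-maintained list of dynamic DNS provider suffixes.
DYNDNS_SUFFIXES = ("dyndns.example", "no-ip.example")

# Constructed line formats: "<iso-timestamp> <host> query <qname>"
DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) query (?P<qname>\S+)$")
# and "<iso-timestamp> vpn <event> <user> by <actor>"
VPN_LINE = re.compile(r"^(?P<ts>\S+) vpn (?P<event>\w+) (?P<user>\S+) by (?P<actor>\S+)$")

# Constructed sample data: one workstation beacons every 5 minutes to a
# dynamic DNS name; another does a single, probably harmless, lookup.
SAMPLE_DNS_LOG = [
    "2010-01-12T09:00:01 ws-beijing-17 query www.example.com",
    "2010-01-12T09:00:05 ws-beijing-17 query c2-updater.dyndns.example",
    "2010-01-12T09:05:05 ws-beijing-17 query c2-updater.dyndns.example",
    "2010-01-12T09:10:05 ws-beijing-17 query c2-updater.dyndns.example",
    "2010-01-12T09:11:00 ws-hq-03 query mail.example.com",
    "2010-01-12T09:12:00 ws-hq-03 query photos.no-ip.example",
]
SAMPLE_VPN_LOG = [
    "2010-01-12T10:00:00 vpn login alice by alice",
    "2010-01-12T10:02:00 vpn user_add svc-backup2 by jdoe-admin",
    "2010-01-12T10:03:00 vpn login svc-backup2 by svc-backup2",
    "2010-01-12T11:00:00 vpn user_add newhire by helpdesk",
]


@dataclass
class Callout:
    host: str
    qname: str
    count: int
    periodic: bool  # evenly spaced lookups look like a beacon, not a person


def is_dyndns(qname, suffixes=DYNDNS_SUFFIXES):
    """True if qname is, or sits under, one of the dynamic DNS suffixes."""
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in suffixes)


def dyndns_callouts(lines, suffixes=DYNDNS_SUFFIXES, min_count=2, jitter_s=5):
    """Group dynamic-DNS lookups per (host, name) and keep the repeated ones.

    A one-off lookup is noise; the same host resolving the same dynamic name
    again and again, at near-constant intervals, is what step 3 looks like
    from the resolver's side.
    """
    seen = defaultdict(list)
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m or not is_dyndns(m["qname"], suffixes):
            continue
        seen[(m["host"], m["qname"].lower())].append(datetime.fromisoformat(m["ts"]))
    findings = []
    for (host, qname), stamps in sorted(seen.items()):
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = len(gaps) >= 2 and max(gaps) - min(gaps) <= jitter_s
        findings.append(Callout(host, qname, len(stamps), periodic))
    return findings


def unexpected_vpn_accounts(lines, approved_actors):
    """Return (user, actor) for every VPN account created by an unapproved actor.

    Step 6 of the reported chain creates a fake user on the VPN server; an
    account-creation event outside the approved provisioning path is the
    audit record that should trigger a look.
    """
    hits = []
    for line in lines:
        m = VPN_LINE.match(line.strip())
        if m and m["event"] == "user_add" and m["actor"] not in approved_actors:
            hits.append((m["user"], m["actor"]))
    return hits


if __name__ == "__main__":
    for c in dyndns_callouts(SAMPLE_DNS_LOG):
        print(f"dyndns beacon? host={c.host} name={c.qname} n={c.count} periodic={c.periodic}")
    for user, actor in unexpected_vpn_accounts(SAMPLE_VPN_LOG, {"helpdesk"}):
        print(f"vpn account {user!r} created by unapproved actor {actor!r}")
```

Both checks deliberately key on who did what rather than on any malware signature, which is the point of the auditing argument above: the per-company custom malware is unknown to the antivirus, but the control-server lookups and the account creation still show up in logs the defender already holds.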
    14. Re:Sounds like resistance is easy. by Anonymous Coward · · Score: 0

      "Of course not. I can download the video, convert it, and watch it in VLC, Mplayer, or any number of other applications - none of which have been shown to be serious attack vectors."

      Are you seriously going through all those steps to watch someone get hit in the balls with a football? You're going to turn a 1 second click of a play button on an embedded video into a 30 minute exercise? Are you _kidding_ me?

    15. Re:Sounds like resistance is easy. by Sycraft-fu · · Score: 4, Insightful

      Yep. I do find it funny how many Linux types will advocate Linux more or less as a "security through obscurity" thing. "Oh use Linux because all these attacks target Windows!" Ok, well if everyone took your advice and switched to Linux, they'd target Linux instead.

      The correct answer for security is, regardless of the system you use, assume it is vulnerable. Assume you can be attacked (because you can). Then take steps to remediate it. Have defense in depth, have layers of security so if one fails others still exist. Keep your security up to date and able to deal with current threats. Do this, and it doesn't really matter what OS you run, you are as safe as you can be.

      You have to look at it like with physical security, where there is no such thing as perfect security. There is no system that cannot be broken or bypassed in some way. All you can do is make it good enough to ward off any threats for long enough to detect and stop the threats. There is not a single step you can take to keep thing safe, including moving your location.

      That is sort of what is being talked about here. It would be like moving from the city out to a sparse area. Ok, that probably will reduce attacks however if that's your solution for security, you've done nothing. You are just hoping you don't get attacked, you haven't done anything to actually deal with the attacks. Same deal with switching OSes. Just saying "Oh well use Linux," doesn't really help. Sure there are less attacks over all for it, but that doesn't mean anything. If you still implement bad security practices (like having users run as root and having weak passwords) then you've done nothing for real security. You are just hoping that by being less visible you won't get attacked, you've no ability to actually deal with an attack.

      So choose your OS based on which one works the best for what you do. Then take steps to properly secure it, because the proactive security measures are what really keep you safe, not the OS. It is perfectly possible to have an extremely secure Windows network, and an extremely insecure Linux network.

    16. Re:Sounds like resistance is easy. by Nazlfrag · · Score: 2, Insightful

      Well it's neither. If your intent is to stop a specific attack with this modus operandi then not running Active Directory or Windows would be a sensible thing to do. Not that that negates all attacks, but it would negate the specific one outlined in TFS.

    17. Re:Sounds like resistance is easy. by GravityStar · · Score: 1

      In the attack, the privilege escalation is _on the network_, not locally. An attacker of this type doesn't need local root privileges on a desktop pc, they want privileges on the servers.

      The attack might then upload your private SSH key. Either they brute-force the password of the key on a cluster, or they analyze every document you have access to for words that could be the password. Maybe they replace the link you have on your desktop to SSH with a link to a SSH binary of their own.

      Having local user privileges and lots of patience is sufficient to eventually crack a network wide open. And it will work with Linux too.
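The post above describes an attacker with ordinary user rights uploading a private SSH key and brute-forcing its passphrase offline, which only works at all if the key has a weak passphrase or none. The defender's counterpart is an audit for unencrypted private keys. The script below is an added example, not code from this thread or from OpenSSH, that checks whether a private key file is passphrase-protected by reading the two container formats OpenSSH writes: the legacy PEM form (where an encrypted key carries a `Proc-Type: 4,ENCRYPTED` header) and the `openssh-key-v1` form (where the first field is the cipher name, `none` meaning unencrypted). The sample keys it builds are constructed header-only blobs with no real key material in them.

```python
"""Audit helper: is this OpenSSH private key protected by a passphrase?
Added example with constructed sample input; not part of the original thread."""
import base64
import struct


def _sshstr(b: bytes) -> bytes:
    """SSH wire-format string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def key_is_passphrase_protected(pem_text: str) -> bool:
    """Return True if the key file is encrypted, False if stored in clear.

    Raises ValueError for anything that is not a recognised private key file.
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-framed private key")
    header, body = lines[0], lines[1:-1]

    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(body))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(magic)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        ciphername = blob[off + 4:off + 4 + n]
        return ciphername != b"none"

    if header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM: encrypted keys carry "Proc-Type: 4,ENCRYPTED" and "DEK-Info:".
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in body)

    raise ValueError("unrecognised key header: " + header)


def fake_openssh_key(cipher: bytes) -> str:
    """Constructed openssh-key-v1 container holding only the header fields
    (cipher, kdf, kdf options, key count); no key material, for testing."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = (b"openssh-key-v1\x00" + _sshstr(cipher) + _sshstr(kdf)
            + _sshstr(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy-PEM samples (body is placeholder base64, not a real key).
FAKE_PEM_CLEAR = "-----BEGIN RSA PRIVATE KEY-----\nQUJDRA==\n-----END RSA PRIVATE KEY-----\n"
FAKE_PEM_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                      "QUJDRA==\n-----END RSA PRIVATE KEY-----\n")


if __name__ == "__main__":
    for label, text in [("v1/aes", fake_openssh_key(b"aes256-ctr")),
                        ("v1/none", fake_openssh_key(b"none")),
                        ("pem/enc", FAKE_PEM_ENCRYPTED),
                        ("pem/clear", FAKE_PEM_CLEAR)]:
        print(label, "protected" if key_is_passphrase_protected(text) else "IN CLEAR")
```

Run over `~/.ssh` on the hosts users log in from, this turns the scenario in the post into a finding before an attacker does: a key stored in clear needs no cracking cluster at all, and a protected one at least forces the offline work the post describes.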

    18. Re:Sounds like resistance is easy. by Anonymous Coward · · Score: 0

      That's why I don't root you, I root your receptionist to get the proverbial foot in the door.

      Yeah, I rooted his receptionist. All. Night. Long.
      And it's more than a 'proverbial' foot, baby.

    19. Re:Sounds like resistance is easy. by Anonymous Coward · · Score: 1, Funny

      Did it ever occur to you that when he said "Just don't use MS Windows" he was implying that you should use VMS? But then again there are all those SYSTEMkits out there.

    20. Re:Sounds like resistance is easy. by colourmyeyes · · Score: 3, Informative

      I'm guessing you're a troll, but I do this. Well not exactly, you don't need to convert anything.

      Open a youtube video, let it buffer, go into /tmp and there's the file. Just do "mplayer file" and watch it. I do this because the flash player crashed a lot (x86_64 Linux) and mplayer is smoother.

      --
      My grandmother used anecdotal evidence all the time, and she lived to be 120 years old.
    21. Re:Sounds like resistance is easy. by devent · · Score: 1

      Yep. I do find it funny how many Linux types will advocate Linux more or less as a "security through obscurity" thing. "Oh use Linux because all these attacks target Windows!" Ok, well if everyone took your advice and switched to Linux, they'd target Linux instead.

      Which Linux do you mean? Do you mean Ubuntu, Debian, Fedora, Suse, RedHat, CentOS, Arch, Gentoo, etc. Do you mean Linux 2.6.30, 2.6.18, 2.6.31, 2.6.32, 2.6.33, etc?

      You see, Windows is not only an easy target because everybody is using Windows, but because everybody is using the same Windows. If we assume that the users are all updating their OS, over 70% are using Windows XP SP3.

      With Linux you have diversity and it is that diversity that makes Linux a very difficult target for Viruses and Trojans. (In addition to the usual advantages in a Linux environment, like package manager, better security policy, etc.)

      --
      http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
    22. Re:Sounds like resistance is easy. by Anonymous Coward · · Score: 0

      Being less vulnerable is a layer of defense. It really is that simple. All of these attacks targeted inherent problems in the Windows platform, and Unix / Linux has problems to be certain, but they are not the same depth or scope of the issues inside of Windows. I'd suggest you read some of the architectural information available that discusses the level of shite inside the Windows core libraries, kernel etc.

      If Linux is a standard steel door and Windows is a wooden door, neither is useful against a cutting torch or a myriad of other tools; however, that does not invalidate the fact that the steel door is more secure. It's just not as secure as a steel door with cameras, sensors, alarms and an armed guard.

    23. Re:Sounds like resistance is easy. by Bert64 · · Score: 1

      However, due to basic design flaws (rather than implementation bugs that will get patched), a Windows and Active Directory based network is much easier to crack than environments based on other platforms...

      Plenty of reading on the web, but start with http://www.crest-approved.org/Pages/conf/windowsauth.pdf (use google to convert it to html if you're concerned about pdf vulns).

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    24. Re:Sounds like resistance is easy. by Bert64 · · Score: 1

      Which is why a monoculture is so bad... Attackers don't need information on the systems being used, they can just assume that their victims are running Windows.
      If they had to recon their target first to find out what they're running and devise attack methodologies for multiple platforms, the attacks would be massively more difficult and less common.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    25. Re:Sounds like resistance is easy. by tsm_sf · · Score: 1

      "Please ignore the obvious grammatical mistakes, misused colloquialisms, and bizarre instructions. Just clicky."

      --
      Literalism isn't a form of humor, it's you being irritating.
    26. Re:Sounds like resistance is easy. by Yvanhoe · · Score: 1

      Yeah, the title should be "if you use vulnerable software, resistance is futile". Duh. It looks like people are discovering what "vulnerable" means. They assume you are using a vulnerable browser, on a network with vulnerable servers. In that case, you are pretty much doomed anyway.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    27. Re:Sounds like resistance is easy. by jpate · · Score: 1

      Also there is youtube-dl.


      Given the topic of the summary, anyone who clicked on that without double checking where it went should reflect on the consequences of clicking on links randomly.

    28. Re:Sounds like resistance is easy. by wvmarle · · Score: 1

      Well the problem seems to be far more than just a pdf or a Windows vulnerability. Scariest part in the list from TFS:

      5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite.

      The question I have now is: why is it so easy to crack those passwords? (Apparently easier than tricking someone into giving their password or installing keyloggers: that means it's quite easy.) I thought passwords were normally stored as one-way hashes, and those are really tough to crack.

      Dictionary attacks of course are easy (just calculate the hashes of a dictionary and compare), but in this case I may assume that they were after sysadmin passwords, which again I may assume are proper passwords, and not vulnerable to a dictionary attack.

      So like (all) successful attacks there must be an array of vulnerabilities in all the layers of security in those systems.

      Getting into the single desktop as logged-in user shouldn't happen: vulnerability 1.

      Getting into a single desktop as the logged-in user should not give you full control over that desktop. Vulnerability 2.

      Getting full control over the desktop should not give you access to an AD server (in order to download that database). Vulnerability 3.

      Downloading the (encrypted I may hope) AD password database should not give you the passwords: modern encryption technology is strong enough to prevent that for all practical reasons.

      If I understand this sequence of events correctly there have to be at least four security vulnerabilities. Not just one. But four layers of security that have been punched open, and not once but apparently on large scale. That is a bad sign for overall security.

    29. Re:Sounds like resistance is easy. by couchslug · · Score: 1

      "I root your receptionist to get the proverbial foot in the door. "

      She is protected by Security through Fugliness. Root at own risk.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    30. Re:Sounds like resistance is easy. by Richard_at_work · · Score: 3, Interesting

      We did this in our business - created a vb app which popped up a dialog box saying 'You just breached the network terms of use.' and logged the currently logged in username and IP address to a database.

      We then emailed that to everyone in the company, from an outside address (and specifically allowed it in the email filters to simulate a worst case scenario), and sat back and watched who clicked and who didn't. It was quite enlightening.

    31. Re:Sounds like resistance is easy. by iserlohn · · Score: 3, Insightful

      It's perfectly possible to walk on the moon as well. Now about the amount of effort to get there.....

    32. Re:Sounds like resistance is easy. by selven · · Score: 1

      Yep. I do find it funny how many Linux types will advocate Linux more or less as a "security through obscurity" thing. "Oh use Linux because all these attacks target Windows!" Ok, well if everyone took your advice and switched to Linux, they'd target Linux instead.

      "All my games only work on Windows"

      "Well, if you all switch to Linux they'll write games for Linux instead."

      The reason why this argument doesn't work is exactly the same as the reason why yours also doesn't.

    33. Re:Sounds like resistance is easy. by Redlite · · Score: 1

      There is hardly any difference in security as far as all the standard distros of Linux go (Ubuntu, Debian, Fedora, Suse, RedHat, CentOS, Arch, Gentoo). And the kernel versions (2.6.30, 2.6.18, 2.6.31, 2.6.32, 2.6.33) are different from Windows service packs and the individual security patches how? Linux could be targeted just as easily... if it was WORTH targeting.

    34. Re:Sounds like resistance is easy. by ascari · · Score: 1

      More careful analysis of the exploit suggests a better mitigation strategy: "Don't use humans".

    35. Re:Sounds like resistance is easy. by garaged · · Score: 1

      Not only is Windows way too easy to attack, the average Windows admin knows what the MCSE tells them about security; most other sysadmins would know a lot about security, monitoring, the good practices that actually work, read security mailing lists, and we can go on and on.

      --
      I'm positive, don't believe me? Look at my karma.
    36. Re:Sounds like resistance is easy. by ascari · · Score: 1

      One difference is that major Linux distros are "hardened" out of the box, through things such as AppArmor and SELinux. On Windows (and Mac) it's up to the end user to take care of these things and in many cases spend money to get it done. The end result is unhardened systems with protection that is not up to date.

    37. Re:Sounds like resistance is easy. by Anonymous Coward · · Score: 0

      One difference is that major Linux distros are "hardened" out of the box, through things such as AppArmor and SELinux.

      Easy to say that now, but once upon a time stock Linux systems were about as well secured as the goatse guy bending over to pick up the soap in a prison shower.

    38. Re:Sounds like resistance is easy. by Anonymous Coward · · Score: 0

      Hey, I wonder where the term "rootkit" originated?

      Gardeners?

    39. Re:Sounds like resistance is easy. by Anonymous Coward · · Score: 0

      Yea, because there is no way to get rootkited or other vulnerabilities on a Linux system.

      Hey, I wonder where the term "rootkit" originated?

      If you don't want to get slammed by hurricanes, don't live in Florida.

      No one is saying Linux is invulnerable, but it's less of a target (ditto for OS X). So you're exposed to less risk, and have less shit to put up with from a security point of view.

    40. Re:Sounds like resistance is easy. by Redlite · · Score: 1

      I wasn't referring to the difference between Linux and Windows, rather the differences between the major Linux distros. devent was implying that the diversity of Linux flavors available somehow made Linux more secure on the whole, which is simply false.

    41. Re:Sounds like resistance is easy. by ErroneousBee · · Score: 1

      ... From what little I understand about these attacks, if linux variants had been major targets, they probably would have been taken down as well...

      Apparently by your own admission already we've gone from a definitely to a probably.

      Security is not absolute, it is relative to the security of other potential targets. To not become a victim, a potential target needs to be higher risk, harder work, and lower return than other potential victims.

      By running a Non-Windows OS, you make the risk higher, and the work harder.

      The work is harder in several ways:

      • The attacker has to expend resources learning your OS and its variants, instead of just targeting Windows.
      • The attack window is smaller, the attacker has to spend longer waiting for a zero-day exploit to arrive, then has a shorter window in which to exploit it.
      • Within the company, the IT will not be homogeneous; once you've taken the secretary's Linux desktop, the LDAP server may well be Solaris or BSD, making the research a bigger task.

      The risks are also higher, as security tools like nmap and msec come ready installed on Linux systems, and honeypots on the internal network are essentially free to set up.

      Defenders of Windows often raise the Straw Man "If Linux becomes dominant it will be targeted" without seeing the corollary "It's better to be on Linux whilst Windows is dominant".

      --
      **TODO** Steal someone else's sig.
    42. Re:Sounds like resistance is easy. by Anonymous Coward · · Score: 0

      Yep. I do find it funny how many Linux types will advocate Linux more or less as a "security through obscurity" thing. "Oh use Linux because all these attacks target Windows!" Ok, well if everyone took your advice and switched to Linux, they'd target Linux instead.

      "All my games only work on Windows"

      "Well, if you all switch to Linux they'll write games for Linux instead."

      The reason why this argument doesn't work is exactly the same as the reason why yours also doesn't.

      Except neither argument is false! Just because few would bother to port existing games or malware if there was a mass exodus resulting in Linux becoming the new majority OS doesn't mean that new game designers and malware programmers wouldn't start focusing on Linux. I mean it's not like there are a lot of people creating either for the Amiga OS these days...

    43. Re:Sounds like resistance is easy. by zman58 · · Score: 2, Informative

      "The correct answer for security is, regardless of the system you use, assume it is vulnerable." That may be true, but you need to take a step back and try to understand the risks associated with specific systems. Some systems are far more vulnerable than others. Maybe Windows is best suited for some specific tasks, but it is obviously not best suited for Network or Internet use. So go ahead and run your Windows system for a specific CAD or Game application, but avoid the high risk, network based activities on those systems--keep them mostly disconnected and never NEVER fire up IE. Currently, Linux is a far better choice for security. You can say what you want about the doomsday future of Linux (if we all used it), but for now and the foreseeable future it is a no-brainer choice for Internet and network use over Windows. Every Windows system I have ever known eventually succumbed to some sort of malware or virus, even though security software was used extensively. The sheer cost and risks of maintaining a Windows environment in this space are insurmountable--as many have found out the hard way through loss of business, data, money, etc. So to reduce risk, practice good security policy always and choose your systems carefully for what they are best at doing. In many many cases, Linux IS a great way to go and you can get there spending far less while reducing risk along the way. Can I help it if it just works better and does so at far less cost?

    44. Re:Sounds like resistance is easy. by Anonymous Coward · · Score: 0

      What you say is basically true, but... ever hear of defense in depth? How about risk analysis? Right now, the risk is greater if you run Windows rather than Linux. Yes, that could change. Yes, Windows can be "secured". But just because those statements go with a "yes" doesn't mean they have *equivalent* security.

      I manage network security where I work. I also do some forensics work. I gotta tell you, I don't care how "secured" you can make the windows box, I'd rather be downloading and clicking on malware/viruses (to select to copy elsewhere, to upload somewhere, etc.) in linux than windows -- because all of the ones I'm dealing with are windows malware. So, yes, in this environment, linux *is* more secure *because* the malware/viruses are targeting windows.

      That said, it is no panacea, nor is using Firefox instead of IE. I'm still a bit burnt by the idiots developing FF who thought it would be a good idea to put a shell code parser into the URL decoder. This was a problem for Firefox on *Linux* with no effect on Firefox on Windows.

      Taking basic steps to secure the operating system are essential regardless of the platform. Operating the system in a security promoting fashion is helpful. Choosing to use an operating system that is not targeted by 99.999% of the malware/viruses out there is just one more defense in a defense-in-depth posture.

    45. Re:Sounds like resistance is easy. by Yosho · · Score: 1

      the easiest way to get your linux box rooted is to use a weak ssh password

      Which is why, of course, you put in a delay between login attempts. If you cannot attempt to log in to an account more than once every five seconds, then even if your password is only six alphabet letters and you never change it (very weak, by any standard), it could take almost 50 years to brute-force it.

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
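
The arithmetic behind the "almost 50 years" figure in the comment above, together with the per-account delay it describes, as an added example that is not part of the thread. `brute_force_years` and `LoginThrottle` are hypothetical names; the clock is injectable so the demonstration runs offline without real sleeping.

```python
"""Added example (not from the thread): worst-case brute-force duration under a
fixed attempt interval, and a per-account throttle that enforces that interval.
Names are hypothetical; the fake clock exists only so the demo runs instantly."""
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_years(alphabet_size: int, length: int, seconds_per_attempt: float) -> float:
    """Years needed to exhaust the keyspace at one guess per `seconds_per_attempt`.
    26 lowercase letters, length 6, one guess per 5 s gives roughly 49 years,
    which is the comment's 'almost 50 years'."""
    keyspace = alphabet_size ** length
    return keyspace * seconds_per_attempt / SECONDS_PER_YEAR


class LoginThrottle:
    """Rejects a new attempt on an account until `min_interval` seconds have passed
    since the previous attempt on that account. The limit is per account, so an
    attacker cannot speed up by running guesses in parallel against one login."""

    def __init__(self, min_interval: float = 5.0, clock=time.monotonic):
        self.min_interval = min_interval
        self.clock = clock
        self._last_attempt = {}

    def allow(self, account: str) -> bool:
        """Return True if an attempt may proceed now, recording the attempt time.
        The password is never checked when this returns False."""
        now = self.clock()
        last = self._last_attempt.get(account)
        if last is not None and now - last < self.min_interval:
            return False
        self._last_attempt[account] = now
        return True


class FakeClock:
    """Deterministic stand-in for time.monotonic so the demo needs no real delay."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    print("26^6 at one guess / 5 s:", round(brute_force_years(26, 6, 5.0), 1), "years")
    print("26^6 at one guess / 1 ms:", round(brute_force_years(26, 6, 0.001), 3), "years")
    clock = FakeClock()
    throttle = LoginThrottle(min_interval=5.0, clock=clock)
    print(throttle.allow("alice"), throttle.allow("alice"))   # True False
    clock.advance(5.0)
    print(throttle.allow("alice"))                            # True
```

Two caveats a practitioner would want: a per-account delay is also a lever for locking legitimate users out by hammering their account, so the interval should be modest and paired with a per-source limit; and the delay does nothing against one guess sprayed across many accounts, which only a per-source limit catches.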
    46. Re:Sounds like resistance is easy. by tnk1 · · Score: 1

      You are entirely correct, moving to a more rural area would reduce your chances of random attack, but only because there are fewer attackers willing to drive the distance to get to you, not because you are invulnerable to attack in the countryside. Indeed, an attacker willing to target you may have an easier time of actually killing you and getting away before he is discovered if you are in the countryside.

      Having said that, there really is a true benefit for living in the countryside if you want to avoid attacks. It's like playing a game of poker or any other statistics based game. If you play the odds, you will generally end up the winner overall, if not in every hand. Again, this does not help you if your opponent knows your strategy and is willing to set up direct attacks on you personally, but protection based on statistics is real and beneficial if used properly.

      The two real problems with this method of security are simply that a) it relies on attackers being indiscriminate in who they attack and b) the very promotion of a particular method of obscurity reduces the effectiveness of the obscurity.

      The first problem is a serious one for most businesses. While being made part of a botnet is an annoying thing to have happen to your machines, it's not really crippling. What matters is when you are directly attacked for purposes of sabotage or espionage. Most obscurity simply folds like a house of cards under scrutiny and dedicated attackers are always willing to dig deep to pierce your smokescreens.

      The second issue is one for the "Linux is more secure" crowd. I liken that to the image that the countryside is statistically safer until everyone in the city moves to the country. The reason is not that the countryside in general is less safe, but rather because the countryside you moved to is now the city again. The more people promote Linux as safer due to having fewer attacks, the more people will use Linux, and the more people who use Linux, the more of the crackers will be interested in attacking Linux servers. So the obscurity is actually weakened by its standardization which in turn makes it useless as a method of generating mass appeal. By promoting obscurity, these pseudo-evangelists are unwittingly causing danger. The Linux advantage is *real* statistically at some small level of adoption, so it appears to be true, right up to the point where the demographics hit the point where it ceases to be true. After that point, inertia and pride on the part of these one-note evangelists will mean that Linux is as much of a danger as Windows is now because everyone is trained to believe Linux is simply more "secure", even if the point where that was true has been passed.

      The reason that I bother with mentioning all of this is that it is important to give obscurity its due. It *does* work, but it has serious limits. If you don't acknowledge that, you will have people who see it working just fine every day who start to ignore it because you aren't talking "common sense". Consider the natural laws of the universe. They work every day, out in the open. Nothing could be more evident than they are, but we still don't know how they work completely. This is obscurity, and if you think about it, it protected the secret of the wheel, gunpowder, computers and nuclear weapons from humans who have the same cranial capacity as we do for millions of years. Once targeted and unveiled, these formerly obscure secrets become almost obvious, but they were anything but that before. That's why science seems to not get its due sometimes: no one understands just how tough it is to break through "mere obscurity" to get answers that in hindsight now seem to be obvious.

      I guess this is my way of perhaps indicating that while I agree that obscurity as a tactic is dangerous if used improperly, it should not be dismissed. While it is a poor argument for Linux adoption, I actually think that "security through obscurity" is an extremely powerful tactic if used properly and the phrase should not be used as synonymous with "useless".

    47. Re:Sounds like resistance is easy. by sjames · · Score: 1

      It would be harder to gain full privilege and harder to go undetected. It would then be harder to spread it to other systems. There would be a greater likelihood that diverse systems would have to be cracked. No OS is invulnerable and no infrastructure is invulnerable, but some OSes are less vulnerable than others and a diverse infrastructure is less vulnerable than a homogeneous one.

    48. Re:Sounds like resistance is easy. by Coren22 · · Score: 1

      You have the same situation in SAs in either environment, you have the security idiots in both places, and you have the ones that take security seriously in both places.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    49. Re:Sounds like resistance is easy. by selven · · Score: 1

      The argument's truth depends on the scale. If you're a 10-man business, then it won't make a difference (unless the idealistic types haven't been kicked under the wheels of capitalism yet) but if you're the US government then it will.

    50. Re:Sounds like resistance is easy. by DrCode · · Score: 1

      I do this too, because Flash on my netbook is really slow and doesn't have the nice kbd controls like mplayer. And you don't even have to wait until it's all buffered, as long as the download speed is greater than the speed of watching it.

      Plus, if I want to keep it, I just drag-and-drop it into a different directory and rename it. I wonder if Windows users can do something similar, as I've been asked a couple of times.

    51. Re: Sounds like resistance is easy. by Blueeyes.1978 · · Score: 1

      Yea, because there is no way to get rootkited or other vulnerabilities on a Linux system.

      Kernel rootkits will not work on a 64-bit Windows Vista or 7 system either, what is your point?

    52. Re:Sounds like resistance is easy. by Blueeyes.1978 · · Score: 1

      Yea, because there is no way to get rootkited or other vulnerabilities on a Linux system.

      Hey, I wonder where the term "rootkit" originated?

      You can't run kernel level rootkits on Windows Vista or 7 x64 systems either and Linux has its fair share of vulnerabilities too. So what is your point?

    53. Re:Sounds like resistance is easy. by sglines · · Score: 1

      Linux systems (and Unix systems before them) can most certainly get rooted. I had a Linux server (I was a mere contractor) get rooted about 4 years ago. It was pretty well locked down to outside penetration but unfortunately many of the inside PC users eventually knew the root password. For example the boss gave his secretary the root password so that she could login and start tape backup jobs - she stayed logged in as root for weeks at a time. We never did figure out how it was rooted but it clearly was and we had to regrove it and create web only interfaces (a limited Webmin account actually) for worker bees to do admin jobs.

  3. oh for the love of ____! by girlintraining · · Score: 3, Interesting

    Okay, I know an ex-pat who has moved to China and married. I have a much better understanding of the current state of technology and governmental oversight there than most here. Let's clear some things up:

    The government closely monitors its citizens using every form of surveillance available in public places (which include the internet) to ensure that they are not acting in a fashion the government defines as "subversive". They aren't interested in international cyber-terrorism. They simply realize that they need to be where their citizens are to maintain the umbrella of surveillance. They're not trying to blow up power plants or destroy financial markets, or engage in other acts of cyber-terrorism. They are simply of the mindset that the internet lacks geographical boundaries, and hence treat it somewhat like international waters, and regularly patrol and conduct intrusions on remote systems for the purpose of effecting surveillance on its own citizens.

    They are also interested in industrial espionage against specific high-value targets that have technology that China cannot replicate with its limited (though rapidly growing) infrastructure. China is very good at copying technology. It has very little ability (or desire) to innovate. They are focused primarily on a massive modernization program so as to set themselves up to compete with the EU, US, and South Asian markets. Hong Kong is about the only ace they have up their sleeve right now there. So they conduct limited cyber attacks for the purpose of acquiring the information and designs to manufacture technologies that are highly intricate (such as microprocessor design).

    This is not a statement on the validity of any sovereignty claims, or a moral judgement on China's state-sponsored activities on the global communications networks, merely a statement of their motivations.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:oh for the love of ____! by VendettaMF · · Score: 5, Interesting

      Meanwhile I _am_ an expat, currently in China, and I can tell you your information is lacking in a few areas.

      The Chinese government may not be out to detonate nuclear plants remotely (though you can be damn sure that when such abilities/openings are located that they are carefully filed against future need), but they are most certainly out to obtain every piece of hi-tech IP they can get hold of, as well as every bit of blackmail material, every bit of financial info and absolutely everything else they can find that will give them an edge in any arena over any and every other nation.

      That's on top of all the internal monitoring of course.

      --
      kartune85 : Incapable of reason, observation or learning. A kind of dim, drab, flightless parrot.
    2. Re:oh for the love of ____! by Anonymous Coward · · Score: 2, Interesting

      As someone who has worked in various places that are of extreme interest to China, I can honestly say that you do not have a FUCKING clue of what you are talking about. All you are doing is talking out the side of your mouth. The simple fact is, that China is spying in a large number of areas. And yes, some of it is very much targeting the WEST's vulnerable areas.

    3. Re:oh for the love of ____! by Anonymous Coward · · Score: 5, Funny

      Meanwhile I _am_ Chinese, currently in China, and I can tell you your information is lacking in a few areas.

      The Chinese Government is your friend and only wants the best for you.

    4. Re:oh for the love of ____! by Anonymous Coward · · Score: 2, Funny

      Okay, I know an ex-pat who has moved to China and married.

      It's refreshing to see such a rock-solid substantiation on Slashdot.

    5. Re:oh for the love of ____! by Anonymous Coward · · Score: 0

      They are also interested in industrial espionage against specific high-value targets that have technology that China cannot replicate with its limited (though rapidly growing) infrastructure. China is very good at copying technology. It has very little ability (or desire) to innovate.

      For this point - this is how economies work by import replacement, which then causes modifications on that product they replaced, making a new product (a division of that work). To think that any economy over the course of human history simply invents something without anything before it (except maybe fire), ignores the way markets are. The USA did it and the Japanese did it and in turn rapidly expanded their economies and markets.

    6. Re:oh for the love of ____! by Anonymous Coward · · Score: 0

      There is nothing contradictory between your statement and a statement that China is marked by fascism, the panoptic state and low consideration for the propriety of others.

      That IS the definition of a totalitarian state. Total surveillance in public, total surveillance of communication channels, and use of a variety of tiered methods against subversive elements.

      It is also sufficient cause for putting a stranglehold on Chinese international trade, including high tariffs. Why should a company that spends tens of millions developing a microprocessor and needs to recoup that cost in their prices have to compete with a Chinese company that got the plans for free?

    7. Re:oh for the love of ____! by BlueBoxSW.com · · Score: 1

      Thanks for clarifying this. My understanding of the situation mirrored what you described, but it is nice to hear it from someone first-hand.

      How do you see this playing out in, say, 10 years?

      Will the communists back away from their firm grasp on the country?

      Or will the US end up on a collision course with China?

      Or will the US in 10 years have the same limits on freedom they have there?

      And, do they still make people carry around those little red books?

    8. Re:oh for the love of ____! by Anonymous Coward · · Score: 0

      hahaha good one.

      The Chinese government is out to take over the world. And for the time being, it's easy to be covert on the interwebz.

    9. Re:oh for the love of ____! by VendettaMF · · Score: 2, Interesting

      China's due some really serious shakeups in the next decade. The China of 10 years from now will be as different from current day China as current day China is from 1970's China. What will it actually be like? That's so far beyond my skills to figure that I couldn't even hazard a guess. Anyone here who cares to look can see the fuse fizzing, but as for where the bits will land... Who knows?

      There are no communists in power in China, and have not been for quite some time. They have kept the title, but that's meaningless. China's government is Totalitarian Capitalist.

      The red books are optional these days, unless you are Chinese, a Party member, in a significant government building and trying to impress someone. Foreigners with little red books are viewed with amusement at best, contempt and suspicion at worst.

      China vs world (US is only one player in many these days)... Unless the internal restructuring prevents it then expect to see current "Angry Letters" style face-offs continue and expand, but as for the possibility of actual physical or serious trade conflict? Not a chance. Even Bush wasn't stupid enough to countenance that.

      --
      kartune85 : Incapable of reason, observation or learning. A kind of dim, drab, flightless parrot.
    10. Re:oh for the love of ____! by Anonymous Coward · · Score: 0

      http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage

      I think everyone's underestimating the West's capabilities in technology, espionage and counterespionage honed during decades of Cold War paranoia.

      Sure, the Chinese are targeting Western infrastructure, but in such a kludgy way that their efforts have made Slashdot and every other blog.... not particularly good espionage really, is it?

      A quick search of eBay for iPod and Nike reveals that yes, the Chinese do blatantly rip stuff off as a matter of course. Any company that manufactures stuff there knows this. Other governments know this. I would wager that Chinese infrastructure is even more vulnerable than Western infrastructure is, and has been infiltrated already.

      Imagine in a future war if you knew that the enemy's main offensive or defensive weapons had a massive flaw that you could pinpoint and take advantage of... game over.

      Better the devil you know...

    11. Re:oh for the love of ____! by Anonymous Coward · · Score: 0

      Ah, you must know Friend Computer! We shall root out all commies and report them!
      Um what color clearance do you have again?

    12. Re:oh for the love of ____! by Anonymous Coward · · Score: 0

      Meanwhile, I represent the Chinese government. Now, if all you gentlemen would kindly board that black van outside your house...

    13. Re:oh for the love of ____! by Anonymous Coward · · Score: 0

      I vote parent's post for Slashdot footer quote.

    14. Re:oh for the love of ____! by Runaway1956 · · Score: 2, Insightful

      Have you been keeping up with current events? The news on ACTA, for starters. Those school kids being spied on in Philadelphia via school mandated computers. Traffic light cameras. There is little doubt in my mind that the US is moving toward the same sort of round the clock surveillance that England and China enjoy right now. Law enforcement is pushing through a variety of rules, regulations, and even laws, permitting them to track citizens via mobile phone and other means, WITHOUT a warrant.

      I definitely see an Orwellian future for the United States. Unless, of course, the citizens revolt against it. Unfortunately, the very citizens are subsidizing all of this surveillance. How many people do you know who have PAID FOR that GPS tracking that General Motors offers? Yes, PAID FOR some nice un-intrusive surveillance. Soon, the insurance companies will mandate that all vehicles have such surveillance, and we'll just roll over, and accept the edict.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    15. Re:oh for the love of ____! by vajorie · · Score: 2, Insightful

      Okay, I know an ex-pat who has moved to China and married. I have a much better understanding

      Hey, nice to hear. I have this Black friend so I know Blacks. /yay

    16. Re:oh for the love of ____! by Anonymous Coward · · Score: 0

      China is marked by fascism

      Actually fascism is the opposite of communism, but just as totalitarian. Fascism is where the government is very small, and corporations run everything.

    17. Re:oh for the love of ____! by Nazlfrag · · Score: 1

      I'm still not quite getting this government sponsored industrial espionage. Can someone provide a CIA reference?

    18. Re:oh for the love of ____! by Anonymous Coward · · Score: 0

      China almost doesn't need to do anything to acquire those IPs.

      We hand them the schematic, artwork for the PCB, part list, and list of component vendors, firmware code, mechanical design, company logos and whenever we have products to be made and assembled in China. We are slowly outsourcing the design to them and teaching them how to think for themselves while _PAYING_ them to do so.

    19. Re:oh for the love of ____! by Bert64 · · Score: 2, Interesting

      Fascism doesn't necessarily require a small government, just that the government be controlled by corporate interests... In fact, a large totalitarian government is beneficial to a fascist state because it becomes easier to create conditions more favorable to business.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    20. Re:oh for the love of ____! by Anonymous Coward · · Score: 0

      The Chinese Government is your friend and only wants the best from you.

      Fixed for you.

    21. Re:oh for the love of ____! by wvmarle · · Score: 1

      The Chinese definitely have the desire to innovate, the ability is still lacking. I see lots of quite innovative products coming out of there (mostly toys and premium items), the problem is that in general they are not thought out well, or just don't work.

      Back on topic: surveillance of their own people may be one thing, but being "in" foreign systems comes mighty handy in case of a war. Then you can use your existing secret log-ins to do serious cyber-damage to foreign computer systems, breaking communication channels the enemy thinks are safe, or simply listening in on enemy communication.

    22. Re:oh for the love of ____! by Anonymous Coward · · Score: 0

      Stay alert! Trust No one! Keep your laser handy.

    23. Re:oh for the love of ____! by Anonymous Coward · · Score: 0

      Meanwhile I __am__ currently

    24. Re:oh for the love of ____! by Anonymous Coward · · Score: 0

      Meanwhile I _am_ the Chinese Government, currently on vacation in Hawaii, and I can tell you your information is lacking in a few areas.

      I just want to know "Why can't we all just get along?" Just do what I say and everything will be alright.

  4. Even better, don't hire humans by xzvf · · Score: 5, Funny

    Humans are the biggest weakness in the chain. Don't hire them, or at least hire the most non-people types you can. Hire the non-team players and the ones that argue with everyone. When someone calls them and asks them to go to a web site, they'll say screw you and hang up.

    1. Re:Even better, don't hire humans by Anonymous Coward · · Score: 2, Insightful

      Humans are the biggest weakness in the chain. Don't hire them

      This.

    2. Re:Even better, don't hire humans by Opportunist · · Score: 1

      Companies are way ahead of you. Hell, they'd even outsource their malware infections if ... erh... they even did that it seems...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Even better, don't hire humans by turing_m · · Score: 1

      Hire the non-team players and the ones that argue with everyone.

      It's not necessary to employ true arguers. You could easily get away with hiring those only capable of simple contradiction.

      --
      If I have seen further it is by stealing the Intellectual Property of giants.
    4. Re:Even better, don't hire humans by Anonymous Coward · · Score: 0

      No you couldn't.

    5. Re:Even better, don't hire humans by SkeeZerD · · Score: 2, Funny

      I disagree...can I have a job?

    6. Re:Even better, don't hire humans by turing_m · · Score: 1

      Yes you could.

      --
      If I have seen further it is by stealing the Intellectual Property of giants.
    7. Re:Even better, don't hire humans by Machtyn · · Score: 2, Funny

      Actually, I've noticed a lot of "this" going around in the US and world economy.

    8. Re:Even better, don't hire humans by __aailob1448 · · Score: 1

      People like you are why I shouldn't be browsing slashdot at work. Don't say stuff that makes me laugh out loud, I'm supposed to be working.

    9. Re:Even better, don't hire humans by Anonymous Coward · · Score: 0

      I disagree...can I have a job?

      No, because that's not a Monty Python reference, that's just a c-c-c-combo breaker. Quoting Monty Python is an intellectual process! Combo-breaking is just the automatic ruination of whatever meme the great-great-great-grandparent poster first put in play!

    10. Re:Even better, don't hire humans by sjames · · Score: 1

      Hire people who can resist a candy bar!

  5. Antivirus? by TubeSteak · · Score: 2, Insightful

    "Attackers are willing to spend months attacking people in these companies, and they write custom malware specific to those companies," [iSec founding partner Alex Stamos] told The Register. "The malware for each of these companies has been customized based on the versions of vulnerable software they're running, as well as what kind of anti-virus they're using. ...

    Since when have anti-virus heuristic algorithms been at all useful against custom malware?

    Even the script kiddies can find encrypters to take their cookie cutter programs and make them invisible to the majority of anti-virus programs.

    --
    [Fuck Beta]
    o0t!
    1. Re:Antivirus? by 99BottlesOfBeerInMyF · · Score: 1

      "The malware for each of these companies has been customized based on the versions of vulnerable software they're running, as well as what kind of anti-virus they're using. ...

      Since when have anti-virus heuristic algorithms been at all useful against custom malware?

      "The malware has been customized" implies they are picking malware or modifying malware, rather than writing it from scratch. AV programs often can catch new variants of old malware unless it has been remade to avoid detection in specific ways.

  6. Auror by Anonymous Coward · · Score: 1, Funny

    Anyone else read that as Auror Attack?

    1. Re:Auror by Anonymous Coward · · Score: 0

      Harry Potter. Are you 12 years old or what?

    2. Re:Auror by Anonymous Coward · · Score: 0

      Sadly, no.

  7. Resistance is VERY easy by Anonymous Coward · · Score: 2, Insightful

    QUIT RUNNING WINDOWS. Look, if anybody runs windows on more than their client box (and many would argue even that is stupid), then you deserve what you get. The same set of idiots will design tanks and subs with picture windows.

  8. So for this attack to work. by Anonymous Coward · · Score: 3, Insightful

    1. You must first find someone using windows who is prone to clicking things without thinking. - ok, I accept that.
    2. Running a vulnerable browser - Still quite common, First security failure
    3. Running windows - Still very plausible
    4. Vulnerable to a privilege escalation exploit - Second security failure
    5. With a network setup that is vulnerable to this kind of thing - Third security failure
    5. Then "accessing" an AD server database - Fourth security failure
    6. To be cracked - ok

    So for this to work you have to have an insecure browser or other userland app that is easily exploitable (Acrobat), an OS with a privilege escalation flaw and a network that will let someone do things they probably shouldn't, an AD server that is crackable so that you can get at the DB.

    IMHO that is a hell of a lot of failures by the various parties for this to work.

    1. Re:So for this attack to work. by Shikaku · · Score: 4, Insightful

      Your boss at work:

      "Why can't I install programs on my own machine, I'm the boss for god's sake!"

      He's admin of his own machine now on his corporate internet. Hilarity ensues.

    2. Re:So for this attack to work. by esocid · · Score: 2, Insightful

      Have you not ever worked in an office setting? Walk by your sysadmin's dungeon and mention something about clicking a link in some email you got, and sit back and watch the fireworks.

      I can pretty much guarantee you that even in a tech setting, there will even be a handful of those people who still lack common, and/or tech, sense. This is exactly why certain places prevent their employees from installing software, running as admin, running off of flashdrives, or even discs.

      --
      Absolute power corrupts absolutely. indymedia
    3. Re:So for this attack to work. by Anonymous Coward · · Score: 0

      1 = 2 = 3 = 4
      5 = 5 (sic) = running active directory

    4. Re:So for this attack to work. by Anonymous Coward · · Score: 0

      And yet they all exist in the majority of all computing systems.

    5. Re:So for this attack to work. by k10quaint · · Score: 1

      You just described most of corporate america with your six steps.

      Step #1 is very very plausible. One develops a potential working relationship with the target company and crafts an email to contain an innocuous looking document or link requested by the target. The link/document contains the latest exploit that has not been patched. The email is not suspicious because who would attack a potential business partner after all. It is an exploit that is preferably zero day and not yet in the virus/malware databases. Also, a new shell for the attack could be devised from the original code to ensure it would be unrecognizable.

      Step #4 can be obviated by infecting an admin's computer, and if I was targeting a company with a zero day unknown exploit, I would aim it at their IT guys.

      Step #5a all networks are vulnerable to this sort of exploit, especially if the exploit is unknown to scanners & filters.

      Step #5b if you root an admin's box, you can piggy back on him next time he does maintenance on *every* server and device he maintains.

      I am surprised the list was only 100 companies. I assume every S&P 500 company has been penetrated to some degree.

    6. Re:So for this attack to work. by Tracy+Reed · · Score: 1

      And you have just described the business network (as opposed to production server network which is of course Linux and by definition far more secure) of pretty much every place I have ever worked.

    7. Re:So for this attack to work. by Opportunist · · Score: 1

      Yeah, but try to push this past a boss' skull.

      Human factor at work. He does not need admin privileges. Even the idea to give him an admin account so he could become admin if he for some reason needs to will get shot down (or simply ignored and the admin account becomes the standard account) because he must not be bothered with that whole "computer crap", it has to "just work".

      If you warn about such scenarios you get belittled as scaredy-cat. That it is your effing job as his CISO to be such a scaredy-cat and prepare and defend against such scenarios will be brushed aside. Then why the heck did you hire me in the first place? Because you had to fill that position so you get some worthless toilet paper certificate? In that case, place someone else on that ejector seat, I'm not going to sit there while you dance around the big red "eject" button going "gee, what does this button do?"

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:So for this attack to work. by Sikmaz · · Score: 1

      Point by point:
      #2: Many of the attacks use Zero-day exploits that are not public knowledge.
      #4: See #2
      #5: If you have more than 1400 servers there will be some that are vulnerable and when that happens they get one door they need. Hopefully it is just some departmental webserver so the scope is small but they almost certainly now have at least the first foothold they need to grab some accounts and move from there if they don't have a Zero-day exploit they can use.
      #5 (2nd #5?): What they get is the SAM database which is hashed using NTLM so it is vulnerable to rainbow table attacks.

      So for it to work you just need:
      1) An exploit not publicly known that allows remote code execution or elevation of privilege. There are at least 2-3 of these a month
      2) Compromise a departmental webserver/app server and start working backwards.... Eventually you will get more and more accounts until you get something interesting. At the worst you have mapped a typical server and know your attack surface. Maybe they run Tivoli? So scan specific hosts for Tivoli vulnerabilities but do it slow so it isn't seen by IDS. If they run Symantec AV use the exploit that is out right now to get on a privileged system...

      So obviously it isn't as hard as it first seemed and it isn't a matter of incompetence with large companies there are simply too many possible ways in. Your best defense is a layered one with a lot of monitoring of your logs and IDS sensors to watch for things that look unusual. Baseline your traffic so if you see a large upload over https to a server in a weird location you can flag it! It might be your SAM database going out the door...

      tl;dr: In a large company there are a lot of ways to get in, if you think you are safe you are lying to yourself.
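The baselining advice in the post above (flag a large upload over HTTPS to a server in an unfamiliar location) can be turned into a concrete check. The following is an added Python example, not code from this thread or from the iSec report: it parses constructed proxy log lines, builds a per-client median upload size from a history window, and flags transfers to destinations outside a constructed allowlist that exceed both an absolute floor and a multiple of that client's baseline. The log format, the allowlist, the client addresses and the thresholds are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed proxy log lines (a simplified Squid-style format made up for this
# example): timestamp client_ip method host:port bytes_in bytes_out
HISTORY_LOG = """\
1266000001 10.0.5.21 CONNECT mail.example.com:443 48211 1220
1266000010 10.0.5.21 CONNECT crm.example.com:443 90310 5300
1266000020 10.0.5.21 CONNECT mail.example.com:443 50020 1900
1266000030 10.0.5.21 CONNECT update.example-vendor.com:443 300100 800
1266000040 10.0.5.21 CONNECT files.example.com:443 12000 4200
1266000060 10.0.5.44 CONNECT mail.example.com:443 70000 2100
1266000070 10.0.5.44 CONNECT crm.example.com:443 8000 3300
1266000080 10.0.5.44 CONNECT mail.example.com:443 9000 900
"""

# Constructed "today" window: one client pushes 256 MiB to a bare IP address.
TODAY_LOG = """\
1266090050 10.0.5.21 CONNECT 198.51.100.77:443 1200 268435456
1266090060 10.0.5.44 CONNECT crm.example.com:443 1000 6000000
1266090070 10.0.5.44 CONNECT mail.example.com:443 70000 2500
1266090080 10.0.5.99 CONNECT mail.example.com:443 500 3000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>\S+) (?P<dest>\S+) "
    r"(?P<bytes_in>\d+) (?P<bytes_out>\d+)$"
)

# Destinations the business is known to push bulk data to (assumed allowlist).
KNOWN_DESTINATIONS = {"crm.example.com:443", "files.example.com:443"}


def parse_log(text):
    """Parse the constructed log format into dicts; silently skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("ts", "bytes_in", "bytes_out"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def build_baseline(history):
    """Per-client median of bytes sent outbound over the history window.
    The median is used instead of the mean so one past large upload does not
    drag the baseline up and hide later ones."""
    per_client = defaultdict(list)
    for r in history:
        per_client[r["client"]].append(r["bytes_out"])
    return {client: statistics.median(sizes) for client, sizes in per_client.items()}


def flag_large_uploads(history, current, ratio=20, floor=1_000_000):
    """Flag outbound transfers in `current` that go to a destination outside the
    allowlist and exceed both `floor` bytes and `ratio` times the client's
    baseline. Clients with no history are judged against the floor alone.
    Returns a list of (client, destination, bytes_out)."""
    baseline = build_baseline(history)
    alerts = []
    for r in current:
        if r["dest"] in KNOWN_DESTINATIONS:
            continue
        threshold = max(floor, ratio * baseline.get(r["client"], 0))
        if r["bytes_out"] > threshold:
            alerts.append((r["client"], r["dest"], r["bytes_out"]))
    return alerts


if __name__ == "__main__":
    for client, dest, size in flag_large_uploads(parse_log(HISTORY_LOG), parse_log(TODAY_LOG)):
        print(f"ALERT {client} sent {size} bytes to {dest}")
```

In practice the history window would come from a day or a week of real proxy logs and the allowlist from the destinations the business actually exchanges bulk data with; the point of the two-window design is that the baseline is never computed from the same traffic it judges.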

    9. Re:So for this attack to work. by Opportunist · · Score: 1

      A lot of failures, and all of them are at work in most companies.

      Vulnerable browser? A necessity, since most company-internal webpages are geared for IE (sometimes even an ancient version of IE because the adaptation for the quirks of newer versions takes time), and of course programmed by the cheapest idiot who didn't test for any other browser. Let's be happy that it at least works with IE... if only with version 6.

      Vulnerable to priv escalation? A given in most companies. You usually have the cheapest admins, and too few of them. You'd be amazed how much resistance you get for anything that could remotely increase security (and, unfortunately bundled with it, decreases comfort and ease of access). And you'd be amazed just how little the common Windows administrator knows about Windows in the first place.

      Network vulnerable to this? A given as well. Security often ends at the company firewall. Behind it, inside the company, you'll rarely find any sensible segmentation or protection. It's actually very common that machines are fully accessible across the whole network.

      Accessing AD server database? C'mon, do I have to go into detail? You don't think servers are any better protected against "inside jobs" than the rest of the network, do you?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    10. Re:So for this attack to work. by myowntrueself · · Score: 1

      Your boss at work:

      "Why can't I install programs on my own machine, I'm the boss for god's sake!"

      If your boss has an iphone then you have them right there.

      As much as I hate them for it, Apple have surely built a good argument for not allowing people complete control of devices they *own* but which they don't 'understand sufficiently well' or 'cannot be trusted' to protect properly.

      I guess... try to get your boss to see you as Steve Jobs. Might not work but probably worth a shot.

      --
      In the free world the media isn't government run; the government is media run.
    11. Re:So for this attack to work. by sumdumass · · Score: 0

      I had that happen once at a financial site I administrate.

      It ended with me asking the manager/owner to sign a paper specifically assuming all the liability from any breaches or security incidents stemming from his use of unapproved software. He then asked me to clarify what I was wanting and I told him about the different requirements placed on financial institutions and places that process credit card information (some by law and some by credit card companies and such). His accounting firm hit on both areas and after speaking with his corporate attorney, he decided not to indulge himself in anything not directly related to his work.

      This could have ended with me losing my contract, however it showed that there was more of a reason than just being a dick for all the rules and restrictions. If someone else is having this problem, it might be an approach that could work with them. Just don't be a dick when asking for the release, instead say something like "I sure would feel better about this if I knew I wouldn't be held accountable for regulatory or liability problems created by the use of the software". Peak his interest before dropping the hammer so he knows something is at stake.

    12. Re:So for this attack to work. by FooAtWFU · · Score: 1

      Psst. It's spelled 'pique' when you're doing it to interest. Spread the word.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    13. Re:So for this attack to work. by sumdumass · · Score: 0

      Thanks.

      I thought something looked wrong with using "Peak" but I couldn't for the life of me figure out why. Now I know.

    14. Re:So for this attack to work. by jon3k · · Score: 3, Insightful

      Boss's browser is configured to use Websense proxy (running on Linux actually, Websense Security Gateway). All traffic blocked at firewall, only Websense allowed out and only via destination port 80 and port 443 (and other specific allows for certain servers/apps to specific destination networks). Uncategorized sites are blocked in Websense. Cisco Botnet filtering installed on ASAs at the edge. Sourcefire IDS monitoring. Ironport e-mail gateways filtering spam. Trend anti-virus running on everything running Windows.

      And most importantly - constant user training, re-training and reminders.

      I'm sure I missed a few other security components I take for granted but that should be enough to cover it. I work for a medium sized health care company, nothing fancy.

    15. Re:So for this attack to work. by Anonymous Coward · · Score: 0

      Worst security flaw I have seen:
      A remote Win 2k3 terminal server that ran E2 (shop management) AND hosted its database. In order to run E2 on the same system that hosts the database you needed to be admin (this is what I was told). Girls in the office would surf the web and click on anything that came in their inbox. The system became infected and hours of downtime ensued. I explained the system was a horrible mess and needed to be changed immediately in order to ensure, boss says any downtime is unacceptable, the system needs to stay as-is. Never bothered to help them again. I could not understand how anyone with half a brain thought this was an acceptable setup.

    16. Re:So for this attack to work. by Anonymous Coward · · Score: 0

      1. You must first find someone using windows who is prone to clicking things without thinking. - ok, I accept that.
      2. Running a vulnerable browser - Still quite common, First security failure
      3. Running windows - Still very plausible
      4. Vulnerable to a privilege escalation exploit - Second security failure
      5. With a network setup that is vulnerable to this kind of thing - Third security failure
      5. Then "accessing" an AD server database - Fourth security failure
      6. To be cracked - ok

      So for this to work you have to have an insecure browser or other userland app that is easily exploitable (Acrobat), an OS with a privilege escalation flaw and a network that will let someone do things they probably shouldn't, an AD server that is crackable so that you can get at the DB.

      IMHO that is a hell of a lot of failures by the various parties for this to work.

      I think you're missing the point. These are targeted attacks. They can take months to study most of the things you mention without ever raising the alarm. I've worked in information technology call centers for almost a decade. If you asked me to gain access to one of those machines (which in most cases have higher privileges than most) i think it wouldn't be too difficult. Given months to plan I have no doubt of it.

      S

    17. Re:So for this attack to work. by Nazlfrag · · Score: 1

      Just tell him you have a secret awesome technology that's even better than his work computer that only IT people know about but you know how to get him one for the 'right price'. Put a 007 sticker over the 'eee', a quick netBSD install + matrix desktop theme later and presto! You're 2 grand richer and the boss won't fuck up your toys.

    18. Re:So for this attack to work. by rts008 · · Score: 1

      ...try to get your boss to see you as Steve Jobs.

      I don't have any turtle neck sweaters, you insensitive clod!!!

      --
      Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
    19. Re:So for this attack to work. by Bert64 · · Score: 1

      2, or a vulnerable plugin, or socially engineer a user of a fully patched browser (also a security flaw because the user needs the ability to execute arbitrary binaries)...
      5/5a, active directory as a whole is vulnerable to these kind of attacks, due to design flaws rather than specific bugs that can easily be patched.
      6, cracking windows passwords is easy once you have the hashes due to the encryption being extremely weak, and it cannot easily be replaced because the encryption algorithm is required for the network authentication processes (see design flaw)... However, you don't even need to crack the hashes, you can use the hashes as they are without cracking them (another design flaw)

      Aside from the various design flaws in Windows, their marketing is the biggest flaw... Windows is marketed as an "easy to use" server platform, where you don't need to hire expensive admins to run it. Now to keep a Windows network barely functioning this is true, however to keep one as secure as possible (within the limits imposed by the various fundamental design flaws) you need a significant number of highly skilled staff and (often expensive) third party software.. MS would never admit this however, because that would be an admission that Windows is about the most expensive platform to maintain across the board.
      Most companies seem to buy in to the marketing and hire insufficient staff with insufficient skills, as a result you get huge gaps in their setup which can be exploited.

      There is also the lock-in issue, companies are often tied to old crufty proprietary apps that cannot be moved to more modern systems, for instance webapps tied to IE6. Had they done their research up front and understood the risks and the future pain it will cause, it's likely they never would have implemented such proprietary systems... However, most companies seem not to understand the risks of lock-in and even today are implementing new proprietary applications that will tie them down again. Windows 7 may be "the most secure Windows ever", but they said that about NT4 years ago too. In a few years' time, Windows 7 will be the insecure crufty legacy OS that's a thorn in people's side while MS is pushing everyone to upgrade to the new "more secure" version.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    20. Re:So for this attack to work. by Anonymous Coward · · Score: 0

      1. You must first find someone using windows who is prone to clicking things without thinking. - ok, I accept that.

      You've already missed the point - the emails are targeted. We're not talking Nigerian scam here; think about an email from your boss regarding a project you've been working on...

      2. Running a vulnerable browser - Still quite common, First security failure

      All software has vulnerabilities. To think otherwise is incredibly naive.

      3. Running windows - Still very plausible

      Why is running windows a requirement? See "All software..." comment above.

      4. Vulnerable to a privilege escalation exploit - Second security failure

      See "All software..." comment above.

      5. With a network setup that is vulnerable to this kind of thing - Third security failure

      You mean, one that is connected to the Internet? Perhaps you are implying that there is some magic security box that would catch custom exploits for 0-day vulnerabilities delivered via email and/or http...

      5. Then "accessing" an AD server database - Fourth security failure

      Do you even know how AD works?

      6. To be cracked - ok

      You understand that passwords can be cracked. That's at least a start.

      So for this to work you have to have an insecure browser or other userland app that is easily exploitable (Acrobat)

      Why does the software need to be "easily" exploitable? You think the attackers need to wait for something to be posted to milw0rm?

      an OS with a privilege escalation flaw

      How rare do you think those are, exactly?

      and A network that will let someone do things they probably shouldn't

      Should I not be making HTTP and DNS requests? (hint: that's all (actually more than) the attack needs)

      an AD server that is crackable so that you can get at the DB

      All that's needed here is a way to get the administrator to log in to the owned host. Another post describes numerous ways to achieve this.

      IMHO that is a hell of a lot of failures by the various parties for this to work.

      I'm glad you're at least humble, since you don't know what you're talking about.

  9. Binary whitelisting by Anonymous Coward · · Score: 0

    Resistance is not so futile -- the use of binary whitelisting tools such as Bit9 (http://www.bit9.com/) combined with network packet analysis allows sysadmins to greatly reduce the chance of an initial infection, and virtually eliminates the chances of an infection spreading across multiple hosts.

  10. How do we know THAT isn't compromised? by Anonymous Coward · · Score: 1, Insightful

    For all we know, the Chinese agent who hacked google.cn may have uploaded a trojan pdf reader extension.

    1. Re:How do we know THAT isn't compromised? by Anonymous Coward · · Score: 4, Funny

      in china, trojans are small. Because they have small dicks.

    2. Re:How do we know THAT isn't compromised? by jav1231 · · Score: 1

      That is so wrong!!!!!
      Yes...I laughed...

    3. Re:How do we know THAT isn't compromised? by Anonymous Coward · · Score: 0

      That is so wong!

  11. Re:oh for the love of ____!I'm assuming that becau by Anonymous Coward · · Score: 0

    Meanwhile I _am_ an expat, currently in China, and I can tell you your information is lacking in a few areas.

    What areas are those. Enquiring minds want to know. GP already covered industrial espionage so what have you got?

  12. Number 5? by DigiShaman · · Score: 3, Interesting

    5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite.

    HOW!!!?? Unless some boneheaded sysadmin granted a user with Domain Admin access, I don't see how this is even remotely possible. Someone with just plain Domain User access either authenticates, or doesn't. Is this article suggesting all local user names and passwords from a DC (domain controller) are locally cached prior to authentication?

    --
    Life is not for the lazy.
    1. Re:Number 5? by Anonymous Coward · · Score: 1, Informative

      Browser exploit to get on the box.

      Privilege escalate to LOCAL/Admin.

      Grab the user's NT security token (metasploit), or keylog the password.

      Enumerate machines (dsquery) to find out where Admin is logged in.

      Log into that box.

      Privilege escalate to Admin.

      Steal his token.

      You are now Enterprise Admin.

    2. Re:Number 5? by DigiShaman · · Score: 2, Insightful

      I follow steps 1 - 4. Regarding step 5 however...

      Log into that box.

      That user must be either a member of the Domain Admins group, or Local Administrators group of that PC. The latter seems possible as there are many users that love to RDP into their own boxes from work over a VPN connection. Even then, only one user is allowed access unless it is a Terminal Server.

      As for the NT security token. I know that when a user (regardless of membership) logs into a machine, the security credentials get cached. But from what I understand, you can't recover passwords from the local SAMS database unless the box is already rooted.

      --
      Life is not for the lazy.
    3. Re:Number 5? by DigiShaman · · Score: 4, Informative

      Sorry for the follow up post, but I think I now understand in a round about way. You have to be a member of the Domain Admins group to join a PC to the Domain. It's those Domain Admin credentials that get cached - per PC that's been previously joined. YIKES! So if a user is a member of the local Administrators group, he also has access to the local SAMS database. Root the box, and you might be able to recover the cached passwords from it.

      Be sure to change your Domain Admins password often. Honestly, how many people often do that? More than they should really.

      --
      Life is not for the lazy.
    4. Re:Number 5? by Opportunist · · Score: 1

      Scenario: Boss has (local) admin privs on his machine. Because he's the boss (no, no sensible explanation following). Boss gets owned, keylogger gets installed. Boss' machine gets fucked up when he installs the latest and greatest must-have-boss-toy for his Blackberry, calls IT and goes to lunch.

      IT comes, logs in with domain admin password...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Number 5? by dweller_below · · Score: 4, Insightful

      .. Root the box, and you might be able to recover the cached passwords from it.

      Almost. The iSec paper mentioned, but didn't explain 'Pass The Hash' attacks. See the excellent SANS paper at: http://www.sans.org/reading_room/last.php

      Bottom line is, the attacker doesn't need to get back to the passwords by cracking the hashes. The attacker can just directly use the hashes.

      Being targeted by these guys is like standing in the middle of a crowd of pick-pockets. No matter what you do, they are going to get stuff. You are lucky to get out with your teeth.

      Miles
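The pass-the-hash point in the post above, together with the cached-credential and keylogger discussion earlier in this thread, suggests a defender-side check that can run over the domain's logon audit trail. What follows is an added Python example, not code from this thread or from the iSec or SANS papers. It parses constructed records shaped like the EventData of Windows Security event 4624 (successful logon) and flags three conditions: a logon where LM or NTLMv1 was negotiated, a privileged account reaching a workstation over an NTLM network logon where Kerberos would be expected in a domain, and a privileged account logging on interactively to a workstation, which is what leaves a cached hash or a keylogger-capturable password behind. The field names mirror the real 4624 EventData names; the privileged-account list, the "WS-" hostname convention, the hosts, accounts and addresses, and the flattened one-line record format are assumptions made for the example.

```python
from collections import Counter

# Constructed sample records: the EventData fields of Windows Security event
# 4624 (successful logon), flattened to one "key=value;" line per event for
# this example. Hosts, accounts and addresses are made up.
SAMPLE_EVENTS = """\
Computer=WS-0412;EventID=4624;TargetUserName=jdoe;LogonType=2;AuthenticationPackageName=Kerberos;LmPackageName=-;IpAddress=-
Computer=WS-0412;EventID=4624;TargetUserName=da_admin;LogonType=10;AuthenticationPackageName=Negotiate;LmPackageName=-;IpAddress=10.0.9.5
Computer=FS01;EventID=4624;TargetUserName=svc_patch;LogonType=3;AuthenticationPackageName=NTLM;LmPackageName=NTLM V1;IpAddress=10.0.5.21
Computer=WS-0907;EventID=4624;TargetUserName=da_admin;LogonType=3;AuthenticationPackageName=NTLM;LmPackageName=NTLM V2;IpAddress=10.0.5.21
Computer=DC01;EventID=4624;TargetUserName=da_admin;LogonType=3;AuthenticationPackageName=Kerberos;LmPackageName=-;IpAddress=10.0.9.5
"""

# Assumptions for this example: which accounts carry domain-admin level rights,
# and a hostname prefix that marks workstations.
PRIVILEGED_ACCOUNTS = {"da_admin", "svc_patch"}
WEAK_LM_PACKAGES = {"LM", "NTLM V1"}
INTERACTIVE_LOGON_TYPES = {"2", "10"}  # 2 = Interactive (console), 10 = RemoteInteractive (RDP)
NETWORK_LOGON_TYPE = "3"


def is_workstation(computer):
    return computer.upper().startswith("WS-")


def parse_events(text):
    """Parse the flattened records; keep only successful-logon (4624) events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split(";") if "=" in part)
        if fields.get("EventID") == "4624":
            events.append(fields)
    return events


def check_logon(ev):
    """Return the names of every rule a single 4624 event triggers."""
    hits = []
    user = ev.get("TargetUserName", "")
    host = ev.get("Computer", "")
    privileged = user in PRIVILEGED_ACCOUNTS

    # Rule 1: LM or NTLMv1 was negotiated. Those challenge-responses fall to
    # precomputed tables, and a downgrade from Kerberos is itself a red flag.
    if ev.get("LmPackageName", "-").upper() in WEAK_LM_PACKAGES:
        hits.append("weak_ntlm")

    # Rule 2: a privileged account reaching a workstation with an NTLM network
    # logon. Domain members normally use Kerberos; NTLM here is consistent with
    # a replayed hash rather than a typed password.
    if (privileged and ev.get("LogonType") == NETWORK_LOGON_TYPE
            and ev.get("AuthenticationPackageName") == "NTLM"
            and is_workstation(host)):
        hits.append("ntlm_admin_to_workstation")

    # Rule 3: a privileged account logging on interactively (console or RDP) to
    # a workstation, which caches a verifier on that box and exposes the password
    # to anything already running there.
    if privileged and ev.get("LogonType") in INTERACTIVE_LOGON_TYPES and is_workstation(host):
        hits.append("admin_interactive_on_workstation")
    return hits


def audit(text):
    """Run every rule over every event; returns (computer, user, rule) tuples."""
    alerts = []
    for ev in parse_events(text):
        for rule in check_logon(ev):
            alerts.append((ev["Computer"], ev["TargetUserName"], rule))
    return alerts


def summarize(alerts):
    """Count hits per rule, the kind of daily tally worth putting on a dashboard."""
    return Counter(rule for _, _, rule in alerts)


if __name__ == "__main__":
    for computer, user, rule in audit(SAMPLE_EVENTS):
        print(f"{rule:34s} {user:12s} on {computer}")
    print(dict(summarize(audit(SAMPLE_EVENTS))))
```

Rule 3 is the one this thread keeps circling back to: the fix is not a detection but a policy, that is, domain admins never log on interactively to workstations, so that the event is rare enough to be worth paging on when it does appear.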

    6. Re:Number 5? by Anonymous Coward · · Score: 0

      (GP here)

      Alternately, if you can elevate to System privs, you can dump the hash. If the System privs are the same across the domain, the hash will be the same. Don't even need the password.

      Google "pass the hash". You will bricks.

    7. Re:Number 5? by Anonymous Coward · · Score: 0

      cain&abel ...

    8. Re:Number 5? by holymartyr75 · · Score: 1

      This is not strictly on-topic, but default settings in Windows 2003 (don't know if 2008 or 2008 R2 fixed that) will let a domain _user_ join a computer to a domain.

    9. Re:Number 5? by jon3k · · Score: 1

      The password complexity policy is domain wide - if you set it for your users (you did set it for your users, right?) then it applies to you as well.

    10. Re:Number 5? by Anonymous Coward · · Score: 0

      You don't need to crack the passwords, just the hashes from the database is fine.

      Search "pass the hash".

    11. Re:Number 5? by CalTrumpet · · Score: 5, Informative

      There are several methods of escalating to domain admin once you have Local Administrator access on a member workstation. It is our experience that most large Enterprise AD networks are vulnerable to at least one of these issues:

      1. Crack a common local user with a shared password, like "MACHINENAME\ITAdmin". Alternatively, you can use an NTLM hash as a password equivalent with custom tools, like my colleague Jesse Burns demonstrated in 2005.

      2. Crack the cached hash of a domain admin from the SECURITY hive. This hash is created by an interactive login to the machine, i.e. via the local keyboard or RDP. These hashes are not stored after remote RPC, SMB, etc...

      3. Install a keystroke logger and wait for an interactive login by an Administrator. A good technique is to open an IT ticket as the victim, which often triggers an admin to remotely access the machine via RDP.

      4. Wait for an automated process to touch the box with domain admin credentials. Common tools that do this are patch management systems, vulnerability scanners, software licensing compliance tools and event log aggregation systems. When the handshake for the network service begins (say over DCE RPC), the attacker rejects the Kerberos ticket and requests a downgrade to LanMan or NTLMv1. Either one of those protocols will allow an attacker to use a pre-computed time-memory trade-off to quickly recover the password (aka Rainbow Tables).

      5. Wait for an automated "touch" and perform a pass-the-hash attack. This is possible on services that do not enforce at least "Packet Integrity" security. The admin and the victim machine legitimately exchange credentials, but the resulting authenticated connection can now be modified by the attacker. Again, see Burns 2005.

    12. Re:Number 5? by Anonymous Coward · · Score: 0

      Yes, they are. If you take a laptop offline that was a member of the domain in the office, you can login with any account that's been used prior when it was hooked into the LAN.

      I am also pretty sure you can turn that 'feature' off with system policies.

    13. Re:Number 5? by Bert64 · · Score: 1

      And unless you installed some third party implementation, the password complexity option is crap.. Password1 or Password1! will get through just fine, and when you're forced to change your password then Password2 will work perfectly well.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    14. Re:Number 5? by Anonymous Coward · · Score: 0

      The easiest methods for getting a dump of a SAM:
      - Replaced hard disks. Most companies have AD running on a mirrored pair. A 'degraded' disk (bad sectors, completely readable) is usually swapped out to a hardware maintenance supplier. Almost every company doing this under warranty allows disks to flow out the door without even a magnetic erase. Work for the vendor and collect the disks (as a lowly tech).
      - Backups. Most backup systems are either not encrypted or the backup system has an application level account (not centrally managed) that allows access. These passwords are usually sh1t, like u=admin, p=admin. Many of these systems (Legato Netbackup) have IP or cert based trust systems in place that allow any client machine to restore files back to itself without authentication, OR for you to set up a new backup server and back up from the clients. This allows you to just back up or restore the SAM.
      - Physical access to most datacentres is weak. In particular after hours for 'trusted' vendors. Just place employees at cabling \ electrical contractor companies and wait for the bored IT worker to wander off to pee (which happens a lot in cold datacentres), then just rip disks out of the DC and shove in new ones. Alerting systems will detect it, but the immediate rebuild will just cast doubt on the array controller.
      - You can tailgate into most companies. I do it to other floors in my own company. It's far more effective to juggle a laptop, blackberry, notepad and a drink; then people will even kindly open the door for you. Provided you look like you know where you are going you won't be questioned. Carry a Fluke and 'test' network ports. People will get used to you and assume you are from IT, or claim you are an IT auditor. Then just set up a laptop with wireshark, nmap, etc. and start learning the lay of the land. To find vulnerabilities, find the source of truth server where software packages are located. There are usually loads of retarded things there, like scripts with cleartext passwords and other goodies. If you claim to be an auditor you are likely to get people to volunteer things to you when you ask for the problem areas. Emails to operations management could even have them help you out 'reporting' on all the problems, exposing their soft underbelly. Ask for a copy of the risk register for the juicy stuff, and the password database for password strength ranking.
      To social a branch, just call the office manager first to let him know that head office are sending IT people onsite for a few days each month to deal with problems. Then turn up a week later. Open arms baby. Branch offices are always unloved and normally not very bright. I've worked next to 20k in cash on a table at a bank out near the comms cabinet.
      - If you can get your hands on an old PC on site (ask for a decommissioned one), not a laptop, but a PC with no drive encryption, you can probably easily ghost the disk and extract the admin password offsite. Return tomorrow with the password to every desktop in the fleet. Then net user "domain admins" /domain on that machine tomorrow and get the names of all the admins. If you find the CMDB (normally has the username the same as the password) you can quickly correlate the user with the computer without even an nmap finding the admin machine. Then just push some values into their Run key to dump the SAM to a public location.
      - To be really sneaky just litter the workplace with $5 usb keys with pictures of topless models; some of the jpg's however are actually 'corrupt', in reality they are exe's renamed. When you double click them they execute your backdoor code.

      I could go on, but we all know all too well how easy this is, and I'm talking about going after the IT department itself. We know that every one of our companies is fairly well defended by layered firewalls, monthly patching, AV software and none of it counts for anything for trivial on site attacks.

      The users are used to giving away their credit card details for a danc

    15. Re:Number 5? by LeadSongDog · · Score: 1

      The trick is to always have empty pockets when going into crowds. Just unplug the stuff that matters.

      --
      Oh, I'm sorry sir, I thought you were referring to me, Mr. Wensleydale.
    16. Re:Number 5? by mranime · · Score: 1

      http://technet.microsoft.com/en-us/library/cc780195(WS.10).aspx

      By default, any authenticated user has this right and can create up to 10 computer accounts in the domain.

      This setting persists in Windows Server 2008 R2. Of course, you can always fix this via GPO on your domain controllers.

    17. Re:Number 5? by Anonymous Coward · · Score: 0

      You have to be a member of the Domain Admins group to join a PC to the Domain.

      No, you don't. We have 40K PCs and only about 20 Domain Admins. The Field staff only have "Add Workstations To Domain" right.
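
An added example, not from the thread or the iSec report: a read-only PowerShell audit of the settings the replies above argue about (cached domain logons, the LM/NTLMv1 downgrade in CalTrumpet's item 4, and the default computer-account quota mranime links to), with the corresponding fix reported beside each. It assumes an elevated prompt on a domain-joined Windows host and, for the domain quota check only, the ActiveDirectory RSAT module; the function and object names are my own.

```powershell
# Added example: read-only audit of the settings discussed in this thread.
# Assumes an elevated prompt on a domain-joined host; the domain quota check
# needs the ActiveDirectory module (RSAT) and is skipped when it is absent.

function Get-CachedLogonSetting {
    # CachedLogonsCount (REG_SZ) in the Winlogon key: how many domain logons are
    # cached locally for offline logon. Default is 10; policy can lower or disable it.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $v = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $v) { $v = '10' }   # value absent: the OS default applies
    [pscustomobject]@{
        Setting = 'CachedLogonsCount'
        Value   = [int]$v
        Ok      = ([int]$v -le 1)     # 0 disables caching; 1 is a common laptop compromise
        Fix     = 'Security Options > "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" = 0 (or 1 for laptops)'
    }
}

function Get-LanManSettings {
    # LmCompatibilityLevel 3+ makes this host send NTLMv2 responses only, which is
    # what the LM/NTLMv1 downgrade relies on being absent; 5 also refuses LM and
    # NTLMv1 from clients. NoLMHash stops the weak LM hash from being stored.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $lm   = if ($null -ne $p.LmCompatibilityLevel) { [int]$p.LmCompatibilityLevel } else { -1 }  # -1: not set, OS default applies
    $nolm = if ($null -ne $p.NoLMHash) { [int]$p.NoLMHash } else { 0 }   # absent treated as not enforced (conservative)
    @(
        [pscustomobject]@{ Setting = 'LmCompatibilityLevel'; Value = $lm; Ok = ($lm -ge 3)
                           Fix = 'Security Options > "Network security: LAN Manager authentication level" = Send NTLMv2 response only. Refuse LM & NTLM (level 5)' }
        [pscustomobject]@{ Setting = 'NoLMHash'; Value = $nolm; Ok = ($nolm -eq 1)
                           Fix = 'Security Options > "Network security: Do not store LAN Manager hash value on next password change" = Enabled' }
    )
}

function Get-MachineAccountQuota {
    # ms-DS-MachineAccountQuota on the domain head: computer accounts any
    # authenticated user may create. Default is 10; 0 removes the right.
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) { return $null }
    Import-Module ActiveDirectory
    $dn = (Get-ADDomain).DistinguishedName
    $q  = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    [pscustomobject]@{
        Setting = 'ms-DS-MachineAccountQuota'
        Value   = [int]$q
        Ok      = ([int]$q -eq 0)
        Fix     = "Set-ADDomain -Identity '$dn' -Replace @{'ms-DS-MachineAccountQuota'='0'}; then grant 'Add workstations to domain' only to the staff who actually join machines"
    }
}

function Invoke-HardeningAudit {
    # Collects every check into one list of objects so it can be filtered or exported.
    $results = @(Get-CachedLogonSetting) + @(Get-LanManSettings)
    $maq = Get-MachineAccountQuota
    if ($null -ne $maq) { $results += $maq }
    return $results
}

Invoke-HardeningAudit | Format-Table Setting, Value, Ok, Fix -AutoSize -Wrap
```

Rows with Ok = False are the ones the thread's attack paths depend on; the script changes nothing, the Fix column is where the change goes.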

  13. Oldschool by Anonymous Coward · · Score: 2, Insightful

    This type of social engineering attack has been around for at least 2 decades now. There are many books about it, including Mitnick's.
    Windows exploits, specifically owning a Windows AD network via local privilege escalation, sniffing, buffer under/overflows and dumping hashes from the domain controller, have been around for at least 1 decade, the kind of thing I pulled off in high school.
    All they did here is put together very old puzzle pieces with a little bit of strategy.

    When will people learn to stop using Windows? When will people learn to start instituting strict mail policies on corporate networks?

    Probably never.

    This is not about technical security, this is about exploiting the victim's way of thinking.
    Make money first, keep staff happy second. Building a well oiled, tightly maintained business machine does not even come into consideration.

  14. google has a corporate windows network? by Punto · · Score: 1

    And why would being inside China be any different? The whole attack is remote, sounds like it can be done to any network from anywhere in the world. Why would a Chinese office be at higher risk?

    --
    Stay tuned for some shock and awe coming right up after this messages!

    1. Re:google has a corporate windows network? by VendettaMF · · Score: 3, Interesting

      Because, by law, to have an office in China you must have Chinese employees in high-ranking positions.

      If your company is of interest then you can be guaranteed of having at least two plants in the office. One to be the obvious pro-party red-book waving decoy, and the other to save them the time and effort of having to phish someone to start the attack.

      --
      kartune85 : Incapable of reason, observation or learning. A kind of dim, drab, flightless parrot.
    2. Re:google has a corporate windows network? by Anonymous Coward · · Score: 0

      @vendettaMF et al:
      Speaking as one who did much business over many years in Asia, many years ago as a Fixer:
      The West has been importing its demise for decades by training the best minds of many countries in the technologies and with the infrastructure that the "New" World could use without the bother and time to develop it - if ever. Right in the USA. Anyone remember how the Japanese got the Zero Fighter? The USSR got the Atomic Bomb? How Pakistan got it?

      Of course China and other countries made, and make, great use of Western facilities and our lack of experience in dealing with thousands of years of chicanery.
      The great Western Threat is the manipulation of the System by our old Lords And Masters, the so called "400" , whose time has passed and whose methods are still in Trench Warfare, with no understanding of the modern equivalent of the aeroplane: instant communication and the death of actual capital...ism.

      The concept of military threat is as outdated as the gunboats the USA is still building.

      I'm not a nerd so most coding discussion is way beyond me, but I am a good psychologist and we in the West ain't seen nothing yet.
      WE ARE SIMPLY TOO YOUNG to have had the experience and the weaning process that the East has endured.
      It is going to be a fascinating next ten years, but the USA won't be much involved in it, I fear.

  15. Packet Filter by nuckfuts · · Score: 4, Informative

    If you don't expect/want traffic from China, configure your firewall to block IP addresses assigned to China.

    1. Re:Packet Filter by VendettaMF · · Score: 1

      Heh, I am forbidden from seeing content on that site.
      Shoulda seen that one coming...

      --
      kartune85 : Incapable of reason, observation or learning. A kind of dim, drab, flightless parrot.
    2. Re:Packet Filter by nuckfuts · · Score: 1

      OK then, here's the list:


    3. Re:Packet Filter by Anonymous Coward · · Score: 0

      Dude, wall of text. How am I supposed to read this?

    4. Re:Packet Filter by nacturation · · Score: 3, Informative

      Or, more succinctly: http://www.blockacountry.com/

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    5. Re:Packet Filter by jon3k · · Score: 1

      You really think they don't use compromised hosts elsewhere to mount these attacks? Guess where the LEAST likely source address an attack from China would probably come from? Right. APNIC address space in China.

    6. Re:Packet Filter by Xochil · · Score: 1

      You won't be able to see it if you're in China or Korea and not using a VPN or proxy outside those two countries.

    7. Re:Packet Filter by Xochil · · Score: 1

      That data on blockacountry.com is far from current. There are new IP blocks allocated/assigned to CN/KR 2-3 times a week. I just added one /11, one /12, one /13, two /14's, one /15, one /16, and one /17 for CN today alone.

    8. Re:Packet Filter by nacturation · · Score: 1

      Good to know. Do you know of a more current reference? Other than doing individual whois lookups, of course. :)

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    9. Re:Packet Filter by Xochil · · Score: 1
    10. Re:Packet Filter by nacturation · · Score: 1

      What do you know... we actually use that at work. Indirectly, anyways, through OpenBSD's gzipped mirror in conjunction with spamd.

      Thanks for the work you put into it! Because of spamd (and lists like yours, Beck's traplist, and so on) we're wasting over 1100 hours of spammer time every day.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
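
An added example, not nuckfuts' or anyone else's code from the thread: PowerShell that turns a list in the "prefix Country" format posted above into Windows Firewall inbound block rules, skipping malformed entries. The sample list is constructed, the batch size is an assumption rather than a documented limit, and, as jon3k and Xochil point out, this is a coarse control that needs a freshly pulled source list and does nothing about attacks relayed through hosts elsewhere.

```powershell
# Added example: parse a "prefix Country prefix Country ..." list and build
# Windows Firewall block rules from it. Requires the NetSecurity module
# (Windows 8 / Server 2012 or later) and an elevated prompt to apply.

# Constructed sample in the same format as the list posted in the thread,
# with two deliberately broken entries to show the validation.
$sampleList = @'
58.14.0.0/15 China 58.16.0.0/13 China 58.24.0.0/15 China 59.32.0.0/11 China
not-an-address China 300.1.2.0/24 China 61.128.0.0/10 China
'@

function Get-PrefixesFromList {
    param([string]$Text, [string]$Country = 'China')
    # Tokenise on whitespace; keep a token only when it parses as an IPv4 CIDR
    # prefix and the token after it is the wanted country label.
    $tokens = $Text -split '\s+' | Where-Object { $_ -ne '' }
    $out = New-Object System.Collections.Generic.List[string]
    for ($i = 0; $i -lt $tokens.Count - 1; $i++) {
        if ($tokens[$i + 1] -ne $Country) { continue }
        if ($tokens[$i] -notmatch '^(\d{1,3}(\.\d{1,3}){3})/(\d{1,2})$') { continue }
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($Matches[1], [ref]$ip)) { continue }  # rejects octets > 255
        if ($ip.AddressFamily -ne 'InterNetwork' -or [int]$Matches[3] -gt 32) { continue }
        $out.Add($tokens[$i])
    }
    return ($out | Sort-Object -Unique)
}

function New-CountryBlockRules {
    param([string[]]$Prefixes, [string]$Name = 'Block CN inbound', [int]$BatchSize = 500, [switch]$Apply)
    # One rule per batch keeps each rule's address list manageable; BatchSize is
    # an assumption, not a documented limit. Without -Apply nothing is created.
    $rules = @()
    for ($i = 0; $i -lt $Prefixes.Count; $i += $BatchSize) {
        $end = [Math]::Min($i + $BatchSize, $Prefixes.Count) - 1
        $rules += [pscustomobject]@{
            DisplayName   = "$Name $([int]($i / $BatchSize) + 1)"
            Direction     = 'Inbound'
            Action        = 'Block'
            RemoteAddress = $Prefixes[$i..$end]
        }
    }
    if ($Apply) {
        foreach ($r in $rules) {
            New-NetFirewallRule -DisplayName $r.DisplayName -Direction $r.Direction `
                -Action $r.Action -RemoteAddress $r.RemoteAddress -Profile Any | Out-Null
        }
    }
    return $rules
}

$prefixes = Get-PrefixesFromList -Text $sampleList
"$($prefixes.Count) usable prefixes: $($prefixes -join ', ')"   # 5; the two broken entries are dropped
New-CountryBlockRules -Prefixes $prefixes -BatchSize 3 | Format-List
# Add -Apply to create the rules; re-run with a fresh list and remove the old
# rules (Remove-NetFirewallRule -DisplayName 'Block CN inbound*') as allocations change.
```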
  16. Though I wish that MacOS were safer, by dr2chase · · Score: 1

    The initial route of infection for all of the known attacks has been through exploiting flaws in Internet Explorer or Adobe Acrobat using content hosted on external servers.

    My box has no IE, no Acrobat. I even use Skim instead of Preview. Flash is turned off by default in the browsers that I do use. Back when I worked for someone who needed to use Windows, we would delete IIS from the system, just to be careful.

    On the other hand, if it's a skilled, targeted attack, I would expect a custom exploration of my particular software vulnerabilities.

    1. Re:Though I wish that MacOS were safer, by Anonymous Coward · · Score: 0

      On the other hand, if it's a skilled, targeted attack, I would expect a custom exploration of my particular software vulnerabilities.

      You might need an hero to save you.

    2. Re:Though I wish that MacOS were safer, by Bert64 · · Score: 1

      You aren't worth the effort of exploiting...
      You probably don't use that machine as a workstation in a significantly sized company/government department... And if you do, then attacking you is a waste of time because any such company will have plenty of windows machines floating around which will be a lot easier to exploit and likely hold all the data an attacker might want anyway.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    3. Re:Though I wish that MacOS were safer, by dr2chase · · Score: 1

      Me personally? Probably not, but given that tricky targeted attacks have started, I assume a little paranoia never hurt. How about, assuming that the attackers are getting really clever now, one should always strive not to be the weakest link in the (security) chain.

      And you also never know what the link might be. Work, no big deal (probably). There's also friends and family. If they're trying to get to someone you know, subverting your machine and sending a targeted email -- but with your credentials -- might be just the ticket.

  17. Asymmetric Warfare by sp3d2orbit · · Score: 4, Interesting

    I read a paper about a decade ago (which I found thanks to Slashdot) describing how China would "hypothetically" wage a war against the US and win without firing a shot. I can't find the paper any more, but it was written by four Chinese generals. Over the last decade things have pretty much played out exactly like the paper laid things out: an economic assault, a propaganda assault, and an electronic assault. If anyone knows the paper I would love to see it again -- I think it even got turned into a book.

    One day, long from now, will people wonder why we didn't see the attack coming until it was way too late?

    1. Re:Asymmetric Warfare by advocate_one · · Score: 2, Informative

      Over the last decade things have pretty much played out exactly like the paper laid things out: an economic assault,

      And what's really depressing is our own corporations are falling over backwards (outsourcing production, relocating, sourcing goods from China) to help them all in the name of short term profit to make the next quarter's numbers look good. There is no level playing field. The Chinese are deliberately polluting their country and ruining their workers' health in order to make their labour and processes so cheap that we can't compete.

      --
      Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
    2. Re:Asymmetric Warfare by Anonymous Coward · · Score: 0

      The name of the paper is "Unrestricted War" and it did get turned into a book. It was written by two generals of the Chinese air force and was very popular among the new leftists and nationalists of China in the past decade.

  18. SMBs and Cloud Computing by sp3d2orbit · · Score: 2, Interesting

    The paper says that small and medium sized businesses are often targets and that they rarely have the resources to mitigate the attacks. Seems to me like this is a great reason to move to cloud computing. I would think 99% of businesses would be better off letting Google protect their servers than trying to find a way around these attacks themselves.

    1. Re:SMBs and Cloud Computing by sumdumass · · Score: 1, Insightful

      I hope you weren't counting on a Funny mod because Google was a victim of this attack. IF you were, then I'm sorry that I walked around it. I do not think cloud computing would be the solution to something like this.

      You see, they infiltrated the regular network before infiltrating the servers. Even cloud computing services wouldn't be looking for attacks from inside as it would appear once the workstations were compromised. They basically tricked users into giving them access or visiting a site that took advantage of an exploit to get access on the workstations. From there, it was almost like sitting in the offices that were supposed to be accessing the servers. This would work with or without cloud computing.

    2. Re:SMBs and Cloud Computing by Anonymous Coward · · Score: 0

      I would think 99% of businesses would be better off letting Google protect their servers than trying to find away around these attacks themselves.

      Hunh? Didn't this all come to light because Google ran afoul of the exploit?

  19. Read the article's last paragraph by Anonymous Coward · · Score: 0

    I don't normally read the slashdot articles, but happened to read this one. Read the last paragraph, it is chilling.

    DK

  20. Unrestricted Warfare by Anonymous Coward · · Score: 4, Informative

    That paper was this one hosted on Cryptome: Unrestricted Warfare
    by Qiao Liang and Wang Xiangsui (Beijing: PLA Literature and Arts Publishing House, February 1999)
    It is translated by the FBIS, the CIA's Foreign Broadcast Information Service, which collects and translates reports from around the globe.

  21. but there are easier ways by Anonymous Coward · · Score: 0

    Isn't google putting in backdoors to their apps per government requirements? Now bend over.

  22. Oh brother.. by jav1231 · · Score: 2, Insightful

    "We went to do business in a communist nation and they attacked our network, attempting to gain access and who knows what!?" As my teenaged daughter used to say, "Uh..Hello! Yeah!?" Which loosely translates to: And you're surprised?

  23. Woo! Monoculture! by copponex · · Score: 3, Interesting

    I'm sure that doesn't carry any risks!

    But seriously, if Google were evil geniuses, they'd create hundreds of smaller data centers around the US, with different ecosystems of software security and virtualization and ip blocks, and then use them as a raid array to back up each other.

    Damn I wish I had a billion bucks.

  24. Custom Built by Anonymous Coward · · Score: 0

    Well, it's obvious why all these attacks work in the first place: companies don't use custom built operating systems. It's a lot harder to attack anything when you have no idea what's what. Where everything is based on a single letter and number sequence to get things done such as f8 for internet, or q0 for delete, or r2 to set us up the bomb. Build it from scratch, write out any vulnerabilities or hell, just make sure everything important is on the corporate intranet and anything you might need to work on has to be copied to a separate intranet for VPN access to work from home, don't allow internet access :D

  25. Chinese Patience by IonOtter · · Score: 3, Informative

    When I was in the military, we used to shred our secret documents to NSA specs, which is 0.8mm x 4mm. That's about the same width as the "i" in the subject, and about twice as long.

    In 2002, we were informed that this was not small enough, and now had to run the shredded documents through the hammer mill, so everything would be reduced to powder.

    They caught some folks rummaging at the local landfill, looking for the trash bags filled with end of week, end of month and end of year destruction.

    Those people had stereo microscopes in their homes and apartments, and were reassembling the documents and crypto tapes, one tiny piece at a time.

    The Chinese have existed as a nation for longer than any other civilization on the face of this planet, and they take the "long view" in such things.

    --
    [End Of Line]
    1. Re:Chinese Patience by VendettaMF · · Score: 5, Informative

      > The Chinese have existed as a nation for longer than any other civilization on the face of this planet,
      > and they take the "long view" in such things.

      Thankfully both of these are incorrect to a lesser and greater degree respectively.

      There may have been people living in the areas of land now referred to as China, but any links between historical cultures and thought and the modern morass are purely fictional.

      And as anyone who has done business in/with China can tell you one of the biggest problems inherent to the nation is a complete inability to plan ahead or consider delayed benefits. None of the Chinese businesses I've worked in, nor the government bureaucracy I've suffered through, have ever included any possibility of passing up 10 bucks in their pocket right now in exchange for a thousand tomorrow.

      We're dealing with a cultural mindset that would unhesitatingly slaughter the goose that laid the golden eggs, not in hopes of finding lots of eggs inside (that assumption requires some logical thought and deductive reasoning), but simply to take its feed and head for picking.

      There is no concept of repeat business here. Any supplier who believes they can get away with it will supply a shipment of non-functional crap and pocket the single payment rather than even bother trying to set up monthly deliveries of functional goods.

      The unstable legal system is partly at fault here. There is just no way in this culture to be sure that your products won't be outlawed/super-taxed next week. Money under the mattress is the only surety.

      --
      kartune85 : Incapable of reason, observation or learning. A kind of dim, drab, flightless parrot.
    2. Re:Chinese Patience by rjiy · · Score: 0, Flamebait

      Absolutely the same story in India. Sometimes I wonder if _any_ place outside of the US really gets it. Anecdotally, even Europe seems similarly third world-ish. This is also the reason I think predictions of the US being eclipsed anytime this century are hogwash.

    3. Re:Chinese Patience by Anonymous Coward · · Score: 1, Interesting

      I always found this shortsightedness endemic to laissez faire thinking.

    4. Re:Chinese Patience by Anonymous Coward · · Score: 2, Interesting

      Same thing happened when the Iranians overtook the US Embassy in 1979. The students pieced the documents back together looking for identities of CIA informants and the like. An example of the reconstructed documents is in the National Security Archive at GWU.

    5. Re:Chinese Patience by phantomfive · · Score: 3, Insightful

      There is no concept of repeat business here. Any supplier who believes they can get away with it will supply a shipment of non-functional crap and pocket the single payment rather than even bother trying to set up monthly deliveries of functional goods.

      Don't know about China, but I read about one guy in a similar situation in Belgrade, where at the time they sold gasoline for cars in open buckets on the side of the road. Some of the gas was high quality, and others was cheap and could ruin your car. This guy built a relationship with a 'supplier' (who was named Stevo, from Zemun), and paid him extra to make sure he always got him the high quality stuff.

      Same thing in China, if you are willing to establish a good relationship with some suppliers, and make sure they get paid extra for their effort. If you aren't willing to pay extra, if you are stingy and try to wring the last cent out of your supplier, well, you get what you pay for.

      --
      Qxe4
    6. Re:Chinese Patience by Johnny+Mnemonic · · Score: 1

      You can be sure that it was no accident that "they" "caught" the guys rummaging the trash. The confirmation is the followup, that included warrants to search the premises of them rummagers to find the microscopes.

      Here's a couple of other things I would infer:
      -you will never hear from the rummagers again.
      -the NSA shredded some bogus intelligence and let the rummagers piece it together before busting them. There's nothing so good as catching someone being clever; their cleverness and effort deludes them into thinking that what they have is genuine.

      --
      $tar -xvf .sig.tar
    7. Re:Chinese Patience by In+hydraulis · · Score: 3, Insightful

      What makes you think the US is any different? We're talking about a nation that has offshored most of its manufacturing industry for the promise of a few cheap, possibly-functional trinkets.

      If the Chinese cultural mindset "believes they can get away with [supplying a single] shipment of non-functional crap" it is because this approach is working for them. I wonder who their customers are.

    8. Re:Chinese Patience by Anonymous Coward · · Score: 0

      Goodness, you've just described the good 'ol USA.

    9. Re:Chinese Patience by Anonymous Coward · · Score: 0

      You are talking about businesses. The Chinese government has a different mindset. Chinese government officials are elected/chosen for 10 years or more. They have patience.

    10. Re:Chinese Patience by Anonymous Coward · · Score: 0

      If you take a longer view yourself, that's exactly what gpp was talking about. People _are_ taking a long view of things - in this case, they're looking ahead and seeing only instability.

    11. Re:Chinese Patience by Jedi+Alec · · Score: 1

      Absolutely the same story in India. Sometimes I wonder if _any_ place outside of the US really gets it. Anecdotally, even Europe seems similarly third world-ish.

      Care to elaborate on that? I've only lived here for a little over 30 years, here being Europe, so I'm curious what said anecdote actually is.

      --

      People replying to my sig annoy me. That's why I change it all the time.
    12. Re:Chinese Patience by Anonymous Coward · · Score: 0

      There was an interesting article in The Spectator recently that identified Russia's weak legal system as a significant problem.

      In the absence of functional legal or law enforcement systems, people’s only real protection lies in a network of personal and professional relationships with powerful individuals.

    13. Re:Chinese Patience by Bert64 · · Score: 1

      I just shred with a generic desktop shredder, and then set fire to the resulting bundle of paper scraps.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    14. Re:Chinese Patience by turing_m · · Score: 2, Informative

      Same thing happened when the Iranians overtook the US Embassy in 1979.

      The difference was that the Iranians only had to piece together strip-cut shredded documents. Not 0.8mm x 4mm (level 6). From what I can tell, this is still the highest standard of shredding used in the USA. To piece that together requires completing a 19k piece jigsaw per page, something I tend to doubt that you are going to do by hand - each page is going to take longer than 30 days for a family to complete. http://www.worldslargestpuzzle.com/hof-010.html - that's what it took for a family to complete an actual jigsaw without having to use stereoscopic microscopes or tweezers.

      I would think it more likely that they would somehow scan the pieces in and have a computer algorithmically complete the puzzle. See here: http://www.brighthub.com/computing/enterprise-security/articles/882.aspx

      The funny thing from the latter piece is that the most common form of document reconstruction is for the 1/4 inch strip shredded documents - the cheapest possible method of shredding. Why am I not surprised.

      --
      If I have seen further it is by stealing the Intellectual Property of giants.
    15. Re:Chinese Patience by Osvaldo Doederlein · · Score: 1

      Still, like any stable dictatorship, China is able to pursue at least some general, strategic long-term plans. It's the advantage of rulers who don't have to worry that they're leaving the office in a few years, like in democracies where most presidents/governors/mayors won't bother to lay any eggs that will only hatch after their mandate is finished (especially when reelection is not allowed).

    16. Re:Chinese Patience by Anonymous Coward · · Score: 0

      And as anyone who has done business in/with China can tell you one of the biggest problems inherent to the nation is a complete inability to plan ahead or consider delayed benefits. None of the Chinese businesses I've worked in, nor the government bureaucracy I've suffered through, have ever included any possibility of passing up 10 bucks in their pocket right now in exchange for a thousand tomorrow.

      We're dealing with a cultural mindset that would unhesitatingly slaughter the goose that laid the golden eggs, not in hopes of finding lots of eggs inside (that assumption requires some logical thought and deductive reasoning), but simply to take its feed and head for picking.

      It's not the stupid people you have to worry about, but the smart ones.

      And all it takes is one to ruin your day.

    17. Re:Chinese Patience by neppe henk · · Score: 1

      open bucket

      gas

      open bucket

      gas

      What?

      (thatstupidfilterthatsaystoofewcharactersperlinewtf)

    18. Re:Chinese Patience by IonOtter · · Score: 1

      To piece that together requires completing a 19k piece jigsaw per page, something I tend to doubt that you are going to do by hand...

      Well, it depends on what you're after?

      If you're after crypto tapes, they're only 8-level paper tape, usually made out of a very distinctive paper or plastic. And shredding machines drop their shred in layers, so all you had to do was carefully peel away the layers to find what you were looking for.

      In retrospect, the flaw in the process wasn't mechanical, it was people; we should have been reaching into the bag of shred and mixing it up like a salad before dumping the whole bag into the rubbish bin. But when you've got several reams of paper and tapes to go through in a 12-hour watch, along with keeping everything running, shortcuts happen. Not to mention that shred that small is worse than packing peanuts, and gets absolutely EVERYWHERE!

      Now that we use the hammermill, it's a moot point.

      --
      [End Of Line]
    19. Re:Chinese Patience by Blakey Rat · · Score: 1

      Don't know about China, but I read about one guy in a similar situation in Belgrade, where at the time they sold gasoline for cars in open buckets on the side of the road. Some of the gas was high quality, and others was cheap and could ruin your car. This guy built a relationship with a 'supplier' (who was named Stevo, from Zemun), and paid him extra to make sure he always got him the high quality stuff.

      Ah! So that's what happened to Steve-O!

      I'm guessing he was also drinking the gasoline.

    20. Re:Chinese Patience by phantomfive · · Score: 1

      Apparently the vendors smoked, too. It might have been diesel fuel, which is much less flammable. Story from one of the best Balkan reporters, Misha Glenny, in his book McMafia.

      --
      Qxe4
    21. Re:Chinese Patience by Anonymous Coward · · Score: 0

      And if you burned the papers, they would read the smoke signals.

    22. Re:Chinese Patience by Anonymous Coward · · Score: 0

      In 2002, we were informed that this was not small enough, and now had to run the shredded documents through the hammer mill, so everything would be reduced to powder.

      They caught some folks rummaging at the local landfill, looking for the trash bags filled with end of week, end of month and end of year destruction.

      Any reason you didn't choose a simpler solution, like burning after shredding?

      All the spy novels I've read (which of course are 100% historically accurate) have embassies & secret installations that burn after shredding.

    23. Re:Chinese Patience by Anonymous Coward · · Score: 0

      Why not simply burn the documents?
      Trees can be planted to offset the carbon emissions.

  26. I use a Mac by ridgecritter · · Score: 1

    with Preview as my pdf reader. I never use Acrobat. Does that move me out of the sight picture for this type of attack?

    1. Re:I use a Mac by Anonymous Coward · · Score: 0

      No, actually the malware toolkits have "addons" for Mac and Linux (WebKit based or PDF based like OS X), it's just that they cost more and nobody buys them (low share), but don't bring your smugness here, you can be owned the same as Joe Sixpack. And there's no decent AV or tool in the Mac world to save your ass once owned.

      Thank god we all know that when that php script smells a Mac it refuses to gain key logging rights for those juicy bank accounts, um huh, carrying my wallet outside my pocket makes me invulnerable to robbers <sarcasm

    2. Re:I use a Mac by hmar · · Score: 1

      A Mac user asked, seriously as far as I can tell, if his Mac's preview software is as vulnerable as Acrobat, and you accuse him of smugness. Why do the Mac haters have to automatically make assumptions about Mac users? This guy actually came about it without smugness, and yet you belittle him for it. You are infinitely more the elitist than the most hardcore of Mac fanboys, and you don't even realize it.

  27. Useless filter. by FooAtWFU · · Score: 3, Informative

    And get 0wned by a zombie in Switzerland or Dubai or Schenectady or something.

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
  28. Buzzwords by Anonymous Coward · · Score: 0

    Whatever happened to using phrases like "confidence trick" instead of "social engineering"?

    1. Re:Buzzwords by Grail · · Score: 2, Interesting

      American egos happened.

      "I got conned," versus, "I was the victim of a social engineering attack."

      Being a victim isn't as embarrassing as being stupid.

  29. My recommendation - Capability Based Security by ka9dgx · · Score: 1

    This problem was SOLVED by Dennis and Van Horn back in the 1960s, it's called capability based security. You can read more here: http://old.nabble.com/On-the-Spread-of-the-Capability-Approach-to5608409.html

    The concept is simple, every process has a list of capabilities handed to it. It doesn't get to do anything not on the list.

    It would be fairly easy to make sane default lists and still have a very usable computer.

    1. Re:My recommendation - Capability Based Security by azgard · · Score: 1

      Yeah, I thought about this too, but I haven't read the paper. The problem I see is then you cannot have something like shell - where the capabilities required vary widely with what you just need to do.

    2. Re:My recommendation - Capability Based Security by ka9dgx · · Score: 1

      Sure you could have a shell. You could leave it pretty much the way it is now, as far as the user is concerned. You let them choose what to feed to a program. The OS is responsible for enforcing the user's choices, they should be allowed to trash their machine if they so choose.

      The difference is this would make it much more transparent, and you would KNOW you were feeding your system to a program, when you decided to do it.

  30. Brace for impact. by dweller_below · · Score: 2, Informative

    I imagine most of us are saying: "Not a problem. I don't have anything China wants."

    I wish. This is what hacking looks like now. If you haven't noticed, you haven't been paying attention.

    We asked ourselves which 10 computers would cause us the greatest loss if they were compromised. When we took a hard look at their network traffic, we found an otherwise undetectable compromise. It appears to have been in place for at least 3 months. Just patiently listening and waiting.

    You may want to try the same exercise.

    Organized crime has demonstrated (http://www.ren-isac.net/alerts/banking-attacks_technical_201001.html) that patient, disciplined attacks yield great monetary rewards.

    The Chinese have demonstrated that patient, disciplined attacks are virtually unstoppable.

    What more could any hacker want?

    The most fragile secret is a successful economic model. Once it gets out, EVERYBODY copies it.

    Learn how to defend yourself if you want to survive.

    Miles

  31. Oblig by shivamib · · Score: 1

    [...] dubbed 'Borgora' attacks. Up to 100 companies were victims, and some are speculating that resistance to such attacks is futile.

    I for one welcome our new Aurorean Overlords.

    Now let's see this PDF fi

  32. Summary omits crucial component: MICROSOFT WINDOWS by toby · · Score: 1

    Taggers take note.

    --
    you had me at #!
  33. Google, Linux, and virtual machines by r00t · · Score: 2, Insightful

    If you preview it, as suggested, using the Google reader, aren't you still loading that into memory?

    You're loading it into Google's memory. Google is using a non-Adobe program to generate HTML.

    In theory the attacker could have a Google-specific 0-day exploit that pwns Google's server (probably custom unreleased software on Linux, so VERY hard) and then ships you some evil HTML. This is damn unlikely.

    I'd also be curious to know the effectiveness of these pdf attacks on linux hosts.

    Linux is a bit harder to attack, especially if 64-bit. It's possible to make Linux **MUCH** harder to attack, but we haven't bothered yet.

    Although not feasible for the work environment (or is it?) there are probably many users out there who now surf through virtual machines.

    I think you have that backwards, but this is rare in either case. In the business environment it's possible to get site licenses, firewalls to block non-VM browsing, and even competent IT support. Note: "possible". It's very uncommon, but possible.

  34. Hardened Desktop - SELinux? by mrmeval · · Score: 1

    Currently I've been attempting to convert my Fedora system from SELinux working in targeted mode to strict mode. I found that numerous programs I'd like to run and that are provided will not work with SELinux without giving them permission to do insecure functions. So far several programs violate SELinux execmem rules when enforced. There is no way for a non-coder to fix this. One problem for a VLSI IDE I want to run is the TK interpreter 'wish'. Most of the others are 3D tools or games.

    I will at some point weed out that garbage and run this in strict mode. This is a slow process.

    --
    I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
  35. alternative: no-nonsense sandboxing by r00t · · Score: 2, Interesting

    Let's try less crap on our machines that might be vulnerable.

    I can agree for performance and cross-platform issues, but proper sandboxing solves the attack surface problem.

    Imagine a web browser that starts up a fresh new virtual PC for each web site, then deletes the machine when you leave the web site. The virtual machine could even run IE 6 on Windows XP without any service packs, and the entire world allowed to run Active X shit without prompting. The virtual PC can get pwned in a fraction of a second every time, and you just don't need to care. Firewalling on the host OS can restrict the guest OS to the intended web site, so you don't need to worry about being a botnet node.

    1. Re:alternative: no-nonsense sandboxing by garaged · · Score: 1

      You don't need to run over virtual, the problem is the same. To avoid attack you need DNS black lists, and to mitigate pwnage activities you need internal monitoring. Most of the problem would be avoided using non-Windows OSs; the problem with Windows is the sorry state of privileges on Windows, and the average knowledge of Windows admins. We say in México: the cheap comes expensive.

      --
      I'm positive, don't believe me look at my karma
    2. Re:alternative: no-nonsense sandboxing by karnal · · Score: 1

      Actually, there's still an attack vector that would exist here. Credentials. Specifically, what some attackers would look for would be cool little tidbits of information:

      1. Bank Account credentials
      2. 401k/other "wealth" credentials
      3. e-mail credentials

      These could all be compromised even in a sandbox....

      --
      Karnal
    3. Re:alternative: no-nonsense sandboxing by r00t · · Score: 1

      The bank already has my bank account credentials. The bank can pwn the virtual PC all it wants, but that gets discarded when I leave their site. Any other site can pwn A DIFFERENT INSTANCE of the virtual PC, and that too gets discarded when I leave.

      It's like a separate computer for each web site.

    4. Re:alternative: no-nonsense sandboxing by r00t · · Score: 1

      DNS black lists will never catch up. It's already too late.

    5. Re:alternative: no-nonsense sandboxing by Coren22 · · Score: 1

      Let me guess, you still haven't upgraded from XP, or were you one of those that turns off UAC because you don't like it?

      UAC in Vista and 7 handles the privilege issue very well, try it out some time.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    6. Re:alternative: no-nonsense sandboxing by karnal · · Score: 1

      Your bank is much stronger at security than mine. Mine doesn't require one time pads or anything that is at any point "random" for each session - just username and password.

      Change my password frequently, but if it's compromised even once... *shudder*

      --
      Karnal
    7. Re:alternative: no-nonsense sandboxing by r00t · · Score: 1

      I think you misunderstand.

      This is about possible/ideal/future web browser security.

      If you've never used VMware, give it a try. The "player" and "server" versions are free. Notice you get a PC in a window on your desktop. In that window you can watch it boot up, BIOS and all. It runs its own copy of the OS. The "hard disk" lives in a file on your real computer.

      Imagine if you used a web browser inside VMware to go to your bank. Suppose you ONLY use it to visit the bank. Suppose you use a different VMware instance for visiting a malware site. That's like having two extra computers, one for each site.

      That would be totally effective if you did it for all web sites, but it would be too much effort. If the browser itself were to internally do this for you though, it could be easy to use. The browser could be designed so that you don't even need to be aware of the VMware-style sandboxing.

    8. Re:alternative: no-nonsense sandboxing by gfim · · Score: 1

      I know that nobody is looking at this two weeks later, but...

      Why do you think that changing your password frequently would help? If the baddies get your password, the money's gone within a few minutes.

      --
      Graham
  36. Social engineering by Anonymous Coward · · Score: 0

    "The attacker socially engineers a victim, often in an overseas office, to visit a malicious website."

    Hire people with a triple digit IQ...
    "Why is the page blank?"
    "Oh, the page I sent you won't work unless you load it in 'x' turn off 'y'"
    "Ok"

  37. Oh yea! by Sepiraph · · Score: 2, Informative

    Absolutely the same story in India. Sometimes I wonder if _any_ place outside of the US really gets it. Anecdotally, even Europe seems similarly third world-ish. This is also the reason I think predictions of the US being eclipsed anytime this century are hogwash.

    Yea US gets it ... that's where it is at, 14 trillion dollars in debt, quantitative easing (aka printing money) to the rescue!

  38. TCP is not the answer to this. by leuk_he · · Score: 4, Interesting

    The same attack vectors are still possible, e.g. if someone signs an old Adobe PDF reader.exe as trusted, TCP is vulnerable immediately.

    There really is no simple answer to this. The fact that everything is networked nowadays is not helping.

    But every vector of attack can be made as hard as possible.

    1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website.
    Answer: Train users.
    2. This website uses a browser vulnerability to load custom malware on the initial victim's machine.
    Answer: Minimize the number of plugins, keep the browser up to date, put internet access in a virtualized separate part of the network.
    3. The malware calls out to a control server, likely identified by a dynamic DNS address.
    Answer: Kill those control servers!
    4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials.
    Answer: Should not be possible. A user should not get admin rights.
    5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite.
    Answer: No answer possible, see 4.
    6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server.
    Answer: Check the VPN access logs AND use second-channel authorisation (token).
    7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.
    Answer: Don't put all the eggs in one basket. A user should only be able to access what he needs, not everything.
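
One way to act on the "check the VPN access logs" and "fake user in the VPN access server" points in step 6 above, as an added example that is not from the post or from the iSec report: a small Python review pass over constructed VPN log lines that flags accounts missing from the directory roster, sessions opened without the second-channel token, and the same account appearing from a second source address within a short window. The log line format, the account roster and the addresses are all constructed for this example and do not come from any particular VPN product.

```python
import re
from datetime import datetime, timedelta

# Constructed sample VPN access log lines for this example; the format is
# assumed, not taken from any particular VPN product.
SAMPLE_VPN_LOG = """\
2010-01-15T02:14:09Z vpn01 login user=jsmith src=203.0.113.45 mfa=yes result=ok
2010-01-15T02:31:44Z vpn01 login user=svc_backup2 src=198.51.100.7 mfa=no result=ok
2010-01-15T09:02:10Z vpn01 login user=mlee src=192.0.2.88 mfa=yes result=ok
2010-01-15T09:05:31Z vpn01 login user=jsmith src=198.51.100.9 mfa=no result=ok
2010-01-15T11:40:02Z vpn01 login user=rwong src=192.0.2.14 mfa=yes result=fail
"""

# Constructed roster of accounts the directory / HR actually knows about.
# An account that can open a VPN session but is not in this set is the
# "fake user in the VPN access server" case from step 6.
KNOWN_USERS = {"jsmith", "mlee", "rwong"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one log line into a dict (timestamp as datetime), or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def review_vpn_log(log_text, known_users, window_hours=12):
    """Return (user, reason) findings for successful VPN logins, in log order.

    Reasons:
      unknown-account  - account is not in the directory roster
      no-mfa           - session was opened without the second-channel token
      second-source    - same account logged in from a different source
                         address within window_hours of its previous session
    """
    window = timedelta(hours=window_hours)
    findings = []
    last_seen = {}  # user -> (timestamp, source address) of previous successful login
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "ok":
            continue  # only successful sessions are reviewed in this pass
        user, src, ts = rec["user"], rec["src"], rec["ts"]
        if user not in known_users:
            findings.append((user, "unknown-account"))
        if rec["mfa"] == "no":
            findings.append((user, "no-mfa"))
        prev = last_seen.get(user)
        if prev is not None and prev[1] != src and ts - prev[0] <= window:
            findings.append((user, "second-source"))
        last_seen[user] = (ts, src)
    return findings


if __name__ == "__main__":
    for user, reason in review_vpn_log(SAMPLE_VPN_LOG, KNOWN_USERS):
        print(f"{user:<12} {reason}")
```

On the sample data this reports svc_backup2 twice (not in the roster, and no token) and jsmith twice (a token-less session, and a second source address within the window); the failed rwong login is skipped by this pass.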

  39. The attack name Aurora is being overloaded by grandpa-geek · · Score: 1

    Aurora was also the name of the "cybersecurity attack" on an electric generator that resulted in it bouncing up and down in a video on CNN a few years ago.

    Actually, the cyber intrusion was stipulated and the remainder of the attack simulated by doing things with the generator that are known to cause serious problems.

  40. Can't solve stupid. by DarthVain · · Score: 1

    I love how "Step #1" is social engineering. Which can be translated to simply, find some stupid sucker that you can convince to do something they shouldn't be doing.

    You cannot solve stupid.

    No amount of security will prevent intrusion if all you have to do is call up some idiot and get him to turn it off for you.

    The only solution to this is A) Training, or B) Don't hire freaking idiots.

    Difficulty is that idiots are usually cheap labour, and don't particularly care one way or another. One might argue you can still hire idiots, just don't give them access to anything critical. However, in today's world that can mean pretty much any network access, which means why bother hiring them as they won't be able to do anything (or even less than before).

    Sadly many times it is the older people closer to retirement, or the very young temporary workers, who are most vulnerable. I have personally worked with some people that A) I wonder how the hell they got that job, and B) how the hell they can get ANY job not directly associated with shovels (not including managers). I think a good litmus test is if the jerk at Best Buy or Future Shop can con you, then slowly step away from my computer console, as you are a danger to yourself and others. I find it hard to believe someone could be found without raising suspicion in a company like Google, but I guess every corporate structure has its flaws.

    It also takes a bit of a suspicious mind, critical thinking, and a dash of paranoia. Both my Dad and my Sister fell for that malware that you get by clicking on the website that makes it look like your desktop, and it has an error. It actually took me a few moments to realize that the "error" they were talking about was really that phishing website. I was at somewhat of a loss as to what to tell them when they asked me how to prevent this in the future. I couldn't exactly tell them not to be suckers. In the end I just told them to pay attention to what they are doing and to be very suspicious of any new website they do not trust.

    (Firmly adjusts tinfoil hat with pride)

    With the amount of jerks out there trying to screw with you, as amazing as it sounds, a tinfoil hat is your best defense. (I mean that figuratively, not literally, though it is fashionable...)

  41. Does this mean ... by Anonymous Coward · · Score: 0

    that Google must have had a corporate Windoze network and active directory ? That's Evil ! ;-)

  42. Re:Summary omits crucial component: MICROSOFT WIND by Anonymous Coward · · Score: 0

    LOL.. And linux has no vulnerabilities?

    http://milw0rm.com/platforms/linux

    Just last year there were DOZENS of kernel vulnerabilities on Linux and NT had almost none. Of course since you're part of the online Linux cheer-leading squad you ignore facts.

    Linux is an average Unix clone. Get used to it. Although, to be fair, I guess the "clone" part is redundant. Everything in the F/OSS world is a copy of existing successful proprietary products.

  43. Regular hack... by hesaigo999ca · · Score: 1

    They described, in steps, the regular hack that happens in everyday hacking. I don't know what they were trying to single out, but most hacks start off with a vulnerability being exploited and then the hacker tends to put into effect means to be able to reconnect using proper credentials.

    Anyways, using a hole to then log on and create your own account for later seems pretty simple in terms of common sense, but the rest of the way would be to describe how a hacker goes about deleting tracks left behind in order to avoid flagging that the server was compromised. This would show more the effort you need to put into a good hack session.

  44. Yes and no by chihowa · · Score: 1

    You really think they don't use compromised hosts elsewhere to mount these attacks? Guess where the LEAST likely source address for an attack from China would be? Right. APNIC address space in China.

    Yes and no.
     
    While I'm sure a real attack would come from a compromised host somewhere else, I noticed that the bulk of the portscans and ssh auth attempts that my systems log are from these address blocks.
     
    Maybe it's just kids screwing around or maybe they're gathering intel on systems they can use to conduct bigger attacks later. Either way, my systems see a whole lot less malicious traffic now that I've blocked China.

    --
    If you want a vision of the future, imagine a youtube comments section scrolling - forever.
  45. Wait wait wait... by Anonymous Coward · · Score: 0

    You say you know what's going on in China because of someone who lives there? Someone who is, by your very admission, living in an Orwellian Panopticon of government lies and surveillance? Someone who is telling you the truth as he sees it, certainly, but why do you believe that the information he's gathered is itself true?

    The government of China lies, and it steals information, and it kills its own people en masse...and yet you think it wouldn't sully itself with governmental espionage or industrial sabotage. All it wants, you say, is to steal information from foreign companies.

    I'm glad we cleared that up.

  46. Nearly fell for it by Anonymous Coward · · Score: 0

    Wha... ? Oh ! W - i - n -.... Man! You had me going for a moment, there ! :)