Slashdot Mirror
Aurora Attack — Resistance Is Futile, Pretty Much
eldavojohn writes "Do you have branch offices in China? iSec has published a new report (PDF) outlining the severity of the attacks on Google.cn, allegedly by the Chinese government, dubbed 'Aurora' attacks. Up to 100 companies were victims, and some are speculating that resistance to such attacks is futile. The report lays out the shape of the attacks — which were customized per-company based on installed vulnerable software and antivirus protection: '1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website. 2. This website uses a browser vulnerability to load custom malware on the initial victim's machine. 3. The malware calls out to a control server, likely identified by a dynamic DNS address. 4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials. 5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite. 6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server. 7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.' The report also has pages of recommendations as well as lessons learned, which any systems administrator — even those inside the US — should read and take note of."
Major attack vector: Acrobat Reader. Security company publishes intrusion analysis in pdf format. If you clicked it, you may be part of the problem.
Help stamp out iliturcy.
Just don't use MS Windows.
Okay, I know an ex-pat who has moved to China and married. I have a much better understanding of the current state of technology and governmental oversight there than most here. Let's clear some things up:
The government closely monitors it citizens using every form of surveillance available in public places (which include the internet) to ensure that they are not acting in a fashion the government defines as "subversive". They aren't interested in international cyber-terrorism. They simply realize that they need to be where their citizens are to maintain the umbrella of surveillance. They're not trying to blow up power plants or destroy financial markets, or engage in other acts of cyber-terrorism. They are simply of the mindset that the internet lacks geographical boundaries, and hence treat it somewhat like international waters, and regularily patrol and conduct intrusions on remote systems for the purpose of effecting surveillance on its own citizens.
They are also interested in industrial espionage against specific high-value targets that have technology that China cannot replicate with its limited (though rapidly growing) infrastructure. China is very good at copying technology. It has very little ability (or desire) to innovate. They are focused primarily on a massive modernization program so as to set themselves up to compete with the EU, US, and south asian markets. Hong Kong is about the only ace they have up their sleeve right now there. So they conduct limited cyber attacks for the purpose of acquiring the information and designs to manufacture technologies that are highly intricate (such as microprocessor design).
This is not a statement on the validity of any sovereignty claims, or a moral judgement on China's state-sponsored activities on the global communications networks, merely an statement of their motivations.
#fuckbeta #iamslashdot #dicemustdie
Humans are the biggest weakness in the chain. Don't hire them, or at least hire the most non-people types you can. Hire the non-team players and the ones that argue with everyone. When someone calls them and asks them to go to a web site, they'll say screw you and hang up.
"Attackers are willing to spend months attacking people in these companies, and they write custom malware specific to those companies," [iSec founding partner Alex Stamos] told The Register. "The malware for each of these companies has been customized based on the versions of vulnerable software they're running, as well as what kind of anti-virus they're using. ...
Since when has anti-virus heuristics algorithms been at all useful against custom malware?
Even the script kiddies can find encrypters to take their cookie cutter programs and make them invisible to the majority of anti-virus programs.
[Fuck Beta]
o0t!
QUIT RUNNING WINDOWS. Look, if anybody runs windows on more than their client box (and many would argue even that is stupid), then you deserve what you get. The same set of idiots will design tanks and subs with picture windows.
1. You must first find someone using windows who is prone to clicking things without thinking. - ok, I accept that.
2. Running a vulnerable browser - Still quite common, First security failure
3. Running windows - Still very plausible
4. Vulnerable to a privilege escalation exploit - Second security failure
5. With a network setup that is vulnerable to this kind of thing - Third security failure
5. Then "accessing" an AD server database - Fourth security failure
6. To be cracked - ok
So for this to work you have to have an insecure browser or other userland app that is easily exploitable (Acrobat), an OS with a privilege escalation flaw and A network that will let someone do things they probably shouldn't, an AD server that is crackable so that you can get at the DB.
IMHO that is a hell of a lot of failures by the various parties for this to work.
HOW!!!?? Unless some boneheaded sysadmin granted a user with Domain Admin access, I don't see how this is even remotely possible. Someone with just plain Domain User access either authenticates, or doesn't. Is this article suggesting all local user names and passwords from a DC (domain controller) are locally cached prior to authentication?
Life is not for the lazy.
This type of social engineering attack has been around for atleast 2 decades now. there are manny books about it, including mitnicks.
Windows exploits, spicificley owning a windows AD network via local privelege escalation, sniffing, buffer under/overflows and dumping hashes from the domain controller has been around for atleast 1 decade, the kind of thing I pulled off in highschool.
All they did here is put together very old puzzle peices with a little bit of stratigy.
when will pepole learn to stop using windows? when will people learn to start instituting strict mail policies on corprate networks?
Probably never.
This is not about technical security, this is about exploiting the victums way of thinking.
make money first, keep staff happy second. building a well oilded, tightley maintained business machine does not even come into consideration.
Because, by law, to have an office in China you must have Chinese employees in high-ranking positions.
If your company is of interest then you can be guaranteed of having at least two plants in the office. One to be the obvious pro-party red-book waving decoy, and the other to save them the time and effort of having to phish someone to start the attack.
kartune85 : Incapable of reason, observation or learning. A kind of dim, drab, flightless parrot.
If you don't expect/want traffic from China, configure your firewall to block IP addresses assigned to China.
in china, trojans are small. Because they have small dicks.
I read a paper about a decade ago (which I found thanks to Slashdot) describing how China would "hypothetically" wage a war against the US and win without firing a shot. I can't find the paper any more, but it was written by four Chinese generals. Over the last decade things have pretty much played out exactly like the paper laid things out: an economic assault, a propaganda assault, and an electronic assault. If anyone knows the paper I would love to see it again -- I think it even got turned into a book.
One day, long from now, will people wonder why we didn't see the attack coming until it was way too late?
The paper says that small and medium sized businesses are often targets and that they rarely have the resources to mitigate the attacks. Seems to me like this is a great reason to move to cloud computing. I would think 99% of businesses would be better off letting Google protect their servers than trying to find away around these attacks themselves.
That paper was this one hosted on Cryptome: Unrestricted Warfare
by Qiao Liang and Wang Xiangsui (Beijing: PLA Literature and Arts Publishing House, February 1999)
It is translated by the FBIS, the CIA's Foreign Broadcast Information Service, which collects and translates reports from around the globe.
"We went to do business in a communist nation and they attacked our network, attempting to gain access and who knows what!?" As my teenaged daughter used to say, "Uh..Hello! Yeah!?" Which loosely translates to: And you're surprised?
I'm sure that doesn't carry any risks!
But seriously, if Google were evil geniuses, they'd create hundreds of smaller data centers around the US, with different ecosystems of software security and virtualization and ip blocks, and then use them as a raid array to back up each other.
Damn I wish I had a billion bucks.
When I was in the military, we used to shred our secret documents to NSA specs, which is 0.8mm x 4mm. That's about the same width as the "i" in the subject, and about twice as long.
In 2002, we were informed that this was not small enough, and now had to run the shredded documents through the hammer mill, so everything would be reduced to powder.
They caught some folks rummaging at the local landfill, looking for the trash bags filled with end of week, end of month and end of year destruction.
Those people had stereo microscopes in their homes and apartments, and were reassembling the documents and crypto tapes, one tiny piece at a time.
The Chinese have existed as a nation for longer than any other civilization on the face of this planet, and they take the "long view" in such things.
[End Of Line]
And get 0wned by a zombie in Switzerland or Dubai or Schenectady or something.
The World Wide Web is dying. Soon, we shall have only the Internet.
I imagine most of us are saying: "Not a problem. I don't have anything China wants."
I wish. This is what hacking looks like now. If you haven't noticed, you haven't been paying attention.
We asked ourself, which 10 computers would cause us the greatest loss if they were compromised. When we took a hard look at their network traffic, we found an otherwise indetectable compromise. It appears to have been in place for at least 3 months. Just patiently listening and waiting.
You may want to try the same exercise.
Organized crime has demonstrated (http://www.ren-isac.net/alerts/banking-attacks_technical_201001.html) that patient, disciplined attacks yeild great monetary rewards.
The Chinese have demonstrated that patient, disciplined attacks are virtually unstoppable.
What more could any hacker want?
The most fragile secret is a successful economic model. Once it gets out, EVERYBODY copies it.
Learn how to defend yourself if you want to survive.
Miles
American egos happened.
"I got conned," versus, "I was the victim of a social engineering attack."
Being a victim isn't as embarrassing as being stupid.
If you preview it using as suggested the google reader aren't you still loading that into memory?
You're loading it into Google's memory. Google is using a non-Adobe program to generate HTML.
In theory the attacker could have a Google-specific 0-day exploit that pwns Google's server (probably custom unreleased software on Linux, so VERY hard) and then ships you some evil HTML. This is damn unlikely.
I'd also be curious to know the effectiveness of these pdf attacks on linux hosts.
Linux is a bit harder to attack, especially if 64-bit. It's possible to make Linux **MUCH** harder to attack, but we haven't bothered yet.
Although not feasible for the work environment (or is it?) there are probably many users out there who now surf through virtual machines.
I think you have that backwards, but this is rare in either case. In the business environment it's possible to get site licenses, firewalls to block non-VM browsing, and even competant IT support. Note: "possible". It's very uncommon, but possible.
Let's try less crap on our machines that might be vulnerable.
I can agree for performance and cross-platform issues, but proper sandboxing solves the attack surface problem.
Imagine a web browser that starts up a fresh new virtual PC for each web site, then deletes the machine when you leave the web site. The virtual machine could even run IE 6 on Windows XP without any service packs, and the entire world allowed to run Active X shit without prompting. The virtual PC can get pwned in a fraction of a second every time, and you just don't need to care. Firewalling on the host OS can restrict the guest OS to the intended web site, so you don't need to worry about being a botnet node.
Absolutely the same story in India. Sometimes I wonder if _any_ place outside of the US really gets it. Anecdotally, even Europe seems similarly third world-ish. This is also the reason I think predictions of the US being eclipsed anytime this century are hogwash.
Yea US gets it ... that's where it is at, 14 trillion dollars in debt, quantitative easing (aka printing money) to the rescue!
There are still the same vector of attack possible. e.g. if someone signs adobe an old PDF reader.exe as trusted, TCP is vulnerable immediately.
There really is no simple answer to this. The fact that everything is networked nowadays is not helping.
But all vector of attack can be made as hard as possible.
1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website.
Anwer -Train users.
2. This website uses a browser vulnerability to load custom malware on the initial victim's machine.
Answer: minimize number of plugin, up to date browser, Put internet acces in a virualized separate part of the network
3. The malware calls out to a control server, likely identified by a dynamic DNS address.
Anser: kill those control servers!
4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials.
Answer: Should not be possible. A users should not get admin right.
5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite.
Answer: no answer possble, see 4.
6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server.
Answer: Check the VPN access logs AND Use second channel authorisation(token)
7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.'
Answer: Don't put all the eggs in one basket. A user should only be able to acces what he needs, not everything.