Slashdot Mirror
Foreign Hackers Attack Canadian Government
An anonymous reader writes " According to the CBC: 'An unprecedented cyberattack on the Canadian government from China has given foreign hackers access to highly classified federal information, and forced at least two key departments off the internet, CBC News has learned. The attack, first detected in early January, left Canadian counter-espionage agents scrambling to determine how much sensitive government information may have been stolen and by whom.' It should be noted that the Auditor-General warned of this months ago and was ignored by everyone as she usually is. It should also be noted that public sentiment towards China is getting very, very testy."
Attacking every country for gains which are likely worth nothing. Great way to get yourself banned from the playground.
I was sort of half asleep on the drive home, but the radio made it sound like some moron installed a trojan (presumably hot_pic_of_me.jpg.exe), which then scraped internal networks (that should have had better access control, no doubt) for anything interesting. It was pretty vague but that's about what I picked up from it.
Sounds like amateur night anyhow. Maybe they've got HBGary running their security.
Sent from my PDP-11
What I can't seem to wrap my head around is why they would even have that kind of information on a computer that is open to the internet. Why on earth would you expose sensitive computers to the world for anyone to hack? It just doesn't make sense to me.
All the news of China's hacking attempts, compounded with the links many of those have to government, begs the question: "How far is too far?" When will the US (or the international community) hold China accountable and force them to stop these actions? The way I see it, what they are doing is worse than firing shells over a border. This could easily be a buildup for a larger attack, yet no one has done anything substantial yet.
"Going to war without the French is like going deer hunting without your accordion." ~General Norman Schwarzkopf
How it was done
In the world of cybercops, it is called "executive spear-phishing."
This is what you get if the executives you have are fishes, no matter (or even easier) if they look/behave like sharks.
Questions raise, answers kill. Raise questions to stay alive.
Define "sensitive". You have sensitive information on your own computer, yet you expose it to the internet too. At some point it will come down to convenience and efficiency. For some things, there's no way around it, unless you want to have every single conversation and do every single transaction in person.
which is totally what she said
I'll use whatever the government defines as sensitive.
The Chinese may have acquired... *dramatic pause* stealth mÃÃse technology!
That would probably be everything they do, including all email, which by necessity has to travel via the internet. There will of course be different levels of classification, and hopefully they'd encrypt the "more sensitive" stuff.. but really, even if there are good security policies in place, quite frankly a lot of people are idiots when it comes to using computers, and will make mistakes anyway. Mistakes like running a trojan, which makes a lot of security measures useless, if for example the trojan did keylogging, screengrabbing, etc..
which is totally what she said
What're you gonna loosen it with?
Divide a cake by zero. Is it still a cake?
What did the steal? Their recipe for maple syrup?
My tip for her would be to sensationalize this until people start paying attention. But I've never watched Canadian news, so I don't know if they're the same level of hyperbole (100%, plus or minus nothing at all, because it's 100% hyperbole).
There is no -1 Disagree.
"Public sentiment towards China is getting very, very testy" That sounds racist and jingoistic to you? You're kidding right? I mean, "China replacing all Canadian government documents with takeout menues" would at least sound somewhat racist. The Chinese hackers leaving a calling card in the form of an animated takeout box would too. And jingoistic, well "Oh, Canada uber alles, eh!" would sound jingoistic. Canadians marching in the street screaming, "Take off you pandas!" would be both racist and jingoistic.
This is probably a true story though. Chinese hackers have been very aggressive in the last couple of years. One suggestion I've heard was that China wants to test its limits, find vulnerable infrastructure, and so on.
This attack could have been EASILY avoided using 1 simple system: PGP digital signing. Give every government address a PGP key and set up a government public key repository. Any company doing work with the government has no excuse for not being able to do the same.
You then set up the email servers to block any email with attachments that isn't signed by a trusted key.
PGP signing (and even encryption in most cases) is so pathetically easy to set up, the fact that governments don't MANDATE it for internal use (and even external use for anything other than simple civilian inquiries) is absolutely unforgivable.
It just doesn't make sense to me... ... all from their day jobs ip
They like to look up Ford car parts, bathroom repair, fantasy football and correct wikipedia ect
Domestic spying is now "Benign Information Gathering"
http://en.wikipedia.org/wiki/SIPRNet I dont know about Canada but the US has theyre own worlwide network, completely separate from the WWW.
Well the first part is by and far true. We don't make enemies, hell we're the first ones the world runs to when they want mediators. Probably that whole, slow to anger, stubborn, type of thing. However, unlike in the US where shit hit the fan several times, over several things. And Americans went WTF, HOLY SHIT, CHINA...what the hell are you doing?
Canadians went...eh...okay. Dead? Nope. Carry on, government to do a better job. People as a whole here don't get angry quickly, over anything. And it takes a lot to push the general public over the edge on something. Either it has to have dire ramifications and is so fucked up for everyone(UBB is a fine example), or a lot of people have to die because of government stupidity(air india). People are getting pissed off at China here, it's taken a lot of really hard work to get people here angry. And that's saying something.
Om, nomnomnom...
They didnt say "public sentiments towards the Chinese." Its China, not hte Chinese. The government, not the people. You wouldnt be offended if your werent shortsighted.
There is a reason the people of China have to work their asses off just to get some decent internet http://en.wikipedia.org/wiki/Golden_Shield_Project
Why has stating facts, that mention a race, become racist lately? It getting ridiculous. http://en.wikipedia.org/wiki/Falun_Gong
It's not like data leaks/traffic/theft/espionage was invented the other day and doesn't happen all the time. All the ad-tracking businesses, credit bureau, embassies, corporations, are full of undercover info smuggling all the time. You just dont *see* it very often. If they steal your data, you steal their data. It's not even violent. Heck, if you weren't so busy with those tons of skeletons in your closet, you might even think it was fun.
Build your own energy sources from scratch. http://otherpower.com/
> This attack could have been EASILY avoided
> using 1 simple system: PGP digital signing.
The Canadian government is in the process of rolling out a digital signature system... unfortunately, it's Entrust rather than an open solution like PGP, and it looks like it's going to be cumbersome enough that it won't get used in situations it's not absolutely necessary for.
Because it's not based on open standards it can't be used for external communications which makes it rather infeasible to block all unencrypted attachments. Which would be a bad idea, anyways, given the small fraction of "protected" information on unclassified networks (i.e. ones which communicate with the outside world).
Log in or piss off.
I agre, that "very very testy" statement is ridiculous. I'm Canadian, and I am not very very testy at all. I also don't judge an entire nation based on the actions of a small group.
There seems to be no evidence either way, as all the routing info can be faked. Ask yourself who has most to gain? Who would gain most from the spin that China goes around hacking the Canadians? Who would like all their neighbours to sign up for some online neighborhood watch scheme for government snooping?
Korma: Good
Recently a Chinese national snuck into the country using an elaborate rubber mask. He was arrested and held as a security threat. Then, he was RELEASED, bypassing immigration entirely, and is going to Toronto where he's going to get employment. Public reaction to this nonsense IS getting testy, very testy. Nothing to do with jingoism at all.
That's possible, but with the number of Windows volume licenses in extraneous use, I'd bet that those machines aren't having such a difficult time being upgraded. It is known that China is aggressive in staging cyber attacks. We might not have absolute proof, and I mean "we" as in /. readers. I bet the U.S. and Canadian governments' own cyber warfare specialists have a fairly good idea of whether they're facing Chinese agents or dealing with zombies computers.
Right...... because no other news can possibly occur when the one news item that happens to annoy you is also being talked about.
We should believe this because the author wrote it in Courier New, making it look more like shell text, and highlighting his overall l33tn3ss.
they don't flaunt their nationalism, but its there and its quiet and its real
i see something concrete in response coming out of this as more likely than if europeans or americans were attacked
c'mon ottawa, do something. show that at least somebody has a backbone in response to these provocations. london or washington dc wouldn't, and didn't, do anything
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
We should nuke them. Oh wait we don't have any. America, mind if we borrow a few?
Either China is the next superpower whose superiority is backed by superb cyber offense capability, or one of these days their "victims" are gonna expose their hubris and gonna send them(China) back to IT stone age. Chinese were quick off the blocks as regards information warfare Add to that their military doctrine is about hiding their strength, obscurity et al. So if they are attacking and not bothering to hide, hmmm.. What are they upto?
> It should also be noted that public sentiment towards China is getting very, very testy.
I'm part of the public, and I know lots of other members of the public - I don't see anyones sentiment anywhere near "testy" about China.
Papers, tv news, radio ... I spend a good amount of time keeping up on them, and I don't think I've heard anything 'testy' about China expressed.
Given that that statement doesn't come from the article, I'm guessing either the submitter or editor added that. Either way, stop making shit up. We have Fox News/the Toronto Sun for that
We emerge from our mother's womb an unformatted diskette; our culture formats us. - Douglas Coupland
'An unprecedented cyberattack on the Canadian government from China has given foreign hackers access to highly classified federal information
Find out who put this "highly classified federal information" on the Internet and charge him/her with gross negligence and clap him/her in jail for twenty years. Is sombody looking to bump up their federal budget this year?
...what kind of classified information does Canada have worth stealing? I could understand the US, which has its grubby little fingers in everything behind locked doors, but Canada?
What do I know, I'm just an idiot, right?
Probably they tried to hide it. It looks like this breach took a month to expose? You can't backdoor a system without having a backdoor, and with sufficient scrutiny that's going to show up.
Seriously China? Canada? What the hell did Canada ever do to you? What valuable information could they possibly have that you couldn't get by your regular, scheduled attacks on U.S. networks? Canada is like the cool, friendly kid in class, that everyone likes, and isn't a douchebag to anyone. Picking on them is like taking a piss on a puppy. You've just demonstrated yourselves to be a bunch of wankers, China.
Motorcycles, Robots, Space Gossip and More!
The anti-chinese xenophobia on this site has been obvious for years, but it just follow general western media trend.
Take a look at this 'minor' item from wikileak that only got half a page of text:
http://www.cbsnews.com/8301-503543_162-20027157-503543.html
If the spy ranking is changed, do you think it will not show up in front pages on all media?
I don't believe that China spy can attack into Canadian network, even i remark that all last governments attacks (French, NASA, ...) come from China, is really china so good in Hacking. I thought often that China network is used as transparent proxy to others gov.
If you look at the two departments within the Canadian Government that were specifically targeted they were the Treasury and Fiance.
How much do you want to bet that this has absolutely nothing to do with the Chinese government and more to do with your typical criminals phishing for finical information that they can use to score some dough. They deal with large sums of money, and have been criticized in the past for lax network security. Much harder to hit a commercial bank. That said I doubt the Chinese government has much desire to do anything about this sort of activity within its boarders.
I would argue and hope that Canada would be exerting pressure via China's desire for Canadian resources, particularly oil, to put a very abrupt stop to this sort of activity directed towards us. I would also hope that this is a wake up call for government to start paying serious attention to IT security.
Maybe i should elaborate, i used to work for the Canadian Government. The salaries that they offer computer programmers is about the same salary they offer to somebody whose job is to get and put away paper files. So about 2 times less than a code monkey would get in the private sector, and about 4-5 times less than a good programmer would receive. Seriously.
So what happens is most of the programmers and most of the programs get written in VB, yes pathetic i know. Security is virtually non-existant. I actually got let go the first time (got fired 3 times and quit once, gotta love their stupidity) because i was seen as a security threat because i knew more about the computers there than the fresh out of school computer grads. Not your normal grads, but the ones who got the degree because they thought that's where the money is and don't even own computers at home. Yes, tech admins who can't even assemble their own computers.
Non-techs can't even seem to follow the rule of locking their computers when not at their desks. They tried to be more secure by adding short expirations for passwords without the ability to recycle passwords and passwords having to be different for each system. So what happens? A plethora of yellow stickies on monitors with everybodies latest passwords.
Hell, when i was there the tech people couldn't even understand what a video card with digital output was, 'it's a computer so it's all digital right?'.
Besides, this is nothing special, this happened more than once every notable holiday where people send those stupid digital cards which have always been expressly forbidden. My guess is that the big story is 'China bad man!', and probably only because they've finally learned how to trace attacks one hop backwards.
It's all propaganda against China, because of course all these chinese hackers breaking into govts everywhere are too stupid to use a proxy. Geeks shouldn't fall for this type of propaganda, but the majority will. The question is, why all the propaganda against China? My slightly conspiratorial view is that it will make it so much easier for the states to default on everything it owes China, but i guess we'll see in a few years.
Ah, gotta love the stupidy of the canadian government. I remember when we bought some stupid search engine technology from the US gov't (that should have been a clue). Problem with the search engine, doesn't actually search documents, only meta-data. Problem with that, virtually no documents had meta-data. Absolutely useless for any of us who worked there, so everybody had their own link farms.
Security by Obscurity was there motto. The first time i got fired by them was because i pointed out holes in their security which they didn't want to address because it costs money to do that. Of course they had to rehire me once i went to the ombudsman and the union. I gave up trying to improve their computer security after they fired/rehired me for the third time.
Cyber mounties are a joke.
I actually got so disappointed by my fellow canadians allowing such bullshit to go on that i left the country.
Canadians may have a lot of heart and lay down their lives to protect freedom in every war out there (almost, so damn proud of Chretien basically telling Bush to shove his "you're either with us or against us" where the sun don't shine over Iraq), but they're also extremely naive and stupid when someone tells them to bend over you're going to enjoy this (basically all natural resource exports to the US)
Fine, anonymous coward, have it your way... It is impossible that China could be responsible for the cyber attacks against Canada. The peace-loving citizens of the great People's Republic of China could never do such a thing to our dear friends in the West with whom we enjoy a strong bond of friendship and belief in the one country-two policy system. If Chinese were responsible, they must surely have been corrupted by the decadent ways of the enemies of our peaceful nation in the West. There, better?
Because, obviously it cannot for a moment be likely that China could have done this, because FTA says we cannot know for sure, and because TFA says it, surely we must throw out past history. It must be 4chan.
Chinese Gov. is in a cold war with the west. Right now, it is about getting as much information AND tech as possible. It is time to move western nation govs on to a seperate network, and then create another network or two within EACH nation in which vital resources (power plants, trains, planes, etc) are on that. It is not enough to be a VPN. It must be a PHYSICALLY seperated network. Ideally, we will go back to building our own switches/routers for at least this area.
I prefer the "u" in honour as it seems to be missing these days.
Breaking News - NHL and OHL have suspended operations. It has not been determined if hockey will ever return.
"Action without philosophy is a lethal weapon; philosophy without action is worthless."
So basically, the Canadians have lost all access to their 'highly classified information' while foreigners can access it leisurely? What about foreigners in Canada? And Canadians who're abroad? Or are we to assume that the databases somehow knows whether there's a foreigner sitting at the computer or a Canadian?
Too many questions? :P
Geekism is your _only_ God!
If the enemies of a country have their secrets, can you still claim that their own people have no right to them?
NHL/OHL did that no one would bat an eye, we'd all just go watch more minor/junior/senior league games like we do now.
Om, nomnomnom...
I was going to list all the leagues but was too lazy... but I think Canadians would riot if hockey went away.
"Action without philosophy is a lethal weapon; philosophy without action is worthless."
I find it amusing that if this were an "entertainment" type story, you'd have the usual suspects doing the "it's not stealing!" semantics dance. "Unauthorized copying != theft!" After all, the canadians still have their documents, right?
If you were me, you'd be good lookin'. - six string samurai
I can understand Slashdot mentioning this hack attack on Canadian Government.
Mentioning it pays respect and shows appreciation for the Chinese l33t hacker skills required to pull something like this off.
But having others in this troll bad mouthing Chinese people and spreading "anti-CN spin" is not appropriate.
Try living in China as a programmer with all their culture and their social status situation for a year. From what I understand, the average monthly salary for a java programmer ranges from 2000RMB to 4000RMB. Now roughly divide that by 6 to see that in US or Canadian dollars(they are almost at par these days).
333.33$ to 666.67$ A MONTH. So as a moonlighting job or a day job, if someone offered you some bonus money for doing something "cool" for individual profit-motivated reasons and not nationalistic reasons, there is a definite temptation if you want to be able to afford a house(>300,000RMB) or a car(>150,000RMB) especially when you are a single programmer still living at home with your family because that is the tradition unless you are migrant worker coming in from extreme poverty which fires up the temptation these kinds of jobs even more.
I'm not justifying the hacking, but I can certainly appreciate the Chinese l33t's level of desperation to raise their social status and to raise they quality of life.
Essentially, like all other humans on this planet, they just want a job that provides them with dignity and with an acceptable level social status.
This is a tangent but it is related because of human dignity and acceptable level social status in Canada: Here in Canada we have unemployment insurance and social welfare, but many people would agree that it fails to provide citizens with dignity and certainly fails to provide citizens with an acceptable level of social status. Do you think people on welfare feel good about it? No, they would rather be given a real job opportunity that is good fit for them. The government's current action plan fails because the gov. treats people like numbers and sends them off generic template responses with no human feelings or empathy involved. The accountability isn't there either because the emails come from a generic "GOV CANADA" email and not from "Mrs. Smith from Action Plan Canada Downtown Toronto Office, with phone number 123.234.1234" to reach a real human to resolve an individual's job crisis at-hand. I find all of this Action Plan stuff false advertising and I would like my money back because it is tax payer money and I don't think I'm getting bang for my buck for UI/WELFARE/ACTION PLAN to be honest. As a result I would predict more of these events will occur not only from China but from within Canada as well.
Hurmm. But the Chinese would know that, wouldn't they? But then if you are gonna do something like this, there is risk involved. A school bully is rash, while a pro takes calculated risks. So which is China?
Paybacks will be sweet..... Don't just sit there! Hack 'em back! Get the best minds (if you still have them) together and devise a wake up call to the Chinese government. That's the only language they understand and it doesn't need any translation!