Slashdot Mirror


South Korea Backtracks On China As Source of Cyberattack

hackingbear writes "The suspected cyberattack that struck South Korean banks and media companies this week didn't originate from a Chinese IP address, South Korean officials said Friday, contradicting their previous claim. The Korea Communications Commission said that after 'detailed analysis,' the IP address used in the attack is the bank's internal IP address — which is, coincidentally, identical to a Chinese ISP's address, among the 2^32 address space available."

125 comments

  1. Re:Well, where's my cyberwar then? by SternisheFan · · Score: 2
  2. Hanlon's by gmuslera · · Score: 5, Insightful

    The bank used public IP addresses (existing, used elsewhere) for their internal network? The one that designed that should be considered a bigger security threat than any current cyberattack.

    BTW, the CNN editorial "Why cyber attacks threaten our freedom" is another piece of art of more or less the same magnitude. I'd say that is on a par with this one

    1. Re:Hanlon's by noh8rz10 · · Score: 1

      I thought all IP addresses are unique?

    2. Re:Hanlon's by cigawoot · · Score: 2

      In an Intranet that isn't the case. However, the bank really failed if it wasn't using subnets allocated for private use...

    3. Re:Hanlon's by vagn · · Score: 1

      I inherited a site with the internal network at 192.X.0.0/16 a long time ago (can't remember what X was). It was set up by some vendor's consultants, I believe. It only became a problem when we finally got a network connection to the outside. Re-IPing the whole site was considered risky by TBTB. The only downside was that 192.X/16 was closed to them, which didn't matter since there was nothing in that block at the time. So, maybe it's like that. How old is this bank?

    4. Re:Hanlon's by icebike · · Score: 4, Insightful

      They are supposed to be.
      But read what gmuslera said in his first sentence.

      For your internal address (inside your router), you typically use a Private Network Address from one of the common ranges specifically set aside for this per RFC 1819.

      This bank instead chose a public address range that was not theirs and used that as their private range. You can get away with this in a NAT situation, because only YOUR OWN ROUTER knows about this.

      But it is monumentally dumb to do this.
      I've seen noob admins do this in the past just to avoid an RFC1819 address space internally, usually as a means to avoid a routing error that they didn't understand. It's never justified. And there are security implications and mind-bogglingly hard to figure out routing errors if you have to actually deal with the real owner of the address space.

      --
      Sig Battery depleted. Reverting to safe mode.
    5. Re:Hanlon's by PAjamian · · Score: 2

      If it was 192.168.0.0/16 that's fine as it is reserved by RFC1918 for private use.

      --
      Windows is a bonfire, Linux is the sun. Linux only looks smaller if you lack perspective.
    6. Re:Hanlon's by Anonymous Coward · · Score: 1

      Not really. Probably due to some organisational and political reason they exhausted all available private space... so they assigned some random block for private use. Not saying that it's good, but I can understand that.

    7. Re:Hanlon's by vagn · · Score: 1

      Point is, we didn't care what network numbers we had internally. Then one day we had to connect to the outside. I'm pretty sure that was happening all over.

    8. Re:Hanlon's by icebike · · Score: 4, Informative

      Define "exhausted all private address space"?

      In just the 10 block alone there are 16,777,216. This bank isn't that big.

      --
      Sig Battery depleted. Reverting to safe mode.
    9. Re:Hanlon's by Anonymous Coward · · Score: 4, Informative

      It's RFC 1918...

      They will grab your geek card on the way out.

    10. Re:Hanlon's by LordLimecat · · Score: 2

      The bank used public IP addresses (existing, used elsewhere) for their internal network? The one that designed that should be considered a bigger security threat that any current cyberattack.

      You realize that it is possible to firewall without NAT, right?

      You realize that a number of very well secured places use public IPs internally right?

    11. Re:Hanlon's by icebike · · Score: 3, Funny

      DOH! Can I get a pass for being lisdexic?

      --
      Sig Battery depleted. Reverting to safe mode.
    12. Re:Hanlon's by LordLimecat · · Score: 1

      I've seen noob admins do this in the past just to avoid an RFC1819 address space internally, usually as a means to avoid a routing error that they didn't understand. It's never justified.

      Please explain why it is never justified to use a public IP internally.

      What, exactly, do you suppose we're shooting for with IPv6?

    13. Re:Hanlon's by LordLimecat · · Score: 1

      That's nothing like what's described here; while 192.X may not be assigned to you, traffic from the outside would not be able to directly address you since the ISP won't route that traffic to you.

      You could merrily assign 1.2.3.0/24 to your home network and it would work just fine as long as you NAT, and no one would be able to directly route to you.

    14. Re:Hanlon's by Anonymous Coward · · Score: 0

      I think he means it's never justified to use someone else's public IP addresses in your internal network...

    15. Re:Hanlon's by Anonymous Coward · · Score: 3, Informative

      With IPv6 you would be using your own public address internally, perfectly legitimate and no problem. The problem here is using someone else's public address internally. Among the minor gotchas, it becomes hard for your internal users to reach that external site, should they ever need to.

      Should you inadvertently start to advertise someone elses IP address to your ISP, they will probably and quite correctly shut you down.

      anonymous CCNP!

    16. Re:Hanlon's by Anonymous Coward · · Score: 5, Interesting

      I agree that it seems insane that a major bank would do this, however I've seen it in practice. A very major financial firm (who shall remain nameless) that I did some work for actually uses the public IP address range of the US dept. of defense as their internal IP space. It's never caused them any problems - since there's no need for them to connect to the US military, but it definitely left me and several colleagues scratching our heads when we first started looking at the network.

    17. Re:Hanlon's by lucm · · Score: 1

      Saw the same thing once. I was setting up an intranet web server for a client (big telco in North America) and the IP address I was given was a public one. At first I figured they wanted to set up some kind of DMZ so I asked the network guy if they were planning on doing some kind of NAT but he said: no, it's internal only. Out of curiosity I ran a whois on the address and it belonged to an APNIC public block. I then noticed that my laptop was also getting an IP address in that range via DHCP.
      I was not there long enough to rock the boat and I never had an explanation but I came up with two theories:
      1) they bought a router on eBay, it came from China and was pre-configured with those IPs and they just went along with it.
      2) they had to set up a VPN between offices and they kept having subnet addressing conflicts so they just randomly picked numbers for the LAN to be done with it.

      This sounds silly but this kind of thing can definitely happen in heavily ITILized environment where nobody is looking at the big picture, they just focus on the tickets they have to close and sometimes things fall between two seats and nobody cares.

      --
      lucm, indeed.
    18. Re:Hanlon's by Luckyo · · Score: 1

      They may however need wide subnets for some administrative reason. IPs are rarely assigned on a single basis inside a large corporate network. Usually they're split in blocks of various sizes which are given to various parts of the corporation.

      In this case, corporation probably grew out of the old system at some point, and instead of having to reconfigure everything they just added a public block as a private one on their own intranet. It's not impossible, but it's definitely not the wisest approach.

    19. Re:Hanlon's by Spazmania · · Score: 4, Informative

      Until a couple years ago, it was common practice to squat on 1.0.0.0/8 for internal use when 10.0.0.0/8 ran out. Then IANA allocated the space to APNIC which subsequently allocated most of it to China.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    20. Re:Hanlon's by gmuslera · · Score: 2

      There are a lot of things that could go very wrong using public IPs (that are being used actually) for internal networks. You eventually could want to access or send mail to one of those public IPs. Or if you have an internal site, the public IP could be used to deploy a fake site so if you try to connect from outside (i.e. dropped VPN connection) or inside (i.e. proxy to access outside). Or you have a firewall that enables certain internal IPs to access a resource that could be accessed from outside too. These are just a few easy examples, but things usually go wrong in more imaginative ways.

      Yes, it could be managed securely, but why take the risk if the right way to do things is just less complex than messing in that way with everything?

    21. Re:Hanlon's by ColdWetDog · · Score: 2

      on

      --
      Faster! Faster! Faster would be better!
    22. Re:Hanlon's by TwineLogic · · Score: 3, Interesting

      Point is, PAjamian's comment went way over your head. If X=168, there was nothing wrong with the configuration. If you had trouble with it, that might be explained by this sequence of comments.

    23. Re:Hanlon's by gmuslera · · Score: 1

      OK, that makes sense. It's not right, but at least it didn't look like a very bad idea some time ago, as some of those low ranges looked like internal networks for big companies (an actual list). But using the standard ranges meant for internal networks is more future proof.

    24. Re:Hanlon's by wvmarle · · Score: 1

      That'd still show poor IT management. I can imagine you want to spare some addresses for potential future growth (making your subnets say 3-4 bits wider than necessary), but if you run out of a complete A-class network you're definitely doing something wrong.

    25. Re:Hanlon's by Luckyo · · Score: 2

      Well, they mapped non-private addresses to intranet machines. So I think we're past the question "were they doing something wrong" here.

    26. Re:Hanlon's by thegarbz · · Score: 2

      This thread is confusing a public IP as an IP that is supposed to be addressable to the internet with an IP address that is owned by yourself as a private entity.

      There's no reason why you shouldn't be able to use a publicly addressable IP address internally. Many companies which own big blocks do just this. The problem is when you use in your own network an IP address owned by someone else. This causes obvious problems i.e. if I use 8.8.8.x in my internal network and isolate it at the router I will have problems hitting Google's DNS server.

    27. Re:Hanlon's by rwa2 · · Score: 1

      Yes, that, and I thought I saw on Fark a week ago that one of the supposed "cyberattacks" was just some internal machine with an outdated antivirus. But maybe it was just one of those snark-to-be-true headlines that happen to fluke sometimes.

      But yeah, let's go to war over our own incompetence.

    28. Re:Hanlon's by Anonymous Coward · · Score: 0

      Which is why you configure your machines to use your company's DNS server.

    29. Re:Hanlon's by myowntrueself · · Score: 1

      I recently worked at a very large telco in a developing country almost all of whose internal networks were NOT private RFC1918 addresses.
      There were 3 blocks that they'd 'inherited' from the Korean company that had helped them get set up.
      There were blocks like 10.100.0.0 or 10.200.0.0, there were blocks like 192.169.0.0, there were blocks like 193.168.0.0 so clearly this was being done by people who were GUESSING about network addresses.

      The place was a gigantic retarded mess. And is one of the biggest telcos in the country.

      --
      In the free world the media isn't government run; the government is media run.
    30. Re:Hanlon's by Anonymous Coward · · Score: 0

      puls neo to that

    31. Re:Hanlon's by mwvdlee · · Score: 1

      Yes, we're all well aware that the Great Firewall of China is very well secured and uses public IPs internally.
      If, on the other hand, you want to communicate with the outside world, it wouldn't work quite so well.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    32. Re:Hanlon's by dissy · · Score: 2

      Before the big IPv4 crunch at the start of 2011, there used to be a pretty big number of /8 blocks listed as "reserved" by ARIN, with a last modified date of 1975. Something like 30+ of them.

      Quite a few people used such blocks as their internal addressing without ill effect up until the 2011 "IP crunch" when those blocks were finally allocated.

      I have to admit I did the same for my tiny home network too.
      From the mid 90s up until 2010 I was using the 42.x.x.x/8 space internally, however I did this with full knowledge about what I was doing. My router filtered ingress/egress on that route just as it does with the RFC1918 space, and with full knowledge I'd have to renumber if it ever became allocated, which happened at the end of 2010 (September or October, I can't remember. I was renumbered in June.)

      But I would never have done this at a site managed or used by more than just myself.
      At work for example I migrated us from the existing 182.168.1 space into 10.

      One of the biggest advantages of doing this is when you deal with a bunch of VPNs all the time. It usually caused issues when your own network and the remote site had the same IP blocks.
      192.168.[0/1].x and 10.x were the most popular networks in use to avoid, but even Cisco's VPN concentrators took over most or all of the less well known 172.16.x.x space.
      The easiest solution was to avoid all of them.
      This meant either purchasing your own public /20 or larger (only an option for ISPs) or use an unallocated since forever block.

      ARIN's rules for getting a public block were that you had to already have IP blocks from your two or more providers that are at least half that size, and at least half utilized. You must be BGP routed with two or more providers already, and once you get your ARIN space you have to return your current blocks to the ISPs that allocated them to you. A small /20 would cost $2500/year as well.
      This is simply not something a home user could ever do.

      The only time using public space caused problems was when done out of ignorance.
      I've seen plenty of networks numbered in 192.x that were not 192.168 for example, unknowingly using public addresses. The same with 193.x.
      Most of those sites also didn't bother with filtering those blocks at their border routers (some not even filtering RFC1918 space) which is probably the biggest mistake that would have a bite.

    33. Re:Hanlon's by datapharmer · · Score: 1

      Not sure you understand rfc1918, as 10/8 is listed right there as private IP space at the top of page 3... I mean the others are wrong unless bainbridge island recently became its own country, but let's not confuse things more than they need to be!

      --
      Get a web developer
    34. Re:Hanlon's by cyfer2000 · · Score: 1

      or maybe a typo.

      --
      There is a spark in every single flame bait point.
    35. Re:Hanlon's by chihowa · · Score: 1

      For crying out loud. Could a bunch of computer geeks be any worse with consistent terminology??

      gmuslera: When you say "public IP", you're talking about using someone else's assigned IP addresses internally with NAT.

      LordLimecat was talking about not using NAT and using your own assigned IP addresses internally (securing your network with a firewall).

      Reading this discussion, where everyone is using their own definitions for words and nobody is reading anyone else's post for comprehension, is like listening to politics!

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    36. Re:Hanlon's by nanoflower · · Score: 1

      Hmm, looking through that list I was struck by this: 47.0.0.0/8 Bell-Northern Research 1991-01 1989-01-06 Bell-Northern Research, now absorbed into Nortel. Since Nortel is no more what happens with this address range? It should go back into the address range available for public use but has that happened?

    37. Re:Hanlon's by LordLimecat · · Score: 1

      Because when IPv6 comes out, all of your assumptions about "I'm safe if I'm non-routable" will go out the window along with NAT.

      Why spend all these years growing complacent on something that's similar-to-but-isn't security, when you can just deploy security?

    38. Re:Hanlon's by LordLimecat · · Score: 1

      I just re-read your post; as chihowa pointed out, I was NOT saying "use someone else's public IPs".

      There are a number of organizations who have thousands of public IPs, and use them internally, without NAT. There is nothing inherently wrong with it, and it does not break the internet.

      Obviously you would be correct that it is idiotic to use someone else's public IPs, in all but the most niche circumstances.

    39. Re:Hanlon's by LordLimecat · · Score: 1

      If you're using your own public IPs, it works just fine.

    40. Re:Hanlon's by LordLimecat · · Score: 1

      Perhaps I misunderstood parent, but he seemed to be making a blanket statement that the only acceptable internal IPs are RFC1918 addresses (which I assume he meant rather than the actual RFC1819, "Internet stream protocol").

      I was not saying that it is ok to use other people's public IPs (which I have seen, and railed about for the reasons you say), I was simply stating that NAT is not a requirement for security or access to the internet. Incidentally, your ISP won't generally shut you down; if you are NATting, you will lose access to some IPs (as your LAN nodes will go local rather than thru the gateway for those IPs), and if you are not your ISP's routers will probably just discard your packets silently. I doubt your ISP would ever know nor care.

    41. Re:Hanlon's by Anonymous Coward · · Score: 0

      No you fucking idiot, you just don't use other people's IP Addresses for your private network. Why is this so hard to understand?

    42. Re:Hanlon's by myowntrueself · · Score: 1

      Not sure you understand rfc1918, as 10/8 is listed right there as private IP space at the top of page 3... I mean the others are wrong unless bainbridge island recently became its own country, but let's not confuse things more than they need to be!

      yes sorry you are right about 10.100

      --
      In the free world the media isn't government run; the government is media run.
    43. Re:Hanlon's by myowntrueself · · Score: 1

      I went over the report I wrote, it was 100.10.0.0 that they were using as well as 100.20.0.0 etc

      --
      In the free world the media isn't government run; the government is media run.
    44. Re:Hanlon's by dirtyhippie · · Score: 1

      My guess would be that the machine that launched the attack was simply spoofing its IP.

    45. Re:Hanlon's by davydagger · · Score: 1

      Yes and no. Sometimes on an internal network they use private IPs, especially with IPv4 exhaustion: they don't have an IP for every machine on the network, or they don't want most machines to be accessible directly from the outside. You can then use Network Address Translation (NAT), which has the router automatically route incoming traffic to the right local IP.

      For example, on your home network, you only get one IP per house, and all computers use it. Locally your home network uses 192.168.0.something, and some variant is used over and over by lots of computers.

      There are three address ranges specifically set aside for this, that aren't assigned on the outside internet. Of course you don't HAVE to use these, but if you don't, you can break things. Some people who like to think they are clever like using random non-spec ranges because they think intruders will never guess them. (Here is a hint, it doesn't work like that: if they can break into your network, whatever tool they use is going to give away whatever naming scheme you use, even if you don't have DHCP or any other automatic IP naming scheme.)

      https://en.wikipedia.org/wiki/Private_network

      192.168.x.x
      172.16.x.x to 172.31.x.x
      10.x.x.x

      If you're not using those ranges for private networks, you're dumb, and you'll cause major issues.
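
The three RFC 1918 blocks listed above, turned into a check. This is an added example, not code from the thread; it audits a constructed internal address plan and flags the mistakes the thread describes: prefixes that are someone else's public space, RFC 1918 blocks used with too wide a mask (192.0.0.0/8, 172.0.0.0/8), and one-octet typos of the private blocks (192.169.x, 193.168.x, 182.168.x). The sample plan at the bottom is constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

# The three RFC 1918 private blocks (10/8, 172.16/12, 192.168/16).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Other IPv4 space that is never globally routed but is NOT RFC 1918;
# labelled separately so an audit does not silently bless it as "private".
OTHER_NONGLOBAL = {
    ipaddress.ip_network("169.254.0.0/16"): "link-local (RFC 3927)",
    ipaddress.ip_network("100.64.0.0/10"): "shared address space (RFC 6598)",
    ipaddress.ip_network("127.0.0.0/8"): "loopback",
}

# Near-miss templates: (first octet, allowed second octets, block name) for the two
# RFC 1918 blocks that are easy to mistype.  A prefix where exactly one half
# matches (192.169.x, 193.168.x, 172.0.x) is probably a typo of the named block.
NEAR_MISS = [
    (192, {168}, "192.168.0.0/16"),
    (172, set(range(16, 32)), "172.16.0.0/12"),
]

Finding = Tuple[str, str, Optional[str]]  # (normalised prefix, label, finding or None)


def _near_miss(net: ipaddress.IPv4Network) -> Optional[str]:
    """Return the RFC 1918 block this public prefix looks like a typo of, if any."""
    first = net.network_address.packed[0]
    second = net.network_address.packed[1]
    for octet1, octet2s, name in NEAR_MISS:
        if (first == octet1) != (second in octet2s):  # exactly one half matches
            return name
    return None


def audit_prefix(prefix: str) -> Finding:
    """Classify one internal prefix.

    label is 'rfc1918', one of the OTHER_NONGLOBAL labels, or 'public'.
    strict=False normalises host bits, so a mistyped '192.168.0.0/8' becomes
    192.0.0.0/8 and is then caught by the overlap check as "mask too wide".
    """
    net = ipaddress.ip_network(prefix, strict=False)
    for block in RFC1918:
        if net.subnet_of(block):
            return (str(net), "rfc1918", None)
    for block in RFC1918:
        # Contains a private block but is wider than it: spills into public space.
        if net.overlaps(block):
            return (str(net), "public",
                    f"mask too wide: contains {block} but spills into public space")
    for block, label in OTHER_NONGLOBAL.items():
        if net.subnet_of(block):
            return (str(net), label, f"not RFC 1918 ({label})")
    looks_like = _near_miss(net)
    if looks_like:
        return (str(net), "public",
                f"possible typo of {looks_like}: this is someone else's public space")
    return (str(net), "public", "squats on someone else's public space")


def audit_internal_plan(prefixes: List[str]) -> List[Finding]:
    """Audit every prefix in an internal address plan."""
    return [audit_prefix(p) for p in prefixes]


if __name__ == "__main__":
    # Constructed sample plan mixing the cases discussed in the thread.
    SAMPLE_PLAN = [
        "10.100.0.0/16",    # fine: inside 10/8
        "192.168.0.0/8",    # RFC 1918 block with the wrong mask
        "192.169.0.0/16",   # one-octet typo of 192.168/16
        "193.168.0.0/16",   # another typo, but public space
        "8.8.8.0/24",       # someone else's public block
        "169.254.0.0/16",   # non-global but not RFC 1918
    ]
    for prefix, label, finding in audit_internal_plan(SAMPLE_PLAN):
        print(f"{prefix:<18} {label:<28} {finding or 'ok'}")
```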

    46. Re:Hanlon's by WuphonsReach · · Score: 1

      Ours was 192.0.x.y. Took me about 5 years to finally get us swapped over to the 172.16.x.y - 172.31.x.y range. Seems like a lot of companies didn't grasp that only 192.168.x.y was valid for private use. The main reason we finally switched was that the old 254 address space was too small for our growing needs so we upgraded to a 2046 size address space.

      --
      Wolde you bothe eate your cake, and have your cake?
    47. Re:Hanlon's by welshie · · Score: 1

      er, IPv6 is already out. It's been out for years, and you don't have any of that silly NAT nonsense, and conflicting private address space. You just need to make sure that if you want to block incoming sessions, that you configure up a firewall that blocks incoming sessions by default, you'll get about the same half-baked security that NAT does for IPv4.

    48. Re:Hanlon's by Anonymous Coward · · Score: 0

      I thought all IP addresses are unique?

      Well, kind of.
      The more correct way to say it is: "All IP addresses should be unique within a single network."
      Even that isn't fully correct, but generally speaking as long as you're talking about an internal network you can use whatever addressing scheme you want. The problems show up when you try to connect two networks which have conflicting address schemes. So most people use RFC1918 space for internal network addressing.

    49. Re:Hanlon's by Anonymous Coward · · Score: 1

      Well, they mapped non-private addresses to intranet machines. So I think we're past the question "were they doing something wrong" here.

      You're assuming that's what they did. I find it more likely that whoever got into the network was spoofing addresses or just flat out tampering with log data, as opposed to them using non RFC1918 space for internal network purposes. Or perhaps that was actually part of the hack.

      But no, there's nothing fundamentally wrong with using non RFC1918 space on a network which is never supposed to be able to reach the Public Internet. In fact, if you are careful to select address space which is not yours, not only will you be able to easily drop it at your network edge, but your ISP should also drop it automatically, as should their edge devices and Internet peers in the event it ever leaks out that far.

    50. Re:Hanlon's by Bacon+Bits · · Score: 1

      You have no idea the number of technical people that cannot distinguish between NAT and a stateful firewall. They believe that the "obscurity" that NAT provides somehow provides actual security, rather than the fact that a NAT or PAT enabled router is necessarily operating as a stateful firewall and that is what's providing the security benefits of NAT. NAT appears secure and simple because the stateful firewall has a default allow for outgoing connections and default deny for incoming connections. NAT's security is simply a stateful firewall with sane defaults.

      This, I fear, is the foremost reason that NAT will never, ever die. People think they can make their networks "secure" by configuring their external routers to lie to adjacent Internet routers. They think that this obscuring of reality somehow increases their security when it does not, and they fail to appreciate that NAT prevents any possibility of clean network fail-overs because the router has told the Internet that it's an endpoint node instead of a router so external devices drop the packets rather than route them to a secondary destination.

      --
      The road to tyranny has always been paved with claims of necessity.
    51. Re:Hanlon's by gmuslera · · Score: 1

      As someone else already pointed out, the problem started that way: the 1.0.0.0/8 was in use by one of those organizations/reserved, and in 2009 or 2010 was given to APNIC to mitigate the IPv4 exhaustion problem, so it started to be "someone else's public IP". So something that wasn't inherently wrong became wrong, because things happened that were outside your control.

    52. Re:Hanlon's by AK+Marc · · Score: 1

      10.0.0.0/8 is for servers, 172.0.0.0/8 is for equipment (printers, routers, switches), and 192.0.0.0/8 is for users. Don't laugh, I've seen similar done in multi-billion dollar company.

    53. Re:Hanlon's by AK+Marc · · Score: 1

      Yeah, but then what do you do when you work for a company with 192.168.0.0 merging with another company using the same range? Does it matter if they already both had 10.0.0.0 reserved and in use? It was painful, but NAT/DNS tricks can get you to map 172.16.0.0 for the other company's IPs (if you go to 192.168.1.12, you get your company's 192.168.1.12, if you go to 172.16.1.12, you get the other company's 192.168.1.12). It would have been easier if one of the two improperly used public addresses. As it is, I left soon after that, I don't think anyone there understood the voodoo it took to make that happen. The IT director couldn't spell NAT, and I was a contractor there because everyone reporting to him quit.

    54. Re:Hanlon's by AK+Marc · · Score: 1

      Perhaps I misunderstood parent, but he seemed to be making a blanket statement that the only acceptable internal IPs are RFC1918 addresses (which I assume he meant rather than the actual RFC1819, "Internet stream protocol").

      This isn't a technical whitepaper. Read it as if he's right, and I read it as "Don't use someone else's IPs, ever." If you need IP addresses, and don't own your own, then you use private addresses and NAT. Well, and you could probably get away with 169.254.0.0/16, it's not RFC 1918, but it is private. And I've seen a number of private networks running 1.0.0.0, or 192.0.0.0 or 172.0.0.0 improperly.

    55. Re:Hanlon's by AK+Marc · · Score: 1

      DOD? I worked some place that used 192.0.0.0/8, and I remember huachuca.army.mil being one of the collisions, so I'd guess it was someone using the 192.168.0.0 RFC 1918 range with the wrong mask. I saw it done at a multi-billion-dollar company as well. The guy who did it was still there, though I didn't know it when I ran the fuck-up up the pole and pissed off the manager of IT operations (the guy who did it).

    56. Re:Hanlon's by AK+Marc · · Score: 1

      Yeah, but I've worked more than one place where 192.1.0.0/16 or 192.100.0.0/16 was in use, so I thought he was implying it was x != 168, because if it was 168, it wasn't interesting.

    57. Re:Hanlon's by AK+Marc · · Score: 1

      Yeah, but isn't it harder to hack a bank that uses 4.2.2.2 for their internal server address? You'll end up hacking a DNS server instead, right?

    58. Re:Hanlon's by AK+Marc · · Score: 1

      You have no idea the number of technical people that cannot distinguish between NAT and a stateful firewall.

      I remember when home routers were being sold as "firewalls" because they did NAT. There was no packet inspection, it was a firewall because it wouldn't forward packets in unless they looked like they belonged to a return for an outbound stream.

    59. Re:Hanlon's by icebike · · Score: 1

      Yeah, but then what do you do when you work for a company with 192.168.0.0 merging with another company using the same range? Does it matter if they already both had 10.0.0.0 reserved and in use?

      You are merging. It's time to do it right, as disruption is expected at this time.

      Back in the day, this was a tough nut to crack, but not anymore. I've actually had to do this a few times in my day job.

      If you have already NATed both sites (the most probable case), you simply look to your DHCP server, and manually fix any reservations that were made for things that need statics (an ever decreasing number of things these days), then simply revise the DHCP server to use a new range in 10.x.x. Do it at midnight and everybody will be moved by morning as leases expire. 10 is big enough that you can handle everything even with multiple DHCP servers handling different ranges all within 10, but a mask big enough to reach everyone.

      If you were manually assigning statics at workstations you deserve all the pain that might inflict.

      It's a lot easier nowadays, since most small routers will serve DHCP and people don't do the manual assignments any more because of the lack of a DHCP router. I remember well the days when disjoint agencies and offices were not on a common network, and each little office tended to have their own little network, often with no Wide Area Connection. People almost always manually assigned IPs in those days. It was a mess. (Alaska State government was a prime example. It took years for state network Admins to get little offices online.)

      --
      Sig Battery depleted. Reverting to safe mode.
  3. ntr by shentino · · Score: 1, Insightful

    Who wants to bet that China instigated some North Korean pressure to back off?

    1. Re:ntr by Anonymous Coward · · Score: 0

      I agree. The story just suggests classless inter-domain routing.

  4. I... don't understand this at all. by Nanoda · · Score: 4, Interesting

    On my home network, I use the private 24-bit block 10.x.x.x, in case I buy more than 16 million devices. Is the article saying that they decided to map public IPs they didn't own to internal devices? Notwithstanding the confusion such cases like the above would cause, this bank could conceivably leak banking data out to that Chinese ISP!

    All the articles I can find are equally uninformative.

    1. Re:I... don't understand this at all. by Narcocide · · Score: 3, Insightful

      Yes, you are right, whoever did this was not qualified to be setting up networks for their own personal use, much less production banking servers. Seems like the type of novice-level engineering mistake pretty typical of the hiring practices of the US IT industry lately, actually.

      Why pay me $150/hour when there is some teenager who will feel lucky to get the gig for $10? This is why.

    2. Re:I... don't understand this at all. by Anonymous Coward · · Score: 2, Interesting

      If I were to guess, the bank had an old assignment and used the addresses internally. Then they gave up the assignment and the addresses were reallocated to somebody in China, but the bank continued to use their assigned addresses internally.

    3. Re:I... don't understand this at all. by JASegler · · Score: 2

      Unfortunately this isn't a huge shock to me. Back in the 90's I remember trying to hook up a fortune 500 company to the internet. They were using public IPs on their internal network. They complained when I told them they had to readdress their network. I even dug up the various RFCs, who owned the public blocks they were using, etc.

      There was actually a discussion along the lines of will we ever need to communicate with those companies? i.e. can we just ignore the problem. In the end the argument that those places using public IPs wouldn't be able to communicate properly with the rest of the network got things going in the right direction.

    4. Re:I... don't understand this at all. by rwyoder · · Score: 2

      On my home network, I use the private 24-bit block 10.x.x.x, in case I buy more than 16 million devices. Is the article saying that they decided to map public IPs they didn't own to internal devices? Notwithstanding the confusion such cases like the above would cause, this bank could conceivably leak banking data out to that Chinese ISP!

      All the articles I can find are equally uninformative.

      At a previous job we found some idiot had done this. We didn't know this until troubleshooting a complaint of not being able to reach a certain portion of the Internet. It really isn't a security issue, because a corporate network will first route to its internal networks, and only if the destination is not internal will it fall back to the default route to the Internet. The default route will always have a shorter mask, therefore it will be the last chosen. The biggest problem is that doing this stupid trick means you have blackholed a portion of the Internet from your own users.

    5. Re:I... don't understand this at all. by linatux · · Score: 1

      "an internal IP address from one of the banks that was infected by the malicious code" - not a lot of detail there, but perhaps the malware changed the address? Perhaps crap firewall rules (or compromised hardware) mean that address was capable of being externally managed?

    6. Re:I... don't understand this at all. by icebike · · Score: 1

      this bank could conceivably leak banking data out to that Chinese ISP!

      This seems unlikely because their own router would prevent that, because it thinks those addresses are internal.
      However, something arriving from the outside from the REAL owner of that range would appear as a martian source, and not all routers handle this properly. Some log it and let it through, others reject it. It's a mess.

      --
      Sig Battery depleted. Reverting to safe mode.
    7. Re:I... don't understand this at all. by whoever57 · · Score: 1

      I have seen this at a remote office of a former employer. I think they were using addresses that were allocated to Sun and I think that the reason they used those addresses was that Sun used them in their training. Somewhere in the 129.x.x.x range, if I am not mistaken.

      --
      The real "Libtards" are the Libertarians!
    8. Re:I... don't understand this at all. by LordLimecat · · Score: 1

      If they did not own the IPs, one of two things would have happened.

      If they were NATting, it would function in most cases identically to using a private range. They would simply lose access to those IPs which they "hijacked". As their ISP would not route traffic to them, there would be no security threat and probably minor loss of functionality.

      If they were not NATting, no one would be able to reach them, nor would they be able to reach anyone else. No security threat; their ISP would simply drop incoming (and potentially outgoing) traffic, and return traffic would be routed to the proper IP owner.

    9. Re:I... don't understand this at all. by cheater512 · · Score: 1

      It is a very bad security risk (especially for a bank) if for some reason that router starts trying to send that data outside. A simple misconfiguration could do it easily.

      Then all your secret internal bank data is being sent to the Chinese.

    10. Re:I... don't understand this at all. by tokencode · · Score: 1

      I would no longer communicate with the rest of the network, I think they just used routable IPs internally...

    11. Re: I... don't understand this at all. by Anonymous Coward · · Score: 0

      Please keep reading about routing. You're off to a great start, but have a little more to go. You have no clue about the quantum leap you made that allowed an externally facing router somehow knowing about a subnet that is deeper than the DMZ accidentally leaking data over the Internet via a route that is not published on the Internet.

      I.e. the Internet would not route packets anywhere if the source and destination subnets are the same, let alone try to help the packets get to their destination by ignoring the source subnet.

    12. Re: I... don't understand this at all. by Anonymous Coward · · Score: 0

      Why do you assume the source and destination subnets would be the same?
      It is more than likely the bank uses different subnets internally.
      Then someone might discover the "wrong" routing entry that causes connection issues with some outside hosts, removes it and suddenly you
      1) lost connectivity between some parts of your bank
      2) might end up sending a lot of internal traffic to the outside

    13. Re:I... don't understand this at all. by Anonymous Coward · · Score: 0

      Why pay me 150$/hour when there is some teenager who will feel lucky to get the gig for 10$? This is why.

      If the teenager will fix the problem for less than 140$ it's still cheaper and the teenager will get experience in the process.

    14. Re:I... don't understand this at all. by chihowa · · Score: 1

      It really isn't a security issue, because a corporate network will first route to it's internal networks, and only if the destination is not internal will it fall back to the default route to the Internet.

      In this day of phones, laptops, and other devices that enter and leave the network, it could be a real security issue, too. Leaving the network with hard-coded IPs for internal bank systems may leave software on the laptop connecting to (or blindly sending data to) the real owners of the IP addresses. Rejoining the network with a screwed up routing table may lead to the same situation from inside the bank network.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    15. Re:I... don't understand this at all. by somersault · · Score: 1

      When the problem has caused your business to lose work, or some other equally conceivable problem.. then it definitely hasn't cost less than $140.

      In the worst case, your teenager might almost start a war with China.

      --
      which is totally what she said
    16. Re:I... don't understand this at all. by DigiShaman · · Score: 1

      Your problem is that you're not looking at this short term. If a manager only plans on being employed for a few years (needs experience before jumping to the next job), he can take on the risk, save the company money and receive praise all before shit hits the fan. That's because he would have already been long gone.

      --
      Life is not for the lazy.
  5. Mod SK up! by AmiMoJo · · Score: 4, Interesting

    How many other countries would admit this instead of just continuing to blame the big bad boogeyman?

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Mod SK up! by Isaac+Remuant · · Score: 2

      Yeah, but the problem is that every major news media outlet out there has reported that it came from China and the awful ones (most) a) stated it as a fact and b) won't update the news because it doesn't have as much appeal.

      --
      "Science can amuse and fascinate us all, but it is engineering that changes the world. " - Asimov.
    2. Re:Mod SK up! by Anonymous Coward · · Score: 0

      How about most of them if the other side is right across next door and is a major trade partner to boot?

      China playing tricks to mess with Samsung's exports to China would quickly become huge pressure on SK politicians.

    3. Re:Mod SK up! by Anonymous Coward · · Score: 0

      It doesn't make sense to contend with a big, bad boogeyman when the basis for the contention isn't real. All you'd gain is an opportunity to call them a big, bad boogeyman. And since it would be baseless, the big, bad boogeyman would have an *actual* point of contention with you.

    4. Re:Mod SK up! by DNS-and-BIND · · Score: 1

      "Boogeyman" implies a threat that doesn't exist. China certainly is engaging in hacking and has a long track record of doing so. Are you a denialist?

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    5. Re:Mod SK up! by Anonymous Coward · · Score: 0

      Go back to fox.

    6. Re:Mod SK up! by flyingfsck · · Score: 1

      Yeah, this is probably also why the US military keeps complaining about Chinese hackers...

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    7. Re:Mod SK up! by mwvdlee · · Score: 1

      Do you deny that China was innocent in this particular attack? Are you a denialist?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  6. Routable IPs on a LAN by flyingfsck · · Score: 1

    So who is the joker that configured that bank's system? They probably have many other issues.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
    1. Re:Routable IPs on a LAN by Anonymous Coward · · Score: 0

      IT and software development in the banking industry is usually described as full of a terrifying number of holes.
      The only surprises are every day that you don't hear of a security breach.

    2. Re:Routable IPs on a LAN by KGIII · · Score: 1

      Now we need a superhero who goes and fixes issues like this. We can call him NATman.

      --
      "So long and thanks for all the fish."
    3. Re:Routable IPs on a LAN by mwvdlee · · Score: 1

      Fighting the evil villain Mister MxyzIPtlk? (http://en.wikipedia.org/wiki/Mister_Mxyzptlk)

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    4. Re:Routable IPs on a LAN by KGIII · · Score: 1

      He should be easier to get rid of. Maybe make his Achilles heel a tomato or something. He could also be attracted to Cheetos dust, but that might make him too easy. His signature "move" could be altering the keyboard layout to Dvorak or something. Next we'll need an artist. Also a writer 'cause I suck at it.

      --
      "So long and thanks for all the fish."
  7. It's the old babysitter crank call ghost story by PolygamousRanchKid+ · · Score: 1

    You know, someone keeps calling her saying he will kill her? And then the police trace the call to find that it is coming from inside the house?

    "Get out of the house, the calls are coming from upstairs!"

    In this case, they have traced the attacks to be coming from IP address 127.0.0.1

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  8. Sounds like the SK's bank's IT administrators by Anonymous Coward · · Score: 0

    aren't the sharpest knives in the hibachi.

    What, they didn't recognize the source address of the attack to be either one of their own allocated addresses, or a NAT private use address? No wonder it was so easy to circumvent the bank's security.

  9. That is what they call by Anonymous Coward · · Score: 0

    Gangbamk Style.

  10. Re:Correct by cheater512 · · Score: 1

    Err wtf? There is no 2^64 address space and we have been moving to 2^128 for over a decade already.

  11. Re:Well, where's my cyberwar then? by Anonymous Coward · · Score: 0

    Yes. The next question of course is whether to go deep or wide. Heaps are devastated sometimes by going wide.

  12. That's the most ridiculous thing I've ever heard.. by GigaBurglar · · Score: 1, Offtopic

    What.. are 17.8m raw reserved LAN IP addresses not enough? Hell.. I bet even the PR dept. in the US knows how to subnet. I'll just leave this here.. : http://www.youtube.com/watch?v=EYWZZlVlFb4

  13. Highly risky by Anonymous Coward · · Score: 0

    Korean banks force their customers to use ActiveX & IE6.

    http://www.techdirt.com/articles/20120507/12295718818/south-korea-still-paying-price-embracing-internet-explorer-decade-ago.shtml
    >At the end of the 1990s, Korea developed its own encryption technology, SEED, with the aim of securing e-commerce. Users must supply a digital certificate, protected by a personal password, for any online transaction in order to prove their identity. For Web sites to be able to verify the certificates, the technology requires users to install a Microsoft ActiveX plug-in.

    http://seoulspace.co.kr/2010/03/09/ie6-no-more-not-in-korea/
    >With all of this momentum against IE6, one would think that IE6 will soon become a problem of the past but in Korea, this is far from true. Internet Explorer holds over a 95% market share in Korea and many estimates peg market share for IE6 to be over 50%. Why the popularity of Internet Explorer in Korea? The main reason is Active-X. Many Web sites in Korea require Active-X whether you want to do online banking, shop online or even browse a social network. This means users have no choice but to use Internet Explorer.

  14. Re:Well, where's my cyberwar then? by noh8rz10 · · Score: 1

    come on, nobody really believes that this was a bank IT error, right? Obv the chinese struck a deal / strongarmed SK to throw its own under the bus.

  15. Re:Well, where's my cyberwar then? by Runaway1956 · · Score: 1

    Uhh - the article suggests that the attack has been traced to a bank's own IP address. That doesn't seem to suggest the bank's IT department made some stupid mistake. To me, it sounds like that bank's server was compromised, then used to make the attack. Further investigation of that machine may demonstrate that it was an inside job, done by someone with physical access to that machine. Or, that NK or China accessed the machine via the internet. At this point, it's anyone's guess.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  16. Every Bank Should be using IP6 by Anonymous Coward · · Score: 0

    There is no reason at this stage why a bank shouldn't be using IPv6 unless IPv6 isn't adopted yet in South Korea by the ISPs. If they are confined to IPv4 addresses then they should be using NAT translation to the outside. I think some really dumb admin either used public IPs on his private network or they were too dumb to recognize that the reserved IPv4 address space for LANs was the originator of the attack. In either case this makes me think a run on the bank is necessary because I certainly wouldn't want to see them holding on to my money. They need to hire a couple of CCIEs to get their network right. Oh, by the way, interested in Previewing Windows 8 without Installing Over Your Desktop? Or interested in running a Test MSSQL Cluster on Free Virtualization? Or want to know What is Virtualization in Layman's Terms? Or interested in a Good ESX Whitebox Setup for Experimental Use?

  17. Misinformation? by Anonymous Coward · · Score: 0

    I wonder if China got pissed off about being publicly implicated based on nothing more than an IP address (which means nothing) and put pressure on the SK government to put pressure on this Bank to change their story?

  18. Re:Well, where's my cyberwar then? by mwvdlee · · Score: 1

    They traced it back to an internal IP that happened to be the same as some public IP.
    Surely an IT department has to be rather stupid if they managed to do this.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  19. Wide subnets by phorm · · Score: 1

    Then maybe they should look at using something other than a /24. Usually this is just laziness, where it's easier/more-convenient to assign a /24 to every little unit. There is an advantage in that it's easier to read the addresses, but this comes at the drawback of using up private address-space much quicker.

    Using public address-space for private subnets is just an overall terrible idea. A mis-configured firewall, change-over of gear with default settings, routing issue, or any number of things and you have the potential for either:
        a) A private machine ending up live on the internet
    or
        b) Going out to a machine that's live on the internet instead of the internal machine

    All it takes is weak firewall rules and a machine without a gateway/route to the internal box and BLAMMO, suddenly traffic intended for the inside is headed out (and to China, no less).
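The routing behaviour argued over in the thread (rwyoder's longest-prefix point, the AC's "remove the wrong route and traffic goes outside" scenario, icebike's martian packets, and phorm's two failure modes above) can be shown with a tiny route lookup. This is an added example, not code from the thread; the block 203.0.113.0/24 is RFC 5737 documentation space used as a constructed stand-in for the public range the bank reportedly used internally, and the interface names are made up.

```python
import ipaddress

# Constructed sample values (not from the thread): a documentation-only block
# (RFC 5737) stands in for the public range the bank squatted on internally.
SQUATTED_PUBLIC = "203.0.113.0/24"
PROPER_PRIVATE = "10.20.30.0/24"

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net_or_addr):
    """True if the address or network lies entirely inside RFC 1918 space."""
    net = ipaddress.ip_network(net_or_addr, strict=False)
    return any(net.subnet_of(p) for p in RFC1918)


def build_table(internal_net):
    """Routing table with one internal subnet and a default route to the ISP
    (interface names are hypothetical)."""
    return [(ipaddress.ip_network(internal_net), "lan0"),
            (ipaddress.ip_network("0.0.0.0/0"), "isp-uplink")]


def next_hop(table, dst):
    """Longest-prefix match: the most specific matching route wins, so the
    /0 default route is chosen only when nothing more specific matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def audit_table(table):
    """Flag internal routes that use public space: every real host in such a
    block is black-holed for local users (failure mode b), and if the route
    is ever dropped, internal traffic silently heads to the real owner."""
    return [str(net) for net, iface in table
            if iface != "isp-uplink" and not is_rfc1918(net)]


def is_martian(table, src_addr, arrived_on):
    """A packet from the uplink whose source lies in one of our internal
    subnets (e.g. sent by the real owner of the squatted block) is a martian:
    log and drop it rather than treating it as internal traffic."""
    if arrived_on != "isp-uplink":
        return False
    return next_hop(table, src_addr) != "isp-uplink"


if __name__ == "__main__":
    squatted = build_table(SQUATTED_PUBLIC)
    print("with the squatted route:", next_hop(squatted, "203.0.113.10"))
    print("route removed:", next_hop(squatted[1:], "203.0.113.10"))
    print("audit:", audit_table(squatted), audit_table(build_table(PROPER_PRIVATE)))
    print("martian?", is_martian(squatted, "203.0.113.77", "isp-uplink"))
```

With the squatted /24 present, packets for any real 203.0.113.x host stay on lan0 (the black hole); with that route removed, as in the scenario above, the same internal destinations fall through to the default route and leave the network.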

    1. Re:Wide subnets by Luckyo · · Score: 2

      I'm not the one making these decisions. I'm merely trying to figure out WHY someone would do something described in the article.

  20. Re:Piness Inyo AnYes by dirtyhippie · · Score: 1

    My Dear Friend, I have it on good authority that Natalie and her father had EVERYthing to do with your Internets.

  21. Re:Well, where's my cyberwar then? by noh8rz10 · · Score: 1

    my guess on this is NK, because of the ongoing hostilities. they are surprisingly advanced at cyber stuff. i think war will eventually happen, after which SK will have to absorb the impoverished north into a single country, and try to maintain their own standard of living!

  22. Dumb hackers and IP where attacks originate by Anonymous Coward · · Score: 0

    If someone is smart enough to pull an attack like this, I would hope they would be clever enough to hide the IP where the attack was originated. How hard could it be, really?

    In the worst case scenario, they could always recruit Chinese students overseas to originate attacks from within universities, no?

  23. why by phorm · · Score: 1

    Because they were lazy/incompetent?

    1. Re:why by Luckyo · · Score: 2

      Thank you captain obvious! :D

  24. It's not what you think. by PiSkyHi · · Score: 1

    As much as techies would love to believe that some other techie made a monumental error, it is more likely that this is a by-product of the attack. Either politically, to shift the blame or just plain and simple messing with network to make things harder to trace.

  25. Re:Well, where's my cyberwar then? by AK+Marc · · Score: 1

    Heh, I remember when a company I worked for used 192.100.0.0 for an internal address. I remember huachuca.army.mil being the "real" owner of that, but checking now, they no longer are. I have no idea who shared the IP of our mail server, but it caused no end of trouble. I pointed out the problem, but he was the IT manager (under the CIO, so he wasn't top dog), so pissing him off by writing a paper on why it was a monumentally stupid thing (as part of a business case to re-IP servers, no easy task) managed to shorten my time there. So I can see how that could happen. If the email server had become compromised, I might have tracked it down to the US military attacking me.

    But what was the IP? Were they improperly using a public address as private? Fire the guy who made that decision. Come on, who, in charge of setting IP addresses, hasn't heard of RFC 1918?