Slashdot Mirror


South Korea Backtracks On China As Source of Cyberattack

hackingbear writes "The suspected cyberattack that struck South Korean banks and media companies this week didn't originate from a Chinese IP address, South Korean officials said Friday, contradicting their previous claim. The Korea Communications Commission said that after 'detailed analysis,' the IP address used in the attack is the bank's internal IP address — which is, coincidentally, identical to a Chinese ISP's address, among the 2^32 address space available."


  1. Hanlon's by gmuslera · · Score: 5, Insightful

    The bank used public IP addresses (existing, used elsewhere) for their internal network? The one that designed that should be considered a bigger security threat than any current cyberattack.

    BTW, the CNN editorial "Why cyber attacks threaten our freedom" is another piece of art of more or less the same magnitude. I'd say that is on a par with this one.

    1. Re:Hanlon's by icebike · · Score: 4, Insightful

      They are supposed to be.
      But read what gmuslera said in his first sentence.

      For your internal address (inside your router), you typically use a Private Network Address from one of the common ranges specifically set aside for this per RFC 1819.

      This bank instead chose a public address range that was not theirs and used that as their private range. You can get away with this in a NAT situation, because only YOUR OWN ROUTER knows about this.

      But it is monumentally dumb to do this.
      I've seen noob admins do this in the past just to avoid an RFC1819 address space internally, usually as a means to avoid a routing error that they didn't understand. It's never justified. And there are security implications and mind-bogglingly hard to figure out routing errors if you have to actually deal with the real owner of the address space.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:Hanlon's by icebike · · Score: 4, Informative

      Define Exhausted all private Address space?

      In just the 10 block alone there are 16,777,216. This bank isn't that big.

      --
      Sig Battery depleted. Reverting to safe mode.
    3. Re:Hanlon's by Anonymous Coward · · Score: 4, Informative

      It's RFC 1918...

      They will grab your geek card on the way out.

    4. Re:Hanlon's by Anonymous Coward · · Score: 5, Interesting

      I agree that it seems insane that a major bank would do this, however I've seen it in practice. A very major financial firm (who shall remain nameless) that I did some work for actually uses the public IP address range of the US dept. of defense as their internal IP space. It's never caused them any problems - since there's no need for them to connect to the US military, but it definitely left me and several colleagues scratching our heads when we first started looking at the network.

    5. Re:Hanlon's by Spazmania · · Score: 4, Informative

      Until a couple years ago, it was common practice to squat on 1.0.0.0/8 for internal use when 10.0.0.0/8 ran out. Then IANA allocated the space to APNIC which subsequently allocated most of it to China.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  2. I... don't understand this at all. by Nanoda · · Score: 4, Interesting

    On my home network, I use the private 24-bit block 10.x.x.x, in case I buy more than 16 million devices. Is the article saying that they decided to map public IPs they didn't own to internal devices? Notwithstanding the confusion such cases like the above would cause, this bank could conceivably leak banking data out to that Chinese ISP!

    All the articles I can find are equally uninformative.

  3. Mod SK up! by AmiMoJo · · Score: 4, Interesting

    How many other countries would admit this instead of just continuing to blame the big bad boogeyman?

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
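
An added example, not part of the original thread or any commenter's post: a small audit that flags internal prefixes lying outside the RFC 1918 ranges and checks whether a logged source address falls inside one of them, in which case a whois or GeoIP lookup names the registered owner rather than the actual host. The inventory and addresses are constructed (1.0.0.0/8 is the block named in the thread), IPv4 only is assumed, and the function names are hypothetical.

```python
import ipaddress

# RFC 1918 private ranges (10/8, 172.16/12, 192.168/16).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True if the whole prefix lies inside one RFC 1918 block."""
    return any(net.subnet_of(block) for block in RFC1918)


def audit_internal_prefixes(prefixes):
    """Return the internally configured prefixes that are not RFC 1918 space."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [n for n in nets if not is_rfc1918(n)]


def classify_source(ip, internal_prefixes):
    """Say how far a logged source address can be used for attribution.

    'internal-private'     : inside an internal RFC 1918 prefix
    'internal-non-rfc1918' : inside an internal prefix that reuses other
                             address space; registry lookups describe the
                             registered owner, not the local host
    'external'             : not in any internal prefix
    """
    addr = ipaddress.ip_address(ip)
    for p in internal_prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if addr in net:
            return "internal-private" if is_rfc1918(net) else "internal-non-rfc1918"
    return "external"


# Constructed inventory: one proper private range and one reused public
# block (1.0.0.0/8, the block mentioned in the thread).
INTERNAL = ["10.20.0.0/16", "1.0.0.0/8"]

if __name__ == "__main__":
    print("non-RFC 1918:", [str(n) for n in audit_internal_prefixes(INTERNAL)])
    for src in ("10.20.3.4", "1.2.3.4", "203.0.113.9"):
        print(src, "->", classify_source(src, INTERNAL))
```

Running the classification against the site's own prefix inventory before any geolocation lookup is the step that separates an internal host from a foreign one in a case like the one in the story.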