S. Korea Says Cyber Attack From North Wiped 48,700 Machines
wiredmikey writes "An official investigation into a major cyber attack on South Korean banks and broadcasters last month has determined that North Korea's military intelligence agency was responsible. An investigation into access records and the malware used in the attack pointed to the North's military Reconnaissance General Bureau as the source, the Korea Internet and Security Agency (KISA) said on Wednesday. To spread the malware, the attackers went through 49 different places in 10 countries including South Korea, the investigation found. The attacks used malware that can wipe the contents of a computer's hard disk (including Linux machines) and damaged 48,700 machines including PCs, ATMs, and servers."
Just makes me wonder what war is turning into. Instead of bombing cities, I can see nations targeting unprotected civilian computers in enemy nations. Massive destruction ensues, even though it's imprecise. In other words: bombing, but without all the mess.
Symantec has an analysis of the linux component. It relies on extracting a history of ssh connections from windows machines from an application called mRemote, an open source, multi-protocol remote connections manager.
When our name is on the back of your car, we're behind you all the way!
People, N. Korea has declared war. Time to make a backup...
Just think about all of those hours lost playing StarCraft.
In other news, the entire population of South Korea is now looking for that 1 StarCraft CD so they can install it on all their machines again.
This was my first reaction too. Who would have thought that a pudgy child dictator who hasn't even lost his baby fat yet could order a competent strike?
You can never know everything, and part of what you do know will always be wrong. Perhaps even the most important part.
victims deserved it
Uh huh. And if NK decides to shell another island or sink another boat, it will be entirely SK's fault for not making a powerful magic force field that can deflect artillery shells and torpedoes. Victims are always to blame, because they definitely cause their attackers to attack them, because of their weakness, right?
What, is your junior high school out on lunch break right now? Go outside and get some exercise, and quit wasting time building up an interior justification for the future bad shit you're going to do to other people when you get your own computer and stuff.
Don't disappoint your bird dog. Go to the range.
Wonder if North Korea was the original target, and the malware leaked out into the wild...
Logic fails you. These cyber attacks are preventable by proper security practices - the internet is a hostile place and there is no excuse for laziness in security by IT people. Do you keep your money stacked on the sidewalk in front of your house overnight, or do you make some effort to keep thieves from easily snatching it? Your attitude is the problem we in IT face.
Have her drive down to the DC, start restoring tapes, and for the love of god quit with the pissing contest. It's becoming apparent the US, as well as both Koreas, are incapable of understanding the repercussions of a thermonuclear war.
Good people go to bed earlier.
The advantage of a toot login vs root is that it uses a double olfactory authentication. Plus it just feels good.
And people who leave the logins set to the factory default account=Admin, password=1234, aren't to blame, either.
Nonetheless, they will provide examples that we may call "Natural Selection At Work".
It will, indeed, if they were able to make that powerful magic force field AND they did not enable it.
So SK is not the victim of an attack if NK launches a missile and it bounces off SK's magic shield. And SK is at fault for the attack if NK's missile isn't stopped by SK's defenses. But NK is not at fault for launching the missile in the first place. Are you even listening to yourself?
How did the North get the equipment to do this? From China or Russia? I thought they were way behind the rest of the world in technology?!?!?
If I understand correctly (do I?) the way it attacked Linux systems was that some people use a ssh client, where they literally have a preference or setting stored, for logging into the Linux machine as root. User clicks something (which does the equivalent of "ssh root@whatever" and the software automatically supplies a key or passphrase) and the next thing they see is a root bash prompt. Wow.
If that's right, then assuming your Linux machines still have
in /etc/ssh/sshd_config, then your setup isn't compatible with this malware. You'll need an updated version of this malware.
All machines should have "PermitRootLogin no" and if yours doesn't, you're doing something very very strange. Maybe you should go check that, right now. It'll take .. seconds.
That said, things still aren't very rosy. Presumably the user of this ssh client would also have non-root passwords or keys stored too, to get non-root access. But how many of us usually login as a user with some sudoers powers? And how many of us have a very lazy sudoers configuration, where you're literally allowed to just do "sudo -s" and get a root shell, by only having to type in your password again?
So my earlier "joke" about you needing an updated version of malware, might not really be all that much of a joke.
Tighten up your sudoers file if you can. And whether you can or not, have ssh use key authentication instead of password authentication, so that no remote clients can, or need to, have your password stored in them.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I'm surprised they opted to wipe the compromised machines. North Korea has a long history of earning hard-currency funds through illicit activity (counterfeiting, drug-smuggling, etc). By wiping their targets, they've lost the possibility of using them to turn a fraudulent profit.
Probably means someone over there needed a short-term propaganda coup for internal political reasons.
the internet is a hostile place
And it's the victims' fault that it is a hostile place, right? The people actually acting out the hostility are never to blame, because that might hurt their feelings, I guess.
Of course I mean "PermitRootLogin no" fixes it .. or rather, might not really fix it.
They still don't deserve it. Nobody deserves it.
All the vulnerable machines were wiped. So now there are no vulnerable machines anymore. Second attack will be much harder. And the percentage of Korean users doing proper backups will probably be growing :-) (Not that I'm saying people in Korea are more negligent with backups than others).
That was Windows8....
Lazy and stupid IT people, whose jobs are to at least adhere to minimal security practices, deserve to reap the rewards of their negligence. As do the people who hire and manage them.
Have you audited all your rice's genes? A leaked Monsanto report said most versions have a buffer-overflow bug somewhere in chromosome 6, but they didn't say exactly where. Unless North Korea buys their seed rice from Theo De Raadt...
Elite hackers from North Korea? Pull the other one. Most people in NK don't even have access to computers. Those who do are stuck with Red Star OS and a BBS. No, something like this malware would have to come from a very advanced country. USA or South Korea maybe? It's all part of the propaganda war.
NK has a very strong IT sector - http://spectrum.ieee.org/podcast/at-work/tech-careers/for-outsourcing-it-have-you-considered-north-korea
I will never think of the word "norks" quite the same again.
Do you keep your car outside? Do you walk around with a wallet on your person? Do you wear anything of value?
I suppose you will blame yourself if someone sets your car on fire (because you didn't put an automatic extinguisher system in). And you'll blame yourself for being pick-pocketed because your wallet wasn't made of razor blades. And you'll blame yourself for wearing anything of value because hey, nobody should do that since it would get stolen.
This is the sort of anarchy an angsty high-school student enjoys, I have to agree with ScentCone here, you need to grow up.
Wonder if North Korea was the original target, and the malware leaked out into the wild.
I wonder if the miscreant just used NK to carry out the attack, in order to incriminate them. I'm lookin' at you, CIA. I must say I'm also a bit surprised to learn that NK allows any connection to the net outside its borders, especially to SK (the enemy).
"Tongue tied and twisted, just an Earth bound misfit
I felt a disturbance in the force. As if thousands of Korean Starcraft characters all cried out at once then were deleted.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
What equipment? A computer? From Newegg. The general population of NK is way behind, largely BECAUSE the government spends all the money on military and political posturing. Their military, apparently including cyber-warfare, is quite well funded.
If for some reason you can't use:
PermitRootLogin no
Consider allowing root login only with a key, not with a password:
PermitRootLogin without-password
If you do allow root login with a key by using "without-password", use a passphrase on the key if possible. That gives two factor security: something you have (the key) plus something you know (the passphrase). For automated SSH login such as remote cron, consider "command=" to an ssh key, so it can run as root, but it can only execute that one command.
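An added example (my own script, not code from any commenter) that audits the two sshd settings the thread discusses: the effective PermitRootLogin value from the earlier comment and the command= restriction on authorized_keys entries from this one. The sample config and key file are constructed inline, and the key blobs and paths are made up.

```shell
#!/bin/sh
# Added example, not from the original thread: audit (1) the effective
# PermitRootLogin setting and (2) whether authorized_keys entries used for
# automation carry a command= restriction. Sample files are constructed
# inline; key data and paths are placeholders.

# Effective PermitRootLogin. sshd uses the FIRST non-comment occurrence of a
# keyword, so a later "PermitRootLogin no" does not override an earlier "yes".
# Match blocks are not handled (assumption: none present in the file).
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" && !found { print $2; found = 1 }
         END { if (!found) print "unset" }' "$1"
}

# Count authorized_keys entries that grant an unrestricted shell, i.e. lines
# without a command="..." option. Comment and blank lines are skipped.
unrestricted_keys() {
    awk '!/^[[:space:]]*(#|$)/ && !/command="/ { n++ } END { print n + 0 }' "$1"
}

# Constructed sample files (the key blobs are not real keys).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication no
# the line below is silently ignored by sshd because the first value wins
PermitRootLogin no
EOF
cat > "$SAMPLE_DIR/authorized_keys" <<'EOF'
# backup job: may only run one command, no shell, no forwarding
command="/usr/local/bin/startbackup",no-pty,no-port-forwarding ssh-ed25519 AAAAFAKEKEYDATA1 backup@host
ssh-ed25519 AAAAFAKEKEYDATA2 admin@laptop
EOF

audit() {
    setting=$(permit_root_login "$1/sshd_config")
    case "$setting" in
        no) echo "PermitRootLogin: no (ok)" ;;
        without-password|prohibit-password) echo "PermitRootLogin: $setting (key only; passphrase-protect the key)" ;;
        unset) echo "PermitRootLogin: unset (the OpenSSH version default applies)" ;;
        *) echo "PermitRootLogin: $setting (WEAK: password root login possible)" ;;
    esac
    echo "authorized_keys entries granting an unrestricted shell: $(unrestricted_keys "$1/authorized_keys")"
}

audit "$SAMPLE_DIR"
```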
None of which helps if you have a piece of software storing all the credentials you need to log onto a remote machine.
If they got them from Theo De Raadt, they will be secure, but hard to grow, and not very healthy. His mouth will also tempt people to attack your rice fields.
I've heard "the victim deserves it for not protecting themselves" a couple of dozen times, and ALWAYS from thieves, as an excuse. Therefore, most likely sildur and iggy are simply common thieves who are too stupid to even come up with a halfway logical sounding excuse to tell themselves.
sildur, your house must be surrounded by razor wire, and you've replaced all those nice breakable windows in your house and car with solid steel, right?
You COULD do those things to protect yourself, so if you don't do them, it's perfectly okay for me to smash your windows and steal your stuff, right? That's what you said, is it not?
That may be and may make a difference AFTER the regime fails but in case they start shooting the difference is irrelevant. I guess it was similar with Germans at the end of the second big one - it was clear for almost everybody that it was over and there were only two parties then: those that resigned and just waited till all is over and those who were inclined to fight till the last drop of blood of everybody else.
Audit *all* genes? That is like asking someone to determine if a database has hidden data when all you can do is use a SELECT statement. In other words, you aren't going to find anything bad unless you know what to look for.
Yes, I know I'm completely missing the point of the comment.
... Except if you read about those attacks on Linux, you'll realise those are actually attacks on Windows finding saved Linux credentials in terminal program's settings.
Stop the presses, slashmydots had an epiphany - it doesn't matter what locks you use, your house is not secure if you just leave your keys under the rug!
If you think my comment actually had a point, then you missed the point. :-)
Where do you get the idea that only one party can be at fault?
Because nobody is talking about attacking NK, while NK talks non-stop about attacking everybody else. And people here are pre-emptively saying that it's SK's fault ... not for being some degree of able or not to deflect attacks, but SK's fault for being attacked in the first place
Your analogy makes no sense. What mine is it that you think SK is stepping on, exactly? Are you actually persuaded by NK's rhetoric, and think that the very existence of SK as a non-communist, non-totalitarian state is grounds to attack it? Is going about their business the stepping-on-the-mine part? Do you have some vision in your head of SK crossing the DMZ into NK?
There's one party, here, that is sinking ships, shelling civilians, and the rest, on a regular basis. That's where I get the idea that one party not only can be, but is at fault.
Most likely you fail at logic forever
Why, because he pointed out the truth?
victim deserves it == perpetrator is innocent
If the victim deserves it, then you mean that they are morally culpable. Which can only mean that the other party - which is solely responsible for taking the action in question, and absent taking that action nothing would happen - is morally in the right in taking that action.
Your own weasel words ("most likely" on a matter of logic?) show you're just another spineless moral relativist.
Personally I'd prefer no internet access to North Korea over a wiped computer. So how about we just disconnect them from the global internet instead?
Funded by what? What is NK exporting that gives them money to actually buy shit?
"Dre don't get as high as me.... I'm Cheech and Chong" - Snoop Dogg
Yay, ain't it nice living in a binary world? Black and white's all we need.
Asserting that SK deserves being attacked is exactly such a binary position. They either do deserve to be attacked, or they do not. Tap-dancing around that is just BS.
Among other things missiles and missile tech. Iran pays hard cash for that.
US-UK-Israel: The real Axis of Evil
> lazy and stupid IT people, whose jobs are to at least adhere to minimal security practices, deserve to reap the rewards of their negligence. as do the people who hire and manage them.
These are two different things. Yes, IT people should do their job. But, no, it doesn't mean that they deserve to get hacked. There is no justification for criminal behaviour of the aggressor. You can easily apply your incorrect reasoning to various other things in life and see how wrong it is.
If I am not mistaken they also have mines digging up some valuable elements.
Interestingly, I just started playing with Rootkit Hunter a couple of weeks back, and it complained when it saw "PermitRootLogin yes".
Since I didn't know that existed, it was either set that way by the very popular distribution I'm using OR (unlikely) by an external force. I'm sure no expert, but allowing login as root via SSH just didn't sound like a good idea. Maybe it's all those 'Security Now' episodes.
"You must try to forget all you have learned. You must begin to dream." -- Sherwood Anderson
None of which helps if you have a piece of software storing all the credentials you need to log onto a remote machine.
If you follow my suggestion and use command="", it certainly DOES help that that login can only run "startbackup" and nothing else.
There is a slight difference. If you're running a web server, this is a service designed to share your information with the rest of the world.
If, for example, you have some data that is only accessible by typing in a URL--ie. you don't have a link to it--is someone "hacking" if they access it?
In other words, the analogy with physical security is a false one.
expandfairuse.org
Are you out of your mind? Have you never hacked a site *on accident*?