"The future masters of technology will have to be lighthearted and intelligent. The machine easily masters the grim and the dumb." -- Marshall McLuhan, 1969

McAfee: 'Amateur' malware not used in Google attacks

Topic: Computer Security
11:53 am EDT, Mar 31, 2010
A misstep by McAfee security researchers apparently helped confuse the security research community about the hackers who targeted Google and many other major corporations in cyber attacks last year. On Tuesday, McAfee disclosed that its initial report on the attacks, which it branded Operation Aurora, had mistakenly linked several files to the attacks that had nothing to do with Aurora after all. The files mistakenly linked to Aurora in McAfee's initial research are actually connected to a still-active botnet network of hacked computers that was created to shut down Vietnamese activists. Other companies that followed up on McAfee's research were apparently confused too, according to McAfee's Alperovitch. "Some of the other companies that published their analysis on Aurora were analyzing this event and just didn't realize it," he said. One such company was Damballa, Alperovitch said. Earlier this month, Damballa concluded that the Aurora attacks were the work of somewhat amateur botnet writers. This type of attack is what computer forensics company Mandiant calls an advanced persistent threat. In its report, Damballa described it as the work of a "fast-learning but nevertheless amateur criminal botnet team." "The advanced persistent threat is not a botnet," said Rob Lee, a Mandiant director. Damballa said it would have a comment on the matter sometime on Wednesday. "Damballa does not have first-hand knowledge of our investigation of the attacks we announced in January," a Google spokesman said via email Tuesday. "There did seem to be confusion about the two issues on the part of some people, and we've said clearly in our blog post that they were separate."
See my earlier comments about Damballa's flawed analysis. Too many people are trying to get on the APT buzzword wagon.

Update: I respect Gunther based on what I've been told about him from people who've worked with him... That being said, I still think he continues to be wrong about a few key things. Just because an attacker uses inferior tools does not mean they are an inferior attacker. Security outcomes are the only thing both defenders and attackers are judged by. In the case of Sino-APT, they are getting the outcomes they want using their least advanced tools and compromised resources in the majority of cases, always leaving them a way to scale up the sophistication of their attacks to achieve their desired outcomes. This is the mark of an attacker really thinking out their strategy, not an amateur. Also, Damballa has yet to reference the division of labor and timing of activities seen in Sino-APT attacks, which is key evidence of their high level of organization. That alone continues to lead me to believe that Damballa has no inside knowledge of Sino-APT activities, as Google has suggested.

Damballa doesn't get it...

Topic: Computer Security
4:27 pm EST, Mar 4, 2010
Damballa is missing the forest for the trees... The computer attack which led Google to threaten leaving China and created a firestorm between Washington and Beijing appears to have been deployed by amateurs, according to an analysis by a U.S. technology firm. "I would say this particular botnet group was not well funded, in which case I would not conclude they were state sponsored, because the level of the tools used would have been far superior to what it was," said Gunter Ollmann, vice president of research at Damballa, an Atlanta-based company that provides computer network security. If the security hole in Internet Explorer was the smoking gun of the attacks, what Ollmann and his researchers looked at was "the occupants and driver of the getaway van," he said. They analyzed the global network of computers that attackers remotely used to deploy the attack, called a "botnet" -- computers that, unbeknownst to owners, are taken over remotely and used to spread malicious software, or malware. What Damballa researchers found in the Google attack botnet was less '007' and more 'DIY,' using software that could be found and downloaded widely on the Internet. "This team launching the attack were unsophisticated amateurs," Ollmann said. The botnet used in the attack began being tested in July, nearly six months before the attack, according to Damballa analysis. He added, "Some of the codes within the malware were at least five years old" -- ancient, by software development standards. The attackers used technology "that had been abandoned by professional botnet operators years ago," he said.
The botnet is not the key to this. APT doesn't use many hosts in their attacks. They don't maintain some huge botnet, nor do they need to. One of the key hallmarks of APT is using the minimum resources and least advanced techniques necessary to get the job done. You see old code, old tricks, and few hosts (which are often used by other groups). As long as it gets past the security solutions the target has in place, they don't care. When you analyze APT activities, you see a clear division between teams doing the work. They do a 7-day week with 8 to 11 hour days. These are all hallmarks of a non-amateur outfit. Stop thinking about the botnet aspect. Think like an intelligence operative. If you were targeting an organization, and you started by using your most advanced tools, what happens when you get caught? You start using less advanced tools? That's stupid. You'd use your most basic assets, then when you got caught, you'd start using your next best set of assets. The P in APT is PERSISTENT.

Mike McConnell on how to win the cyber-war we're losing

Topic: Computer Security
11:38 am EST, Mar 2, 2010
The challenge is to shape an effective partnership with the private sector so information can move quickly back and forth from public to private -- and classified to unclassified -- to protect the nation's critical infrastructure. We must give key private-sector leaders (from the transportation, utility and financial arenas) access to information on emerging threats so they can take countermeasures. For this to work, the private sector needs to be able to share network information -- on a controlled basis -- without inviting lawsuits from shareholders and others. Obviously, such measures must be contemplated very carefully. But the reality is that while the lion's share of cybersecurity expertise lies in the federal government, more than 90 percent of the physical infrastructure of the Web is owned by private industry. Neither side on its own can mount the cyber-defense we need; some collaboration is inevitable.
People should listen to the point McConnell is making about information moving in and out of the classified space. The rest of what he is saying, not so much...

We need to develop an early-warning system to monitor cyberspace, identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options -- and we must be able to do this in milliseconds. More specifically, we need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment -- who did it, from where, why and what was the result -- more manageable. The technologies are already available from public and private sources and can be further developed if we have the will to build them into our systems and to work with our allies and trading partners so they will do the same.
This is not based in reality. How exactly should we re-engineer the Internet to solve the attribution problem? The "technologies already available from public and private sources" that McConnell speaks of are vaporware. I agree with many of the points Threat Level is making in regard to this. The biggest one, that I think people are very fast losing sight of, is that the cyber activities the Chinese are engaged in are not "Cyberwar", they are "Espionage" (with a capital E). I admit to having been part of causing this perception problem. I have highly enjoyed tossing around the term "cyberwar" because it's fun to say. Now I'm starting to get worried about it. Putting this into a war context is going to drive policy people to make proposals and decisions that don't have practical effects. APT is fairly good at pushing admins into taking actions that they already have a plan to side-step around. APT thinks about how to get you spending your security budget the way they want you to. If we lose sight of wha...

Daniel Ellsberg on the Limits of Knowledge | Mother Jones

Topic: Computer Security
9:12 pm EST, Feb 27, 2010
"In the meantime it will have become very hard for you to learn from anybody who doesn't have these clearances. Because you'll be thinking as you listen to them: 'What would this man be telling me if he knew what I know? Would he be giving me the same advice, or would it totally change his predictions and recommendations?' And that mental exercise is so torturous that after a while you give it up and just stop listening. I've seen this with my superiors, my colleagues... and with myself.

"You will deal with a person who doesn't have those clearances only from the point of view of what you want him to believe and what impression you want him to go away with, since you'll have to lie carefully to him about what you know. In effect, you will have to manipulate him. You'll give up trying to assess what he has to say. The danger is, you'll become something like a moron. You'll become incapable of learning from most people in the world, no matter how much experience they may have in their particular areas that may be much greater than yours."
We are so superciliously fucked... (Thank you to spell check for making this moment possible...)

Capability of the PRC to Conduct CW and CNE

Topic: Computer Security
1:30 pm EST, Feb 26, 2010
This paper presents a comprehensive open source assessment of China's capability to conduct computer network operations (CNO) both during peacetime and periods of conflict. The result will hopefully serve as a useful reference to policymakers, China specialists, and information operations professionals.
This is a very good read for anyone interested in APT.

China says Google hacking claims groundless | Reuters

Topic: Computer Security
1:00 pm EST, Feb 23, 2010
"Google's statement from January 12 is groundless, and we are firmly opposed to it," Qin told a regular news briefing in the Chinese capital, when asked if there had been any development in a dispute that is now more than a month old. "China administers its internet according to law, and this position will not change. China prohibits hacking and will crack down on hacking according to law," he added. The issue was pushed back into headlines by recent reports in the Western media that the attacks had been traced to two schools in China, and the writer of the spyware used had been identified as a Chinese security consultant in his 30s with government links. The prestigious Shanghai Jiaotong University and previously unknown Lanxiang vocational college, a high-school level institution, have both denied any role in the attacks.
Ok, that's swell. You will crack down on hacking according to the law. So what is the status of your investigation into the usage of the IPs in question on the Jiaotong network? Have you questioned the researcher implicated? Have you investigated any of the front companies connected with APT activities? No? Imagine that...

FT - US experts close in on Google hackers

Topic: Computer Security
2:11 pm EST, Feb 22, 2010
US analysts believe they have identified the Chinese author of the critical programming code used in the alleged state-sponsored hacking attacks on Google and other western companies, making it far harder for the Chinese government to deny involvement. A freelance security consultant in his 30s wrote the part of the program that used a previously unknown security hole in the Internet Explorer web browser to break into computers and insert the spyware, a researcher working for the US government told the Financial Times. Chinese officials had special access to the work of the author, who posted pieces of the program to a hacking forum and described it as something he was “working on”. “If he wants to do the research he’s good at, he has to toe the line now and again,” the US analyst said. “He would rather not have uniformed guys looking over his shoulder, but there is no way anyone of his skill level can get away from that kind of thing. The state has privileged access to these researchers’ work.”
As an interesting side note, I've been able to connect APT activity to a front company located in the same Shanghai neighborhood as Jiaotong University. None of this should come as a shock to anyone by this point...