Spontaneous Sociability and The Enthymeme
Rattle

Current Topic: Computer Security

Yet even more ranting about Damballa and APT...
Topic: Computer Security 3:45 pm EDT, Apr  1, 2010

This post was just brought to my attention. I don't know how much more I'm going to share my thoughts about Damballa's take on this stuff, because it's just getting frustrating... I don't take enjoyment from sitting around telling people they are wrong when they clearly are not listening to anyone.

Does anyone really believe that the botnet operators behind the Aurora attacks chose to use the most basic and amateurish malware they had on hand because they didn’t need anything more advanced? That sounds about as silly as a bank robber choosing to leave his gun at home in favor of taking an 18 inch wooden baton along because he hears that the guards are only armed with 16 inch batons.

When these guys get caught, they step up their techniques and tools. I've seen it play out at least three times in the past year. It's a key aspect of the Sino-APT groups' MO. Ask Mandiant.. Ask FBI.. Ask someone at ShadowServer.. Many people have seen it play out. You should stop ignoring people who have dealt with these specific groups. (Update: See the bottom of the full post for more details about this.)

I’ve also heard a few people say that the botnet operators were so smart that they may have created the malware to look like it was developed by a bunch of amateurs. It’s all beginning to sound like a conspiracy theory – next we’ll hear that aliens have landed and are subtly infiltrating online businesses as they proceed with their plan for world domination…

You are totally locked into the mentality that attackers need advanced botnets to get the job done. Get over it. Sino-APT has nothing to do with advanced botnets. Your product has to do with advanced botnets... From a distance, the comments coming from Damballa amount to "if our product can't help with battling Sino-APT, then Sino-APT doesn't exist as you define it."

One question I’ve got to ask though is “Why didn’t they just use a DIY kit?” Malware generated using one of the kits would have offered greater functionality, armoring, and would generally have had less likelihood of detection. Some possible reasons for not using a DIY kit:

They didn’t trust the kits that are out there. Many of the free and pirated kits are backdoored – meaning that any malware created from them have hidden CnC’s built in, and report back to the kit author/pirate.

Again, Sino-APT doesn't use (or need) botnets. At any given time, Sino-APT uses less than five hosts to receive beacons and c&c connections per-victim.

Using DIY kits increases the likelihood of detection, as eventually every DIY kit is going to get some analysis done on it by a security vendor if it becomes even remotely widespread. Crafting tools specific to the victim, o...


SANS - Computer Forensics - Community
Topic: Computer Security 12:31 pm EDT, Mar 31, 2010

The SANS SIFT Workstation is a VMware Appliance that is pre-configured with all the necessary tools to perform a detailed digital forensic examination. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats. The brand new version has been completely rebuilt on an Ubuntu base with many additional tools and capabilities that can match any modern forensic tool suite.



McAfee: 'Amateur' malware not used in Google attacks
Topic: Computer Security 11:53 am EDT, Mar 31, 2010

A misstep by McAfee security researchers apparently helped confuse the security research community about the hackers who targeted Google and many other major corporations in cyber attacks last year.

On Tuesday, McAfee disclosed that its initial report on the attacks, which it branded Operation Aurora, had mistakenly linked several files to the attacks that had nothing to do with Aurora after all.

The files mistakenly linked to Aurora in McAfee's initial research are actually connected to a still-active botnet network of hacked computers that was created to shut down Vietnamese activists.

Other companies that followed up on McAfee's research were apparently confused too, according to McAfee's Alperovitch. "Some of the other companies that published their analysis on Aurora were analyzing this event and just didn't realize it," he said.

One such company was Damballa, Alperovitch said. Earlier this month, Damballa concluded that the Aurora attacks were the work of somewhat amateur botnet writers.

This type of attack is what computer forensics company Mandiant calls an advanced persistent threat. In its report, Damballa described it as the work of a "fast-learning but nevertheless amateur criminal botnet team."

"The advanced persistent threat is not a botnet," said Rob Lee, a Mandiant director.

Damballa said it would have a comment on the matter sometime on Wednesday.

"Damballa does not have first hand knowledge of our investigation of the attacks we announced in January," a Google spokesman said via email Tuesday. "There did seem to be confusion about the two issues on the part of some people, and we've said clearly in our blog post that they were separate."

See my earlier comments about Damballa's flawed analysis. Too many people are trying to get on the APT buzzword wagon.

Update: I respect Gunther based on what I've been told about him from people who've worked with him... That being said, I still think he continues to be wrong about a few key things. Just because an attacker uses inferior tools, does not mean they are an inferior attacker. Security outcomes are the only thing both defenders and attackers are judged by. In the case of Sino-APT, they are getting the outcomes they want using their least advanced tools and compromised resources in the majority of cases, always leaving them a way to scale up the sophistication of their attacks to achieve their desired outcomes. This is the mark of an attacker really thinking out their strategy, not an amateur. Also, Damballa has yet to reference the division of labor and timing of activities seen in Sino-APT attacks, which is key evidence of their high level of organization. That alone continues to lead me to believe that Damballa has no inside knowledge of Sino-APT activities, as Google has suggested.



Coolest SQL Injection attempt ever!
Topic: Computer Security 4:42 pm EDT, Mar 19, 2010

I hate speed cameras.



Damballa doesn't get it...
Topic: Computer Security 4:27 pm EST, Mar  4, 2010

Damballa is missing the forest for the trees...

The computer attack which led Google to threaten leaving China and created a firestorm between Washington and Beijing appears to have been deployed by amateurs, according to an analysis by a U.S. technology firm.

"I would say this particular botnet group was not well funded, in which case I would not conclude they were state sponsored, because the level of the tools used would have been far superior to what it was," said Gunter Ollmann, vice president of research at Damballa, an Atlanta-based company that provides computer network security.

If the security hole in Internet Explorer was the smoking gun of the attacks, what Ollmann and his researchers looked at was "the occupants and driver of the getaway van," he said. They analyzed the global network of computers that attackers remotely used to deploy the attack, called a "botnet" -- computers that, unbeknownst to owners, are taken over remotely and used to spread malicious software, or malware.

What Damballa researchers found in the Google attack botnet was less '007' and more 'DIY,' using software that could be found and downloaded widely on the Internet. "This team launching the attack were unsophisticated amateurs," Ollmann said.

The botnet used in the attack began being tested in July, nearly six months before the attack, according to Damballa analysis.

He added, "Some of the codes within the malware were at least five years old" -- ancient, by software development standards. The attackers used technology "that had been abandoned by professional botnet operators years ago," he said.

The botnet is not the key to this. APT doesn't use many hosts in their attacks. They don't maintain some huge botnet, nor do they need to.

One of the key hallmarks of APT is using the minimum resources and least advanced techniques necessary to get the job done. You see old code, old tricks, and few hosts (which are often used by other groups). As long as it gets past the security solutions the target has in place, they don't care.

When you analyze APT activities, you see a clear division between teams doing the work. They do a 7-day week with 8 to 11 hour days.

These are all hallmarks of a non-amateur outfit.

Stop thinking about the botnet aspect. Think like an intelligence operative. If you were targeting an organization, and you started by using your most advanced tools, what happens when you get caught? You start using less advanced tools? That's stupid.. You'd use your most basic assets, then when you got caught, you'd start using your next best set of assets. The P in APT is PERSISTENT.



Mike McConnell on how to win the cyber-war we're losing
Topic: Computer Security 11:38 am EST, Mar  2, 2010

The challenge is to shape an effective partnership with the private sector so information can move quickly back and forth from public to private -- and classified to unclassified -- to protect the nation's critical infrastructure.

We must give key private-sector leaders (from the transportation, utility and financial arenas) access to information on emerging threats so they can take countermeasures. For this to work, the private sector needs to be able to share network information -- on a controlled basis -- without inviting lawsuits from shareholders and others.

Obviously, such measures must be contemplated very carefully. But the reality is that while the lion's share of cybersecurity expertise lies in the federal government, more than 90 percent of the physical infrastructure of the Web is owned by private industry. Neither side on its own can mount the cyber-defense we need; some collaboration is inevitable.

People should listen to the point McConnell is making about information moving in and out of the classified space. The rest of what he is saying, not so much...

We need to develop an early-warning system to monitor cyberspace, identify intrusions and locate the source of attacks with a trail of evidence that can support diplomatic, military and legal options -- and we must be able to do this in milliseconds. More specifically, we need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment -- who did it, from where, why and what was the result -- more manageable. The technologies are already available from public and private sources and can be further developed if we have the will to build them into our systems and to work with our allies and trading partners so they will do the same.

This is not based in reality. How exactly should we re-engineer the Internet to solve the attribution problem? The "technologies already available from public and private sources" that McConnell speaks of are vaporware.

I agree with many of the points Threat Level is making in regard to this. The biggest one, that I think people are very fast losing sight of, is that the cyber activities the Chinese are engaged in are not "Cyberwar", they are "Espionage" (with a capital E).

I admit to having been part of causing this perception problem. I have highly enjoyed tossing around the term "cyberwar" because it's fun to say. Now I'm starting to get worried about it.. Putting this into a war context is going to drive policy people to make proposals and decisions that don't have practical effects.

APT is fairly good at pushing admins into taking actions that they already have a plan to side-step around. APT thinks about how to get you spending your security budget the way they want you to. If we lose sight of wha...


Daniel Ellsberg on the Limits of Knowledge | Mother Jones
Topic: Computer Security 9:12 pm EST, Feb 27, 2010

"In the meantime it will have become very hard for you to learn from anybody who doesn't have these clearances. Because you'll be thinking as you listen to them: 'What would this man be telling me if he knew what I know? Would he be giving me the same advice, or would it totally change his predictions and recommendations?' And that mental exercise is so torturous that after a while you give it up and just stop listening. I've seen this with my superiors, my colleagues....and with myself.

"You will deal with a person who doesn't have those clearances only from the point of view of what you want him to believe and what impression you want him to go away with, since you'll have to lie carefully to him about what you know. In effect, you will have to manipulate him. You'll give up trying to assess what he has to say. The danger is, you'll become something like a moron. You'll become incapable of learning from most people in the world, no matter how much experience they may have in their particular areas that may be much greater than yours."

We are so superciliously fucked...

(Thank you to spell check for making this moment possible...)



Capability of the PRC to Conduct CW and CNE
Topic: Computer Security 1:30 pm EST, Feb 26, 2010

This paper presents a comprehensive open source assessment of China’s capability to conduct computer network operations (CNO) both during peacetime and periods of conflict. The result will hopefully serve as useful reference to policymakers, China specialists, and information operations professionals.

This is a very good read for anyone interested in APT.



China says Google hacking claims groundless | Reuters
Topic: Computer Security 1:00 pm EST, Feb 23, 2010

"Google's statement from January 12 is groundless, and we are firmly opposed to it," Qin told a regular news briefing in the Chinese capital, when asked if there had been any development in a dispute that is now more than a month old.

"China administers its internet according to law, and this position will not change. China prohibits hacking and will crack down on hacking according to law," he added.

The issue was pushed back into headlines by recent reports in the Western media that the attacks had been traced to two schools in China, and the writer of the spyware used had been identified as a Chinese security consultant in his 30s with government links.

The prestigious Shanghai Jiaotong University and previously unknown Lanxiang vocational college, a high-school level institution, have both denied any role in the attacks.

Ok, that's swell. You will crack down on hacking according to the law. So what is the status of your investigation into the usage of the IPs in question on the Jiaotong network? Have you questioned the researcher implicated? Have you investigated any of the front companies connected with APT activities?

No? Imagine that...



FT - US experts close in on Google hackers
Topic: Computer Security 2:11 pm EST, Feb 22, 2010

US analysts believe they have identified the Chinese author of the critical programming code used in the alleged state-sponsored hacking attacks on Google and other western companies, making it far harder for the Chinese government to deny involvement.

A freelance security consultant in his 30s wrote the part of the program that used a previously unknown security hole in the Internet Explorer web browser to break into computers and insert the spyware, a researcher working for the US government told the Financial Times. Chinese officials had special access to the work of the author, who posted pieces of the program to a hacking forum and described it as something he was “working on”.

“If he wants to do the research he’s good at, he has to toe the line now and again,” the US analyst said. “He would rather not have uniformed guys looking over his shoulder, but there is no way anyone of his skill level can get away from that kind of thing. The state has privileged access to these researchers’ work.”

As an interesting side note, I've been able to connect APT activity to a front company located in the same Shanghai neighborhood as Jiaotong University.

None of this should come as a shock to anyone by this point...
