Security Thread

[Triple Zero]

Original article from the CCC: http://www.ccc.de/en/updates/2011/staatstrojaner (has basically the same info).

I love the word "Bundestrojaner"

[Triple Zero]

Slashdot on the BundesTrojaner:

http://yro.slashdot.org/story/11/10/11/1322202/German-State-Confesses-To-Downplays-Government-Spyware?utm_source=slashdot&utm_medium=twitter

[Triple Zero]

Chinese government is systemically penetrating every US company and government agency of any regard, 0wning the fuck out of everybody:

http://krebsonsecurity.com/2011/10/who-else-was-hit-by-the-rsa-attackers/

Ok to be completely fair, this list, while VERY impressive, actually just lists a prerequisite of being 0wned, namely that they did a DNS request for one of the C&C servers of the botnet:

A few caveats are in order here. First, many of the network owners listed are Internet service providers, and are likely included because some of their subscribers were hit. Second, it is not clear how many systems in each of these companies or networks were compromised, for how long those intrusions persisted, or whether the attackers successfully stole sensitive information from all of the victims. Finally, some of these organizations (there are several antivirus firms mentioned  below) may be represented because they  intentionally compromised internal systems in an effort to reverse engineer malware used in these attacks.

But then still, look at that list, it's 760 companies. Only a few of them are AV companies that might have had a non-0wnage reason to access the C&C servers, and even for the ISPs, it means that at least one of their clients was hit.

There's a lot of criticism on this list and I agree that it would have been nice if mr Krebs could have provided a littlebit more conclusive info, but on the other hand it's just irrelevant details, fighting over who exactly got 0wned and how badly is neither here nor there:

China is indeed systematically penetrating systems all over the world¹.


You know, actually, the big unasked question is: Why?

I mean of course, gathering intel and all that, but they've been at it for a while now, and doing it with tremendous force and magnitude, but to what specific end? Just for knowing what is going on, and specific business intel? They're not destructive or doing DDoS attacks, just penetrating and gathering unknown amounts of data.
Cain didn't you mention one that China basically has this kind of "wait and see" strategy, something about their reluctance of involvement, so they're basically trying to observe the outside world as best as possible in order to keep their status quo and avoid anything that might challenge it, is that it?


¹ at least, we only hear mostly about US companies getting hit, but why wouldn't they target Europe too? I don't think our digital security is specifically better (or worse), I'm guessing it's a matter of publicity?

[Cain]

Thats what I believe, yes.  China is keen to grow it's economy and little else.  It knows economic superiority invariably leads to military superiority, but for the moment that economic goal is the overriding one.

American history, or a version thereof, has been keenly studied in China.  And what the Chinese with influence believe is that America got to the top of the world by not intervening too closely in either major world war until it had to, by building a massive economic base and one of the reasons they got such a large industrial base was, apart from resources and population, through naked copyright theft from more advanced European nations (at least in the 19th century, when they could more plausibly get away with it).  Stealing innovation and then making the product cheaper means more market access, more sales and more money to put into research and development further down the line.  It's a solid way forward for a country where production costs can be kept especially low.

Also, I'd be willing to bet NSA penetration of US companies is just as extensive, if not more so.

[Triple Zero]

F-Secure published a very interesting Q&A about Operation Duqu:

http://www.f-secure.com/weblog/archives/00002264.html

What's that then? Well basically Duqu is closely related to Stuxnet, probably engineered partly by the same team, and it uses a really advanced and expensive Windows kernel exploit to do its work. Except it's being much more secretive about its purposes, and well it looks like it's just only doing recon work for the next "StuxNet 2.0" operation.

And a lot of other interesting things, how it's probably one cog in larger operation, and tries to hide itself in different ways.

Highly recommended for reading if you're interested in these things.

[Triple Zero]

Iran Working to Control Duqu Virus Attack

Iranian officials have confirmed that the Stuxnet-like Duqu virus hit computers in the country, but said a fix is being provided to those affected.

[Triple Zero]

So apparently ... in between developing censoring and deep packet inspection infrastructure for Iran and Egypt (in a joint venture with Nokia) and getting their PLC control software rooted by Stuxnet, Siemens makes badly secured SCADA systems for Texan water supplies:

http://threatpost.com/en_us/blogs/hacker-says-texas-town-used-three-character-password-secure-internet-facing-scada-system-11201

[Faust]

So apparently ... in between developing censoring and deep packet inspection infrastructure for Iran and Egypt (in a joint venture with Nokia) and getting their PLC control software rooted by Stuxnet, Siemens makes badly secured SCADA systems for Texan water supplies:

http://threatpost.com/en_us/blogs/hacker-says-texas-town-used-three-character-password-secure-internet-facing-scada-system-11201

OH GOOD GOD! Putting any kind of process control on internet accessable SCADA systems is something that should never be done lightly, especially a potentially LETHAL one like a water system.

And using a three character password to boot, not only should someone get fired, that department should get shut down.

[Triple Zero]

Also, very weird shit going on from within China's Great Firewall:

http://www.nsc.liu.se/~nixon/sshprobes.html

Servers accepting incoming SSH connections from Chinese IPs sometimes first get "probed" with a short burst of completely random data from completely different Chinese IPs. Sometimes the SSH connection itself is dropped shortly thereafter. Assumed is it's got something to do with Chinese censorship, but it's a complete mystery what the random data is for (as it just generates an error at the server, doesn't exploit anything).

[Faust]

Also, very weird shit going on from within China's Great Firewall:

http://www.nsc.liu.se/~nixon/sshprobes.html

Servers accepting incoming SSH connections from Chinese IPs sometimes first get "probed" with a short burst of completely random data from completely different Chinese IPs. Sometimes the SSH connection itself is dropped shortly thereafter. Assumed is it's got something to do with Chinese censorship, but it's a complete mystery what the random data is for (as it just generates an error at the server, doesn't exploit anything).

They are targeting coordinates for the space based laser that etched those markings.

[Triple Zero]

Just got this off the twitter:

UNDERSTANDING CYBERCRIME: A GUIDE FOR DEVELOPING COUNTRIES -- ICT Applications and Cybersecurity Division, Policies and Strategies Department, ITU Telecommunication Development Sector, Draft April 2009  via @laviero

and http://www.cybercrimelaw.net/Cybercrimelaw.html -- "An International Criminal Tribunal for Cyberspace should be established as an United Nations court of law for the most serious cybercrimes of global concern. Such Court may have its seat in The Hague or in Singapore, discusses Judge Stein Schjolberg, Norway, in a book «A Global Treaty on Cybersecurity and Cybercrime» that was published on February 23." (PDF download of the book on that page) via @laviero

It's an interesting angle, different from my usual interests, which are of course with the more technical aspects of "cyber" security. This focuses more on the international, political and legal ways of dealing with the problems.

Like if there's a rogue group of hackers from Lithuania attacking servers in Switzerland, who's responsibility is that and what can the Swiss do to bring these people to justice? Much more complex than with meat-crime¹, as the first response has traditionally always been "catch them before they cross your border again", but that doesn't work, the Internet has no borders and cybercrime being perpetrated completely within one nation's border is truly more the exception than the rule. A hacker would be stupid to not route his attack through one or more unrelated countries to take advantage of exactly these difficulties.

Problem is, naive solutions result in huge privacy violations and/or wrecking the very fundamental concepts that made the Internet grow so useful, and all that.

Bigger problem is, the political/legal people making up these regulations may not have the technical knowledge to realize these naive solutions are naive and come up with alternatives. They feel they need to do something, and this is the best they can come up with, cause they don't understand the subject matter (which is very complex and I'd be hard pressed to come up with a solid waterproof solution myself as well), and then something monkeystupid will happen: the biggest hurdle to implement these naive solutions to them is getting all these nations to agree, work together, make treaties, the whole political game, it's complex and even if the answer was straightforward, it'd still take a lot of greasing to get everyone facing mostly the same way. And seeing that big hurdle, the politicans are happy, because this is a difficult task that they are good at and can sink their teeth in! So they gladly forget about all that technical stuff which keeps reminding them of their ignorance and start campaigning and putting their weight in and whenever they make some progress with that, they feel like they've accomplished something useful because it was politically hard, not because it was the best way forward.

I dunno if this book discusses the above, btw. I should probably read it, even though I fear it'll bore the fuck out of me

But on PD there's enough people that are interested more in these legal/political aspects than myself, so I hope it's interesting to you (and that if you read it maybe give me a TLDR/summary) -- there's more links on that page btw, this book's just one of them.





¹ if they're going to insist on calling it "cyber-crime", I'm going to insist we call regular crime "meat-crime" from now on.

[Mesozoic Mister Nigel]

MEAT-CRIME.

!

[Triple Zero]

MEAT-CRIME.

!

SUCH AS THROWING AWAY BACON FAT


OR THAT PINK SHIT IN CHEAP HOT DOGS

[Triple Zero]

Hackers Completely Penetrated U.S. Chamber of Commerce's IT Systems
The Wall Street Journal published a story today that is no doubt causing consternation in many US businesses today. According to the story, a hacking group based in China was able to fully penetrate the U.S. Chamber of Commerce's computer systems in November 2009, if not before. The intrusion, in which administrator level passwords were stolen, was not discovered until May 2010 by the US Federal Bureau of Investigation (FBI). The FBI immediately informed the Chamber, at which time the Chamber began to take measures to close off the intrusion. The WSJ says that all the Chamber's systems may not be completed secure even now.


check it out, they got 0wned pretty bad ...

[Mesozoic Mister Nigel]

Hackers Completely Penetrated U.S. Chamber of Commerce's IT Systems
The Wall Street Journal published a story today that is no doubt causing consternation in many US businesses today. According to the story, a hacking group based in China was able to fully penetrate the U.S. Chamber of Commerce's computer systems in November 2009, if not before. The intrusion, in which administrator level passwords were stolen, was not discovered until May 2010 by the US Federal Bureau of Investigation (FBI). The FBI immediately informed the Chamber, at which time the Chamber began to take measures to close off the intrusion. The WSJ says that all the Chamber's systems may not be completed secure even now.


check it out, they got 0wned pretty bad ...

Whoa!