Countdown to #ZeroDay: #Stuxnet and the Launch of the World’s First #DigitalWeapon
Jun 08 2011
In cyberspy vs cyberspy, China has the edge
Image via Wikipedia
By Brian Grow and Mark Hosenb
WASHINGTON: As America and China grow more economically and financially intertwined, the two nations have also stepped up spying on each other. Today, most of that is done electronically, with computers rather than listening devices in chandeliers or human moles in tuxedos.And at the moment, many experts believe China may have gained the upper hand.
Though it is difficult to ascertain the true extent of America`s own capabilities and activities in this arena, a series of secret diplomatic cables as well as interviews with experts suggest that when it comes to cyber-espionage, China has leaped ahead of the United States.
According to US investigators, China has stolen terabytes of sensitive data â from usernames and passwords for State Department computers to designs for multi-billion dollar weapons systems. And Chinese hackers show no signs of letting up.
âThe attacks coming out of China are not only continuing, they are accelerating,â says Alan Paller, director of research at information-security training group SANS Institute in Washington, DC.
Secret US State Department cables, obtained by WikiLeaks and made available to Reuters by a third party, trace systems breaches â colourfully code-named âByzantine Hadesâ by US investigators â to the Chinese military. An April 2009 cable even pinpoints the attacks to a specific unit of China`s People`s Liberation Army.
Privately, US officials have long suspected that the Chinese government and in particular the military was behind the cyber-attacks. What was never disclosed publicly, until now, was evidence.
US efforts to halt Byzantine Hades hacks are ongoing, according to four sources familiar with investigations. In the April 2009 cable, officials in the State Department`s Cyber Threat Analysis Division noted that several Chinese-registered websites were âinvolved in Byzantine Hades intrusion activity in 2006.â
The sites were registered in the city of Chengdu, the capital of Sichuan Province in central China, according to the cable. A person named Chen Xingpeng set up the sites using the âpreciseâ postal code in Chengdu used by the People`s Liberation Army Chengdu Province First Technical Reconnaissance Bureau (TRB), an electronic espionage unit of the Chinese military. âMuch of the intrusion activity traced to Chengdu is similar in tactics, techniques and procedures to (Byzantine Hades) activity attributed to otherâ electronic spying units of the People`s Liberation Army, the cable says.
Reconnaissance bureaus are part of the People`s Liberation Army`s Third Department, which oversees China`s electronic eavesdropping, according to an October 2009 report by the US-China Economic and Security Commission, a panel created by Congress to monitor potential national security issues related to US-China relations.
Staffed with linguists and technicians, the Third Department monitors communications systems in China and abroad. At least six Technical Reconnaissance Bureaus, including the Chengdu unit, âare likely focused on defence or exploitation of foreign networks,â the commission report states.âReuters
Cyber War: The Next Threat to National Security and What to Do About It
Related articles
- PRC and USA in ‘Heated Cyber-Espionage Battle’ (infosecurity.us)
- WikiLeaks Cable about Chinese Hacking of U.S. Networks (schneier.com)
Jun 02 2011
Google blaming Chinese hackers for security breach
Image via CrunchBase
For the second time in 17 months, Google is pointing its finger at China for a security breach in one of its systems.
This time, Google says Chinese hackers were responsible for breaking into the personal Gmail accounts of several hundred people _ including those of senior U.S. government officials, military personnel and political activists.
The latest cyber attack isn’t believed to be tied to a more sophisticated one that originated from China in late 2009 and early last year. That intrusion went after some of Google’s trade secrets and triggered a high-profile battle with China’s Communist government over online censorship. (AP, ccg)
This seems pretty intrusive and targeted incident. Iâm curious, what is a threshold trigger for declaring a cyber war between two countries. I understand this was not a very prolong incident but these small incidents here and there can certainly achieve some long term objectives for the other side. It is very difficult to prove the correct source of these incidents in the wild west of internet and also there is a lack of international law to pursue these cases as a criminal offense.
Apparently the pentagon recently concluded that computer sabotage can constitute an act of war and justify the use of military force, the wall street journal reported this week.
Well before the use of military force you have to prove beyond reasonable doubt that you are targeting the correct culprit nation. Well if this is the criteria to declare a war against other nation we better buy a good error and omission insurance. In cyber world it hard to prove and easy to spoof, where some groups will be eager to setup an easy victim to justify the use of military force…
Clinton: China hacking charge âVey Seriousâ
Cyber War: The Next Threat to National Security and What to Do About It
Related articles
- China rejects Gmail spying claims (bbc.co.uk)
- ‘China hackers’ hit Google e-mail (bbc.co.uk)
Feb 10 2011
China-based hackers targeted oil, energy companies in ‘Night Dragon’ cyber attacks
Image by lisbokt via Flickr
From the LA Times
China-based hackers may have been stealing sensitive information from several international oil and energy companies for as long as four years, cyber-security firm McAfee Inc. said in a report Thursday.
The company said it traced the “coordinated covert and targeted cyberattacks” back to at least November 2009 and that victims included companies in the U.S., Taiwan, Greece and Kazakhstan. McAfee has dubbed the security breach “Night Dragon.”
McAfee said the hackers, using techniques and tools originating in China and often found on Chinese hacking forums, grabbed details about company operations, project financing and bidding that “can make or break multibillion dollar deals.”
Operating through servers in the U.S. and the Netherlands, the company said, the hackers exploited vulnerabilities in the Microsoft Windows operating system. Techniques included social engineering, spear-phishing, Active Directory compromises and remote administration tools, or RATs.
Although elaborate, Santa Clara-based McAfee said the hacking method was “relatively unsophisticated.” And because most of the Night Dragon attacks originated between 9 a.m. and 5 p.m. Beijing time on weekdays, the cyber-security firm said it suspects that the hacking was not the work of freelancers.
Jan 03 2011
New virus threatens phones using Android
- Image via Wikipedia
Mobile Malware Attacks and Defense
WASHINGTON (AFP) â A virus infecting mobile phones using Google’s Android operating system has emerged in China that can allow a hacker to gain access to personal data, US security experts said.
A report this week from Lookout Mobile Security said the new Trojan affecting Android devices has been dubbed “Geinimi” and “can compromise a significant amount of personal data on a user?s phone and send it to remote servers.”
The firm called the virus “the most sophisticated Android malware we’ve seen to date.”
“Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone,” Lookout said.
“Geinimi’s author(s) have raised the sophistication bar significantly over and above previously observed Android malware by employing techniques to obfuscate its activities.”
The motive for the virus was not clear, accoring the Lookout, which added that this could be used for anything from “a malicious ad-network to an attempt to create an Android botnet.”
But the company said the only users likely to be affected are those downloading Android apps from China.
The infected apps included repackaged versions sold in China of Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense and Baseball Superstars 2010.
“It is important to remember that even though there are instances of the games repackaged with the Trojan, the original versions available in the official Google Android Market have not been affected,” the security firm said.
Mobile Malware Attacks and Defense
Related articles
- Geinimi, Sophisticated New Android Trojan Found in Wild (mylookout.com)
- Pirated Apps Smuggle Trojans Onto Android Phones (tjantunen.com)
- Android Mobile under Botnet-like Malware threat: LookOut (globalthoughtz.com)
- Mobile security firm warns of new Android Trojan (news.cnet.com)
Apr 21 2010
Raid said to have hacked Google password system
- Image via Wikipedia
John Markoff, New York Times
Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret.
But a source with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s services, including e-mail.
The program, code-named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days in December, the source said. The software is intended to enable users to sign in with their password just once to operate a range of services.
The intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making changes to the security of its networks after the intrusions. But the theft leaves open the possibility that the intruders may find weaknesses that Google might not even be aware of, independent computer experts said.
The new details seem likely to increase the debate about the security and privacy of systems that now centralize the personal information of millions of individuals and businesses.
Link to ‘poisoned’ site
The theft began with a single instant message sent to a Google employee in China, according to the person with knowledge of the inquiry, who spoke on the condition he not be identified. By clicking on a link and connecting to a “poisoned” Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View.
Ultimately, the intruders were able to gain control of a software repository used by that team.
Tightening security
The details surrounding the theft of the software have been a closely guarded secret by the company. Google first publicly disclosed the theft in a Jan. 12 posting, which stated that the company was changing its policy toward China in the wake of the theft of unidentified “intellectual property” and the apparent compromise of the e-mail accounts of two human rights activists.
Company executives declined to comment Monday about the new details of the case.
Google continues to use the Gaia password system, now known as Single Sign-On, but has tightened the security of its data centers.
Several technical experts said that because Google had quickly learned of the theft of the software, it is unclear what the consequences of the theft have been. One of the most alarming possibilities is that the attackers might have intended to insert a Trojan Horse – a secret backdoor – into Gaia and install it in dozens of Google’s global data centers to establish clandestine entry points.
This article appeared on page D — 1 of the San Francisco Chronicle on Apr 20, 2010
Cyber War: The Next Threat to National Security and What to Do About It
Feb 01 2010
Google attack highlights ‘zero-day’ black market
- Image by Laughing Squid via Flickr
By Jordan Robertson, AP
The recent hacking attack that prompted Google’s threat to leave China is underscoring the heightened dangers of previously undisclosed computer security flaws â and renewing debate over buying and selling information about them in the black market.
Because no fix was available, the linchpin in the attack was one of the worst kinds of security holes. Criminals treasure these types of “zero day” security vulnerabilities because they are the closest to a sure thing and virtually guarantee the success of a shrewdly crafted attack.
The attackers waltzed into victims’ computers, like burglars with a key to the back door, by exploiting such a zero-day vulnerability in Microsoft Corp.’s Internet Explorer browser. Microsoft rushed out a fix after learning of the attack.
How did the perpetrators learn about the flaw? Likely, they merely had to tap a thriving underground market, where a hole “wide enough to drive a truck through” can command hundreds of thousands of dollars, said Ken Silva, chief technology officer of VeriSign Inc. Such flaws can take months of full-time hacking to find.
“Zero days are the safest for attackers to use, but they’re also the hardest to find,” Silva said. “If it’s not a zero day, it’s not valuable at all.”
The Internet Explorer flaw used in the attack on Google Inc. required tricking people into visiting a malicious Web site that installed harmful software on victims’ computers.
The attack, along with a discovery that computer hackers had tricked human-rights activists into exposing their Google e-mail accounts to outsiders, infuriated Google and provoked a larger fight over China’s censorship of the Internet content. Google has threatened to shut down its censored, Chinese-language search engine and possibly close its offices in China.
Pedram Amini, manager of the Zero Day Initiative at the security firm TippingPoint, estimated that the IE flaw could have fetched as much as $40,000. He said even more valuable zero-day flaws are ones that can infect computers without any action on the users’ part.
Zero days refer to security vulnerabilities caused by programming errors that haven’t been “patched,” or fixed, by the products’ developers. Often those companies don’t know the weaknesses exist and have had zero days to work on closing the holes.
In this case, Microsoft actually knew about the flaw since September but hadn’t planned to fix it until February, as companies sometimes prioritize fixing other problems and wait on the ones they haven’t seen it used in attacks.
Microsoft often fixes multiple vulnerabilities at once because testing patches individually is time-consuming and costly, said Chris Wysopal, co-founder of security company Veracode Inc.
But criminals know how the patch cycle works, and Wysopal said the Google attackers may have realized their zero-day flaw was getting old â and thus struck in December just before they thought Microsoft was going to fix it.
“They likely thought the bug would be fixed in January or February,” he said. “They were right.”
Microsoft certainly could have fixed the bug earlier and prevented it from being used on Google, but security experts caution that an adversary that is well-funded or determined could have easily found another bug to use.
“Zero days aren’t difficult to find,” said Steve Santorelli, a former Microsoft security research who now works with Team Cymru, a nonprofit research group. “You don’t have to have a Ph.D. in computer science to find a zero-day exploit. It really is a factor of the amount of energy and effort you’re willing to put in.”
In fact, such exploits are widely available for the right price. VeriSign’s iDefense Labs and 3Com Corp.’s TippingPoint division run programs that buy zero-day vulnerabilities from researchers in the so-called “white market.” They alert the affected companies without publicly disclosing the flaw and use the information to get a jump on rivals on building protections into their security products.
There’s also another, highly secretive market for zero days: U.S. and other government agencies, which vie with criminals to offer the most money for the best vulnerabilities to improve their military and intelligence capabilities and shore up their defenses.
TippingPoint’s Amini said he has heard of governments offering as high as $1 million for a single vulnerability â a price tag that private industry currently doesn’t match.
Little is publicly known about such efforts, and the U.S. government typically makes deals through contractors, Amini said. Several U.S. government agencies contacted by The Associated Press did not respond to requests for comment.
One researcher who has been open about his experience is Charlie Miller, a former National Security Agency analyst who now works in the private sector with Independent Security Evaluators. Miller netted $50,000 from an unspecified U.S. government contractor for a bug he found in a version of the Linux operating system.
Whether to pay â and seek payment â is hotly debated among researchers.
“I basically had to make a choice between doing something that would protect everybody and remodeling my kitchen â as terrible as that is, I made that choice, and it’s hard,” Miller said. “It’s a lot of money for someone to turn down.”
Companies whose products are vulnerable generally won’t pay outside researchers for bugs they’ve found. Microsoft said offering payment “does not foster a community-based approach to protecting customers from cybercrime.” The company declined further comment on its practices and the timing of the fix for the flaw used in the Google attack.
On Thursday, Google announced that it will start paying at least $500 to researchers who find certain types of bugs in its Chrome browser, calling the program an “experimental new incentive.” That mirrors a reward that Mozilla has been offering for critical bugs found in its Firefox browser.
Computer vulnerabilities are so dangerous that one day private companies such as Microsoft might be pressured into buying from the black market to prove they’re doing all they can to keep customers secure â especially the most critical ones such as the military and power companies.
“I think it’s only a matter of time,” said Jeremiah Grossman, founder of WhiteHat Security Inc. “Something really bad has to happen first, and it hasn’t yet. When a virus runs through a children’s hospital and causes loss of life, it’s going to matter a lot.”
Related articles by Zemanta
- Web browser flaw used in Google attack highlights black market for ‘zero-day’ vulnerabilities (taragana.com)
- Core Security Expert to Detail Critical IE Browser Security Issues at Black Hat DC 2010 Conference (eon.businesswire.com)
- China attacks exploited Microsoft IE vulnerability (seattlepi.com)
- Microsoft to issue emergency patch today for IE flaw (computeractive.co.uk)
Oct 13 2008
World Bank security breach and financial crisis
The World Bank controls the Worldâs banking system, creates plans and strategies to develop economies to protect countries from financial turmoil. This information is a treasure trove of data which can be manipulated for huge monetary or political gain.
Amongst the financial crisis, a major security breach has been reported at World Bank that might tell us a story that protecting consumersâ data during these crisis might not be the first priority for many suffering financial institutions.
World Bank Under Siege in âUnprecedented Crisisâ
âIt is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution’s highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank’s network for nearly a month in June and July.â
âIn total, at least six major intrusions â two of them using the same group of IP addresses originating from China have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month. â
The World Bankâs technology and security expert states that the incident is an âunprecedented crisis.â Some security experts are saying that this might be the worst security breach to date at a global financial institution. The hackers controlled around 18 servers for more than a month and World Bank admits that sensitive data could have been stolen but they are not sure about the total impact of the breach.
Alan Calder wrote about âData protection and financial chaosâ and mentioned that âWhen financial markets appear to be in free fall, many organizations might think that data protection is the least of their worries. Who cares, they might wonder, about protecting personal data if tomorrow we might not exist anymore?â
I concur with Alan on this point, in the midst of this chaos, our personal data might be at great risk and we have to be vigilant and carry the load to protect our data. At the same time, this might become another reason for the financial institutionsâ demise if they let their guards down now and do not make a priority to protect customersâ data.
During this turmoil, some financial institutionsâ upper management doesnât have to worry about their responsibility of securing the customers data adequately when they already know that eventually the taxpayers will be paying for their mistakes and their bonus plan will stay intact. Unprecedented crisis are sometimes the result of unprecedented greed.
Glassner âI donât know that the captain of the Titanic got a bonus for driving the boat into iceberg. They at least had the decency to go down with the shipâ [quoted in âWachoviaâs Golden Parachutesâ story in S.F. Chronicle of 10/10/08 pg. C1].
Bill Gates âI’m quite worried about the fiscal imbalances that we’ve got and what that might mean in terms of financial crisis ahead.â
Chinese hackers: No site is safe
httpv://www.youtube.com/watch?v=ovNVhk1rVVE&feature=related
(Free Two-Day Shipping from Amazon Prime). Great books
