Jaw-dropping and life-changing details about Chinese attacks on Google emerge

If you're not a hardened, tinfoil hat-wearing the-apocalypse-is-nigh conspiracy theorist, you soon will be. Wired has just published a stunning article detailing a really scary report from computer forensics firm Mandiant. The story brings to light some disturbing truths about the always-connected, always-on world we live in.
As an Internet nerd, I actually found the details numbly humbling. It made me think about a silent war, a cold war that is warming the ground we walk and the air we breathe -- but has not yet broken out into open conflict. Reading Wired's story and thinking about the depth and detail and concerted effort required to pull off such a hack scares me.
You should read the full article for complete details, but here's a quick breakdown of the attacks employed against targets such as Google, U.S. oil companies, defense contractors and counter-terrorism departments:
- A new form of attack is being leveraged by hackers, called Advanced Persistent Threats (APT) -- think of an APT as a 'ticking bomb', an apparently benign piece of software that can be turned on at any time. These APTs can avoid detection and remain dormant for months or years, only activating when the 'coast is clear'. In this most recent case, an unpatched zero-day vulnerability in Internet Explorer 6 was the entry point.
- These attacks are theft-oriented -- the sole purpose behind these APT attacks is to get at sensitive data: email, Word documents, PowerPoint presentations, spreadsheets, etc. Corporate secrets, counter-intelligence, you name it.
- 'Spear-phishing' provides the way in -- spear phishing is a targeted attack in which email, chat or other communication tools are used to trick specific individuals in a position of power. In this case, a phishing campaign tailored towards obtaining a counter-terrorism official's password was successful. Once you have a way in -- malware, planted via the high-ranking, high-clearance user -- it's much easier to get at more data... and so the web of exploited and compromised machines and accounts grows!
- A very clever way of sending the data back home -- once the network and users have been compromised and the data harvested, it has to be sent back out. In these advanced APT attacks, the data is compressed and then slowly leaked out of the victim's network using false headers and custom protocols sent over obscure or misleading ports (in this case, the port normally used for SSL).
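The last point is the one a network defender can actually act on: a custom protocol hiding behind the SSL port is not SSL, and the first bytes a client sends give it away. The following Python is an added example (not code from Wired, Mandiant or the original post) that classifies outbound flows on TLS ports by checking whether the client's first bytes form a TLS handshake record carrying a ClientHello. The `Flow` records, the IP addresses and the payload bytes are constructed sample data; a real deployment would feed it the first packet of each flow from a capture or NetFlow-style sensor.

```python
"""
Spot outbound flows on SSL/TLS ports whose payload is not TLS.

A TLS session always opens with a handshake record:
  byte 0    = 0x16  (content type: handshake)
  bytes 1-2 = 0x03 0x00..0x03 (record-layer version, SSL 3.0 .. TLS 1.2;
                               TLS 1.3 clients also put 0x0301/0x0303 here)
  bytes 3-4 = record length
  byte 5    = 0x01  (handshake type: ClientHello)
Anything else on one of these ports is worth a second look: it may be
plaintext HTTP with forged headers, or a compressed blob in a custom protocol.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Ports where the client's first bytes are expected to be a TLS ClientHello
# (HTTPS, SMTPS, IMAPS, POP3S). Assumption for this example: nothing else
# legitimately uses these ports on the monitored network.
TLS_PORTS = {443, 465, 993, 995}


@dataclass
class Flow:
    src: str          # internal client address
    dst: str          # external server address
    dport: int        # destination port
    first_bytes: bytes  # first payload bytes sent by the client
    out_bytes: int    # total bytes the client sent over the flow


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if the bytes start with a TLS handshake record holding a ClientHello."""
    if len(data) < 6:
        return False
    content_type, major, minor, handshake_type = data[0], data[1], data[2], data[5]
    return (content_type == 0x16 and major == 0x03
            and minor <= 0x03 and handshake_type == 0x01)


def classify_flow(flow: Flow) -> str:
    """Label a flow: 'tls', 'not-tls-port', or one of two anomaly labels."""
    if flow.dport not in TLS_PORTS:
        return "not-tls-port"
    if looks_like_tls_client_hello(flow.first_bytes):
        return "tls"
    # "False headers": an HTTP request line in the clear on a TLS port.
    if flow.first_bytes[:4] in (b"GET ", b"POST", b"PUT ", b"HEAD"):
        return "plaintext-http-on-tls-port"
    return "unknown-protocol-on-tls-port"


def suspicious_flows(flows: List[Flow]) -> List[Tuple[str, str, str, int]]:
    """Return (src, dst, verdict, bytes_out) for every flow that is not TLS on a TLS port."""
    return [(f.src, f.dst, classify_flow(f), f.out_bytes)
            for f in flows if classify_flow(f).endswith("on-tls-port")]


# Constructed sample flows (addresses from RFC 5737 documentation ranges).
SAMPLE_FLOWS = [
    # genuine TLS 1.0-style record carrying a TLS 1.2 ClientHello
    Flow("10.0.0.5", "203.0.113.10", 443,
         b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03", 5_000),
    # zlib-compressed blob (0x78 0x9c header) pushed straight out on port 443
    Flow("10.0.0.7", "198.51.100.23", 443,
         b"\x78\x9c\xed\xbd\x07\x60\x1c\x49", 48_000_000),
    # plaintext HTTP POST with a made-up Host header on port 443
    Flow("10.0.0.9", "198.51.100.23", 443,
         b"POST /sync HTTP/1.1\r\nHost: cdn.example\r\n", 120_000),
    # ordinary cleartext web request on port 80: out of scope for this check
    Flow("10.0.0.5", "192.0.2.77", 80, b"GET / HTTP/1.1\r\n", 2_000),
]

if __name__ == "__main__":
    for src, dst, verdict, out in suspicious_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {verdict} ({out} bytes out)")
```

The check only inspects the first record, so it is a cheap triage filter rather than a full TLS parser; a flow that passes it can still be abusive, which is why pairing the verdict with the outbound byte count (the second sample flow moves 48 MB) is what turns it into a useful alert.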
Perhaps the most chilling fact that comes to light from this report is that this recent attack on Google and other Silicon Valley companies wasn't the first -- and it certainly won't be the last. Stories have emerged that show these hacks have been going on for years, and are not merely targeting corporate entities. For example, Mandiant's CEO Kevin Mandia told Wired "If you're a law firm and you're doing business in places like China, it's so probable you're compromised and it's very probable there's not much you can do about it."
This is the beginning of the cyber war that we've been theorizing about for years. I hope we have a contingency plan in place.

Comments (22)
Annoying Poster, Feb 4th 2010 8:48AM
Nothing jaw-dropping at all about this. Don't be a dumbass, keep your computer patched and you won't get hacked.
Sebastian Anthony, Feb 4th 2010 9:07AM
You know the IE6 zero-day attack used a hole that Microsoft knew about, but hadn't patched? :)
Gustavo Muslera, Feb 6th 2010 12:35PM
APT could be any piece of software, infiltrated years ago and, as it never manifested itself, never suspected and, more importantly, never patched. It could be something that the infiltrators did on purpose (i.e. a widely used application or library with rogue code inside) or a discovered vulnerability that was never disclosed (that IE6 vulnerability could have been known for years, but 5 months ago a researcher found it and announced it to Microsoft, which went quiet until the whole Google problem hit the fan).
This could be used against proprietary software and open software alike.
Brandscill, Feb 4th 2010 9:02AM
His point was that it can happen even with patched computers, via unknown zero-day attacks on unpatched flaws like the IE6 one; there will always be holes nobody has yet discovered.
Brdystyls, Feb 4th 2010 9:04AM
First off, Annoying Poster, that is exactly what you are. Secondly, just because you patched it doesn't mean there aren't other holes not patched in which to sneak in. The IE hack was in MS Windows for almost 6 years. Yeah, patching would have really helped.
Thirdly and more geared towards the article.
It's just too bad that our government has shit on us so much, that our hackers don't even care enough about this country (I know I don't) to show these people who the real hackers are. But since they don't care about us we won't care about them. We will just sit back and laugh and protect our own shit.
Sebastian Anthony, Feb 4th 2010 9:08AM
Sounds like WHITE HAT hackery! Or... our black hats versus their black hats...
Could be an epic battle. As you say, I hope the US government has something up their sleeve :)
richard.gailey, Feb 4th 2010 9:10AM
Hat well and truly adopted.
That's a pretty scary read, but as you say it is an inevitable and unavoidable type of attack that we are going to see more and more of, and I don't think the attacks will stay at the high-end level either. It won't be too long before banks are fully compromised and personal account details of the little people (you and me) will also be available for a price in a way that hasn't happened yet.
Sebastian Anthony, Feb 4th 2010 10:31AM
What a chilling thought... :(
If ever there has been a reason to remain mediocre and uninteresting, below the radar... this is it!
r3loaded, Feb 4th 2010 9:58AM
It's not that scary...
At the heart of it all is the old phishing e-mail trick. Don't use IE6, don't open stuff from untrusted users, etc. etc.
What is scary is how many people fall for them. There needs to be some basic "security-awareness" course that people have to take before they can work a job requiring privileged access to computer systems.
Sebastian Anthony, Feb 4th 2010 10:30AM
Well, you have to imagine that these are highly-targeted phishing attacks.
Imagine if you received an email from your mother, father, a trusted friend... and it didn't look like the standard 'click here to update your Paypal settings' attack.
You can see how it might be easy to fall for... (in my opinion).
r3loaded, Feb 4th 2010 10:32AM
Ah, that's why I always refuse to accept attachments sent by e-mail. I always insist my friends/family use a verifiable method of transmission such as YouSendIt, Dropbox, or IM transfer. Failing that, I just e-mail/call them back asking if they sent the e-mail in the first place.
S4Rs, Feb 4th 2010 10:29AM
Use Ubuntu. Problem solved...
Whateva, Feb 4th 2010 12:05PM
S4Rs, once everyone has switched to Ubuntu, according to your advice, Ubuntu will become the next target. And I think an attack on Ubuntu will be even easier than an attack on Windows systems, despite Ubuntu's superior security. A huge number of Windows users cannot keep their system even remotely secure, and they are using a very casual-user-oriented OS. My guess is that when many people are using Ubuntu, the geeks will be somewhat safe, and the casual users will fare much worse than if they had stayed on a Windows system. If they had not updated their computers with Microsoft's in-your-face updates, I doubt they will go to the length of updating their Ubuntu system to the latest version. So in short, problems are far from solved.
Fenriz, Feb 4th 2010 3:39PM
The problem isn't with your own system. Geeks can keep their own systems fairly safe through prudent web practices and computer maintenance. Chinese hacker syndicates aren't after you anyway, so the danger is low. The problem is, geeky and protected as you may be, you still use the Internet, phone, banking, medical and other community services whose computer systems and employees are not always secure. If your bank gets hacked, it doesn't matter that you run Ubuntu.
This is a widespread social issue that's warming up, not a personal issue. All computer-reliant industries need to be brought up to modern computer security standards, because unless you live in a cave their security failures are going to impact you.
Brian, Feb 4th 2010 5:50PM
From a technical perspective, the article was fairly useless. Nothing new was discussed. Hackers have been using those techniques since the creation of the computer in the first place. Creating a fancy name for age-old techniques doesn't make them any more sophisticated.
Tanner, Feb 5th 2010 1:28AM
What I love to see is average computer users freaking out about things like this. As if they have some vital pieces of information that could fall into the wrong hands. Any hacker is going to go after some large-scale target. They honestly hold zero interest in breaking into your computer and stealing those oh-so-adorable photos of your cats, or that Word document full of bad poetry you wrote on a whim one night. Chill. Unless you're some high-priority target, you have nothing to worry about. (Unless you have an uncontrollable urge to open email attachments with ambiguously cheery titles. Then you just have it coming to you.)
www.factopo.com, Feb 5th 2010 4:04PM
Yeah, this is bullshit. OH NO, ONLY AMERICAN HACKERS ARE ALLOWED TO HACK AMERICAN WEBSITES! Get over it, there are hackers all over the world, and they all do the same thing. It's not necessarily to be malicious, it's just to show what they can do. Sometimes they think they can make some money out of it or something, but in the end Asians, like Americans, just hack to hack.
Matt, Feb 5th 2010 10:58AM
It's all about cost effectiveness. Prolonged attacks like this used to be limited to military and high end financial targets, because they cost more than the info was worth otherwise. They are becoming more affordable now.
And that's the same reason the "use Ubuntu" argument is BS. If any flavor of *nix reaches critical mass, then attacks against it will become cost effective. Obscurity and rarity are the only things keeping any operating system (with the notable exception of OpenBSD) safe.
SilverWave, Feb 5th 2010 10:26AM
If you have something of note, physical persuasion is the route most used. This is nothing new.
SilverWave, Feb 5th 2010 10:28AM
This is more of a threat:
Lawful Intercept: The methods networking companies use to let the Feds watch suspects also expose the rest of us. http://bit.ly/cZRZg0