Anyone see a game changer here?

Part of the discussion of recent attacks by targeted email to
individuals, crafted to deceive that particular individual based on
intelligence gathered for this use by governments.

"The alleged attacks from China are troubling on many fronts. On
Thursday, security firm McAfee released a report saying the program
used to target U.S. firms involved a so-called "zero day"
vulnerability -- one that was to this point unknown to the security
community, and thus indefensible by anti-virus software. The flaw
involved Microsoft's Internet Explorer, McAfee said. Microsoft says it
is working quickly to provide a software patch. But the malicious
software attacks other software flaws too, McAfee said, adding this
ominous note: "There very well may be other attack vectors that are
not known to us at this time."

"These highly customized attacks known as advanced persistent threats
were primarily seen by governments and the mere mention of them
strikes fear in any cyberwarrior," wrote McAfee's George Kurtz in a
blog post today. "They are in fact the equivalent of the modern drone
on the battlefield. With pinpoint accuracy they deliver their deadly
payload and once discovered - it is too late...All I can say is wow. The
world has changed. Everyone's threat model now needs to be adapted to
the new reality of these advanced persistent threats. In addition to
worrying about Eastern European cybercriminals trying to siphon off
credit card databases, you have to focus on protecting all of your
core intellectual property."

Mark Rasch, former head of the Department of Justice computer crime
unit, called the attacks “cyberwarfare,” and said it was clearly an
escalation of a digital conflict between China and the U.S.

As if the old threat models weren't bad enough...

Bruce

As if the old threat models weren't bad enough...

The old threat models were simply not up to date.

  Gadi.

Where are these quotes coming from ?

Marshall

Precisely correct. This has been going on for quite some time; some people simply weren't paying attention.

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

"The alleged attacks from China are troubling on many fronts. On
Thursday, security firm McAfee released a report saying the program
used to target U.S. firms involved a so-called "zero day"
vulnerability -- one that was to this point unknown to the security
community, and thus indefensible by anti-virus software. The flaw

...

"These highly customized attacks known as advanced persistent threats
were primarily seen by governments and the mere mention of them
strikes fear in any cyberwarrior," wrote McAfee's George Kurtz in a

He makes it sound like nobody's ever discovered 0-day sploits in use in the wild / had 0-day sploits used against them. The term 0-day has been around for quite some time for a reason.

I don't see anything new here other than the insinuation that the Chinese government might have been behind their use.

Does anyone really believe that the use of targeted 0-day exploits to gain unauthorized access to information hasn't been at least considered if not used by spies working for other [than China] countries?

I think only those not paying attention would be left with that impression.

Spying has been done for years on every side of various issues. Build a more complex system, someone will eventually find the weak points.

Personally I was amused at people adding cement to USB ports to mitigate against the "removable media threat". The issue I see is people forget that floppies posed the same threat back in the day.

The reality is that the technology is complex and easily used in asymmetrical ways, either for DDoS or for other purposes.

The game is the same, it's just that some people are paying attention this week. It will soon go back to being harmless background radiation for most of us.

- Jared

The "difference" this week is motive.

In the 1980s-1990s, we had joy-hacking.

In the 2000s, we had profit-motivated hacking by criminals.

We now have (and have had for a few years) what appears to be nation-state hacking. The differences are in targets and resources available to the attacker.

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

That particular one:

    http://redtape.msnbc.com/2010/01/gregory-fayer-opened-an-e-mail-on-monday-night-that-looked-like-it-was-from-a-fellow-lawyer-at-gipson-hoffman-pancione-inst.html

  Some more commentary:

    http://www.wired.com/threatlevel/2010/01/operation-aurora/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+wired27b+(Blog+-+27B+Stroke+6+(Threat+Level))&utm_content=Google+Reader

  Of course, you'll have to follow links in an email in order to
  read those, if you dare.

  Marcus

We now have (and have had for a few years) what appears to be nation-state hacking. The differences are in targets and resources available to the attacker.

Agreed, and given that it is easier to aggregate bits of information
from different sources to put together the puzzle, it makes more sense
for a nation-state to do so when they are pursuing information about
advanced technology.

Folks are concerned about the coming fall IETF meeting. Without
drinking from the conspiracy theory fountain, I'm almost sure that
-unless somebody does something really stupid- nobody will have any
problems; the host country will be delighted to have so many
"technologists" with juicy information and experience under their roof
and "surveillance."

Regards
Jorge

And indeed, what do we even know of this incident _for_sure_ so far?

The reports, depending on vendor, blame either PDF files via email as the original perpetrator, or lay most of the blame on an Internet Explorer 0day. Both are likely vectors which have been seen used before.

Regardless of what really happened, which I hope we will know more on later, these things are clear:

1. Unlike GhostNet, which showed an interesting attack but jumped to conclusions without evidence that it was China behind them -- based on Ethos alone I'd like to think that when Google says China did it, they know. Although being a commercial company with their own agenda, I am saving final judgement. Did Google ever say it's China rather than from China?

2. The 0day disclosed here shows a higher level of sophistication, as well as an M.O. which has been shown to be used by China in the past (consider 0days patched by Microsoft and reported by the Taiwanese government).

3. If this was China, which some recent talk seems to make ambiguous, but still likely; they would have more than just one weapon in their arsenal. The attack would not have been against all these corporations, but rather multiple attacks, and possibly multiple tools.

4. This incident has brought cyber security once again to the awareness of the public, in a way no other incident since Georgia has succeeded, and to political awareness in a way no incident since Estonia has done.

As to "everyone does it", here is an example I wrote of the German experience (not my best writing, but good analysis):
http://www.darkreading.com/blog/archives/2009/03/german_intellig.html

  Gadi.

To my understanding they believe that people that live in China are relevant (which is why they brought it up in the context), but they are very carefully saying that they don't know the exact perpetrators.

http://www.ipinc.net/IPv4.GIF

Absolutely, they pointed it out to me elsewhere (I copy-pasted). I made a mistake.

I mention them as #1 before the current incident out of respect. This should have said "but many jumped to conclusions..." which is also what I said at the time, and supports my third point.

Thanks for pointing this out.

  Gadi.

To my understanding they believe that people that live in China are relevant
(which is why they brought it up in the context), but they are very
carefully saying that they don't know the exact perpetrators.

http://www.ipinc.net/IPv4.GIF

Uh, Fred the link is to an image that has nothing to do with the
topic. Can you prove you are not Chinese and my computer is not
hacked? Fred is your real name, isn't it? You are Fred, aren't you?

Seriously, it suddenly came to mind that this list is a "high value
target" and many people click away on links from who knows who. I
guess it's the classic "the shoemaker's kids have no shoes" situation....

Bruce

You. Says so on my business card...

[attached image: IMG_2226_2.jpg]

看的也不見! (roughly: "Even when you look, you can't see it!")

TV

Google Translation tells me this means "see never see!". Let me guess, there's a better translation.

That's the translation the Chinese Government has inserted into the Google Translation service. :wink:

It appears this is just western propaganda because:

One analyst said Friday that he is not sure the attacks point to the
Chinese government. Rob Knake, a cybersecurity expert with the Council
on Foreign Relations, said his analysis of results from a technology
firm investigating the attacks suggests that they "were not
state-sponsored or the work of an elite, sophisticated group such as
the Chinese military."

http://www.washingtonpost.com/wp-dyn/content/article/2010/01/15/AR2010011503321.html

Andrew

Personally I was amused at people adding cement to USB ports to mitigate
against the "removable media threat". The issue I see is people forget
that floppies posed the same threat back in the day.

Do you mean the "AutoRun" threat, since this sort of thing is usually done by people who (a) run M$ Winders and (b) do not know how to turn off the really annoying "helpful" features created by the clueless idiots in Redmond ... and those idiots keep on creating more and more security hole "features" that have to be disabled.

Someone should tell the idiots who design APIs that APIs are designed to be used -- and they will be used to do what they were designed to do -- and if that design constitutes a security flaw, then it will be used as such and the only solution is to stop designing stupid APIs. The most laughable example is the creation of API hooks into the kernel for use by AntiVirus vendors. Unfortunately, these APIs can, by their very definition, be used by anyone who wants for any purpose they desire.

Personally I would prefer a secure kernel that cannot be tampered with or compromised by anyone. Adding a deliberately designed security flaw to enable a third party to stay in business providing a partial plug for the deliberately designed hole is utter lunacy!

Back to removable media, AutoRun is, and always has been, completely trivial to completely, utterly and irrevocably disable -- and I have been doing so since, well, since this idiotic mis-feature first appeared somewhere in the early 90's.

The same applies to other crap-ware vectors such as Flash.

Just because some people are slow or do not pay attention to what has been going on in the world for 20 years does not make these "new".

It's like dogs -- they have been around for thousands of years. Some people just don't notice that they have teeth until they, through their own stupidity, get bitten by one.

Now, back to your regularly scheduled programming ...
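For the "trivial to disable" claim in the post above, here is an added example of the machine-wide policy setting that turns AutoRun off for every drive type on Windows, with a check of the value before and after. This is editor-supplied illustration, not code from the poster or from any vendor; it assumes an elevated (administrator) PowerShell session, and the key path, value name and meaning of 0xFF are the documented NoDriveTypeAutoRun policy (each bit disables AutoRun for one drive-type class; all bits set disables it for all of them).

```powershell
# Added example: disable AutoRun for every drive type via the
# NoDriveTypeAutoRun policy value. 0xFF sets all drive-type bits,
# so no removable, fixed, network or CD-ROM drive gets AutoRun.
# Assumption: run from an elevated PowerShell session (HKLM is machine-wide).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName = 'NoDriveTypeAutoRun'
$allDrives = 0xFF

function Get-AutoRunPolicy {
    # Returns the current DWORD, or $null when the value is absent
    # (absent means Windows falls back to its built-in default mask).
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$valueName
}

function Disable-AutoRun {
    # The Policies\Explorer key may not exist on a machine with no policies applied.
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    # Set-ItemProperty creates the value if it is missing and overwrites it otherwise.
    Set-ItemProperty -Path $policyKey -Name $valueName -Value $allDrives -Type DWord
}

$before = Get-AutoRunPolicy
Disable-AutoRun
$after = Get-AutoRunPolicy

if ($null -eq $before) {
    'Before: not set (Windows default mask)'
} else {
    'Before: 0x{0:X2}' -f $before
}
'After:  0x{0:X2}' -f $after

# Fail loudly if the write did not take; a partial mask still leaves
# some drive class with AutoRun enabled.
if ($after -ne $allDrives) {
    throw "NoDriveTypeAutoRun is $after, not 0xFF; AutoRun is still enabled for some drive types."
}
```

The HKLM value is a machine policy and wins over the per-user copy of the same value under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer; either takes effect at the next logon (or a restart). This switches off AutoRun (the automatic execution path driven by autorun.inf), not the AutoPlay prompt, and it does nothing about a user who double-clicks a file on the media by hand, which is the part the floppy comparison in the thread is really about.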

At some point, due to fundamental human nature, it doesn't matter if a
government is doing it or not. Imagine if private citizens of one
country were shooting at the citizens of another country across the
border while the army stood by and simply watched. The country on the
receiving end asks for it to stop but the country where the shooting is
originating from says "hey, we aren't doing it! It is originating from
our country but it isn't the government doing it" where the receiving
side says "I don't care who is doing it, please make them stop."

It can be damaging to a country's or network operator's reputation as a
good neighbor if they allow such chaos to continue without doing
anything about it. In many other countries where governments exert less
control, the network operators themselves often police their users by
disconnecting those who are seen to engage in such activities. A
network operator who refuses to cooperate is often seen by their peers
as somehow "rogue" and may be shunned by the community.

The point is that it doesn't matter who is at the keyboard or who is
coding the malware. If they are enabled by their network operator or
government looking the other way, then it is a natural tendency for
people to instinctively hold them partially responsible for the conduct
as being complicit in it. And that isn't anything unique with China in
particular, the same thing goes for a network operator or government
anywhere on the planet.

I think in this case because China does exercise a lot of control over
their network traffic, there is a natural tendency for people to become
frustrated when they get the feeling that the government is doing
nothing to stop this sort of traffic while other types of traffic are
vigorously policed.

So the next question would be, to what extent do the various network
operators in China assist in disconnecting the sources of such traffic?
I think I already know the answer.