NYT covers China cyberthreat

The scary part is that so many things got hacked by a bunch of people
who made the totally noob mistake of launching all their attacks from
the same place....

Net net - what we have here is, so far, relatively low tech exploits with a
huge element of brute force, and the only innovation being in the delivery
mechanism - very well crafted spear phishes

They don't particularly need to hide in a location where they're literally
bulletproof (considering how many crimes have the death penalty in China,
said penalty being enforced by a bullet to the head and your family billed
for the bullet, if I remember correctly)

Now that there's a light shone on it all, despite the official denial, you'll
simply see this office building shift to an even more anonymous business
park halfway across the country (or maybe inside an army base that people
just can't wander into and photograph), and the exploits will simply start
to cover their traces better.

Sure they'll evolve - let them. The point here is that they're going to
evolve anyway if we let them operate with impunity from a location where
they're bulletproof.

--srs

I can't help but wonder what would happen if US Corporations simply blocked all inbound Chinese traffic. Sure it would hurt their business, but imagine what the Chinese people would do in response. It seems like China takes very little seriously until it goes mainstream. This is happening right now with their political system; they are attempting (publicly) to rid themselves of bad apples. I think this applies to the majority of the Internet-dependent countries: people are ready to jump out of a window if Facebook or Twitter is down. Imagine the revolt after every major US-based provider stopped taking their calls and data. I understand the implications, but I think this may be the only real way to spank them (I know the financial ramifications..)

::This all seems to be noobie stuff. There's nothing technically cool
::to see here

You mean the report or the activity?

You seem "upset" that they are using M$ only (target and source). They steal data!!! From whom to steal? From a guru who spends a minimum of 8 hours a day in front of *nix?
Why put so much effort into stealing information from that guy, when there are thousands of people out there with vulnerable and easy-to-break M$?

They aren't looking to do something cool, but just regular, plain old thief stuff. Targeting M$ users is easy, involves fewer resources and is "business" profitable. You need to look at this action from a business perspective.

IMO, why spend hours breaking something (like *nix systems) that you don't even know contains valuable information? This is more like sniffing around to find something useful and not targeting an exact system.

Somebody here mentioned that this unit is not their top unit. I'm sure that it's not. Maybe it was meant to be found.

Cheers,
Calin

The focus on platform here is ridiculous; can someone explain how
platform of attacker or target is extremely relevant? Since when did
people fail to see that we have plenty of inter-platform tools and
services, and plenty of tools for either platform built with the
express purpose of interaction with the other? Just because you
learned to code/operate on/for/with/from a *nix doesn't mean that
teams of Chinese coders can't make a tool that gets the job done
on/for/with/from a Windows box. Many people write many softwares of
diverse purpose and use for many platforms. Platform is, as far as I
can tell, moot in this discussion. Feel free to enlighten me.

Consider the US's indignation over the targeting of civilian or
corporate intellectual property and the shifting of reality from
preconceived expectation. I have had it explained to me as a purely
ideological difference between the US and China. Simply put: just
because we might find it immoral for state-sponsored espionage to feed
stolen IP into the private sector, doesn't mean that China will feel
the same; to some, it is perceived as nationalistic, another way the
government helps to strengthen the nation.

For another example of this, an acquaintance once told me about the
process of getting internationally standardized technologies approved
for deployment in China; the process that was described to me involved
giving China the standards-based spec that had been drafted and
approved, being told that for deployment, they would have to improve
upon it in a laundry list of ways to bring it some 5-10 years ahead of
the spec, and THEN it would be allowed to be deployed.

Whenever you have enough new players, or the game goes on long enough,
the rules end up changing.

My recent experience doing exactly this at $EMPLOYER doesn't match this
story at all.

The main problem, as with several other "second world" countries, is
that the standards you must comply with are only in the local language
and you must make your submission in the local language as well.
However, if you have a local technical presence, you can often get
software approval (or a formal notice of exemption--even for products
that contain "dangerous" features like encryption) in a matter of days
or even hours. If you don't, it can drag on for months. Hardware
testing can be even worse because it must be performed in their labs and
can cost tens of thousands of dollars, but at least that doesn't have to
be repeated each time you publish a new version of code.

In contrast, "first world" countries generally publish their standards
in, and accept submissions in, English. They also tend not to care
about software features, just hardware. The standards tend to be shared
across countries (eg. EU/EFTA and US/Canada), or at least they accept
test results from third-party labs that can test for all such countries
at the same time. As a result, many vendors simply don't bother going
past that group--or do it so infrequently that they don't gain the
institutional knowledge of how to navigate the approval processes in the
other group successfully and with minimal effort/cost.

S

Would it hurt their business? Really?

Well, if they're eBay, probably. If they're Joe's Fill Dirt and
Croissants in Omaha, then probably not, because nobody, NOBODY in China
is ever actually going to purchase a truckload of dirt or a tasty
croissant from Joe. So would it actually matter if they couldn't
get to Joe's web site or Joe's mail server or especially Joe's VPN server?
Probably not.

Nobody in Peru, Egypt, or Romania is likely to be buying from Joe
any time soon either.

This is why I've been using geoblocking at the network and host levels
for over a decade, and it works. But it does require that you make an
effort to study and understand your own traffic patterns as well as your
organizational requirements. [1]

I use it on a country-by-country basis (thank you ipdeny.com) and
on a service-by-service basis: a particular host might allow http
from anywhere, but ssh only from the country it's in. I also
deny selected networks access to selected services, e.g., Amazon's
cloud doesn't get access to port 25 because of the non-stop spam
and Amazon's refusal to do anything about it. Anything on the
Spamhaus DROP or EDROP lists (thank you Spamhaus) is not part
of my view of the Internet. And so on. Combined, all this
achieves lossless compression of abusive traffic.

This is not a security fix, per se; any services that are vulnerable
are still vulnerable. But it does cut down on the attack surface as
measured along one axis, which in turn reduces the scope of some
problems and renders them more tractable to other approaches.

An even better approach, when appropriate, is to block everything
and then only enable access selectively. This is a particularly
good idea when defending things like ssh. Do you *really* need to
allow incoming ssh from the entire planet? Or could "the US, Canada,
the UK and Germany" suffice? If so, then why aren't you enforcing that?
Do you really think it's a good idea to give someone with a 15-million
member global botnet 3 or 5 or 10 brute-force attempts *per bot*
before fail2ban or similar kicks in? I don't. I think 0 attempts per
most bots is a much better idea. Let 'em eat packet drops while they
try to figure out which subset of bots can even *reach* your ssh server.

Which brings me to the NYTimes, and the alleged hacking by the Chinese.
Why, given that the NYTimes apparently handed wads of cash over to
various consulting firms, did none of those firms get the NYTimes to
make a first-order attempt at solving this problem? Why in the world
was anything in their corporate infrastructure accessible from the 2410
networks and 143,067,136 IP addresses in China? Who signed off on THAT?

(Yes, yes, I *know* that the NYTimes has staff there, some permanently
and some transiently. A one-off solution crafted for this use case
would suffice. I've done it. It's not hard. And I doubt that
it would need to work for more than, what, a few dozen of the NYTimes'
7500 employees? Clone and customize for Rio, Paris, Moscow, and
other locations. This isn't hard either. Oh, and lock it out of
everything that a field reporter/editor/photographer doesn't need,
e.g., there is absolutely no way someone coming in through one of
those should be able to reach the subscriber database.)

Two more notes: first, blocking inbound traffic is usually not enough.
Blocks should almost always be bidirectional. [2] This is especially
important for things like the DROP/EDROP lists, because then spam
payloads, phishes, malware, etc. won't be able to phone home quite
so readily, and while your users will still be able to click on
links that lead to bad things...they won't get there.

Second, this may sound complex. It's not. I handle my needs with
make, rsync, a little shell, a little perl, and other similar tools,
but clearly you could do the same thing with any system configuration
management setup. And with proper logging, it's not hard to discover
the mistakes and edge cases, to apply suitable fixes and temporary
point exceptions, and so on.

---rsk

[1] 'Now, your typical IT executive, when I discuss this concept with
him or her, will stand up and say something like, "That sounds great,
but our enterprise network is really complicated. Knowing about all the
different apps that we rely on would be impossible! What you're saying
sounds reasonable until you think about it and realize how absurd it
is!" To which I respond, "How can you call yourself a 'Chief Technology
Officer' if you have no idea what your technology is doing?" A CTO isn't
going to know detail about every application on the network, but if you
haven't got a vague idea what's going on it's impossible to do capacity
planning, disaster planning, security planning, or virtually any of the
things in a CTO's charter.' --- Marcus Ranum

[2] "We were so concerned with getting out that we never stopped to
consider what we might be letting in, until it was too late."

Let's see who recognizes that one. :wink:
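The country-by-country, service-by-service scheme rsk describes above (http from anywhere, ssh only from a short list of countries, DROP/EDROP space cut out in both directions), as an added example that is not part of the original thread and not rsk's own tooling: a POSIX shell script that turns ipdeny-style zone files (one IPv4 CIDR per line) and a Spamhaus DROP-style list ("CIDR ; SBLnnn" per line) into an nftables ruleset. The zone and DROP contents are constructed from RFC 5737 documentation ranges, "xx" is a made-up country code, and the function and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate an nftables ruleset that
# applies the posting's policy. DROP-listed space is blocked in both
# directions, http is open to everyone, ssh is reachable only from a short
# list of countries, and everything else inbound is dropped.
# Inputs: ipdeny-style zone files (ZONEDIR/<cc>.zone, one IPv4 CIDR per line)
# and a Spamhaus DROP-style list ("CIDR ; SBLnnn" per line).
# All sample data below is constructed from RFC 5737 documentation ranges;
# "xx" is a made-up country code.

# emit_set NAME FILE: print an nft interval set NAME holding FILE's CIDRs.
emit_set() {
    # drop comments ("; SBL..." or "#"), whitespace and blank lines,
    # then join the survivors with ", " for the elements list
    elems=$(sed -e 's/[;#].*$//' -e 's/[[:space:]]//g' -e '/^$/d' "$2" \
            | tr '\n' ',' | sed 's/,$//; s/,/, /g')
    printf '    set %s {\n        type ipv4_addr\n        flags interval\n        elements = { %s }\n    }\n' "$1" "$elems"
}

# gen_geo_rules ZONEDIR DROPFILE "CC CC ..."
#   ZONEDIR   directory holding <cc>.zone files
#   DROPFILE  DROP/EDROP-style list
#   third arg space-separated country codes allowed to reach port 22
gen_geo_rules() {
    zonedir=$1; dropfile=$2; ssh_cc=$3
    ssh_tmp=$(mktemp)
    for cc in $ssh_cc; do cat "$zonedir/$cc.zone"; done > "$ssh_tmp"
    echo 'table inet geo {'
    emit_set drop_nets "$dropfile"
    emit_set ssh_nets "$ssh_tmp"
    rm -f "$ssh_tmp"
    cat <<'EOF'
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # DROP-listed networks are not part of our view of the Internet
        ip saddr @drop_nets drop
        # http from anywhere
        tcp dport 80 accept
        # ssh only from the allow-listed countries; everyone else gets packet drops
        ip saddr @ssh_nets tcp dport 22 accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
        # bidirectional: phone-home attempts to DROP-listed space die here too
        ip daddr @drop_nets drop
    }
}
EOF
}

# demo_ruleset: write constructed zone/DROP files and print the ruleset.
demo_ruleset() {
    d=$(mktemp -d)
    printf '192.0.2.0/24\n'     > "$d/us.zone"
    printf '203.0.113.0/25\n'   > "$d/ca.zone"
    printf '203.0.113.128/25\n' > "$d/xx.zone"
    printf '198.51.100.0/24 ; SBLxxxxxx (constructed placeholder)\n' > "$d/drop.txt"
    gen_geo_rules "$d" "$d/drop.txt" "us ca"
    rm -rf "$d"
}

demo_ruleset
```

Review the generated text and load it with `nft -f`. The DROP set is consulted before any accept rule, so listed networks cannot reach http either, and the output chain keeps an infected desktop from reaching the same space. Zone lists change, so regenerate on every refresh instead of hand-editing rules; that is the job rsk hands to make and rsync.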

> I can't help but wonder what would happen if US Corporations simply
> blocked all inbound Chinese traffic. Sure it would hurt their
> business, but imagine what the Chinese people would do in response

First thing is the Chinese government would rejoice since they don't
want their citizens on our networks (except the ones they recruit for
cyber warfare, they can get other address ranges for those guys).

Second thing is someone will make a ton of money bouncing Chinese
traffic through somewhere else (and someone will create a SPAMHAUS like
service to detect that, and so on, and so on, and so on)

Third thing is all the companies that do business in and around China
would be screaming because tons of them use VPNs that are sourced from
Chinese IP address space. Some people even like to travel and access
things back home, you know weird stuff, like email, news, music, videos.

One of the biggest problems with geoblocking is that often the addresses
do not reveal the true source of the traffic. If you block everything
from China, you miss attacks sourced from China that are bouncing
through bot networks with hosts worldwide. Remember Tor, it is built to
defeat just that sort of security by obscuring source locations.
Corporations also often have egress points to the Internet in countries
other than the one the user is in. If you block everything from China,
then you are locking out any of your own personnel that travel
internationally or any of your customers that travel. Who here has not
surfed the web from a hotel room on business? Anyone with malicious
intent has a zillion ways to bypass that sort of security. Obscuring
your source address is child's play. The management of the geoblocking
will not be worth the minimal protection it provides. Trying to locate
someone by address is a complete PITA in my opinion. If you go to
Europe you will often get sent to the wrong Google sites because they
attempt to locate you instead of just letting you put in the correct URL
(if you are in the UK, it is not that hard to include .co.uk in your
URL). I have been in the UK and gotten Google Germany and Google Spain
for no apparent reason (except that carriers in Europe have addresses
from all over the place because of mergers, alliances, and all sorts of
other arrangements).

Blocking networks by service will also be a management nightmare since
addresses often change and new blocks get assigned and companies offer
different services. Who manages all of that and who is going to tell
you when something changes (the answer is nobody, you will know when
stuff breaks). If my network security guy had enough time to keep track
of all of Amazon's address space and what services they are offering
this week and all the services they host in their datacenters, I would
fire him for having that much time on his hands. Can you keep track of
all the stuff coming from Akamai and where all their servers are at on a
continuing basis? Cloud services will make blocking by service nearly
impossible since the network can reconfigure at any time.

I would love to see this implementation in a large corporate or
government network. What a huge game of whack-a-mole that is. Seems to
me that the time would be much better spent tuning up firewalls and
securing hosts properly.

I think geoblocking gives you nothing but a false sense of security. I
also believe that if you see an attack coming from China in particular
it is because they WANT you to know it is coming from China. I would
think any state sponsor conducting a very serious attack would conceal
themselves better than that. I also believe that a lot of attacks that
look like they are coming from China are actually coming from elsewhere.
Think about this, if I am a hacker in the US, attacking a US victim, it
would be a big advantage to look like I was coming from China because it
almost guarantees no attempt to prosecute or track me down since
everyone in this business knows that if it comes out of China you can't
do anything about it. I would not be surprised to find out China is
letting their capabilities be known just to remind everyone of what the
implications of messing with them are. Remember Doctor Strangelove,
"what good is a doomsday bomb if you don't tell anyone about it ?!?!?"

Steven Naslund

[a number of very good points]

Geoblocking, like passive OS fingerprinting (another technique that
reduces attack surface as measured along one axis but can be defeated
by a reasonably clueful attacker), doesn't really solve problems, per se.
If you have a web app that's vulnerable to SQL injection attacks, then
it's still just as hackable -- all the attacker has to do is try from
somewhere else, from something else.

But...

1. It raises the bar. And it cuts down on the noise, which is one of the
security meta-problems we face: our logs capture so much cruft, so many
instances of attacks and abuse and mistakes and misconfigurations and
malfunctions, that we struggle to understand what they're trying to tell
us. That problem is so bad that there's an entire subindustry built
around the task of trying to reduce what's in the logs to something
that a human brain can process in finite time. Mountains of time
and wads of cash have been spent on the thorny problems that arise
when we try to figure out what to pay attention to and what to ignore...
and we still screw it up. Often.

So even if the *only* effect of doing so is to shrink the size of
the logs: that's a win. (And used judiciously, it can be a HUGE win,
as in "several orders of magnitude".) So if your security guy is
as busy as you say...maybe this would be a good idea.

And let me note in passing that by raising the bar, it ensures that
you're faced with a somewhat higher class of attacker. It's one
thing to be hacked by a competent, diligent adversary who wields
their tools with rapier-like precision; it's another to be owned
by a script kiddie who has no idea what they're doing and doesn't
even read the language your assets are using. That's just embarrassing.

2. Outbound blocks work too, y'know. Does anybody in your marketing
department need to reach Elbonia? If not, then why are you allowing
packets from that group's desktops to go there? Because either
(a) it's someone doing something they shouldn't or (b) it's something doing
something it shouldn't, as in a bot trying to phone home or a data
exfiltration attack or something else unpleasant. So if there's
no business need for that group to exchange packets with Elbonia
or any of 82 other countries, why *aren't* you blocking that?

3. Yes, this can turn into a moderate-sized matrix of inbound and
outbound rules. That's why make(1) and similar tools are your friends,
because they'll let you manage this without needing to resort to scotch
by 9:30 AM. And yes, sometimes things will break (because something's
changed) -- but the brokenness is the best kind of brokenness: obvious,
deterministic, repeatable, fixable.

It's not hard. But it does require that you actually know what your
own systems are doing and why.

4. "We were hacked from China" is wearing awfully damn thin as the
feeble whining excuse of people who should have bidirectionally firewalled
out China from their corporate infrastructure (note: not necessarily
their public-facing servers) years ago. And "our data was exfiltrated
to Elbonia" is getting thin as an excuse too: if you do not have an
organizational need to allow outbound network traffic to Elbonia, then
why the hell are you letting so much as a single packet go there?

Like I said: at least make them work for it. A little. Instead of
doing profoundly idiotic things like the NYTimes (e.g., "infrastructure
reachable from the planet", "using M$ software", "actually believing that
anti-virus software will work despite a quarter-century of uninterrupted
failure", etc.). That's not making them work for it: that's inviting
them in, rolling out the red carpet, and handing them celebratory champagne.

---rsk
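The prerequisite rsk keeps returning to, knowing what your own traffic looks like before you write the rules (and the log-shrinking payoff in point 1), as an added example that is not from the thread: a shell/awk script that attributes firewall LOG lines to a country using ipdeny-style zone files and longest-prefix match, then tabulates hits per country and destination port. The zone data and log lines are constructed from RFC 5737 ranges, "xx" is a made-up country code, and names such as geo_tabulate are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): before writing geoblocking rules,
# tabulate what actually arrives, per country and destination port.
# Country attribution uses ipdeny-style zone files (ZONEDIR/<cc>.zone, one
# IPv4 CIDR per line) and longest-prefix match; log lines are anything with
# SRC=<ip> and DPT=<port>, the iptables/nft LOG format. Zone data and log
# lines below are constructed from RFC 5737 ranges; "xx" is a made-up code.

# geo_tabulate ZONEDIR LOGFILE -> lines of "<cc|unknown> <dport> <count>"
geo_tabulate() {
    zonedir=$1; logfile=$2
    awk '
    # dotted quad -> 32-bit integer (awk doubles hold this exactly)
    function ip2n(s,   o) { split(s, o, "\\."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    # first line of each zone file: derive the country code from the file name
    FNR == 1 && FILENAME != logfile { cc = FILENAME; sub(/.*\//, "", cc); sub(/\.zone$/, "", cc) }
    # zone file lines: store (network, prefix length, country)
    FILENAME != logfile {
        if ($0 ~ /^[0-9.]+\/[0-9]+$/) {
            split($0, p, "/"); n++
            net[n] = ip2n(p[1]); plen[n] = p[2]; owner[n] = cc
        }
        next
    }
    # log lines: pull SRC and DPT, attribute by the longest matching prefix
    {
        if (!match($0, /SRC=[0-9.]+/)) next
        src = substr($0, RSTART + 4, RLENGTH - 4)
        if (!match($0, /DPT=[0-9]+/)) next
        dpt = substr($0, RSTART + 4, RLENGTH - 4)
        a = ip2n(src); best = 0; bestlen = -1
        for (i = 1; i <= n; i++) {
            h = 2 ^ (32 - plen[i])        # size of the host part of the prefix
            if (int(a / h) == int(net[i] / h) && plen[i] > bestlen) { best = i; bestlen = plen[i] }
        }
        hits[(best ? owner[best] : "unknown") " " dpt]++
    }
    END { for (k in hits) print k, hits[k] }
    ' logfile="$logfile" "$zonedir"/*.zone "$logfile" | sort
}

# demo_tabulate: constructed zone files plus a few constructed LOG lines.
demo_tabulate() {
    d=$(mktemp -d)
    printf '192.0.2.0/24\n'     > "$d/us.zone"
    printf '203.0.113.0/25\n'   > "$d/ca.zone"
    printf '203.0.113.128/25\n' > "$d/xx.zone"
    cat > "$d/fw.log" <<'EOF'
Feb 20 03:14:07 gw kernel: geo-drop IN=eth0 SRC=192.0.2.7 DST=10.0.0.5 PROTO=TCP DPT=22
Feb 20 03:14:09 gw kernel: geo-drop IN=eth0 SRC=203.0.113.200 DST=10.0.0.5 PROTO=TCP DPT=22
Feb 20 03:14:11 gw kernel: geo-drop IN=eth0 SRC=203.0.113.201 DST=10.0.0.5 PROTO=TCP DPT=22
Feb 20 03:14:12 gw kernel: geo-drop IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=80
Feb 20 03:14:15 gw kernel: geo-drop IN=eth0 SRC=198.51.100.4 DST=10.0.0.5 PROTO=TCP DPT=25
EOF
    geo_tabulate "$d" "$d/fw.log"
    rm -rf "$d"
}

demo_tabulate
```

Run it over a day or a week of real LOG output before and after a rule change: the "unknown" row tells you how stale your zone files are, a country/port pair you cannot explain from a business need is a candidate for a block, and the difference in line counts between the two runs is the noise reduction point 1 talks about.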

I think it is safe to say that finding a foothold inside of the United
States from which to perform/proxy an attack is not the hardest thing
in the world. I don't understand why everyone expects that major
corporations and diligent operators blocking certain countries'
prefixes will help. That being said, you make a solid point to which
people should absolutely listen: applying an understanding of your
business-needs-network-traffic baseline to your firewall rules and
heuristic network detections (in a more precise fashion than just "IPs
from country $x") is a SOLID tactic that yields huge security
benefits. Nobody who cares about security should really be able to
argue with it (plenty of those who don't care will hate it, though),
and it makes life _awful_ for any attackers.

>
> [a number of very good points ]
>
> Geoblocking, like passive OS fingerprinting (another technique that
> reduces attack surface as measured along one axis but can be defeated
> by a reasonably clueful attacker), doesn't really solve problems, per se.
> If you have a web app that's vulnerable to SQL injection attacks, then
> it's still just as hackable -- all the attacker has to do is try from
> somewhere else, from something else.
>
> But...
>
> 1. It raises the bar. And it cuts down on the noise, which is one of the
> security meta-problems we face: our logs capture so much cruft, so many
> instances of attacks and abuse and mistakes and misconfigurations and
> malfunctions, that we struggle to understand what they're trying to tell
> us. That problem is so bad that there's an entire subindustry built
> around the task of trying to reduce what's in the logs to something
> that a human brain can process in finite time. Mountains of time
> and wads of cash have been spent on the thorny problems that arise
> when we try to figure out what to pay attention to and what to ignore...
> and we still screw it up. Often.
>
> So even if the *only* effect of doing so is to shrink the size of
> the logs: that's a win. (And used judiciously, it can be a HUGE win,
> as in "several orders of magnitude".) So if your security guy is
> as busy as you say...maybe this would be a good idea.
>
> And let me note in passing that by raising the bar, it ensures that
> you're faced with a somewhat higher class of attacker. It's one
> thing to be hacked by a competent, diligent adversary who wields
> their tools with rapier-like precision; it's another to be owned
> by a script kiddie who has no idea what they're doing and doesn't
> even read the language your assets are using. That's just embarrassing.
>
> 2. Outbound blocks work too, y'know. Does anybody in your marketing
> department need to reach Elbonia? If not, then why are you allowing
> packets from that group's desktops to go there? Because either
> (a) it's someone doing something they shouldn't or (b) it's something doing
> something it shouldn't, as in a bot trying to phone home or a data
> exfiltration attack or something else unpleasant. So if there's
> no business need for that group to exchange packets with Elbonia
> or any of 82 other countries, why *aren't* you blocking that?
>
> 3. Yes, this can turn into a moderate-sized matrix of inbound and
> outbound rules. That's why make(1) and similar tools are your friends,
> because they'll let you manage this without needing to resort to scotch
> by 9:30 AM. And yes, sometimes things will break (because something's
> changed) -- but the brokenness is the best kind of brokenness: obvious,
> deterministic, repeatable, fixable.
>
> It's not hard. But it does require that you actually know what your
> own systems are doing and why.
>
> 4. "We were hacked from China" is wearing awfully damn thin as the
> feeble whining excuse of people who should have bidirectionally firewalled
> out China from their corporate infrastructure (note: not necessarily
> their public-facing servers) years ago. And "our data was exfiltrated
> to Elbonia" is getting thin as an excuse too: if you do not have an
> organizational need to allow outbound network traffic to Elbonia, then
> why the hell are you letting so much as a single packet go there?
>
> Like I said: at least make them work for it. A little. Instead of
> doing profoundly idiotic things like the NYTimes (e.g., "infrastructure
> reachable from the planet", "using M$ software", "actually believing that
> anti-virus software will work despite a quarter-century of uninterrupted
> failure", etc.). That's not making them work for it: that's inviting
> them in, rolling out the red carpet, and handing them celebratory champagne.
>
> ---rsk
>

--
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer

I've been doing some thinking about the internet tonight and came across
this e-mail, by which I am intrigued. Currently we suffer from DDoS downtime
on Rackspace (granted it's a very small amount of time); it's a hit to our
only single point of failure, which I am currently trying to solve by
obtaining a /24 and an anycast address as a means of mitigation and
providing a highly available HTTP cluster of load balancers. I can't help
but wonder if the cost (both in IPv4 resources and cash) outweighs the
worth of an environment that is sanctioned from the globe. While cloud
hosting has proven to be a scalable solution for our needs, we currently
are only serving US-based organizations as far as I know. Even so, the
desire to grow beyond that isn't far-fetched when adding networks that are
still segregated from access outside of a country becomes more available
(kinda like VLANs).

Germany, Russia, and Spain.