Aurora Attack — Resistance Is Futile, Pretty Much

eldavojohn writes "Do you have branch offices in China? iSec has published a new report (PDF) outlining the severity of the attacks on Google.cn, allegedly by the Chinese government, dubbed 'Aurora' attacks. Up to 100 companies were victims, and some are speculating that resistance to such attacks is futile. The report lays out the shape of the attacks — which were customized per-company based on installed vulnerable software and antivirus protection: '1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website. 2. This website uses a browser vulnerability to load custom malware on the initial victim's machine. 3. The malware calls out to a control server, likely identified by a dynamic DNS address. 4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials. 5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite. 6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server. 7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.' The report also has pages of recommendations as well as lessons learned, which any systems administrator — even those inside the US — should read and take note of."


  • by girlintraining ( 1395911 ) on Monday March 01, 2010 @10:44PM (#31325720)

    Okay, I know an ex-pat who has moved to China and married. I have a much better understanding of the current state of technology and governmental oversight there than most here. Let's clear some things up:

    The government closely monitors its citizens using every form of surveillance available in public places (which include the internet) to ensure that they are not acting in a fashion the government defines as "subversive". They aren't interested in international cyber-terrorism. They simply realize that they need to be where their citizens are to maintain the umbrella of surveillance. They're not trying to blow up power plants or destroy financial markets, or engage in other acts of cyber-terrorism. They are simply of the mindset that the internet lacks geographical boundaries, and hence treat it somewhat like international waters, and regularly patrol and conduct intrusions on remote systems for the purpose of effecting surveillance on their own citizens.

    They are also interested in industrial espionage against specific high-value targets that have technology that China cannot replicate with its limited (though rapidly growing) infrastructure. China is very good at copying technology. It has very little ability (or desire) to innovate. They are focused primarily on a massive modernization program so as to set themselves up to compete with the EU, US, and South Asian markets. Hong Kong is about the only ace they have up their sleeve right now there. So they conduct limited cyber attacks for the purpose of acquiring the information and designs to manufacture technologies that are highly intricate (such as microprocessor design).

    This is not a statement on the validity of any sovereignty claims, or a moral judgement on China's state-sponsored activities on the global communications networks, merely a statement of their motivations.

  • by VendettaMF ( 629699 ) on Monday March 01, 2010 @10:53PM (#31325788) Homepage

    Meanwhile I _am_ an expat, currently in China, and I can tell you your information is lacking in a few areas.

    The Chinese government may not be out to detonate nuclear plants remotely (though you can be damn sure that when such abilities/openings are located that they are carefully filed against future need), but they are most certainly out to obtain every piece of hi-tech IP they can get hold of, as well as every bit of blackmail material, every bit of financial info and absolutely everything else they can find that will give them an edge in any arena over any and every other nation.

    That's on top of all the internal monitoring of course.

  • by Anonymous Coward on Monday March 01, 2010 @11:01PM (#31325838)
    As someone who has worked in various places that are of extreme interest to China, I can honestly say that you do not have a FUCKING clue of what you are talking about. All you are doing is talking out of the side of your mouth. The simple fact is that China is spying in a large number of areas. And yes, some of it is very much targeting the WEST's vulnerable areas.
  • by VendettaMF ( 629699 ) on Monday March 01, 2010 @11:31PM (#31326034) Homepage

    China's due some really serious shakeups in the next decade. The China of 10 years from now will be as different from current day China as current day China is from 1970's China. What will it actually be like? That's so far beyond my skills to figure that I couldn't even hazard a guess. Anyone here who cares to look can see the fuse fizzing, but as for where the bits will land... Who knows?

    There are no communists in power in China, and have not been for quite some time. They have kept the title, but that's meaningless. China's government is Totalitarian Capitalist.

    The red books are optional these days, unless you are Chinese, a Party member, in a significant government building and trying to impress someone. Foreigners with little red books are viewed with amusement at best, contempt and suspicion at worst.

    China vs world (the US is only one player among many these days)... Unless the internal restructuring prevents it, then expect to see current "Angry Letters" style face-offs continue and expand, but as for the possibility of actual physical or serious trade conflict? Not a chance. Even Bush wasn't stupid enough to countenance that.

  • by VendettaMF ( 629699 ) on Monday March 01, 2010 @11:37PM (#31326074) Homepage

    Because, by law, to have an office in China you must have Chinese employees in high-ranking positions.

    If your company is of interest then you can be guaranteed of having at least two plants in the office. One to be the obvious pro-party red-book waving decoy, and the other to save them the time and effort of having to phish someone to start the attack.

  • Asymmetric Warfare (Score:5, Interesting)

    by sp3d2orbit ( 81173 ) on Monday March 01, 2010 @11:57PM (#31326178)

    I read a paper about a decade ago (which I found thanks to Slashdot) describing how China would "hypothetically" wage a war against the US and win without firing a shot. I can't find the paper any more, but it was written by four Chinese generals. Over the last decade things have pretty much played out exactly like the paper laid things out: an economic assault, a propaganda assault, and an electronic assault. If anyone knows the paper I would love to see it again -- I think it even got turned into a book.

    One day, long from now, will people wonder why we didn't see the attack coming until it was way too late?

  • by sp3d2orbit ( 81173 ) on Tuesday March 02, 2010 @12:00AM (#31326196)

    The paper says that small and medium sized businesses are often targets and that they rarely have the resources to mitigate the attacks. Seems to me like this is a great reason to move to cloud computing. I would think 99% of businesses would be better off letting Google protect their servers than trying to find a way around these attacks themselves.

  • by Anonymous Coward on Tuesday March 02, 2010 @12:17AM (#31326296)

    I don't have a service for every thing I've installed to update it, because, like any decent OS, the system package manager handles all that in one central, elegant, secure, and user-friendly system called 'apt'.

    Practice safe computing. Use a 'buntu.

  • Woo! Monoculture! (Score:4, Interesting)

    by copponex ( 13876 ) on Tuesday March 02, 2010 @12:25AM (#31326348) Homepage

    I'm sure that doesn't carry any risks!

    But seriously, if Google were evil geniuses, they'd create hundreds of smaller data centers around the US, with different ecosystems of software security and virtualization and ip blocks, and then use them as a raid array to back up each other.

    Damn I wish I had a billion bucks.

  • Re:Chinese Patience (Score:1, Interesting)

    by Anonymous Coward on Tuesday March 02, 2010 @01:24AM (#31326708)

    I always found this shortsightedness endemic to laissez faire thinking.

  • Re:Buzzwords (Score:2, Interesting)

    by Grail ( 18233 ) on Tuesday March 02, 2010 @01:38AM (#31326798) Journal

    American egos happened.

    "I got conned," versus, "I was the victim of a social engineering attack."

    Being a victim isn't as embarrassing as being stupid.

  • Re:Chinese Patience (Score:2, Interesting)

    by Anonymous Coward on Tuesday March 02, 2010 @01:44AM (#31326836)

    Same thing happened when the Iranians overtook the US Embassy in 1979. The students pieced the documents back together looking for identities of CIA informants and the like. An example [gwu.edu] of the reconstructed documents is in the National Security Archive at GWU.

  • by r00t ( 33219 ) on Tuesday March 02, 2010 @02:18AM (#31327002) Journal

    Let's try less crap on our machines that might be vulnerable.

    I can agree for performance and cross-platform issues, but proper sandboxing solves the attack surface problem.

    Imagine a web browser that starts up a fresh new virtual PC for each web site, then deletes the machine when you leave the web site. The virtual machine could even run IE 6 on Windows XP without any service packs, and the entire world allowed to run Active X shit without prompting. The virtual PC can get pwned in a fraction of a second every time, and you just don't need to care. Firewalling on the host OS can restrict the guest OS to the intended web site, so you don't need to worry about being a botnet node.

  • by Bert64 ( 520050 ) <bert AT slashdot DOT firenzee DOT com> on Tuesday March 02, 2010 @05:01AM (#31327602) Homepage

    Fascism doesn't necessarily require a small government, just that the government be controlled by corporate interests... In fact, a large totalitarian government is beneficial to a fascist state because it becomes easier to create conditions more favorable to business.

  • by leuk_he ( 194174 ) on Tuesday March 02, 2010 @06:14AM (#31327878) Homepage Journal

    There are still the same vectors of attack possible, e.g. if someone signs an old Adobe PDF reader .exe as trusted, TCP is vulnerable immediately.

    There really is no simple answer to this. The fact that everything is networked nowadays is not helping.

    But all vectors of attack can be made as hard as possible.

    1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website.
    Answer: Train users.
    2. This website uses a browser vulnerability to load custom malware on the initial victim's machine.
    Answer: Minimize the number of plugins, keep the browser up to date, put internet access in a virtualized, separate part of the network.
    3. The malware calls out to a control server, likely identified by a dynamic DNS address.
    Answer: Kill those control servers!
    4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials.
    Answer: Should not be possible. A user should not get admin rights.
    5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite.
    Answer: No answer possible, see 4.
    6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server.
    Answer: Check the VPN access logs AND use second channel authorisation (token).
    7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.
    Answer: Don't put all the eggs in one basket. A user should only be able to access what he needs, not everything.
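"Check the VPN access logs" in answer 6 above is easier said than done, so here is an added example (editor's code, not the commenter's and not from the iSec report) of what that hunt looks like in practice. It runs three checks over constructed VPN concentrator log lines: an account created locally on the VPN box that does not exist in the directory (the "fake user" of step 6), a successful login from a source never seen for that user outside business hours (cracked credentials used from the attacker's network), and one user arriving from two different sources inside a short window. The log format, the account names, the IPs and the directory snapshot are all made up for the example; the regex is the part you adapt to your own gateway's syslog.

```python
"""Hunt for the Aurora-style VPN abuse of steps 5 and 6.

Added example with constructed data; the line format is invented and the
account list stands in for an AD/HR export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: an attacker who cracked jsmith's password adds a
# VPN-local account, then both accounts dial in at 02:00 from a new address.
SAMPLE_LOG = """\
2010-02-24T09:12:01Z vpn-gw1 login user=jsmith src=198.51.100.20 result=success
2010-02-24T18:40:33Z vpn-gw1 login user=jsmith src=198.51.100.20 result=success
2010-02-25T23:58:00Z vpn-gw1 useradd user=backupsvc2 by=jsmith
2010-02-26T02:14:09Z vpn-gw1 login user=backupsvc2 src=203.0.113.45 result=success
2010-02-26T02:20:41Z vpn-gw1 login user=jsmith src=203.0.113.45 result=success
2010-02-26T02:25:10Z vpn-gw1 login user=jsmith src=198.51.100.20 result=success
2010-02-26T03:01:55Z vpn-gw1 login user=mchen src=203.0.113.45 result=failure
"""

# Constructed: the accounts the directory says exist. A VPN-local account
# that is not in here is the "fake user in the VPN access server".
DIRECTORY_ACCOUNTS = {"jsmith", "mchen", "rlee"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>login|useradd) user=(?P<user>\S+)"
    r"(?: src=(?P<src>\S+))?(?: result=(?P<result>\S+))?(?: by=(?P<by>\S+))?$"
)


def parse(log_text):
    """Turn raw lines into dicts; unparseable lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def find_anomalies(events, off_hours=(22, 6), reuse_window=timedelta(minutes=30)):
    """Return (rule, user, timestamp) tuples, in log order."""
    alerts = []
    known_src = defaultdict(set)   # user -> source IPs seen earlier in the log
    last_login = {}                # user -> (ts, src) of the previous success
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["event"] == "useradd":
            # An account born on the VPN gateway rather than in the directory.
            if user not in DIRECTORY_ACCOUNTS:
                alerts.append(("vpn_local_account_created", user, ts))
            continue
        if e["result"] != "success":
            continue
        src = e["src"]
        if user not in DIRECTORY_ACCOUNTS:
            alerts.append(("login_by_non_directory_account", user, ts))
        start, end = off_hours
        is_off_hours = ts.hour >= start or ts.hour < end
        if is_off_hours and src not in known_src[user]:
            alerts.append(("off_hours_login_new_source", user, ts))
        prev = last_login.get(user)
        if prev and prev[1] != src and ts - prev[0] <= reuse_window:
            alerts.append(("same_user_two_sources_in_window", user, ts))
        known_src[user].add(src)
        last_login[user] = (ts, src)
    return alerts


if __name__ == "__main__":
    for rule, user, ts in find_anomalies(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {rule:34} {user}")
```

On the constructed sample this raises five alerts: the creation of backupsvc2, its login, the two off-hours arrivals from 203.0.113.45, and jsmith appearing from two addresses five minutes apart. The "new source" baseline here is just what appeared earlier in the same log; in a real deployment seed it from a few weeks of history so the first week of the hunt is not all noise.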

  • by Richard_at_work ( 517087 ) on Tuesday March 02, 2010 @07:58AM (#31328350)
    We did this in our business - created a vb app which popped up a dialog box saying 'You just breached the network terms of use.' and logged the currently logged in username and IP address to a database.

    We then emailed that to everyone in the company, from an outside address (and specifically allowed it in the email filters to simulate a worst case scenario), and sat back and watched who clicked and who didn't. It was quite enlightening.
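The drill described above attributes a click to whoever is logged in on the machine, which works for a desktop app but not for a link opened on a phone or from behind a NAT. An added example (editor's code, not the commenter's VB app) of the alternative: each recipient gets a link carrying a per-user HMAC token, so the click server can attribute a hit without trusting the client, and a guessed or forwarded token for a different campaign is rejected rather than counted. The campaign name, secret, usernames and IPs are all invented for the example.

```python
"""Per-recipient click tokens for a phishing drill.

Added example. Assumes each user is mailed a link such as
https://example.invalid/notice?t=<token> and the handler calls record().
"""
import hashlib
import hmac
from datetime import datetime, timezone

SECRET = b"constructed-drill-secret"   # constructed; keep the real one in a vault


def make_token(campaign, user, key=SECRET):
    """user.<truncated HMAC over campaign:user>; the campaign binds the token."""
    mac = hmac.new(key, f"{campaign}:{user}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{user}.{mac}"


def verify_token(campaign, token, key=SECRET):
    """Return the user the token was issued to, or None if forged or reused."""
    user, _, _mac = token.rpartition(".")   # usernames here contain no '.'
    if not user:
        return None
    expected = make_token(campaign, user, key)
    return user if hmac.compare_digest(expected, token) else None


class ClickLog:
    """What the 'You just breached the network terms of use' page records."""

    def __init__(self, campaign):
        self.campaign = campaign
        self.clicks = []     # (user, src_ip, ts)
        self.rejected = []   # (token, src_ip, ts) for tokens that did not verify

    def record(self, token, src_ip, ts=None):
        ts = ts or datetime.now(timezone.utc)
        user = verify_token(self.campaign, token)
        if user is None:
            self.rejected.append((token, src_ip, ts))
            return None
        self.clicks.append((user, src_ip, ts))
        return user

    def report(self, recipients):
        clicked = {u for u, _, _ in self.clicks}
        return {
            "sent": len(recipients),
            "clicked": sorted(clicked),
            "did_not_click": sorted(set(recipients) - clicked),
            "forged_tokens": len(self.rejected),
        }


if __name__ == "__main__":
    log = ClickLog("q1-drill")
    for user in ("alice", "bob"):
        print(user, "->", make_token("q1-drill", user))
    log.record(make_token("q1-drill", "alice"), "10.0.0.5")
    log.record("bob.0000000000000000", "10.0.0.6")   # tampered link
    print(log.report(["alice", "bob"]))
```

Truncating the MAC to 64 bits is plenty for a drill (the token is not a session credential) and keeps the link short enough not to look suspicious in itself; the campaign name in the MAC input is what stops last quarter's tokens from counting this quarter.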
  • by hey! ( 33014 ) on Tuesday March 02, 2010 @09:21AM (#31328788) Homepage Journal

    I disagree. What we need to do is compartmentalize.

    Why do you have to use the same system to browse the corporate intranet over VPN and handle personal web browsing? Each of these activities should take place on a different virtual machine on a different virtual network. Then you watch the virtual/host interfaces like a hawk.

    This is not an airtight strategy -- there is no such thing. What it does is buy time and spread the footprint of the attack.

    It's not entirely convenient. But you can focus your security attention on mechanisms you use to move data between different security universes.
    Companies seriously interested in security also really need a solid cryptographic infrastructure, including two factor security with a hardware component, and revocable trust. That's not convenient either.
