Aurora Attack — Resistance Is Futile, Pretty Much

Posted by kdawson
from the big-leagues dept.
eldavojohn writes "Do you have branch offices in China? iSec has published a new report (PDF) outlining the severity of the attacks on Google.cn, allegedly by the Chinese government, dubbed 'Aurora' attacks. Up to 100 companies were victims, and some are speculating that resistance to such attacks is futile. The report lays out the shape of the attacks — which were customized per-company based on installed vulnerable software and antivirus protection: '1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website. 2. This website uses a browser vulnerability to load custom malware on the initial victim's machine. 3. The malware calls out to a control server, likely identified by a dynamic DNS address. 4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials. 5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite. 6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server. 7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.' The report also has pages of recommendations as well as lessons learned, which any systems administrator — even those inside the US — should read and take note of."
  • by symbolset (646467) on Monday March 01, 2010 @09:36PM (#31325638) Journal
    Major attack vector: Acrobat Reader. Security company publishes intrusion analysis in pdf format. If you clicked it, you may be part of the problem.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Target corporation: Unemployed geeks in their mothers' basements.

      Damn. This attack is going to wipe the IT industry out...

    • by biryokumaru (822262) * <biryokumaru@gmail.com> on Monday March 01, 2010 @09:42PM (#31325698)
      Major attack preventer: Google docs PDF reader [google.com].
      • by Machtyn (759119)
        What about PDFXViewer [docu-track.com]? Besides being highly convenient for editing PDF docs, could it also be a way to prevent hijacks? (I don't know, I'm asking.)
    • Re: (Score:2, Informative)

      by EvanED (569694)

      Major attack vector: Acrobat Reader. Security company publishes intrusion analysis in pdf format. If you clicked it, you may be part of the problem.

      This is Slashdot. Who clicks on the article links?

      On a serious note, the Link Alert [mozilla.org] extension for Firefox will put an icon following links that go to a PDF file. (I know that the /. editors kindly put "(PDF)" after it, but to be honest I tuned it out, and if I felt like reading TFA would have just clicked.)

    • by PsychoSlashDot (207849) on Monday March 01, 2010 @09:52PM (#31325786)

      Absolutely. It's kind of funny because it was over five years ago that Microsoft "got it" and started reducing the attack surface in their operating systems. Non-essential services were disabled by default for instance.

      Now, in 2010 the web experience "requires" a browser, Flash, Adobe Reader, Java run-time, and potentially a slew of other plug-ins. Everything from WinZip to the Google Toolbar has a service running in the background to update it periodically, and there's a push for unrelated shit to be bundled with what we try to install. Download managers are becoming increasingly the norm, with Adobe burying their direct link to Reader and Flash one link further from the "Click Here to Download" link the same week they patched an exploit in it.

      We need to re-think how we compute. Less is more. Pick a standard such as HTML5 and stick to it. No plugins. (Beyond page-agnostic browser functionality add-ons like Ad-Block Plus.) No background services, no download managers, no web-extending formats. If a stock browser less than three years old can't render it, it isn't the web. If it isn't the web, we don't code for it. JPG, PNG, and a handful of standardized other formats can be direct linked-to.

      That's not the panacea... it won't solve it all. But going the way we're going is the wrong direction. Let's try less crap on our machines that might be vulnerable.

      • by adolf (21054)

        You left out GIF. The patents are expired, and it is a free standard.

        [Yes, I know that PNG does the same things as GIF, only better. Except, that it can't do animations. And simple animations, though often annoying, can be very useful, especially in a world like you suggest in which Flash does not exist. See? [wikipedia.org] And though HTML5 + Ogg Theora fills some of the gap, lossy compression [wikipedia.org] like that sucks for technical drawings, whereas lossless formats can do very well. Of course, there's MNG, which is similar

        • by Korin43 (881732)
          There's always APNG. It's only supported by Firefox and Opera, but if someone put it in Webkit it could be useful.
      • If a stock browser less than three years old can't render it, it isn't the web. If it isn't the web, we don't code for it.

        That sounds a bit like a chicken and the egg problem. If we don't currently support it, we won't ever support it.

      • Let's try less crap on our machines that might be vulnerable.

        I can agree for performance and cross-platform issues, but proper sandboxing solves the attack surface problem.

        Imagine a web browser that starts up a fresh new virtual PC for each web site, then deletes the machine when you leave the web site. The virtual machine could even run IE 6 on Windows XP without any service packs, and the entire world allowed to run Active X shit without prompting. The virtual PC can get pwned in a fraction of a second every time, and you just don't need to care. Firewalling on the

      • Re: (Score:3, Interesting)

        by hey! (33014)

        I disagree. What we need to do is compartmentalize.

        Why do you have to use the same system to browse the corporate intranet over VPN and handle personal web browsing? Each of these activities should take place on a different virtual machine on a different virtual network. Then you watch the virtual/host interfaces like a hawk.

        This is not an airtight strategy -- there is no such thing. What it does is buys time and spreads the footprint of the attack.

        It's not entirely convenient. But you can focus your sec

  • by Kludge (13653) on Monday March 01, 2010 @09:39PM (#31325664)

    Just don't use MS Windows.

    • by Wingman 5 (551897) on Monday March 01, 2010 @09:41PM (#31325680)

      Yeah, because there is no way to get rootkited or other vulnerabilities on a Linux system.

      Hey, I wonder where the term "rootkit" originated?

      • by sopssa (1498795) * <sopssa@email.com> on Monday March 01, 2010 @09:44PM (#31325718) Journal

        This is especially true because these are highly targeted attacks. Unlike other malware, these don't go where the majority of users are - they go against what the target company is using and have a reason to spend the extra time on it.

        • But it sounds like the attackers were able to make assumptions about the target information systems by using knowledge of standard IS practices. Avoiding those practices may introduce a handy layer of obscurity.

          Insisting on crypto all the way to the clients may help as well.

        • by Sycraft-fu (314770) on Tuesday March 02, 2010 @12:31AM (#31326754)

          Yep. I do find it funny how many Linux types will advocate Linux more or less as a "security through obscurity" thing. "Oh use Linux because all these attacks target Windows!" Ok, well if everyone took your advice and switched to Linux, they'd target Linux instead.

          The correct answer for security is, regardless of the system you use, assume it is vulnerable. Assume you can be attacked (because you can). Then take steps to remediate it. Have defense in depth, have layers of security so if one fails others still exist. Keep your security up to date and able to deal with current threats. Do this, and it doesn't really matter what OS you run, you are as safe as you can be.

          You have to look at it like with physical security, where there is no such thing as perfect security. There is no system that cannot be broken or bypassed in some way. All you can do is make it good enough to ward off any threats for long enough to detect and stop the threats. There is not a single step you can take to keep things safe, including moving your location.

          That is sort of what is being talked about here. It would be like moving from the city out to a sparse area. Ok, that probably will reduce attacks; however, if that's your solution for security, you've done nothing. You are just hoping you don't get attacked, you haven't done anything to actually deal with the attacks. Same deal with switching OSes. Just saying "Oh well, use Linux," doesn't really help. Sure there are fewer attacks overall for it, but that doesn't mean anything. If you still implement bad security practices (like having users run as root and having weak passwords) then you've done nothing for real security. You are just hoping that by being less visible you won't get attacked; you've no ability to actually deal with an attack.

          So choose your OS based on which one works the best for what you do. Then take steps to properly secure it, because the proactive security measures are what really keep you safe, not the OS. It is perfectly possible to have an extremely secure Windows network, and an extremely insecure Linux network.

      • Yes, BUT - what are the primary vectors again? Adobe stands head and shoulders above the crowd of other vectors. What Adobe do you find on the average *nix machine? Of my machines, two have Adobe Flash - the others have Gnash. Given just a little more motivation to move away from Adobe completely, I would rip their Flash programs out of the two machines that run it now.

        Admittedly, Adobe runs in some places that Gnash doesn't do so well on - but do I really NEED flash to watch something on Youtube? Of c

        • Re: (Score:2, Insightful)

          by Wingman 5 (551897)

          Go ahead - root me. What are you waiting for? You want the details of my operating system? HA! I'm not that easy to social engineer!

          That's why I don't root you, I root your receptionist to get the proverbial foot in the door. "Hi, this is John from IT, we found a virus on your workstation. I just emailed you the program to remove it, just open it and it will solve the issue."

      • Re: (Score:3, Informative)

        by phantomfive (622387)
        You do realize that the existence of a rootkit for a system in no way implies a vulnerability for a system, right? A rootkit isn't something that 'grants you root', it's a tool to help you hide your tracks once you are already root. Wikipedia has a good page about it [wikipedia.org].

        That said, the easiest way to get your Linux box rooted (do you see the difference between getting your box rooted and a rootkit?) is to use a weak ssh password. I don't know how common privilege escalation vulnerabilities are, but I've see
    • by xzvf (924443) on Monday March 01, 2010 @09:45PM (#31325722)
      Humans are the biggest weakness in the chain. Don't hire them, or at least hire the most non-people types you can. Hire the non-team players and the ones that argue with everyone. When someone calls them and asks them to go to a web site, they'll say screw you and hang up.
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Humans are the biggest weakness in the chain. Don't hire them

        This.

        • Re: (Score:3, Funny)

          by Machtyn (759119)
          Actually, I've noticed a lot of "this" going around in the US and world economy.
      • Companies are way ahead of you. Hell, they'd even outsource their malware infections if ... erh... they even did that it seems...

      • by turing_m (1030530)

        Hire the non-team players and the ones that argue with everyone.

        It's not necessary to employ true arguers. You could easily get away with hiring those only capable of simple contradiction.

    • Re: (Score:3, Insightful)

      by MichaelSmith (789609)

      the best practices corporate IT departments have been following for years are ineffective against the attacks

      Well obviously. Antivirus protects against old, common vectors. But if a company ran (say) ubuntu or (more likely) macos an attacker could still craft an attack against them, as long as they had information on the systems being used.

      • by grcumb (781340)

        [I]f a company ran (say) ubuntu or (more likely) macos an attacker could still craft an attack against them, as long as they had information on the systems being used.

        Agreed. These guys know what they're about, and they're willing to invest patience and resources in their attacks.

        That said, reducing the number of attack vectors is a useful and productive exercise. As Schneier loves to point out, the real goal of the security process is to make breaking in cost more than it's worth to the attacker. In this particular case, that puts the cost pretty high indeed. But choosing a more secure OS and simplifying the exposed systems would help a lot.

        The next step would be to red

  • by girlintraining (1395911) on Monday March 01, 2010 @09:44PM (#31325720)

    Okay, I know an ex-pat who has moved to China and married. I have a much better understanding of the current state of technology and governmental oversight there than most here. Let's clear some things up:

    The government closely monitors its citizens using every form of surveillance available in public places (which include the internet) to ensure that they are not acting in a fashion the government defines as "subversive". They aren't interested in international cyber-terrorism. They simply realize that they need to be where their citizens are to maintain the umbrella of surveillance. They're not trying to blow up power plants or destroy financial markets, or engage in other acts of cyber-terrorism. They are simply of the mindset that the internet lacks geographical boundaries, and hence treat it somewhat like international waters, and regularly patrol and conduct intrusions on remote systems for the purpose of effecting surveillance on their own citizens.

    They are also interested in industrial espionage against specific high-value targets that have technology that China cannot replicate with its limited (though rapidly growing) infrastructure. China is very good at copying technology. It has very little ability (or desire) to innovate. They are focused primarily on a massive modernization program so as to set themselves up to compete with the EU, US, and South Asian markets. Hong Kong is about the only ace they have up their sleeve right now there. So they conduct limited cyber attacks for the purpose of acquiring the information and designs to manufacture technologies that are highly intricate (such as microprocessor design).

    This is not a statement on the validity of any sovereignty claims, or a moral judgement on China's state-sponsored activities on the global communications networks, merely a statement of their motivations.

    • by VendettaMF (629699) on Monday March 01, 2010 @09:53PM (#31325788) Homepage

      Meanwhile I _am_ an expat, currently in China, and I can tell you your information is lacking in a few areas.

      The Chinese government may not be out to detonate nuclear plants remotely (though you can be damn sure that when such abilities/openings are located that they are carefully filed against future need), but they are most certainly out to obtain every piece of hi-tech IP they can get hold of, as well as every bit of blackmail material, every bit of financial info and absolutely everything else they can find that will give them an edge in any arena over any and every other nation.

      That's on top of all the internal monitoring of course.

      • by Anonymous Coward on Monday March 01, 2010 @10:02PM (#31325844)

        Meanwhile I _am_ Chinese, currently in China, and I can tell you your information is lacking in a few areas.

        The Chinese Government is your friend and only wants the best for you.

      • Thanks for clarifying this. My understanding of the situation mirrored what you described, but it is nice to hear it from someone first-hand.

        How do you see this playing out in, say, 10 years?

        Will the communists back away from their firm grasp on the country?

        Or will the US end up on a collision course with china?

        Or will the US in 10 years have the same limits on freedom they have there?

        And, do they still make people carry around those little red books?

        • Re: (Score:3, Interesting)

          by VendettaMF (629699)

          China's due some really serious shakeups in the next decade. The China of 10 years from now will be as different from current day China as current day China is from 1970's China. What will it actually be like? That's so far beyond my skills to figure that I couldn't even hazard a guess. Anyone here who cares to look can see the fuse fizzing, but as for where the bits will land... Who knows?

          There are no communists in power in China, and have not been for quite some time. They have kept the title, but that's

        • Re: (Score:3, Insightful)

          by Runaway1956 (1322357)

          Have you been keeping up with current events? The news on ACTA, for starters. Those school kids being spied on in Philadelphia via school mandated computers. Traffic light cameras. There is little doubt in my mind that the US is moving toward the same sort of round the clock surveillance that England and China enjoy right now. Law enforcement is pushing through a variety of rules, regulations, and even laws, permitting them to track citizens via mobile phone and other means, WITHOUT a warrant.

          I definit

    • Re: (Score:2, Interesting)

      by Anonymous Coward
      As someone who has worked in various places that are of extreme interest to China, I can honestly say that you do not have a FUCKING clue of what you are talking about. All you are doing is talking out of the side of your mouth. The simple fact is that China is spying in a large number of areas. And yes, some of it is very much targeting the WEST's vulnerable areas.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Okay, I know an ex-pat who has moved to China and married.

      It's refreshing to see such a rock-solid substantiation on Slashdot.

    • Re: (Score:2, Insightful)

      by vajorie (1307049)

      Okay, I know an ex-pat who has moved to China and married. I have a much better understanding

      Hey, nice to hear. I have this Black friend so I know Blacks. /yay

    • by Nazlfrag (1035012)

      I'm still not quite getting this government sponsored industrial espionage. Can someone provide a CIA reference?

  • Antivirus? (Score:3, Insightful)

    by TubeSteak (669689) on Monday March 01, 2010 @09:51PM (#31325766) Journal

    "Attackers are willing to spend months attacking people in these companies, and they write custom malware specific to those companies," [iSec founding partner Alex Stamos] told The Register. "The malware for each of these companies has been customized based on the versions of vulnerable software they're running, as well as what kind of anti-virus they're using. ...

    Since when have anti-virus heuristics algorithms been at all useful against custom malware?

    Even the script kiddies can find encrypters to take their cookie cutter programs and make them invisible to the majority of anti-virus programs.

  • by Anonymous Coward
    QUIT RUNNING WINDOWS. Look, if anybody runs Windows on more than their client box (and many would argue even that is stupid), then you deserve what you get. The same set of idiots will design tanks and subs with picture windows.
  • by Anonymous Coward on Monday March 01, 2010 @09:54PM (#31325800)

    1. You must first find someone using windows who is prone to clicking things without thinking. - ok, I accept that.
    2. Running a vulnerable browser - Still quite common, First security failure
    3. Running windows - Still very plausible
    4. Vulnerable to a privilege escalation exploit - Second security failure
    5. With a network setup that is vulnerable to this kind of thing - Third security failure
    5. Then "accessing" an AD server database - Fourth security failure
    6. To be cracked - ok

    So for this to work you have to have an insecure browser or other userland app that is easily exploitable (Acrobat), an OS with a privilege escalation flaw, a network that will let someone do things they probably shouldn't, and an AD server that is crackable so that you can get at the DB.

    IMHO that is a hell of a lot of failures by the various parties for this to work.

    • by Shikaku (1129753) on Monday March 01, 2010 @10:11PM (#31325898)

      Your boss at work:

      "Why can't I install programs on my own machine, I'm the boss for god's sake!"

      He's admin of his own machine now on his corporate internet. Hilarity ensues.

      • Yeah, but try to push this past a boss' skull.

        Human factor at work. He does not need admin privileges. Even the idea to give him an admin account so he could become admin if he for some reason needs to will get shot down (or simply ignored and the admin account becomes the standard account) because he must not be bothered with that whole "computer crap", it has to "just work".

        If you warn about such scenarios you get belittled as scaredy-cat. That it is your effing job as his CISO to be such a scaredy-cat an

      • Your boss at work:

        "Why can't I install programs on my own machine, I'm the boss for god's sake!"

        If your boss has an iphone then you have them right there.

        As much as I hate them for it, Apple have surely built a good argument for not allowing people complete control of devices they *own* but which they don't 'understand sufficiently well' or 'cannot be trusted' to protect properly.

        I guess... try to get your boss to see you as Steve Jobs. Might not work but probably worth a shot.

        • by rts008 (812749)

          ...try to get your boss to see you as Steve Jobs.

          I don't have any turtle neck sweaters, you insensitive clod!!!

      • by jon3k (691256) on Tuesday March 02, 2010 @12:20AM (#31326682)
        Boss's browser is configured to use a Websense proxy (running on Linux actually, Websense Security Gateway). All traffic blocked at the firewall, only Websense allowed out and only via destination port 80 and port 443 (and other specific allows for certain servers/apps to specific destination networks). Uncategorized sites are blocked in Websense. Cisco Botnet filtering installed on ASAs at the edge. Sourcefire IDS monitoring. Ironport e-mail gateways filtering spam. Trend anti-virus running on everything running Windows.

        And most importantly - constant user training, re-training and reminders.

        I'm sure I missed a few other security components I take for granted but that should be enough to cover it. I work for a medium sized health care company, nothing fancy.
      • by Nazlfrag (1035012)

        Just tell him you have a secret awesome technology that's even better than his work computer that only IT people know about but you know how to get him one for the 'right price'. Put a 007 sticker over the 'eee', a quick netBSD install + matrix desktop theme later and presto! You're 2 grand richer and the boss won't fuck up your toys.

    • Re: (Score:3, Insightful)

      by esocid (946821)
      Have you not ever worked in an office setting? Walk by your sysadmin's dungeon and mention something about clicking a link in some email you got, and sit back and watch the fireworks.

      I can pretty much guarantee you that even in a tech setting, there will even be a handful of those people who still lack common, and/or tech, sense. This is exactly why certain places prevent their employees from installing software, running as admin, running off of flashdrives, or even discs.
    • You just described most of corporate america with your six steps.

      Step #1 is very very plausible. One develops a potential working relationship with the target company and crafts an email to contain an innocuous looking document or link requested by the target. The link/document contains the latest exploit that has not been patched. The email is not suspicious because who would attack a potential business partner after all. It is an exploit that is preferably zero day and not yet in the virus/malware datab
    • by Tracy Reed (3563)

      And you have just described the business network (as opposed to production server network which is of course Linux and by definition far more secure) of pretty much every place I have ever worked.

    • by Sikmaz (686372)

      Point by point:
      #2: Many of the attacks use Zero-day exploits that are not public knowledge.
      #4: See #2
      #5: If you have more than 1400 servers there will be some that are vulnerable and when that happens they get one door they need. Hopefully it is just some departmental webserver so the scope is small but they almost certainly now have at least the first foothold they need to grab some accounts and move from there if they don't have a Zero-day exploit they can use.
      #5 (2nd #5?): What they get is the SAM data

    • A lot of failures, and all of them are at work in most companies.

      Vulnerable browser? A necessity, since most company-internal webpages are geared for IE (sometimes even an ancient version of IE because the adaptation for the quirks of newer versions takes time), and of course programmed by the cheapest idiot who didn't test for any other browser. Let's be happy that it at least works with IE... if only with version 6.

      Vulnerable to priv escalation? A given in most companies. You usually have the cheapest admins

  • Number 5? (Score:4, Interesting)

    by DigiShaman (671371) on Monday March 01, 2010 @10:19PM (#31325960) Homepage

    5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite.

    HOW!!!?? Unless some boneheaded sysadmin granted a user Domain Admin access, I don't see how this is even remotely possible. Someone with just plain Domain User access either authenticates, or doesn't. Is this article suggesting all local user names and passwords from a DC (domain controller) are locally cached prior to authentication?

    • Scenario: Boss has (local) admin privs on his machine. Because he's the boss (no, no sensible explanation following). Boss gets owned, keylogger gets installed. Boss' machine gets fucked up when he installs the latest and greatest must-have-boss-toy for his Blackberry, calls IT and goes to lunch.

      IT comes, logs in with domain admin password...

  • Oldschool (Score:2, Insightful)

    by Anonymous Coward

    This type of social engineering attack has been around for at least 2 decades now. There are many books about it, including Mitnick's.
    Windows exploits, specifically owning a Windows AD network via local privilege escalation, sniffing, buffer under/overflows and dumping hashes from the domain controller, have been around for at least 1 decade, the kind of thing I pulled off in high school.
    All they did here is put together very old puzzle pieces with a little bit of strategy.

    When will people learn to stop using Win

  • And why would being inside China be any different? The whole attack is remote, sounds like it can be done to any network from anywhere in the world. Why would a Chinese office be at higher risk?

  • Packet Filter (Score:5, Informative)

    by nuckfuts (690967) on Monday March 01, 2010 @10:41PM (#31326084)
    If you don't expect/want traffic from China, configure your firewall to block IP addresses assigned to China [okean.com].
  • The initial route of infection for all of the known attacks has been through exploiting flaws in Internet Explorer or Adobe Acrobat using content hosted on external servers.

    My box has no IE, no Acrobat. I even use Skim instead of Preview. Flash is turned off by default in the browsers that I do use. Back when I worked for someone who needed to use Windows, we would delete IIS from the system, just to be careful.

    On the other hand, if it's a skilled, targeted attack, I would expect a custom explorat
  • Asymmetric Warfare (Score:5, Interesting)

    by sp3d2orbit (81173) on Monday March 01, 2010 @10:57PM (#31326178)

    I read a paper about a decade ago (which I found thanks to Slashdot) describing how China would "hypothetically" wage a war against the US and win without firing a shot. I can't find the paper any more, but it was written by four Chinese generals. Over the last decade things have pretty much played out exactly like the paper laid things out: an economic assault, a propaganda assault, and an electronic assault. If anyone knows the paper I would love to see it again -- I think it even got turned into a book.

    One day, long from now, will people wonder why we didn't see the attack coming until it was way too late?

    • by Anonymous Coward on Monday March 01, 2010 @11:19PM (#31326306)

      That paper was this one hosted on Cryptome: Unrestricted Warfare [cryptome.org]
      by Qiao Liang and Wang Xiangsui (Beijing: PLA Literature and Arts Publishing House, February 1999)
      It is translated by the FBIS, the CIA's Foreign Broadcast Information Service, which collects and translates reports from around the globe.

    • Re: (Score:3, Informative)

      by advocate_one (662832)

      Over the last decade things have pretty much played out exactly like the paper laid things out: an economic assault,

      And what's really depressing is our own corporations are falling over backwards (outsourcing production, relocating, sourcing goods from China) to help them, all in the name of short term profit to make the next quarter's numbers look good. There is no level playing field. The Chinese are deliberately polluting their country and ruining their workers' health in order to make their labour and pro

  • by sp3d2orbit (81173) on Monday March 01, 2010 @11:00PM (#31326196)

    The paper says that small and medium sized businesses are often targets and that they rarely have the resources to mitigate the attacks. Seems to me like this is a great reason to move to cloud computing. I would think 99% of businesses would be better off letting Google protect their servers than trying to find a way around these attacks themselves.

    • Woo! Monoculture! (Score:4, Interesting)

      by copponex (13876) on Monday March 01, 2010 @11:25PM (#31326348) Homepage

      I'm sure that doesn't carry any risks!

      But seriously, if Google were evil geniuses, they'd create hundreds of smaller data centers around the US, with different ecosystems of software security and virtualization and ip blocks, and then use them as a raid array to back up each other.

      Damn I wish I had a billion bucks.

  • Oh brother.. (Score:2, Insightful)

    by jav1231 (539129)
    "We went to do business in a communist nation and they attacked our network, attempting to gain access and who knows what!?" As my teenaged daughter used to say, "Uh..Hello! Yeah!?" Which loosely translates to: And you're surprised?
  • Chinese Patience (Score:4, Informative)

    by IonOtter (629215) on Monday March 01, 2010 @11:29PM (#31326370) Homepage

    When I was in the military, we used to shred our secret documents to NSA specs, which is 0.8mm x 4mm. That's about the same width as the "i" in the subject, and about twice as long.

    In 2002, we were informed that this was not small enough, and now had to run the shredded documents through the hammer mill [wikipedia.org], so everything would be reduced to powder.

    They caught some folks rummaging at the local landfill, looking for the trash bags filled with end of week, end of month and end of year destruction.

    Those people had stereo microscopes [wikipedia.org] in their homes and apartments, and were reassembling the documents and crypto tapes, one tiny piece at a time.

    The Chinese have existed as a nation for longer than any other civilization on the face of this planet, and they take the "long view" in such things.

    • Re:Chinese Patience (Score:5, Informative)

      by VendettaMF (629699) on Monday March 01, 2010 @11:44PM (#31326464) Homepage

      > The Chinese have existed as a nation for longer than any other civilization on the face of this planet,
      > and they take the "long view" in such things.

      Thankfully both of these are incorrect to a lesser and greater degree respectively.

      There may have been people living in the areas of land now referred to as China, but any links between historical cultures and thought and the modern morass are purely fictional.

      And as anyone who has done business in/with China can tell you one of the biggest problems inherent to the nation is a complete inability to plan ahead or consider delayed benefits. None of the Chinese businesses I've worked in, nor the government bureaucracy I've suffered through, have ever included any possibility of passing up 10 bucks in their pocket right now in exchange for a thousand tomorrow.

      We're dealing with a cultural mindset that would unhesitatingly slaughter the goose that laid the golden eggs, not in hopes of finding lots of eggs inside (that assumption requires some logical thought and deductive reasoning), but simply to take its feed and head for picking.

      There is no concept of repeat business here. Any supplier who believes they can get away with it will supply a shipment of non-functional crap and pocket the single payment rather than even bother trying to set up monthly deliveries of functional goods.

      The unstable legal system is partly at fault here. There is just no way in this culture to be sure that your products won't be outlawed/super-taxed next week. Money under the mattress is the only surety.

      • by phantomfive (622387) on Tuesday March 02, 2010 @01:16AM (#31326990) Journal

> There is no concept of repeat business here. Any supplier who believes they can get away with it will supply a shipment of non-functional crap and pocket the single payment rather than even bother trying to set up monthly deliveries of functional goods.

        Don't know about China, but I read about one guy in a similar situation in Belgrade, where at the time they sold gasoline for cars in open buckets on the side of the road. Some of the gas was high quality, and others was cheap and could ruin your car. This guy built a relationship with a 'supplier' (who was named Stevo, from Zemun), and paid him extra to make sure he always got him the high quality stuff.

        Same thing in China, if you are willing to establish a good relationship with some suppliers, and make sure they get paid extra for their effort. If you aren't willing to pay extra, if you are stingy and try to wring the last cent out of your supplier, well, you get what you pay for.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Same thing happened when the Iranians overtook the US Embassy in 1979. The students pieced the documents back together looking for identities of CIA informants and the like. An example [gwu.edu] of the reconstructed documents is in the National Security Archive at GWU.

      • Re: (Score:3, Informative)

        by turing_m (1030530)

> Same thing happened when the Iranians overtook the US Embassy in 1979.

The difference was that the Iranians only had to piece together strip cut shredded documents. Not 0.8mm x 4mm (level 6). From what I can tell, this is still the highest standard of shredding used in the USA. To piece that together requires completing a 19k piece jigsaw per page, something I tend to doubt that you are going to do by hand - each page is going to take longer than 30 days for a family to complete. http://www.worldslargestpuzzle [worldslargestpuzzle.com]

  • This problem was SOLVED by Dennis and Van Horn back in the 1960s, it's called capability based security. You can read more here: http://old.nabble.com/On-the-Spread-of-the-Capability-Approach-to5608409.html [nabble.com]

    The concept is simple, every process has a list of capabilities handed to it. It doesn't get to do anything not on the list.

    It would be fairly easy to make sane default lists and still have a very usable computer.
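A toy model of the capability list ("C-list") idea the comment describes, added here as an illustration; it is not code from the commenter, from Dennis and Van Horn's paper, or from any real capability OS. The names (Capability, FileStore, Process) and the file contents are invented. The point it shows, which maps onto steps 2 to 5 of the attack chain in the summary: a compromised browser process that holds only an attenuated (read-only) capability on one document cannot reach a password database by naming its path, because the path is not an authority, only the held capability is.

```python
"""Toy capability-based access control: authority = a held, unforgeable token.

Added example for illustration only. Capability, FileStore and Process are
invented names; the file paths and contents are constructed sample data.
"""
from dataclasses import dataclass, field

READ, WRITE = "read", "write"


@dataclass(frozen=True)
class Capability:
    """(object, rights) pair. Possessing it is the only way to touch `target`."""
    target: str
    rights: frozenset

    def attenuate(self, *keep):
        """Derive a weaker capability (e.g. read-only) to delegate to a less-trusted process."""
        return Capability(self.target, self.rights & frozenset(keep))


class FileStore:
    """The resource manager. It never consults 'who is asking', only the capability presented."""

    def __init__(self, files):
        self._files = dict(files)

    def read(self, cap):
        self._check(cap, READ)
        return self._files[cap.target]

    def write(self, cap, data):
        self._check(cap, WRITE)
        self._files[cap.target] = data

    @staticmethod
    def _check(cap, right):
        if not isinstance(cap, Capability) or right not in cap.rights:
            raise PermissionError(f"{right} not granted by presented capability")


@dataclass
class Process:
    name: str
    caps: list = field(default_factory=list)  # the C-list: everything this process may ever touch

    def run(self, store, action, target, data=None):
        # A process can only designate a resource through a capability it holds;
        # merely knowing the path (as malware does) gives no access at all.
        cap = next((c for c in self.caps if c.target == target), None)
        if cap is None:
            raise PermissionError(f"{self.name}: holds no capability naming {target!r}")
        return store.read(cap) if action == READ else store.write(cap, data)


def demo():
    """Run the scenario and return a dict of outcomes (constructed sample data)."""
    store = FileStore({
        "/home/alice/report.txt": "draft",
        "/srv/dc/ntds.dit": "password hashes",      # the prize in step 5 of the attack chain
    })
    # Alice's shell is handed a read/write capability on her document and nothing else.
    shell = Process("shell", [Capability("/home/alice/report.txt", frozenset({READ, WRITE}))])
    # The browser gets an attenuated, read-only copy; if it is exploited (step 2),
    # the malware inherits exactly this C-list and no ambient authority.
    browser = Process("browser", [shell.caps[0].attenuate(READ)])

    results = {}
    results["shell_write"] = shell.run(store, WRITE, "/home/alice/report.txt", "final") is None
    results["browser_read"] = browser.run(store, READ, "/home/alice/report.txt")
    for label, proc, action, target in [
        ("browser_write", browser, WRITE, "/home/alice/report.txt"),
        ("browser_steal_hashes", browser, READ, "/srv/dc/ntds.dit"),
        ("shell_steal_hashes", shell, READ, "/srv/dc/ntds.dit"),
    ]:
        try:
            proc.run(store, action, target, "tampered")
            results[label] = "allowed"
        except PermissionError:
            results[label] = "denied"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} {v}")
```

The "sane default list" the comment wants is the C-list each process is launched with; the attenuate() call is the mechanism by which a parent hands a child less than it has, which is what a real capability system does when it spawns a browser or a document viewer.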

  • Brace for impact. (Score:3, Informative)

    by dweller_below (136040) on Tuesday March 02, 2010 @12:29AM (#31326742)

    I imagine most of us are saying: "Not a problem. I don't have anything China wants."

    I wish. This is what hacking looks like now. If you haven't noticed, you haven't been paying attention.

We asked ourselves, which 10 computers would cause us the greatest loss if they were compromised. When we took a hard look at their network traffic, we found an otherwise undetectable compromise. It appears to have been in place for at least 3 months. Just patiently listening and waiting.

    You may want to try the same exercise.

Organized crime has demonstrated (http://www.ren-isac.net/alerts/banking-attacks_technical_201001.html) that patient, disciplined attacks yield great monetary rewards.

    The Chinese have demonstrated that patient, disciplined attacks are virtually unstoppable.

    What more could any hacker want?

    The most fragile secret is a successful economic model. Once it gets out, EVERYBODY copies it.

    Learn how to defend yourself if you want to survive.

    Miles

  • Currently I've been attempting to convert my Fedora system from SELinux working in targeted mode to strict mode. I found that numerous programs I'd like to run and that are provided will not work with SELinux without giving them permission to do insecure functions. So far several programs violate SELinux execmem rules when enforced. There is no way for a non-coder to fix this. One problem for a VLSI IDE I want to run is the TK interpreter 'wish'. Most of the others are 3D tools or games.

    I will at some point
