S. Korea Says Cyber Attack From North Wiped 48,700 Machines
wiredmikey writes "An official investigation into a major cyber attack on South Korean banks and broadcasters last month has determined that North Korea's military intelligence agency was responsible. An investigation into access records and the malware used in the attack pointed to the North's military Reconnaissance General Bureau as the source, the Korea Internet and Security Agency (KISA) said on Wednesday. To spread the malware, the attackers went through 49 different places in 10 countries including South Korea, the investigation found. The attacks used malware that can wipe the contents of a computer's hard disk (including Linux machines) and damaged 48,700 machines including PCs, ATMs, and servers."
Civilian cyber-casualties (Score:2, Interesting)
Just makes me wonder what war is turning into. Instead of bombing cities, I can see nations targeting unprotected civilian computers in enemy nations. Massive destruction ensues, even though it's imprecise. In other words: bombing, but without all the mess.
Re:Civilian cyber-casualties (Score:5, Insightful)
But I'm sure most civilians prefer an empty computer rather than being dead...
Re:Civilian cyber-casualties (Score:4, Interesting)
Speaking as a civilian, I'd much rather prefer to both be alive and not have my livelihood threatened, thanks. That's the worst false dichotomy I've heard all week and you should feel bad.
Re: (Score:2, Interesting)
If this is the evolution of war, then war has evolved to something that is distinctly more friendly to humanity.
Your point is that war is bad. Sure it is. But the actual point is this type of war is less bad.
Re: (Score:2, Insightful)
If you're doing proper backups, your livelihood shouldn't be threatened. But there ain't no restoring a dead person from backup.
Re:Civilian cyber-casualties (Score:4, Funny)
albeit in a state not necessarily the same as you were before
Yeah, your timestamp and permissions might be missing.
Re: (Score:2)
I'll also take the wiped hard drive and non working ATM card over the 500 pounder coming through the living room window, thanks.
Re: (Score:2)
And less danger to your own people - no one flying planes or shooting guns.
Re:Civilian cyber-casualties (Score:5, Insightful)
It isn't so much a person's personal PC that is the danger, but of having his bank disrupted, and he can't get money. If food distribution is messed up, if drugs can't be accessed...all this stuff is interconnected.
Let's see what happens when some extremely urban center gets hit, say like NYC...the power goes out, food can't get in/out, and see how long it takes for things to go bad really fast.
Hell, with so many out there living cashless....what are they going to use for payment for things, if that system is down for awhile? That alone would bring a lot of misery, even if you discount the more tragic events I put forth above.
Re:Civilian cyber-casualties (Score:5, Interesting)
Yeah just look at what happened at Royal Bank of Scotland last year. Some people at Ulster Bank (a subsidiary of RBS) where unable to access their account for the best part of a month.
http://en.wikipedia.org/wiki/2012_RBS_computer_system_problems [wikipedia.org]
Now imagine that every bank is in the same situation as RBS along with VISA and Mastercard.
Re:Civilian cyber-casualties (Score:5, Insightful)
I would add that even having cash is no good if the power is out. These days even the till won't open, the scales won't weigh anything and the pumps won't pump the fuel. Heck, even the water in the taps will stop flowing rather quicker than you might imagine without power.
So while I do have emergency cash and both VISA and Mastercard credit cards I am realistic that in the event of a total failure it won't get me that far.
Re: (Score:2)
I keep backups, but if my PC was wiped, there's a certain minimum amount of time before I'm back up and running again.
If you kept doing it, my job would turn into restoring backups instead of programming.
Even if you only get hit once, and then armour your systems against it, your economic activity is diverted away from something that was (presumably..) productive. That might be the difference between being able to compete with your foreign competitors and going under - unscrupulous states would be happy to
Re: (Score:2)
If your livelihood depends on it, then the inconvenience of being too careful isn't really a factor.
Re:Civilian cyber-casualties (Score:4, Interesting)
But I'm sure most civilians prefer an empty computer rather than being dead.
Most civilians are ignorant morons wrt computers. If that empty computer was used to locate (see story yesterday) the poorly secured, net connected SCADA box that controls the spillways of the hydroelectric dam upstream of your place, an empty computer is the least of your worries.
Re: Civilian cyber-casualties (Score:2, Insightful)
Speaking as someone who designs control systems like what you talk about for a living, the chances of that are slim. To penetrate the Iranian centrifuges someone had to first physically infect the computers in the facility (Windows-based PCs) and then a technician had to connect to a separate network that contained the PLCs controlling centrifuges and put a new program on them (the malware then spliced itself into the program while it was downloading). This kind of attack took many years to plan out and coope
Re: (Score:3)
Speaking as someone who designs control systems like what you talk about for a living, the chances of that are slim. To penetrate the Iranian centrifuges ... This kind of attack took [many] years to plan out and cooperation from the company that manufactured the PLCs (Siemens), and it required the tech reprogramming them, which would only happen because the system was still in [its] software infancy.
Yet the result was, it worked. Someone was sufficiently motivated for the long haul to make it happen. I prefer not to underestimate the opposition. Slim chances are a challenge; that's all. We have to be right all the time. They only have to be right once. That story yesterday talked about (tens of|hundreds of) thousands of machines that were trivially unsecured (factory admin username/passwords unchanged & machines networked). It showed that there's oodles of low-hanging fruit with li
Re:Civilian cyber-casualties (Score:4, Insightful)
But I'm sure most civilians prefer an empty computer rather than being dead...
Civilian computers are not the primary target. A military cyber-attack would primarily be focussed on leaving the target area without electrical power, water, transportation (including traffic lights) or communications, with its banking and financial capabilities damaged. Consider, for example, how Iran was targeted. Their nuclear centrifuges were deliberately made to spin "off-key" with the intent that the results would be useless and the centrifuges would be physically ruined.
Obviously, if you can keep everyone busy trying to restore their personal computers and devices at the same time, it's a bonus. That way they're distracted from working on core infrastructure.
Re: (Score:3)
With the number of Bitcoin fanatics currently on Slashdot, I'm sure that there would be at least one person here who would rather be dead than lose their wallet file with a $100,000 worth of cryptocurrency on it :)
Re: (Score:2)
Luckily for us, a crooked nail in a building won't make it explode.
Re: (Score:2)
Call me when they exist.
Ring [bigelowaerospace.com], ring [ussubmarines.com].
Re: (Score:2)
Our infrastructure's and societal functions' dependency on the Internet is grossly underestimated.
Or overstated. That's the other general possibility. Maybe even both.
This is a fact.
Or more accurately, an opinion gussied up as a fact.
Re: (Score:2)
with banking infrastructure, power grids etc. being online and reachable via public internet channels, how is the statement overstates?
So? That doesn't demonstrate vulnerability.
Re: (Score:1)
Kinda reminds me of an old Star Trek episode from the original series. War was just a computer simulation for calculating casualties and then people were sent for disintegration according to the simulation results.
Re: (Score:1)
I see this as, they cost 48 million over a large selection of banks (1000/each machine to repair).
hardly a terrible attack.
Re:Civilian cyber-casualties (Score:5, Interesting)
What I find amazing is that NK is technologically capable of causing that amount of damage both in terms of technology and infrastructure. I didn't believe they'd get enough bandwidth by using the soldiers to manually hand off the packets. I figured they'd be too busy eating grass and tree bark really.
Okay, okay. So I'm only a little kidding. I'm still surprised they had the tech chops to pull that off OR that they were so poorly defended. It could go either way I suppose.
Re: (Score:1)
I assumed they simply had more script kiddies than anonymous not fearing retribution.
Re: (Score:3)
It is pretty clever. Someone linked to an autopsy down further in the thread. I'm kind of surprised though it does look like poor security practices were in place.
Re: (Score:2)
NK is the subject of a lot of Western propaganda. As such, you usually only hear the bad stuff about them. Any tech progress they've made would never be reported in the Western press, of course. So I suspect they're a lot more technologically advanced than most of us realize. It was the same way with the USSR in the 50's. One of the reasons a lot of Americans were so shocked by Sputnik was that they had been hearing for years that the USSR was all gulags and poverty, and had no idea that they were so techno
Re:Civilian cyber-casualties (Score:4, Insightful)
I'm still surprised they had the tech chops to pull that off ...
You can buy tech chops. Cf. Werner von Braun. There's always been plenty of people who're easily persuaded to suppress any sense of morality or ethics that might get in the way of them getting the filthy lucre. Some (WvB again) aren't even after money.
Re: (Score:2)
True, I just don't see them getting out much in order to do so. I am usually the guy that laughs at the conspiracy nuts but I wonder if this is a false flag op or something. I don't really know or anything, it just seems a little off.
Re: (Score:2)
I got curious and am too lazy to go order a book so I fired up a search engine and found this:
http://movies.netflix.com/WiMovie/Camp_14_Total_Control_Zone/70264533?locale=en-US [netflix.com]
I've watched a lot of documentaries and many of them have been about NK. This is one that I haven't seen but I'll watch it tonight. Thank you for bringing the title to my attention though, I appreciate it. I have read a lot of information about NK but I've never read a book about them. Odd I guess. Either way, your mentioning the book
Re:Civilian cyber-casualties (Score:5, Funny)
"I can see nations targeting unprotected civilian computers in enemy nations."
The South should immediately retaliate and wipe all the North's computers, both of them.
Re: (Score:2)
They actually tried, but NK pulled the phone cable out of the modem.
Re: (Score:2)
Both sides should just play StarCraft. South Korea would win easily. ;)
The Scoop (Score:5, Informative)
Re:The Scoop (Score:5, Informative)
more accurately, it checks for parameters of any ssh connection *with root privileges*. everyone see the problem there? every owner of every machine that fell to the n. korean attack richly deserved what they got. piss poor security will bite one in the ass.
Re:The Scoop (Score:5, Insightful)
more accurately, it checks for parameters of any ssh connection *with root privileges*. everyone see the problem there? every owner of every machine that fell to the n. korean attack richly deserved what they got. piss poor security will bite one in the ass.
People with poor security do not *deserve* an attack.
Re: (Score:2)
If, for example, you have some data that is only accessible by typing in a URL--ie. you don't have a link to it--is someone "hacking" if they access it?
In other words, the analogy with physical security is a false one.
Re: (Score:2)
If, for example, you have some data that is only accessible by typing in a URL--ie. you don't have a link to it--is someone "hacking" if they access it?
In other words, the analogy with physical security is a false one.
Re: (Score:2)
If, for example, you have some data that is only accessible by typing in a URL--ie. you don't have a link to it--is someone "hacking" if they access it?
In other words, the analogy with rape is a false one.
Re:The Scoop (Score:4, Informative)
Yup, this is why you should only accept standard user logins, let them use sudo if they need to administer the box.
Re: (Score:2)
Faulty logic. Poor administration of the software does not make the software poor, it makes the administration of the software poor. Just like people that load Linux and surf pr0n as "root" does not make Linux poor, it makes users foolish.
Many admins with your attitude believe that root ssh keys are more secure than Sudo as well. The logic is extremely bad.
I won't discount that people need to be trained in software like Sudo. I have spent 25+ years working in the business, the majority of that in secure
Re: (Score:2)
Really nasty, if you run it as root. How do they escalate their privileges?
Re: (Score:3)
Not possible. Toot is the same as full access to everything - root has no access restrictions whatsoever. Being root is being god on that computer.
Thus no one sane accepts ssh to root.
Toot login (Score:1)
The advantage of a toot login vs root is that it uses a double olfactory authentication. Plus it just feels good.
Re: (Score:3)
Not possible. Toot is the same as full access to everything - root has no access restrictions whatsoever. Being root is being god on that computer.
Thus no one sane accepts ssh to root.
While it's rarely possible to login directly as root via ssh on current *n*x systems, it is common to be able to elevate oneself once logged in as an ordinary user. Otherwise remote administration would not be possible.
Conversely, root is not god if you have selinux switched on. Still immensely powerful, but not god.
Re: (Score:3)
Evidently, mRemote is orphanware [royalts.com], although it appears it was forked into mRemoteNG [mremoteng.org]. Sets up an interesting idea - what if mRemote was just a way to set up access to non-Windows systems from malware that first exploits one of the seemingly-endless entry points into Windows.
Re: (Score:2)
Am I mistaken or does this mRemote application store passwords in the clear? That's just plain nuts!
backups (Score:1)
People, N. Korea has declared war. Time to make a backup...
Re: (Score:3)
NK waged war in 1950. What they just did was declare... Never mind, you've ignored history and current events until this point so I'll leave you with this [lmgtfy.com].
Think of all of the StarCraft hours lost! (Score:5, Funny)
Just think about all of those hours lost playing StarCraft.
In other news, the entire population of South Korea is now looking for that 1 StarCraft CD so they can install it on all their machines again.
Re: (Score:2)
It runs in Windows. They've likely had to reformat lately so the disks should be easy to find.
"PermitRootLogin yes" fixes it .. or not (Score:4, Interesting)
If I understand correctly (do I?) the way it attacked Linux systems was that some people use a ssh client, where they literally have a preference or setting stored, for logging into the Linux machine as root. User clicks something (which does the equivalent of "ssh root@whatever" and the software automatically supplies a key or passphrase) and the next thing they see is a root bash prompt. Wow.
If that's right, then assuming your Linux machines still have "PermitRootLogin no" in /etc/ssh/sshd_config, your setup isn't compatible with this malware. You'll need an updated version of this malware.
All machines should have "PermitRootLogin no" and if yours doesn't, you're doing something very very strange. Maybe you should go check that, right now. It'll take .. seconds.
That said, things still aren't very rosy. Presumably the user of this ssh client would also have non-root passwords or keys stored too, to get non-root access. But how many of us usually login as a user with some sudoers powers? And how many of us have a very lazy sudoers configuration, where you're literally allowed to just do "sudo -s" and get a root shell, by only having to type in your password again?
So my earlier "joke" about you needing an updated version of malware, might not really be all that much of a joke.
Tighten up your sudoers file if you can. And whether you can or not, have ssh use key authentication instead of password authentication, so that no remote clients can, or need to, have your password stored in them.
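The two checks this post (and the "only accept standard user logins, let them use sudo" replies under "The Scoop" above) recommend, as an added example that is not code from the thread or from any poster: a small POSIX shell audit of the effective PermitRootLogin value in an sshd_config and of sudoers rules whose command list is ALL, i.e. the ones that make "sudo -s" work. Both sample files are constructed inline so it runs offline; on a real host point the functions at /etc/ssh/sshd_config and /etc/sudoers, and treat `sshd -T` and `sudo -l -U <user>` as the authoritative answers, since both parsers here are line-based approximations.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits the two settings discussed
# above: the effective PermitRootLogin in an sshd_config, and sudoers rules
# whose command list is ALL (so "sudo -s" hands out a root shell), with or
# without a password. Both parsers are line-based approximations; on a real
# host "sshd -T" and "sudo -l -U <user>" are the authoritative answers.

# sshd keeps the FIRST value it sees for a keyword in the global section, and a
# PermitRootLogin inside a Match block applies only to that block, so parsing
# stops at the first Match line. "unset" means the compiled-in default applies
# ("yes" before OpenSSH 7.0, "prohibit-password" from 7.0 on).
permit_root_login() {         # $1 = path to sshd_config
    awk '
        { gsub(/=/, " ") }                      # accept "keyword=value" too
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" && !done { print tolower($2); done = 1 }
        END { if (!done) print "unset" }
    ' "$1"
}

# Rules that grant an unrestricted command list. Prints "<user> <host> <tag>".
# Comments (including "#includedir"), @include lines, Defaults and alias
# definitions are skipped; included files are not followed.
sudoers_shell_grants() {      # $1 = path to a sudoers file
    awk '
        /^[ \t]*(#|@|Defaults)/ { next }
        /^[ \t]*[A-Za-z_]*_Alias/ { next }
        index($0, "=") == 0 { next }
        {
            spec = substr($0, 1, index($0, "=") - 1)
            cmds = substr($0, index($0, "=") + 1)
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", cmds)   # drop the "(runas)" list
            tag = (cmds ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
            gsub(/[A-Z]+:/, "", cmds)                 # drop NOPASSWD:/SETENV: tags
            gsub(/[ \t]/, "", cmds)
            gsub(/[ \t]+/, " ", spec); sub(/^ /, "", spec); sub(/ $/, "", spec)
            if (cmds == "ALL") print spec, tag
        }
    ' "$1"
}

SSHD_WEAK=$(mktemp); SSHD_HARD=$(mktemp); SUDOERS=$(mktemp)
trap 'rm -f "$SSHD_WEAK" "$SSHD_HARD" "$SUDOERS"' EXIT

# Constructed sample: the setting the attack relies on, plus a Match block
# that does NOT change the global answer.
cat >"$SSHD_WEAK" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
EOF

# Constructed sample: hardened, with a later duplicate that sshd ignores
# because the first value wins.
cat >"$SSHD_HARD" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PermitRootLogin yes
EOF

# Constructed sample sudoers: two password-gated root shells, one NOPASSWD
# root shell, and one properly scoped rule.
cat >"$SUDOERS" <<'EOF'
Defaults        env_reset
Cmnd_Alias      SERVICES = /usr/bin/systemctl
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
bob     ALL=(root) /usr/bin/systemctl restart nginx
#includedir /etc/sudoers.d
EOF

echo "weak sshd_config:     PermitRootLogin $(permit_root_login "$SSHD_WEAK")"
echo "hardened sshd_config: PermitRootLogin $(permit_root_login "$SSHD_HARD")"
echo "sudoers rules granting a root shell:"
sudoers_shell_grants "$SUDOERS" | sed 's/^/  /'
```

The weak sample reports "yes" and the hardened one "no"; the sudoers scan lists root, %sudo and alice, with alice flagged NOPASSWD, and leaves bob alone. A NOPASSWD rule is exactly the "lazy sudoers" case the post describes: once the ssh client's stored key gets an attacker a shell as alice, nothing further is asked before "sudo -s".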
Subject line error (Score:2)
Of course I mean "PermitRootLogin no" fixes it .. or rather, might not really fix it.
Re: (Score:2)
Hmm.. just looked on my home Linux box I recently set up to play with.... by default, with OpenSSH... it appears that is set to yes by default.
Just changed that and rebooted.
Re: (Score:2)
> Why reboot? All you need is
> # service sshd restart
For the non-RedHatters in the audience, it's...
# /etc/init.d/sshd restart
Re: (Score:2)
And exactly how does key authentication stop the malware logging onto remote machines? Clue: it does not. Even if I ditched key based authentication as well and kerberized everything in sight that would still not help, because presumably I have a valid Kerberos ticket when I log on...
The only solution is to stop being lazy and require a password every time you log into a remote machine and/or to run anything under sudo require a password.
Re: (Score:3)
It doesn't. What it would stop, is the malware (once logged in) having an easy-to-guess sudo password. sudo doesn't care if you know the ssh key and are therefore allowed to log in; it wants a password (not an ssh key) before it'll let you rm -rf /.
Re:"PermitRootLogin yes" fixes it .. or not (Score:4, Informative)
Even that doesn't do much. If the attacker has control of your user account and your user account can create pseudo terminals (and if you can't create pseudo terminals then you can't use anything like xterm or screen) then they can easily change your bash profile to add a directory under your homedir to the path. Then add malicious su and sudo wrappers in there which record the credentials.
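Two checks for the wrapper trick this comment describes, as an added example that is not the commenter's or the thread's code: a scan of PATH, in lookup order, for user-writable directories holding a file named su, sudo or ssh, and a listing of the lines in a shell rc file that assign PATH. The home directory, the placeholder wrapper and the sample .bashrc are all constructed in a temp directory so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks for the wrapper trick
# described above: a user-writable directory ahead of /usr/bin in PATH that
# holds a file named like a credential-prompting tool, and rc-file lines that
# push such a directory to the front of PATH.

# Print "<dir> <tool>" for each PATH entry, in lookup order, that is writable
# by the current user and contains su, sudo or ssh. An empty PATH element means
# the current directory, so it is checked as ".". Run this as the user whose
# shell is being examined: as root every directory is writable and the
# result says nothing.
shadowed_tools() {            # $1 = PATH string to inspect
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        [ -z "$d" ] && d=.
        [ -d "$d" ] && [ -w "$d" ] || continue
        for tool in su sudo ssh; do
            if [ -f "$d/$tool" ]; then printf '%s %s\n' "$d" "$tool"; fi
        done
    done
}

# Non-comment lines in a shell rc file that assign PATH (with line numbers).
# An attacker who owns the account needs only one of these to put a wrapper
# directory in front of the system ones, so each deserves a look.
rc_path_edits() {             # $1 = rc file, e.g. ~/.bashrc or ~/.profile
    grep -n 'PATH=' "$1" | grep -v '^[0-9]*:[[:space:]]*#' || true
}

TOP=$(mktemp -d); trap 'rm -rf "$TOP"' EXIT
mkdir -p "$TOP/home/.local/bin" "$TOP/empty"
: >"$TOP/home/.local/bin/sudo"      # constructed placeholder standing in for a wrapper
cat >"$TOP/home/.bashrc" <<'EOF'
# constructed sample ~/.bashrc
export PATH="$HOME/.local/bin:$PATH"
# export PATH="$PATH:/opt/tools/bin"
EOF
VICTIM_PATH="$TOP/home/.local/bin:/usr/local/bin:/usr/bin:/bin"

echo "tools shadowed by writable PATH entries:"
shadowed_tools "$VICTIM_PATH"
echo "PATH assignments in ~/.bashrc:"
rc_path_edits "$TOP/home/.bashrc"
echo "sudo currently resolves to: $(command -v sudo 2>/dev/null || echo '(not installed)')"
```

The scan reports the placeholder sudo in the writable ~/.local/bin, which sits before /usr/bin in the constructed PATH, and the rc-file check turns up the one live line that put it there (the commented-out line is ignored). The `command -v sudo` line is the quick manual version of the same question: if it prints anything other than /usr/bin/sudo or /bin/sudo, find out why before typing a password.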
Also: PermitRootLogin without-password (key only) (Score:2)
Re: (Score:2)
None of which helps if you have a piece of software storing all the credentials you need to log onto a remote machine.
Yes it does (Score:2)
None of which helps if you have a piece of software storing all the credentials you need to log onto a remote machine.
If you follow my suggestion and use command="", it certainly DOES help that that login can only run "startbackup" and nothing else.
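The restriction this reply refers to, as an added example that is not the poster's or the thread's code: an authorized_keys entry with command= and the no-* options, a forced-command gate that refuses everything except the one job that key is for, and a check for keys in an authorized_keys file that carry no such restriction. The key blobs are constructed placeholders, not real keys, and /usr/local/bin/startbackup and the hostnames are assumed names.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows the authorized_keys
# restriction referred to above (command="..." plus the no-* options), a
# forced-command gate that honours it, and an audit for keys without it.

# Build an authorized_keys line that can only ever run $1, whatever the client
# asks for. The no-* options close the other channels (pty, port forwarding,
# agent forwarding, X11); on OpenSSH 7.2+ the single "restrict" option covers
# all of them and is the better choice.
restricted_key_line() {       # $1 = forced command, $2 = public key line
    printf 'command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# Gate for the forced command. sshd runs the command= program instead of
# whatever the client requested and exposes the request as
# SSH_ORIGINAL_COMMAND; only the exact string "startbackup" is honoured, so a
# stolen key cannot be turned into a shell or an "rm -rf /". $1 stands in for
# $SSH_ORIGINAL_COMMAND so the logic can be exercised directly.
forced_command_gate() {
    case "$1" in
        startbackup) echo "running backup"; return 0 ;;
        *)           echo "refused: ${1:-<empty>}" >&2; return 1 ;;
    esac
}

# Keys in an authorized_keys file with no command= restriction; prints the
# comment (last field) of each so the owner can be identified.
unrestricted_keys() {         # $1 = authorized_keys file
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | grep -v 'command="' | awk '{ print $NF }' || true
}

# Constructed placeholder keys: the blobs are not real key material.
KEY_BACKUP='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderNotARealKey0000000 backup@nas'
KEY_ALICE='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderNotARealKey1111111 alice@laptop'
AK=$(mktemp); trap 'rm -f "$AK"' EXIT
{
    echo "# constructed sample authorized_keys"
    restricted_key_line /usr/local/bin/startbackup "$KEY_BACKUP"
    echo "$KEY_ALICE"
} >"$AK"

echo "keys with no forced command:"; unrestricted_keys "$AK"
echo "client asked for 'startbackup':"; forced_command_gate startbackup
echo "client asked for a shell:"; forced_command_gate "bash -i" || true
```

Only alice@laptop shows up as unrestricted: that is the key a credential-hoarding ssh client would hand an attacker a full login with, while the backup key, even if stolen from the same client, can do nothing but start the backup.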
Scruffy-looking bot herders (Score:2)
I'm surprised they opted to wipe the compromised machines. North Korea has a long history of earning hard-currency funds through illicit activity (counterfeiting, drug-smuggling, etc). By wiping their targets, they've lost the possibility of using them to turn a fraudulent profit.
Probably means someone over there needed a short-term propaganda coup for internal political reasons.
Problem fixes itself (Score:5, Interesting)
Re: (Score:2)
Indeed, if mere destruction was their aim, they succeeded. But beyond taking out the vulnerable machines, if this attack has left enough of a cultural impact, it may have instilled a greater vigilance among South Koreans, such that not only will the [presumably] reinstalled machines be fully patched and secured, but the defenses of the still-standing machines will be shored up higher in the future.
If a large enough amount of computers in my city were wiped, it would make the news, people would be talking a
Re: (Score:2)
Destructive malware stopped being common simply because it is more profitable to keep the machine compromised. (And perhaps because with the death of DOS and Win9x, destruction became harder to do.) Unless you are a government or other political entity, most hacking is done for money or for lulz. For governments and terrorist organizations, destruction is still a valid goal.
I felt a disturbance in the force (Score:2)
I felt a disturbance in the force. As if thousands of Korean Starcraft characters all cried out at once then were deleted.
thanks, rkhunter (Score:2)
Interestingly, I just started playing with Rootkit Hunter a couple of weeks back, and it complained when it saw "PermitRootLogin yes".
Since I didn't know that existed, it was either set that way by the very popular distribution I'm using OR (unlikely) by an external force. I'm sure no expert, but allowing login as root via SSH just didn't sound like a good idea. Maybe it's all those 'Security Now' episodes.
Re:victims deserved it (Score:4, Insightful)
victims deserved it
Uh huh. And if NK decides to shell another island or sink another boat, it will be entirely SK's fault for not making a powerful magic force field that can deflect artillery shells and torpedoes. Victims are always to blame, because they definitely cause their attackers to attack them, because of their weakness, right?
What, is your junior high school out on lunch break right now? Go outside and get some exercise, and quit wasting time building up an interior justification for the future bad shit you're going to do to other people when you get your own computer and stuff.
Re:victims deserved it (Score:4, Insightful)
logic fails you. these cyber attacks are preventable by proper security practices - the internet is a hostile place and there is no excuse for laziness in security by IT people. Do you keep your money stacked on the sidewalk in front of your house overnight, or do you make some effort to keep thieves from easily snatching it? your attitude is the problem we in IT face
Re: (Score:2)
the internet is a hostile place
And it's the victims' fault that it is a hostile place, right? The people actually acting out the hostility are never to blame, because that might hurt their feelings, I guess.
Re: (Score:2, Insightful)
victims deserved it
Uh huh. And if NK decides to shell another island or sink another boat, it will be entirely SK's fault for not making a powerful magic force field that can deflect artillery shells and torpedoes. Victims are always to blame, because they definitely cause their attackers to attack them, because of their weakness, right?
And people who leave the logins set to the factory default account=Admin, password=1234, aren't to blame, either.
Nonetheless, they will provide examples that we may call "Natural Selection At Work".
Re: (Score:2)
It will, indeed, if they were able to make that powerful magic force field AND they did not enable it.
So SK is not the victim of an attack if NK launches a missile and it bounces off SK's magic shield. And SK is at fault for the attack if NK's missile isn't stopped by SK's defenses. But NK is not at fault for launching the missile in the first place. Are you even listening to yourself?
Re: (Score:2)
Where do you get the idea that only one party can be at fault?
Because nobody is talking about attacking NK, while NK talks non-stop about attacking everybody else. And people here are pre-emptively saying that it's SK's fault ... not for being some degree of able or not to deflect attacks, but SK's fault for being attacked in the first place
Your analogy makes no sense. What mine is it that you think SK is stepping on, exactly? Are you actually persuaded by NK's rhetoric, and think that the very existence of SK as a non-communist, non-totalitarian state is grounds
So your house is surrounded by razor wire, thief? (Score:2)
sildur, your house must be surrounded by razor wire, and you've replaced all those nice breakable windows in your house and car with solid steel, right?
You COULD do those things to protect yourself, so if you don't do the
Re: (Score:2)
Most likely you fail at logic forever
Why, because he pointed out the truth?
victim deserves it == perpetrator is innocent
If the victim deserves it, then you mean that they are morally culpable. Which can only mean that the other party - which is solely responsible for taking the action in question, and absent taking that action nothing would happen - is morally in the right in taking that action.
Your own weasel words ("most likely" on a matter of logic?) show you're just another spineless moral relativist.
Re: (Score:2)
Yay, ain't it nice living in a binary world? Black and white's all we need.
Asserting that SK deserves being attacked is exactly such a binary position. They either do deserve to be attacked, or they do not. Tap-dancing around that is just BS.
Re: (Score:2)
lazy and stupid IT people, whose jobs are to at least adhere to minimal security practices, deserve to reap the rewards of their negligence. as do the people who hire and manage them.
Re: (Score:2)
Wonder if North Korea was the original target, and the malware leaked out into the wild...
Re: (Score:3)
Wonder if North Korea was the original target, and the malware leaked out into the wild.
I wonder if the miscreant just used NK to carry out the attack, in order to incriminate them. I'm lookin' at you, CIA. I must say I'm also a bit surprised to learn that NK allows any connection to the net outside its borders, especially to SK (the enemy).
Re: (Score:3)
I will never think of the word "norks" quite the same again.
Re: (Score:3, Funny)
Have you audited all your rice's genes? A leaked Monsanto report said most versions have a buffer-overflow bug somewhere in chromosome 6, but they didn't say exactly where. Unless North Korea buys their seed rice from Theo De Raadt...
Re: (Score:2)
Audit *all* genes? That is like asking someone to determine if a database has hidden data when all you can do is use a SELECT statement. In other words, you aren't going to find anything bad unless you know what to look for.
Yes, I know I'm completely missing the point of the comment.
Re: (Score:3)
If you think my comment actually had a point, then you missed the point. :-)