
Aurora Attack — Resistance Is Futile, Pretty Much

kdawson posted more than 3 years ago | from the big-leagues dept.

Security 268

eldavojohn writes "Do you have branch offices in China? iSec has published a new report (PDF) outlining the severity of the attacks on Google.cn, allegedly by the Chinese government, dubbed 'Aurora' attacks. Up to 100 companies were victims, and some are speculating that resistance to such attacks is futile. The report lays out the shape of the attacks — which were customized per-company based on installed vulnerable software and antivirus protection: '1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website. 2. This website uses a browser vulnerability to load custom malware on the initial victim's machine. 3. The malware calls out to a control server, likely identified by a dynamic DNS address. 4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials. 5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite. 6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server. 7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.' The report also has pages of recommendations as well as lessons learned, which any systems administrator — even those inside the US — should read and take note of."
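Two of the seven steps in the chain quoted above leave traces a defender can look for without knowing the attacker's custom malware: step 3 (the implant resolving a dynamic-DNS name to find its control server) and step 6 (a fake user created on the VPN server and used almost immediately). The following is an added example, not code from iSec's report; the log line format, the sample log lines and the dynamic-DNS suffix watchlist are all constructed assumptions.

```python
"""Detection sketch for two steps of the Aurora chain: repeated lookups of a
dynamic-DNS name from one host (step 3) and VPN accounts whose first login follows
their creation within a short window (step 6). Added example, not iSec's code."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed watchlist of free dynamic-DNS suffixes; a real deployment loads its own list.
DYNAMIC_DNS_SUFFIXES = ("no-ip.org", "dyndns.org")

# Constructed sample logs in an assumed "TIMESTAMP source event key=value ..." format.
SAMPLE_LOGS = """\
2010-03-01T09:00:05 dns query src=10.1.5.23 qname=www.example.com
2010-03-01T09:02:11 dns query src=10.1.5.23 qname=upd-srv.no-ip.org
2010-03-01T09:12:11 dns query src=10.1.5.23 qname=upd-srv.no-ip.org
2010-03-01T09:22:12 dns query src=10.1.5.23 qname=upd-srv.no-ip.org
2010-03-01T09:30:00 dns query src=10.1.5.99 qname=home-cam.dyndns.org
2010-02-26T08:00:00 vpn useradd user=jsmith by=helpdesk
2010-03-01T10:15:00 vpn useradd user=svc_backup by=admin
2010-03-01T10:22:40 vpn login user=svc_backup src=203.0.113.7 result=success
2010-03-01T11:00:00 vpn login user=jsmith src=198.51.100.9 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+)(?P<rest>.*)$")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m.group("ts")),
           "source": m.group("source"), "event": m.group("event")}
    for key, value in re.findall(r"(\w+)=(\S+)", m.group("rest")):
        rec[key] = value
    return rec


def parse_logs(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def is_dynamic_dns(name, suffixes=DYNAMIC_DNS_SUFFIXES):
    """True when `name` is, or sits under, one of the watchlisted suffixes."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_ddns_beacons(records, min_queries=3):
    """Return (src, qname, count) for hosts that repeatedly resolve a dynamic-DNS name.
    Repetition is the signal: one lookup is often benign, periodic lookups of the same
    name from the same host look like an implant polling for its control server."""
    counts = Counter((r["src"], r["qname"]) for r in records
                     if r["source"] == "dns" and r["event"] == "query"
                     and is_dynamic_dns(r["qname"]))
    return sorted((src, q, n) for (src, q), n in counts.items() if n >= min_queries)


def find_fast_vpn_accounts(records, window=timedelta(hours=24)):
    """Return (user, created_by, minutes_to_first_login) for VPN accounts whose first
    successful login comes within `window` of the account being created."""
    created, first_login = {}, {}
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["source"] != "vpn":
            continue
        if r["event"] == "useradd":
            created[r["user"]] = r
        elif r["event"] == "login" and r.get("result") == "success":
            first_login.setdefault(r["user"], r)
    hits = []
    for user, add in created.items():
        login = first_login.get(user)
        if login and timedelta(0) <= login["ts"] - add["ts"] <= window:
            minutes = int((login["ts"] - add["ts"]).total_seconds() // 60)
            hits.append((user, add["by"], minutes))
    return hits


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print("dynamic-DNS beacons:", find_ddns_beacons(recs))
    print("VPN accounts used right after creation:", find_fast_vpn_accounts(recs))
```

On the constructed sample, only the host polling the same no-ip name three times and the `svc_backup` account logged into seven minutes after creation are flagged; the single dyndns lookup and the account created days earlier are not.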


268 comments


Who clicked on the PDF? (5, Insightful)

symbolset (646467) | more than 3 years ago | (#31325638)

Major attack vector: Acrobat Reader. Security company publishes intrusion analysis in pdf format. If you clicked it, you may be part of the problem.

Re:Who clicked on the PDF? (2, Funny)

Anonymous Coward | more than 3 years ago | (#31325682)

Target corporation: Unemployed geeks in their mothers' basements.

Damn. This attack is going to wipe the IT industry out...

Re:Who clicked on the PDF? (5, Informative)

biryokumaru (822262) | more than 3 years ago | (#31325698)

Major attack preventer: Google docs PDF reader [google.com] .

How do we know THAT isn't compromised? (1, Insightful)

Anonymous Coward | more than 3 years ago | (#31325820)

For all we know, the Chinese agent who hacked google.cn may have uploaded a trojan pdf reader extension.

Re:How do we know THAT isn't compromised? (4, Funny)

Anonymous Coward | more than 3 years ago | (#31326172)

in china, trojans are small. Because they have small dicks.

Re:How do we know THAT isn't compromised? (1)

jav1231 (539129) | more than 3 years ago | (#31326314)

That is so wrong!!!!!
Yes...I laughed...

Re:Who clicked on the PDF? (2, Informative)

EvanED (569694) | more than 3 years ago | (#31325752)

Major attack vector: Acrobat Reader. Security company publishes intrusion analysis in pdf format. If you clicked it, you may be part of the problem.

This is Slashdot. Who clicks on the article links?

On a serious note, the Link Alert [mozilla.org] extension for Firefox will put an icon following links that go to a PDF file. (I know that the /. editors kindly put "(PDF)" after it, but to be honest I tuned it out, and if I felt like reading TFA would have just clicked.)

Re:Who clicked on the PDF? (5, Insightful)

PsychoSlashDot (207849) | more than 3 years ago | (#31325786)

Absolutely. It's kind of funny because it was over five years ago that Microsoft "got it" and started reducing the attack surface in their operating systems. Non-essential services were disabled by default for instance.

Now, in 2010 the web experience "requires" a browser, Flash, Adobe Reader, Java run-time, and potentially a slew of other plug-ins. Everything from WinZip to the Google Toolbar has a service running in the background to update it periodically, and there's a push for unrelated shit to be bundled with what we try to install. Download managers are becoming increasingly the norm, with Adobe burying their direct link to Reader and Flash one link further from the "Click Here to Download" link the same week they patched an exploit in it.

We need to re-think how we compute. Less is more. Pick a standard such as HTML5 and stick to it. No plugins. (Beyond page-agnostic browser functionality add-ons like Ad-Block Plus.) No background services, no download managers, no web-extending formats. If a stock browser less than three years old can't render it, it isn't the web. If it isn't the web, we don't code for it. JPG, PNG, and a handful of standardized other formats can be direct linked-to.

That's not the panacea... it won't solve it all. But going the way we're going is the wrong direction. Let's try less crap on our machines that might be vulnerable.

Re:Who clicked on the PDF? (0)

Anonymous Coward | more than 3 years ago | (#31325862)

MS has yet to seriously get it. IE with all patches STILL GETS OWNED without the user needing to click on anything. Just load up an attack page and poof.

Re:Who clicked on the PDF? (1, Informative)

Anonymous Coward | more than 3 years ago | (#31325982)

Please provide evidence. Not in the form of an attack page, obviously, but a cite.

Re:Who clicked on the PDF? (1)

Adriax (746043) | more than 3 years ago | (#31326408)

We're averaging about 2 a week so far this year at work, mostly vundo but some koobface and others just identified as generic trojans. I have verified via their histories that the only pages visited were major news, weather, and portal sites (fox news, msn, cnn, weather.com, they skim the articles without heading off to other sites).
350 person government office with all microsoft updates pushed to clients after a 1 week research period, and Symantec with latest definitions enforced on all clients via login scripts.

Unfortunately for us we are forced to use IE for a couple required pages, though I am working on getting a suitable deployment of firefox ready with IEtab and adblock plus preinstalled.

Re:Who clicked on the PDF? (1)

symbolset (646467) | more than 3 years ago | (#31325950)

It's kind of funny because it was over five years ago that Microsoft "got it" and started reducing the attack surface in their operating systems.

Practicing your Monologue on Slashdot, Jay? You know normal people aren't going to get this joke.

Non-essential services were disabled by default for instance.

Stop it! You're killing me!

Re:Who clicked on the PDF? (1)

adolf (21054) | more than 3 years ago | (#31326048)

You left out GIF. The patents are expired, and it is a free standard.

[Yes, I know that PNG does the same things as GIF, only better. Except, that it can't do animations. And simple animations, though often annoying, can be very useful, especially in a world like you suggest in which Flash does not exist. See? [wikipedia.org] And though HTML5 + Ogg Theora fills some of the gap, lossy compression [wikipedia.org] like that sucks for technical drawings, whereas lossless formats can do very well. Of course, there's MNG, which is similar to PNG but with animations in mind...which is cool and all, except nobody uses it [wikipedia.org] .)

Re:Who clicked on the PDF? (0)

Anonymous Coward | more than 3 years ago | (#31326070)

I'd go further. We need a new paradigm in computing.

We assume the CPU is safe. We assume the OS is safe. We assume installed software is safe.

Why do we carry on with those assumptions, when they are plainly false? Why not design and engineer future CPUs, OSs and software assuming they are unsafe?

Re:Who clicked on the PDF? (0, Offtopic)

fast turtle (1118037) | more than 3 years ago | (#31326088)

They're already working on it. It's called Palladium (Trusted Computing Platform). In other words: it's WebTV all over again.

Re:Who clicked on the PDF? (1, Interesting)

Anonymous Coward | more than 3 years ago | (#31326296)

I don't have a service for every thing I've installed to update it, because, like any decent OS, the system package manager handles all that in one central, elegant, secure, and user-friendly system called 'apt'.

Practice safe computing. Use a 'buntu.

I use a Mac (1)

ridgecritter (934252) | more than 3 years ago | (#31326400)

with Preview as my pdf reader. I never use Acrobat. Does that move me out of the sight picture for this type of attack?

Sounds like resistance is easy. (3, Insightful)

Kludge (13653) | more than 3 years ago | (#31325664)

Just don't use MS Windows.

Re:Sounds like resistance is easy. (5, Insightful)

Wingman 5 (551897) | more than 3 years ago | (#31325680)

Yea, because there is no way to get rootkited or other vulnerabilities on a Linux system.

Hey, I wonder where the term "rootkit" originated?

Re:Sounds like resistance is easy. (4, Insightful)

sopssa (1498795) | more than 3 years ago | (#31325718)

This is especially true because these are highly targeted attacks. Unlike other malware, these don't go where the majority of users are - they go against what the target company is using and have a reason to spend the extra time on it.

Re:Sounds like resistance is easy. (1)

MichaelSmith (789609) | more than 3 years ago | (#31325762)

But it sounds like the attackers were able to make assumptions about the target information systems by using knowledge of standard IS practices. Avoiding those practices may introduce a handy layer of obscurity.

Insisting on crypto all the way to the clients may help as well.

Re:Sounds like resistance is easy. (3, Insightful)

bersl2 (689221) | more than 3 years ago | (#31325836)

Don't think of it as obscurity. Think of it more as diversity.

Re:Sounds like resistance is easy. (1)

Runaway1956 (1322357) | more than 3 years ago | (#31326238)

Yes, BUT - what are the primary vectors again? Adobe stands head and shoulders above the crowd of other vectors. What Adobe do you find on the average *nix machine? Of my machines, two have Adobe Flash - the others have Gnash. Given just a little more motivation to move away from Adobe completely, I would rip their Flash programs out of the two machines that run it now.

Admittedly, Adobe runs in some places that Gnash doesn't do so well on - but do I really NEED flash to watch something on Youtube? Of course not. I can download the video, convert it, and watch it in VLC, Mplayer, or any number of other applications - none of which have been shown to be serious attack vectors.

Go ahead - root me. What are you waiting for? You want the details of my operating system? HA! I'm not that easy to social engineer!

Re:Sounds like resistance is easy. (2, Insightful)

Wingman 5 (551897) | more than 3 years ago | (#31326316)

Go ahead - root me. What are you waiting for? You want the details of my operating system? HA! I'm not that easy to social engineer!

That's why I don't root you, I root your receptionist to get the proverbial foot in the door. "Hi this is John from IT, we found a virus on your workstation I just emailed you the program to remove it, just open it and it will solve the issue"

Re:Sounds like resistance is easy. (0)

sumdumass (711423) | more than 3 years ago | (#31326260)

I'm not sure there is a situation of a Linux web browser vulnerability that allows malicious websites to install software that will allow the attacker to gain access and escalate privileges.

Sure, rootkits are a real threat but the ease of this operation wouldn't have been there would it? I mean if all I have to do to get a foot in the door is to create a malicious website and provoke someone into visiting it, it's a little easier than gaining access to the machines in the first place and installing software undetected.

Of course all this goes out the window if they tricked someone into opening an Email attachment saying "I love you" or something. Well, MS has even fixed that problem but you get the general idea, trick the user into running a program of some sort. However, most Linux servers do not run users in the traditional sense... Maybe I'm just naive or something, but it doesn't seem as easy with Linux and the Futile part would not have been mentioned without windows server being part of the mix.

Re:Sounds like resistance is easy. (0)

Anonymous Coward | more than 3 years ago | (#31326280)

No, you're wrong, it all started with Zuse Z3 back in 1941 Germany :P

Re:Sounds like resistance is easy. (2, Informative)

phantomfive (622387) | more than 3 years ago | (#31326434)

You do realize that the existence of a rootkit for a system in no way implies a vulnerability for a system, right? A rootkit isn't something that 'grants you root', it's a tool to help you hide your tracks once you are already root. Wikipedia has a good page about it [wikipedia.org] .

That said, the easiest way to get your linux box rooted (do you see the difference between getting your box rooted and a rootkit?) is to use a weak ssh password. I don't know how common privilege escalation vulnerabilities are, but I've seen them work in the past.

Even better, don't hire humans (5, Funny)

xzvf (924443) | more than 3 years ago | (#31325722)

Humans are the biggest weakness in the chain. Don't hire them, or at least hire the most non-people types you can. Hire the non-team players and the ones that argue with everyone. When someone calls them and asks them to go to a web site, they'll say screw you and hang up.

Re:Even better, don't hire humans (2, Insightful)

Anonymous Coward | more than 3 years ago | (#31325748)

Humans are the biggest weakness in the chain. Don't hire them

This.

Re:Even better, don't hire humans (1)

Opportunist (166417) | more than 3 years ago | (#31326248)

Companies are way ahead of you. Hell, they'd even outsource their malware infections if ... erh... they even did that it seems...

Re:Even better, don't hire humans (1)

turing_m (1030530) | more than 3 years ago | (#31326334)

Hire the non-team players and the ones that argue with everyone.

It's not necessary to employ true arguers. You could easily get away with hiring those only capable of simple contradiction.

Re:Even better, don't hire humans (0)

Anonymous Coward | more than 3 years ago | (#31326416)

No you couldn't.

Re:Even better, don't hire humans (1)

turing_m (1030530) | more than 3 years ago | (#31326468)

Yes you could.

Re:Even better, don't hire humans (2, Funny)

SkeeZerD (972760) | more than 3 years ago | (#31326420)

I disagree...can I have a job?

Re:Sounds like resistance is easy. (2, Insightful)

MichaelSmith (789609) | more than 3 years ago | (#31325730)

the best practices corporate IT departments have been following for years are ineffective against the attacks

Well obviously. Antivirus protects against old, common vectors. But if a company ran (say) ubuntu or (more likely) macos an attacker could still craft an attack against them, as long as they had information on the systems being used.

Re:Sounds like resistance is easy. (0)

Anonymous Coward | more than 3 years ago | (#31326270)

Yes, there is a tendency here toward self congratulation. From what little I understand about these attacks, if linux variants had been major targets, they probably would have been taken down as well. These guys are pros. We don't get hit so much because we are a smaller target. (With tongue in cheek) we should be grateful to Redmond for being such nasty ghouls - if they weren't, we'd have a lot more trouble than we do.

Re:Sounds like resistance is easy. (0)

Anonymous Coward | more than 3 years ago | (#31325734)

Because there are tons of other options when developing a corporate network.

oh for the love of ____! (3, Interesting)

girlintraining (1395911) | more than 3 years ago | (#31325720)

Okay, I know an ex-pat who has moved to China and married. I have a much better understanding of the current state of technology and governmental oversight there than most here. Let's clear some things up:

The government closely monitors its citizens using every form of surveillance available in public places (which include the internet) to ensure that they are not acting in a fashion the government defines as "subversive". They aren't interested in international cyber-terrorism. They simply realize that they need to be where their citizens are to maintain the umbrella of surveillance. They're not trying to blow up power plants or destroy financial markets, or engage in other acts of cyber-terrorism. They are simply of the mindset that the internet lacks geographical boundaries, and hence treat it somewhat like international waters, and regularly patrol and conduct intrusions on remote systems for the purpose of effecting surveillance on its own citizens.

They are also interested in industrial espionage against specific high-value targets that have technology that China cannot replicate with its limited (though rapidly growing) infrastructure. China is very good at copying technology. It has very little ability (or desire) to innovate. They are focused primarily on a massive modernization program so as to set themselves up to compete with the EU, US, and South Asian markets. Hong Kong is about the only ace they have up their sleeve right now there. So they conduct limited cyber attacks for the purpose of acquiring the information and designs to manufacture technologies that are highly intricate (such as microprocessor design).

This is not a statement on the validity of any sovereignty claims, or a moral judgement on China's state-sponsored activities on the global communications networks, merely a statement of their motivations.

Re:oh for the love of ____! (5, Interesting)

VendettaMF (629699) | more than 3 years ago | (#31325788)

Meanwhile I _am_ an expat, currently in China, and I can tell you your information is lacking in a few areas.

The Chinese government may not be out to detonate nuclear plants remotely (though you can be damn sure that when such abilities/openings are located that they are carefully filed against future need), but they are most certainly out to obtain every piece of hi-tech IP they can get hold of, as well as every bit of blackmail material, every bit of financial info and absolutely everything else they can find that will give them an edge in any arena over any and every other nation.

That's on top of all the internal monitoring of course.

Re:oh for the love of ____! (5, Funny)

Anonymous Coward | more than 3 years ago | (#31325844)

Meanwhile I _am_ Chinese, currently in China, and I can tell you your information is lacking in a few areas.

The Chinese Government is your friend and only wants the best for you.

Re:oh for the love of ____! (0)

Anonymous Coward | more than 3 years ago | (#31325966)

hahaha good one.

The Chinese government is out to take over the world. And for the time being, it's easy to be covert on the interwebz.

Re:oh for the love of ____! (0)

Anonymous Coward | more than 3 years ago | (#31326114)

Ah, you must know Friend Computer! We shall root out all commies and report them!
Um what color clearance do you have again?

Re:oh for the love of ____! (0)

Anonymous Coward | more than 3 years ago | (#31326166)

Meanwhile, I represent Chinese government. Now, if all you gentlemen would kindly board that black van outside your house...

Re:oh for the love of ____! (0)

Anonymous Coward | more than 3 years ago | (#31326264)

I vote parent's post for Slashdot footer quote.

Re:oh for the love of ____! (1)

BlueBoxSW.com (745855) | more than 3 years ago | (#31325942)

Thanks for clarifying this. My understanding of the situation mirrored what you described, but it is nice to hear it from someone first-hand.

How do you see this playing out in, say, 10 years?

Will the communists back away from their firm grasp on the country?

Or will the US end up on a collision course with china?

Or will the US in 10 years have the same limits on freedom they have there?

And, do they still make people carry around those little red books?

Re:oh for the love of ____! (2, Interesting)

VendettaMF (629699) | more than 3 years ago | (#31326034)

China's due some really serious shakeups in the next decade. The China of 10 years from now will be as different from current day China as current day China is from 1970's China. What will it actually be like? That's so far beyond my skills to figure that I couldn't even hazard a guess. Anyone here who cares to look can see the fuse fizzing, but as for where the bits will land... Who knows?

There are no communists in power in China, and have not been for quite some time. They have kept the title, but that's meaningless. China's government is Totalitarian Capitalist.

The red books are optional these days, unless you are Chinese, a Party member, in a significant government building and trying to impress someone. Foreigners with little red books are viewed with amusement at best, contempt and suspicion at worst.

China vs world (US is only one player in many these days)... Unless the internal restructuring prevents it then expect to see current "Angry Letters" style face-offs continue and expand, but as for the possibility of actual physical or serious trade conflict? Not a chance. Even Bush wasn't stupid enough to countenance that.

Re:oh for the love of ____! (0)

Anonymous Coward | more than 3 years ago | (#31326106)

http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage

I think everyone's underestimating the West's capabilities in technology, espionage and counterespionage honed during decades of Cold War paranoia.

Sure, the Chinese are targeting Western infrastructure, but in such a kludgy way that their efforts have made Slashdot and every other blog.... not particularly good espionage really is it?

A quick search of eBay for iPod and Nike reveals that yes, the Chinese do blatantly rip stuff off as a matter of course. Any company that manufactures stuff there knows this. Other governments know this. I would wager that Chinese infrastructure is even more vulnerable than Western infrastructure is, and has been infiltrated already.

Imagine in a future war if you knew that the enemy's main offensive or defensive weapons had a massive flaw that you could pinpoint and take advantage of... game over.

Better the devil you know...

Re:oh for the love of ____! (2, Insightful)

Runaway1956 (1322357) | more than 3 years ago | (#31326288)

Have you been keeping up with current events? The news on ACTA, for starters. Those school kids being spied on in Philadelphia via school mandated computers. Traffic light cameras. There is little doubt in my mind that the US is moving toward the same sort of round the clock surveillance that England and China enjoy right now. Law enforcement is pushing through a variety of rules, regulations, and even laws, permitting them to track citizens via mobile phone and other means, WITHOUT a warrant.

I definitely see an Orwellian future for the United States. Unless, of course, the citizens revolt against it. Unfortunately, the very citizens are subsidizing all of this surveillance. How many people do you know who have PAID FOR that GPS tracking that General Motors offers? Yes, PAID FOR some nice un-intrusive surveillance. Soon, the insurance companies will mandate that all vehicles have such surveillance, and we'll just roll over, and accept the edict.

Re:oh for the love of ____!I'm assuming that becau (0)

Anonymous Coward | more than 3 years ago | (#31325952)

Meanwhile I _am_ an expat, currently in China, and I can tell you your information is lacking in a few areas.

What areas are those? Enquiring minds want to know. GP already covered industrial espionage so what have you got?

Re:oh for the love of ____! (2, Interesting)

Anonymous Coward | more than 3 years ago | (#31325838)

As someone who has worked in various places that are of extreme interest to China, I can honestly say that you do not have a FUCKING clue of what you are talking about. All you are doing is talking out the side of your mouth. The simple fact is, that China is spying in a large number of areas. And yes, some of it is very much targeting the WEST's vulnerable areas.

Re:oh for the love of ____! (2, Funny)

Anonymous Coward | more than 3 years ago | (#31325850)

Okay, I know an ex-pat who has moved to China and married.

It's refreshing to see such a rock-solid substantiation on Slashdot.

Re:oh for the love of ____! (0)

Anonymous Coward | more than 3 years ago | (#31325870)

They are also interested in industrial espionage against specific high-value targets that have technology that China cannot replicate with its limited (though rapidly growing) infrastructure. China is very good at copying technology. It has very little ability (or desire) to innovate.

For this point - this is how economies work by import replacement, which then causes modifications on that product they replaced, making a new product (a division of that work). To think that any economy over the course of human history simply invents something without anything before it (except maybe fire), ignores the way markets are. The USA did it and the Japanese did it and in turn rapidly expanded their economies and markets.

Re:oh for the love of ____! (0)

Anonymous Coward | more than 3 years ago | (#31325878)

There is nothing contradictory between your statement and a statement that China is marked by fascism, the panoptic state and low consideration for the propriety of others.

That IS the definition of a totalitarian state. Total surveillance in public, total surveillance of communication channels, and use of a variety of tiered methods against subversive elements.

It is also sufficient cause for putting a stranglehold on Chinese international trade, including high tariffs. Why should a company that spends tens of millions developing a microprocessor and needs to recoup that cost in their prices have to compete with a Chinese company that got the plans for free?

Re:oh for the love of ____! (2, Insightful)

vajorie (1307049) | more than 3 years ago | (#31326368)

Okay, I know an ex-pat who has moved to China and married. I have a much better understanding

Hey, nice to hear. I have this Black friend so I know Blacks. /yay

Antivirus? (2, Insightful)

TubeSteak (669689) | more than 3 years ago | (#31325766)

"Attackers are willing to spend months attacking people in these companies, and they write custom malware specific to those companies," [iSec founding partner Alex Stamos] told The Register. "The malware for each of these companies has been customized based on the versions of vulnerable software they're running, as well as what kind of anti-virus they're using. ...

Since when have anti-virus heuristic algorithms been at all useful against custom malware?

Even the script kiddies can find encrypters to take their cookie cutter programs and make them invisible to the majority of anti-virus programs.

Auror (1, Funny)

Anonymous Coward | more than 3 years ago | (#31325768)

Anyone else read that as Auror Attack? [wikia.com]

Re:Auror (0)

Anonymous Coward | more than 3 years ago | (#31325900)

Harry Potter. Are you 12 years old or what?

Re:Auror (0)

Anonymous Coward | more than 3 years ago | (#31326156)

Sadly, no.

Resistance is VERY easy (2, Insightful)

Anonymous Coward | more than 3 years ago | (#31325776)

QUIT RUNNING WINDOWS. Look, if anybody runs windows on more than their client box (and many would argue even that is stupid), then you deserve what you get. The same set of idiots will design tanks and subs with picture windows.

So for this attack to work. (3, Insightful)

Anonymous Coward | more than 3 years ago | (#31325800)

1. You must first find someone using windows who is prone to clicking things without thinking. - ok, I accept that.
2. Running a vulnerable browser - Still quite common, First security failure
3. Running windows - Still very plausible
4. Vulnerable to a privilege escalation exploit - Second security failure
5. With a network setup that is vulnerable to this kind of thing - Third security failure
5. Then "accessing" an AD server database - Fourth security failure
6. To be cracked - ok

So for this to work you have to have an insecure browser or other userland app that is easily exploitable (Acrobat), an OS with a privilege escalation flaw and a network that will let someone do things they probably shouldn't, an AD server that is crackable so that you can get at the DB.

IMHO that is a hell of a lot of failures by the various parties for this to work.

Re:So for this attack to work. (4, Insightful)

Shikaku (1129753) | more than 3 years ago | (#31325898)

Your boss at work:

"Why can't I install programs on my own machine, I'm the boss for god's sake!"

He's admin of his own machine now on his corporate internet. Hilarity ensues.

Re:So for this attack to work. (1)

Opportunist (166417) | more than 3 years ago | (#31326290)

Yeah, but try to push this past a boss' skull.

Human factor at work. He does not need admin privileges. Even the idea to give him an admin account so he could become admin if he for some reason needs to will get shot down (or simply ignored and the admin account becomes the standard account) because he must not be bothered with that whole "computer crap", it has to "just work".

If you warn about such scenarios you get belittled as scaredy-cat. That it is your effing job as his CISO to be such a scaredy-cat and prepare and defend against such scenarios will be brushed aside. Then why the heck did you hire me in the first place? Because you had to fill that position so you get some worthless toilet paper certificate? In that case, place someone else on that ejector seat, I'm not going to sit there while you dance around the big red "eject" button going "gee, what does this button do?"

Re:So for this attack to work. (1)

myowntrueself (607117) | more than 3 years ago | (#31326322)

Your boss at work:

"Why can't I install programs on my own machine, I'm the boss for god's sake!"

If your boss has an iphone then you have them right there.

As much as I hate them for it, Apple have surely built a good argument for not allowing people complete control of devices they *own* but which they don't 'understand sufficiently well' or 'cannot be trusted' to protect properly.

I guess... try to get your boss to see you as Steve Jobs. Might not work but probably worth a shot.

Re:So for this attack to work. (0)

sumdumass (711423) | more than 3 years ago | (#31326324)

I had that happen once at a financial site I administrate.

It ended with me asking the manager/owner to sign a paper specifically assuming all the liability from any breaches or security incidents stemming from his use of unapproved software. He then asked me to clarify what I was wanting and I told him about the different requirements placed on financial institutions and places that process credit card information (some by law and some by credit card companies and such). His accounting firm hit on both areas and after speaking with his corporate attorney, he decided not to indulge himself in anything not directly related to his work.

This could have ended with me losing my contract, however it showed that there was more of a reason than just being a dick for all the rules and restrictions. If someone else is having this problem, it might be an approach that could work with them. Just don't be a dick when asking for the release, instead say something like "I sure would feel better about this if I knew I wouldn't be held accountable for regulatory or liability problems created by the use of the software". Peak his interest before dropping the hammer so he knows something is at stake.

Re:So for this attack to work. (1)

FooAtWFU (699187) | more than 3 years ago | (#31326458)

Psst. It's spelled 'pique' when you're doing it to interest. Spread the word.

Re:So for this attack to work. (2, Insightful)

esocid (946821) | more than 3 years ago | (#31325906)

Have you not ever worked in an office setting? Walk by your sysadmin's dungeon and mention something about clicking a link in some email you got, and sit back and watch the fireworks.

I can pretty much guarantee you that even in a tech setting, there will even be a handful of those people who still lack common, and/or tech, sense. This is exactly why certain places prevent their employees from installing software, running as admin, running off of flashdrives, or even discs.

Re:So for this attack to work. (0)

Anonymous Coward | more than 3 years ago | (#31325970)

1 = 2 = 3 = 4
5 = 5 (sic) = running active directory

Re:So for this attack to work. (0)

Anonymous Coward | more than 3 years ago | (#31326014)

And yet they all exist in the majority of all computing systems.

Re:So for this attack to work. (1)

k10quaint (1344115) | more than 3 years ago | (#31326110)

You just described most of corporate america with your six steps.

Step #1 is very, very plausible. One develops a potential working relationship with the target company and crafts an email to contain an innocuous-looking document or link requested by the target. The link/document contains the latest exploit that has not been patched. The email is not suspicious because who would attack a potential business partner, after all. It is an exploit that is preferably zero-day and not yet in the virus/malware databases. Also, a new shell for the attack could be devised from the original code to ensure it would be unrecognizable.

Step #4 can be obviated by infecting an admin's computer, and if I was targeting a company with a zero day unknown exploit, I would aim it at their IT guys.

Step #5a all networks are vulnerable to this sort of exploit, especially if the exploit is unknown to scanners & filters.

Step #5b if you root an admin's box, you can piggy back on him next time he does maintenance on *every* server and device he maintains.

I am surprised the list was only 100 companies. I assume every S&P 500 company has been penetrated to some degree.

Re:So for this attack to work. (1)

Tracy Reed (3563) | more than 3 years ago | (#31326278)

And you have just described the business network (as opposed to production server network which is of course Linux and by definition far more secure) of pretty much every place I have ever worked.

Re:So for this attack to work. (1)

Sikmaz (686372) | more than 3 years ago | (#31326304)

Point by point:
#2: Many of the attacks use Zero-day exploits that are not public knowledge.
#4: See #2
#5: If you have more than 1400 servers there will be some that are vulnerable and when that happens they get one door they need. Hopefully it is just some departmental webserver so the scope is small but they almost certainly now have at least the first foothold they need to grab some accounts and move from there if they don't have a Zero-day exploit they can use.
#5 (2nd #5?): What they get is the SAM database which is hashed using NTLM so it is vulnerable to rainbow table attacks.

So for it to work you just need:
1) An exploit not publicly known that allows remote code execution or elevation of privilege. There are at least 2-3 of these a month.
2) Compromise a departmental webserver/app server and start working backwards.... Eventually you will get more and more accounts until you get something interesting. At the worst you have mapped a typical server and know your attack surface. Maybe they run Tivoli? So scan specific hosts for Tivoli vulnerabilities but do it slow so it isn't seen by IDS. If they run Symantec AV use the exploit that is out right now to get on a privileged system...

So obviously it isn't as hard as it first seemed, and it isn't a matter of incompetence with large companies; there are simply too many possible ways in. Your best defense is a layered one with a lot of monitoring of your logs and IDS sensors to watch for things that look unusual. Baseline your traffic so if you see a large upload over https to a server in a weird location you can flag it! It might be your SAM database going out the door...

tl;dr: In a large company there are a lot of ways to get in; if you think you are safe you are lying to yourself.
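As an added illustration of the "baseline your traffic and flag large uploads to a weird location" point (this is not code from the thread or from the iSec report), the block below builds a per-host egress baseline from constructed flow records and raises an alert only when a host sends an unusually large volume on 443 to a destination it has never talked to before. The record format, the three-sigma threshold, the 50 MB floor and the "new destination" rule are my assumptions; the sample flows are invented.

```python
# Added example: toy egress-baseline detector (not from the thread or the iSec report).
# Constructed flow records: day src dst dport bytes_out
from collections import defaultdict
from statistics import mean, pstdev

SAMPLE_FLOWS = """
2010-03-01 10.1.4.22 192.0.2.10 443 20480
2010-03-01 10.1.4.22 192.0.2.11 443 35000
2010-03-02 10.1.4.22 192.0.2.10 443 18000
2010-03-02 10.1.4.22 192.0.2.11 443 41000
2010-03-03 10.1.4.22 192.0.2.10 443 22000
2010-03-03 10.1.4.22 192.0.2.11 443 30000
2010-03-04 10.1.4.22 192.0.2.10 443 19500
2010-03-04 10.1.4.22 203.0.113.77 443 262144000
2010-03-01 10.1.4.50 192.0.2.20 443 900000000
2010-03-02 10.1.4.50 192.0.2.20 443 880000000
2010-03-03 10.1.4.50 192.0.2.20 443 910000000
2010-03-04 10.1.4.50 192.0.2.20 443 950000000
"""

BASELINE_DAYS = {"2010-03-01", "2010-03-02", "2010-03-03"}   # assumption: 3-day window
EVAL_DAY = "2010-03-04"


def parse_flows(text):
    """Turn the constructed text records into (day, src, dst, dport, bytes) tuples."""
    rows = []
    for line in text.strip().splitlines():
        day, src, dst, dport, nbytes = line.split()
        rows.append((day, src, dst, int(dport), int(nbytes)))
    return rows


def daily_egress(rows, port=443):
    """Sum outbound bytes per (day, src, dst) for one destination port."""
    agg = defaultdict(int)
    for day, src, dst, dport, nbytes in rows:
        if dport == port:
            agg[(day, src, dst)] += nbytes
    return agg


def build_baseline(agg, baseline_days):
    """Per source host: mean/stdev of its daily per-destination upload volume
    and the set of destinations seen during the baseline window."""
    volumes = defaultdict(list)
    known = defaultdict(set)
    for (day, src, dst), nbytes in agg.items():
        if day in baseline_days:
            volumes[src].append(nbytes)
            known[src].add(dst)
    return {src: (mean(v), pstdev(v), known[src]) for src, v in volumes.items()}


def flag_uploads(agg, baseline, eval_day, sigmas=3.0, min_bytes=50_000_000):
    """Alert when a host's upload on eval_day is both a statistical outlier for
    that host and directed at a destination absent from its baseline.
    A large upload to a destination the host always talks to (e.g. a backup
    server) is deliberately not flagged; a host with no baseline at all is
    judged on the min_bytes floor alone."""
    alerts = []
    for (day, src, dst), nbytes in agg.items():
        if day != eval_day:
            continue
        mu, sigma, known = baseline.get(src, (0.0, 0.0, set()))
        new_destination = dst not in known
        outlier = nbytes >= min_bytes and nbytes > mu + sigmas * sigma
        if new_destination and outlier:
            alerts.append({"src": src, "dst": dst, "bytes": nbytes,
                           "baseline_mean": mu, "baseline_stdev": sigma})
    return alerts


def run_demo():
    rows = parse_flows(SAMPLE_FLOWS)
    agg = daily_egress(rows)
    baseline = build_baseline(agg, BASELINE_DAYS)
    return flag_uploads(agg, baseline, EVAL_DAY)


if __name__ == "__main__":
    for alert in run_demo():
        print(f"ALERT {alert['src']} -> {alert['dst']}: {alert['bytes']} bytes "
              f"(baseline mean {alert['baseline_mean']:.0f})")
```

In the sample, 10.1.4.50 pushes close to a gigabyte every day to 192.0.2.20 and is left alone, while 10.1.4.22's single 250 MB transfer to a never-seen address is the one alert. Real deployments would key the baseline on something better than a bare destination IP (ASN, country, or domain from DNS logs), but the shape of the rule is the same.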

Re:So for this attack to work. (1)

Opportunist (166417) | more than 3 years ago | (#31326318)

A lot of failures, and all of them are at work in most companies.

Vulnerable browser? A necessity, since most company-internal web pages are geared for IE (sometimes even an ancient version of IE because the adaptation for the quirks of newer versions takes time), and of course programmed by the cheapest idiot who didn't test for any other browser. Let's be happy that it at least works with IE... if only with version 6.

Vulnerable to priv escalation? A given in most companies. You usually have the cheapest admins, and too few of them. You'd be amazed how much resistance you get for anything that could remotely increase security (and, unfortunately bundled with it, decreases comfort and ease of access). And you'd be amazed just how little the common Windows administrator knows about Windows in the first place.

Network vulnerable to this? A given as well. Security often ends at the company firewall. Behind it, inside the company, you'll rarely find any sensible segmentation or protection. It's actually very common that machines are fully accessible across the whole network.

Accessing AD server database? C'mon, do I have to go into detail? You don't think servers are any better protected against "inside jobs" than the rest of the network, do you?

Binary whitelisting (0)

Anonymous Coward | more than 3 years ago | (#31325814)

Resistance is not so futile -- the use of binary whitelisting tools such as Bit9 (http://www.bit9.com/) combined with network packet analysis allows sysadmins to greatly reduce the chance of an initial infection, and virtually eliminates the chances of an infection spreading across multiple hosts.

Number 5? (3, Interesting)

DigiShaman (671371) | more than 3 years ago | (#31325960)

5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite.

HOW!!!?? Unless some boneheaded sysadmin granted a user with Domain Admin access, I don't see how this is even remotely possible. Someone with just plain Domain User access either authenticates, or doesn't. Is this article suggesting all local user names and passwords from a DC (domain controller) are locally cached prior to authentication?

Re:Number 5? (1, Informative)

Anonymous Coward | more than 3 years ago | (#31326140)

Browser exploit to get on the box.

Privilege escalate to LOCAL/Admin.

Grab the user's NT security token (metasploit), or keylog the password.

Enumerate machines (dsquery) to find out where Admin is logged in.

Log into that box.

Privilege escalate to Admin.

Steal his token.

You are now Enterprise Admin.

Re:Number 5? (2, Insightful)

DigiShaman (671371) | more than 3 years ago | (#31326230)

I follow steps 1 - 4. Regarding step 5 however...

Log into that box.

That user must be either a member of the Domain Admins group, or Local Administrators group of that PC. The latter seems possible as there are many users that love to RDP into their own boxes from work over a VPN connection. Even then, only one user is allowed access unless it is a Terminal Server.

As for the NT security token. I know that when a user (regardless of membership) logs into a machine, the security credentials get cached. But from what I understand, you can't recover passwords from the local SAM database unless the box is already rooted.

Re:Number 5? (4, Informative)

DigiShaman (671371) | more than 3 years ago | (#31326272)

Sorry for the follow-up post, but I think I now understand in a roundabout way. You have to be a member of the Domain Admins group to join a PC to the Domain. It's those Domain Admin credentials that get cached - per PC that's been previously joined. YIKES! So if a user is a member of the local Administrators group, he also has access to the local SAM database. Root the box, and you might be able to recover the cached passwords from it.

Be sure to change your Domain Admins password often. Honestly, how many people often do that? More than they should really.

Re:Number 5? (4, Insightful)

dweller_below (136040) | more than 3 years ago | (#31326504)

.. Root the box, and you might be able to recover the cached passwords from it.

Almost. The iSec paper mentioned, but didn't explain 'Pass The Hash' attacks. See the excellent SANS paper at: http://www.sans.org/reading_room/last.php [sans.org]

Bottom line is, the attacker doesn't need to get back to the passwords by cracking the hashes. The attacker can just directly use the hashes.

Being targeted by these guys is like standing in the middle of a crowd of pickpockets. No matter what you do, they are going to get stuff. You are lucky to get out with your teeth.

Miles
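To make the distinction in this sub-thread concrete (cached credentials that must be cracked versus hashes that can simply be passed), here is an added, self-contained model; it is not code from any poster or from the iSec or SANS papers. It computes the NT hash (MD4 over the UTF-16LE password, no salt), the MS-Cache verifiers that Windows stores for domain logons, and a simplified NTLMv2 challenge/response in which both client and domain controller are keyed by the NT hash alone. The usernames, passwords, directory contents, challenge and client blob are constructed; MD4 is implemented inline because hashlib's md4 is frequently unavailable on OpenSSL 3 builds; the NTLMv2 blob is reduced to a fixed prefix plus a nonce rather than the full timestamped structure.

```python
# Added example (not from the thread, the iSec report or the SANS paper).
# Models: (1) NT hash = MD4(UTF-16LE(password)), unsalted, so a precomputed
# table cracks it; (2) MS-Cache v1/v2 cached-logon verifiers, derived from the
# NT hash and lowercase username, which must be cracked, not passed; (3) NTLMv2
# authentication keyed by the NT hash alone, so holding the hash is enough.
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (hashlib's md4 is often missing on OpenSSL 3)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, tuple(range(16)), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                idx = (-i) % 4  # registers are updated in the order a, d, c, b
                val = r[idx] + fn(r[(idx + 1) % 4], r[(idx + 2) % 4], r[(idx + 3) % 4]) + X[j] + k
                r[idx] = _rotl(val & MASK, shifts[i % 4])
        state = [(s + t) & MASK for s, t in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password. No salt, no iteration count."""
    return md4(password.encode("utf-16-le"))


def crack_with_table(target: bytes, wordlist):
    """Stand-in for a rainbow table: works only because nt_hash is unsalted."""
    table = {nt_hash(w): w for w in wordlist}
    return table.get(target)


def dcc1(password: str, username: str) -> bytes:
    """MS-Cache v1 (pre-Vista): MD4(NT hash || UTF-16LE(lowercase username))."""
    return md4(nt_hash(password) + username.lower().encode("utf-16-le"))


def dcc2(password: str, username: str, iterations: int = 10240) -> bytes:
    """MS-Cache v2 (Vista and later): PBKDF2-HMAC-SHA1 over DCC1, username as salt."""
    return hashlib.pbkdf2_hmac("sha1", dcc1(password, username),
                               username.lower().encode("utf-16-le"), iterations, 16)


def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    """MS-NLMP NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof(nthash: bytes, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob). Needs the hash only."""
    return hmac.new(ntowf_v2(nthash, user, domain), challenge + blob, hashlib.md5).digest()


# Constructed: what the domain controller stores for one account.
DOMAIN = "CORP"
DIRECTORY = {"svc_backup": nt_hash("Summer2010!")}


def dc_accepts(user: str, challenge: bytes, blob: bytes, proof: bytes) -> bool:
    """The DC recomputes the proof from its stored NT hash; it never sees a password."""
    expected = nt_proof(DIRECTORY[user], user, DOMAIN, challenge, blob)
    return hmac.compare_digest(expected, proof)


def pass_the_hash(stolen_nthash: bytes, user: str = "svc_backup") -> bool:
    """Attacker holds a dumped NT hash, not the password. Does the logon succeed?"""
    challenge = os.urandom(8)                      # constructed server nonce
    blob = b"\x01\x01" + b"\x00" * 6 + os.urandom(8)  # simplified NTLMv2 client blob
    proof = nt_proof(stolen_nthash, user, DOMAIN, challenge, blob)
    return dc_accepts(user, challenge, blob, proof)


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("cracked:", crack_with_table(nt_hash("password"), ["letmein", "password"]))
    print("DCC2 for ADMINISTRATOR:", dcc2("password", "Administrator").hex())
    print("pass-the-hash accepted:", pass_the_hash(DIRECTORY["svc_backup"]))
```

The practical split this shows: what `dcc1`/`dcc2` produce (the "cached domain credentials" discussed above) is only a verifier and has to be cracked offline, so a strong domain admin password does help there; what `nt_hash` produces, whether dumped from a SAM, from LSASS memory of a logged-on admin, or from NTDS.dit on a DC, is directly usable in `pass_the_hash`, and no amount of password rotation helps once it has been taken. Rotation after the fact and, above all, not logging on to workstations with domain admin credentials are the controls that matter.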

Re:Number 5? (1)

Opportunist (166417) | more than 3 years ago | (#31326346)

Scenario: Boss has (local) admin privs on his machine. Because he's the boss (no, no sensible explanation following). Boss gets owned, keylogger gets installed. Boss' machine gets fucked up when he installs the latest and greatest must-have-boss-toy for his Blackberry, calls IT and goes to lunch.

IT comes, logs in with domain admin password...

Oldschool (2, Insightful)

Anonymous Coward | more than 3 years ago | (#31325972)

This type of social engineering attack has been around for at least 2 decades now. There are many books about it, including Mitnick's.
Windows exploits, specifically owning a Windows AD network via local privilege escalation, sniffing, buffer under/overflows and dumping hashes from the domain controller, have been around for at least 1 decade, the kind of thing I pulled off in high school.
All they did here is put together very old puzzle pieces with a little bit of strategy.

When will people learn to stop using Windows? When will people learn to start instituting strict mail policies on corporate networks?

Probably never.

This is not about technical security, this is about exploiting the victim's way of thinking.
Make money first, keep staff happy second. Building a well-oiled, tightly maintained business machine does not even come into consideration.

google has a corporate windows network? (1)

Punto (100573) | more than 3 years ago | (#31326052)

And why would being inside China make any difference? The whole attack is remote; sounds like it can be done to any network from anywhere in the world. Why would a Chinese office be at higher risk?

Re:google has a corporate windows network? (3, Interesting)

VendettaMF (629699) | more than 3 years ago | (#31326074)

Because, by law, to have an office in China you must have Chinese employees in high-ranking positions.

If your company is of interest then you can be guaranteed of having at least two plants in the office. One to be the obvious pro-party red-book waving decoy, and the other to save them the time and effort of having to phish someone to start the attack.

Packet Filter (4, Informative)

nuckfuts (690967) | more than 3 years ago | (#31326084)

If you don't expect/want traffic from China, configure your firewall to block IP addresses assigned to China [okean.com] .

Re:Packet Filter (1)

VendettaMF (629699) | more than 3 years ago | (#31326102)

Heh, I am forbidden from seeing content on that site.
Shoulda seen that one coming...

Re:Packet Filter (1)

nuckfuts (690967) | more than 3 years ago | (#31326148)

OK then, here's the list:

58.14.0.0/15 China 58.16.0.0/13 China 58.24.0.0/15 China 58.30.0.0/15 China 58.32.0.0/11 China 58.66.0.0/15 China 58.68.128.0/17 China 58.82.0.0/15 China 58.87.64.0/18 China 58.99.128.0/17 China 58.100.0.0/15 China 58.116.0.0/14 China 58.128.0.0/13 China 58.144.0.0/16 China 58.154.0.0/15 China 58.192.0.0/11 China 58.240.0.0/12 China 59.32.0.0/11 China 59.64.0.0/12 China 59.80.0.0/14 China 59.107.0.0/16 China 59.108.0.0/14 China 59.151.0.0/17 China 59.155.0.0/16 China 59.172.0.0/14 China 59.191.0.0/16 China 59.192.0.0/10 China 60.0.0.0/11 China 60.55.0.0/16 China 60.63.0.0/16 China 60.160.0.0/11 China 60.194.0.0/15 China 60.200.0.0/13 China 60.208.0.0/12 China 60.232.0.0/15 China 60.235.0.0/16 China 60.245.128.0/17 China 60.247.0.0/16 China 60.252.0.0/16 China 60.253.128.0/17 China 60.255.0.0/16 China 61.4.80.0/20 China 61.4.176.0/20 China 61.8.160.0/20 China 61.28.0.0/17 China 61.29.128.0/17 China 61.45.128.0/18 China 61.47.128.0/18 China 61.48.0.0/13 China 61.87.192.0/18 China 61.128.0.0/10 China 61.232.0.0/14 China 61.236.0.0/15 China 61.240.0.0/14 China 110.6.0.0/15 China 110.16.0.0/14 China 110.40.0.0/14 China 110.48.0.0/16 China 110.51.0.0/16 China 110.52.0.0/15 China 110.56.0.0/13 China 110.64.0.0/15 China 110.72.0.0/15 China 110.75.0.0/16 China 110.76.0.0/18 China 110.76.192.0/18 China 110.77.0.0/17 China 110.80.0.0/13 China 110.88.0.0/14 China 110.94.0.0/15 China 110.96.0.0/11 China 110.152.0.0/14 China 110.156.0.0/15 China 110.166.0.0/15 China 110.172.192.0/18 China 110.173.0.0/19 China 110.173.32.0/20 China 110.173.64.0/18 China 110.173.192.0/19 China 110.176.0.0/12 China 110.192.0.0/11 China 110.228.0.0/14 China 110.232.32.0/19 China 110.236.0.0/15 China 110.240.0.0/12 China 111.0.0.0/10 China 111.66.0.0/16 China 111.67.192.0/20 China 111.68.64.0/19 China 111.72.0.0/13 China 111.85.0.0/16 China 111.91.192.0/19 China 111.112.0.0/14 China 111.116.0.0/15 China 111.119.64.0/18 China 111.119.128.0/19 China 111.120.0.0/14 China 111.124.0.0/16 China 
111.126.0.0/15 China 111.128.0.0/11 China 111.160.0.0/13 China 111.170.0.0/16 China 111.172.0.0/14 China 111.176.0.0/13 China 111.186.0.0/15 China 111.192.0.0/12 China 111.208.0.0/13 China 111.221.128.0/17 China 111.222.0.0/16 China 111.224.0.0/13 China 111.235.96.0/19 China 111.235.160.0/19 China 112.0.0.0/10 China 112.64.0.0/14 China 112.73.0.0/16 China 112.74.0.0/15 China 112.80.0.0/13 China 112.109.128.0/17 China 112.111.0.0/16 China 112.112.0.0/14 China 112.116.0.0/15 China 112.122.0.0/15 China 112.124.0.0/14 China 112.128.0.0/14 China 112.132.0.0/16 China 112.192.0.0/14 China 112.224.0.0/11 China 113.0.0.0/13 China 113.8.0.0/15 China 113.11.192.0/19 China 113.12.0.0/14 China 113.16.0.0/15 China 113.18.0.0/16 China 113.24.0.0/14 China 113.31.0.0/16 China 113.44.0.0/14 China 113.48.0.0/14 China 113.52.160.0/19 China 113.54.0.0/15 China 113.56.0.0/15 China 113.58.0.0/16 China 113.59.0.0/17 China 113.62.0.0/15 China 113.64.0.0/10 China 113.128.0.0/15 China 113.130.96.0/20 China 113.130.112.0/21 China 113.132.0.0/14 China 113.136.0.0/13 China 113.194.0.0/15 China 113.200.0.0/15 China 113.202.0.0/16 China 113.204.0.0/14 China 113.208.96.0/19 China 113.208.128.0/17 China 113.209.0.0/16 China 113.212.0.0/18 China 113.213.0.0/17 China 113.214.0.0/15 China 113.218.0.0/15 China 113.220.0.0/14 China 113.224.0.0/12 China 113.240.0.0/13 China 113.248.0.0/14 China 114.28.0.0/16 China 114.54.0.0/15 China 114.60.0.0/14 China 114.64.0.0/14 China 114.68.0.0/16 China 114.80.0.0/12 China 114.96.0.0/13 China 114.104.0.0/14 China 114.110.0.0/20 China 114.110.128.0/17 China 114.111.160.0/19 China 114.112.0.0/14 China 114.116.0.0/15 China 114.132.0.0/16 China 114.135.0.0/16 China 114.138.0.0/15 China 114.141.128.0/18 China 114.196.0.0/15 China 114.208.0.0/14 China 114.216.0.0/13 China 114.224.0.0/11 China 115.44.0.0/14 China 115.48.0.0/12 China 115.84.0.0/18 China 115.84.192.0/19 China 115.100.0.0/14 China 115.104.0.0/14 China 115.120.0.0/14 China 115.124.16.0/20 China 115.148.0.0/14 
China 115.152.0.0/13 China 115.168.0.0/13 China 115.180.0.0/14 China 115.192.0.0/11 China 115.224.0.0/12 China 116.1.0.0/16 China 116.2.0.0/15 China 116.4.0.0/14 China 116.8.0.0/14 China 116.13.0.0/16 China 116.16.0.0/12 China 116.52.0.0/14 China 116.56.0.0/15 China 116.58.128.0/20 China 116.58.208.0/20 China 116.60.0.0/14 China 116.66.0.0/17 China 116.69.0.0/16 China 116.70.0.0/17 China 116.76.0.0/14 China 116.89.144.0/20 China 116.90.80.0/20 China 116.90.184.0/21 China 116.95.0.0/16 China 116.112.0.0/14 China 116.116.0.0/15 China 116.128.0.0/10 China 116.192.0.0/16 China 116.193.16.0/20 China 116.193.32.0/19 China 116.194.0.0/15 China 116.196.0.0/16 China 116.198.0.0/16 China 116.199.0.0/17 China 116.199.128.0/19 China 116.204.0.0/15 China 116.207.0.0/16 China 116.208.0.0/14 China 116.212.160.0/20 China 116.213.64.0/18 China 116.213.128.0/17 China 116.214.32.0/19 China 116.214.64.0/20 China 116.214.128.0/17 China 116.215.0.0/16 China 116.216.0.0/14 China 116.224.0.0/12 China 116.242.0.0/15 China 116.244.0.0/14 China 116.248.0.0/15 China 116.252.0.0/15 China 116.254.128.0/17 China 116.255.128.0/17 China 117.8.0.0/13 China 117.21.0.0/16 China 117.22.0.0/15 China 117.24.0.0/13 China 117.32.0.0/13 China 117.40.0.0/14 China 117.44.0.0/15 China 117.48.0.0/14 China 117.53.176.0/20 China 117.57.0.0/16 China 117.58.0.0/17 China 117.59.0.0/16 China 117.60.0.0/14 China 117.64.0.0/13 China 117.72.0.0/15 China 117.74.64.0/20 China 117.74.128.0/17 China 117.75.0.0/16 China 117.76.0.0/14 China 117.80.0.0/12 China 117.100.0.0/15 China 117.103.16.0/20 China 117.103.128.0/20 China 117.106.0.0/15 China 117.112.0.0/13 China 117.120.64.0/18 China 117.120.128.0/17 China 117.121.0.0/17 China 117.121.128.0/18 China 117.121.192.0/21 China 117.122.128.0/17 China 117.124.0.0/14 China 117.128.0.0/10 China 118.24.0.0/13 China 118.64.0.0/15 China 118.66.0.0/16 China 118.67.112.0/20 China 118.72.0.0/13 China 118.80.0.0/15 China 118.84.0.0/15 China 118.88.32.0/19 China 118.88.64.0/18 China 
118.88.128.0/17 China 118.89.0.0/16 China 118.91.240.0/20 China 118.102.16.0/20 China 118.112.0.0/13 China 118.120.0.0/14 China 118.124.0.0/15 China 118.126.0.0/16 China 118.132.0.0/14 China 118.144.0.0/14 China 118.178.0.0/16 China 118.180.0.0/14 China 118.184.0.0/13 China 118.192.0.0/12 China 118.212.0.0/15 China 118.224.0.0/14 China 118.228.0.0/15 China 118.230.0.0/16 China 118.239.0.0/16 China 118.242.0.0/16 China 118.244.0.0/14 China 118.248.0.0/13 China 119.0.0.0/15 China 119.2.0.0/19 China 119.2.128.0/17 China 119.3.0.0/16 China 119.4.0.0/14 China 119.8.0.0/15 China 119.10.0.0/17 China 119.15.136.0/21 China 119.16.0.0/16 China 119.18.192.0/20 China 119.19.0.0/16 China 119.20.0.0/14 China 119.27.160.0/19 China 119.27.192.0/18 China 119.30.48.0/20 China 119.31.192.0/19 China 119.32.0.0/13 China 119.40.0.0/18 China 119.40.64.0/20 China 119.40.128.0/17 China 119.41.0.0/16 China 119.42.0.0/19 China 119.42.136.0/21 China 119.42.224.0/19 China 119.44.0.0/15 China 119.48.0.0/13 China 119.57.0.0/16 China 119.58.0.0/16 China 119.59.128.0/17 China 119.60.0.0/15 China 119.62.0.0/16 China 119.63.32.0/19 China 119.75.208.0/20 China 119.78.0.0/15 China 119.80.0.0/15 China 119.84.0.0/14 China 119.88.0.0/14 China 119.96.0.0/13 China 119.108.0.0/15 China 119.112.0.0/12 China 119.128.0.0/12 China 119.144.0.0/14 China 119.148.160.0/20 China 119.161.128.0/17 China 119.162.0.0/15 China 119.164.0.0/14 China 119.176.0.0/12 China 119.232.0.0/15 China 119.235.128.0/18 China 119.248.0.0/14 China 119.253.0.0/16 China 119.254.0.0/15 China 120.0.0.0/12 China 120.30.0.0/15 China 120.32.0.0/12 China 120.48.0.0/15 China 120.52.0.0/14 China 120.64.0.0/13 China 120.72.32.0/19 China 120.72.128.0/17 China 120.76.0.0/14 China 120.80.0.0/13 China 120.88.8.0/21 China 120.90.0.0/15 China 120.92.0.0/16 China 120.94.0.0/15 China 120.128.0.0/13 China 120.136.128.0/18 China 120.137.0.0/17 China 120.192.0.0/10 China 121.0.16.0/20 China 121.4.0.0/15 China 121.8.0.0/13 China 121.16.0.0/12 China 
121.32.0.0/13 China 121.40.0.0/14 China 121.46.0.0/15 China 121.48.0.0/15 China 121.51.0.0/16 China 121.52.160.0/19 China 121.52.208.0/20 China 121.52.224.0/19 China 121.55.0.0/18 China 121.56.0.0/15 China 121.58.0.0/17 China 121.58.144.0/20 China 121.59.0.0/16 China 121.60.0.0/14 China 121.68.0.0/14 China 121.76.0.0/15 China 121.79.128.0/18 China 121.89.0.0/16 China 121.100.128.0/17 China 121.101.208.0/20 China 121.192.0.0/13 China 121.201.0.0/16 China 121.204.0.0/14 China 121.224.0.0/12 China 121.248.0.0/14 China 121.255.0.0/16 China 122.0.64.0/18 China 122.0.128.0/17 China 122.4.0.0/14 China 122.8.0.0/13 China 122.48.0.0/16 China 122.49.0.0/18 China 122.51.0.0/16 China 122.64.0.0/11 China 122.96.0.0/15 China 122.102.0.0/20 China 122.102.64.0/19 China 122.112.0.0/14 China 122.119.0.0/16 China 122.136.0.0/13 China 122.144.128.0/17 China 122.156.0.0/14 China 122.192.0.0/14 China 122.198.0.0/16 China 122.200.64.0/18 China 122.204.0.0/14 China 122.224.0.0/12 China 122.240.0.0/13 China 122.248.48.0/20 China 123.0.128.0/18 China 123.4.0.0/14 China 123.8.0.0/13 China 123.49.128.0/17 China 123.52.0.0/14 China 123.56.0.0/13 China 123.64.0.0/11 China 123.96.0.0/15 China 123.98.0.0/17 China 123.99.128.0/17 China 123.100.0.0/19 China 123.101.0.0/16 China 123.103.0.0/17 China 123.108.128.0/20 China 123.108.208.0/20 China 123.112.0.0/12 China 123.128.0.0/13 China 123.136.80.0/20 China 123.137.0.0/16 China 123.138.0.0/15 China 123.144.0.0/12 China 123.160.0.0/12 China 123.176.80.0/20 China 123.177.0.0/16 China 123.178.0.0/15 China 123.180.0.0/14 China 123.184.0.0/13 China 123.196.0.0/15 China 123.199.128.0/17 China 123.232.0.0/14 China 123.242.0.0/17 China 123.244.0.0/14 China 123.249.0.0/16 China 123.253.0.0/16 China 124.6.64.0/18 China 124.14.0.0/15 China 124.16.0.0/15 China 124.20.0.0/14 China 124.28.192.0/18 China 124.29.0.0/17 China 124.31.0.0/16 China 124.40.112.0/20 China 124.40.128.0/18 China 124.42.0.0/16 China 124.47.0.0/18 China 124.64.0.0/15 China 124.66.0.0/17 
China 124.67.0.0/16 China 124.68.0.0/14 China 124.72.0.0/13 China 124.88.0.0/13 China 124.108.8.0/21 China 124.108.40.0/21 China 124.112.0.0/13 China 124.126.0.0/15 China 124.128.0.0/13 China 124.147.128.0/17 China 124.151.0.0/16 China 124.156.0.0/16 China 124.160.0.0/13 China 124.172.0.0/14 China 124.192.0.0/15 China 124.196.0.0/16 China 124.200.0.0/13 China 124.220.0.0/14 China 124.224.0.0/12 China 124.240.0.0/17 China 124.242.0.0/16 China 124.243.192.0/18 China 124.248.0.0/17 China 124.249.0.0/16 China 124.250.0.0/15 China 124.254.0.0/18 China 125.31.192.0/18 China 125.32.0.0/12 China 125.58.128.0/17 China 125.61.128.0/17 China 125.62.0.0/18 China 125.64.0.0/11 China 125.96.0.0/15 China 125.98.0.0/16 China 125.104.0.0/13 China 125.112.0.0/12 China 125.169.0.0/16 China 125.171.0.0/16 China 125.208.0.0/18 China 125.210.0.0/15 China 125.213.0.0/17 China 125.214.96.0/19 China 125.215.0.0/18 China 125.216.0.0/13 China 125.254.128.0/17 China 134.196.0.0/16 China 159.226.0.0/16 China 161.207.0.0/16 China 162.105.0.0/16 China 166.111.0.0/16 China 167.139.0.0/16 China 168.160.0.0/16 China 169.211.1.0/24 China 175.30.0.0/15 China 175.42.0.0/15 China 175.44.0.0/16 China 175.46.0.0/15 China 175.48.0.0/12 China 175.64.0.0/11 China 175.102.0.0/16 China 175.106.128.0/17 China 175.146.0.0/15 China 175.148.0.0/14 China 175.152.0.0/14 China 175.160.0.0/12 China 175.178.0.0/16 China 175.184.128.0/18 China 175.185.0.0/16 China 175.186.0.0/15 China 175.188.0.0/14 China 180.76.0.0/14 China 180.84.0.0/15 China 180.86.0.0/16 China 180.88.0.0/14 China 180.94.56.0/21 China 180.94.96.0/20 China 180.95.128.0/17 China 180.129.128.0/17 China 180.130.0.0/16 China 180.148.224.0/19 China 180.149.128.0/19 China 180.150.160.0/19 China 180.152.0.0/13 China 180.160.0.0/12 China 180.184.0.0/14 China 180.189.148.0/22 China 180.201.0.0/16 China 180.202.0.0/15 China 180.208.0.0/15 China 180.210.224.0/19 China 180.212.0.0/15 China 180.222.224.0/19 China 180.223.0.0/16 China 180.233.0.0/18 China 
180.233.64.0/19 China 180.235.64.0/19 China 182.16.192.0/19 China 182.18.0.0/17 China 182.32.0.0/12 China 182.48.96.0/19 China 182.49.0.0/16 China 182.50.0.0/20 China 182.50.112.0/20 China 182.51.0.0/16 China 182.61.0.0/16 China 182.80.0.0/14 China 183.0.0.0/10 China 183.64.0.0/13 China 183.81.180.0/22 China 183.84.0.0/15 China 183.91.128.0/22 China 183.91.144.0/20 China 183.92.0.0/14 China 183.128.0.0/11 China 183.168.0.0/15 China 183.170.0.0/16 China 183.172.0.0/14 China 183.182.0.0/19 China 183.184.0.0/13 China 192.83.122.0/24 China 192.124.154.0/24 China 192.188.170.0/24 China 198.17.7.0/24 China 198.97.132.0/24 China 202.0.110.0/24 China 202.0.160.0/20 China 202.0.176.0/22 China 202.4.128.0/19 China 202.4.252.0/22 China 202.8.128.0/19 China 202.10.64.0/20 China 202.14.88.0/24 China 202.14.235.0/24 China 202.14.236.0/23 China 202.14.238.0/24 China 202.20.120.0/24 China 202.22.248.0/21 China 202.38.0.0/20 China 202.38.64.0/18 China 202.38.128.0/21 China 202.38.136.0/23 China 202.38.138.0/24 China 202.38.140.0/22 China 202.38.144.0/22 China 202.38.149.0/24 China 202.38.150.0/23 China 202.38.152.0/22 China 202.38.156.0/24 China 202.38.158.0/23 China 202.38.160.0/23 China 202.38.164.0/22 China 202.38.168.0/21 China 202.38.176.0/23 China 202.38.184.0/21 China 202.38.192.0/18 China 202.41.152.0/21 China 202.41.240.0/20 China 202.43.76.0/22 China 202.46.32.0/19 China 202.46.224.0/20 China 202.60.112.0/20 China 202.69.4.0/22 China 202.69.16.0/20 China 202.70.0.0/19 China 202.74.8.0/21 China 202.75.208.0/20 China 202.85.208.0/20 China 202.90.0.0/22 China 202.90.224.0/20 China 202.90.252.0/22 China 202.91.0.0/22 China 202.91.128.0/22 China 202.91.176.0/20 China 202.91.224.0/19 China 202.92.0.0/22 China 202.92.252.0/22 China 202.93.0.0/22 China 202.93.252.0/22 China 202.94.0.0/19 China 202.95.0.0/19 China 202.95.252.0/22 China 202.96.0.0/12 China 202.112.0.0/13 China 202.120.0.0/15 China 202.122.0.0/19 China 202.122.32.0/21 China 202.122.64.0/19 China 202.122.112.0/21 
China 202.122.128.0/24 China 202.123.96.0/20 China 202.124.24.0/21 China 202.125.176.0/20 China 202.127.0.0/21 China 202.127.12.0/22 China 202.127.16.0/20 China 202.127.40.0/21 China 202.127.48.0/20 China 202.127.112.0/20 China 202.127.128.0/19 China 202.127.160.0/21 China 202.127.192.0/18 China 202.130.0.0/19 China 202.130.224.0/19 China 202.131.16.0/21 China 202.131.48.0/20 China 202.131.208.0/20 China 202.136.48.0/20 China 202.136.208.0/20 China 202.136.224.0/20 China 202.141.160.0/19 China 202.142.16.0/20 China 202.143.16.0/20 China 202.148.96.0/19 China 202.149.160.0/20 China 202.149.224.0/19 China 202.150.16.0/20 China 202.152.176.0/20 China 202.153.48.0/20 China 202.158.160.0/19 China 202.160.176.0/20 China 202.164.0.0/20 China 202.164.25.0/24 China 202.165.96.0/21 China 202.165.176.0/20 China 202.165.208.0/20 China 202.168.160.0/19 China 202.170.128.0/19 China 202.170.216.0/21 China 202.173.8.0/21 China 202.173.224.0/19 China 202.179.240.0/20 China 202.180.128.0/19 China 202.181.112.0/20 China 202.189.80.0/20 China 202.192.0.0/12 China 203.18.50.0/24 China 203.79.0.0/20 China 203.80.144.0/20 China 203.81.16.0/20 China 203.83.56.0/21 China 203.86.0.0/18 China 203.86.64.0/19 China 203.88.0.0/22 China 203.88.32.0/19 China 203.88.192.0/19 China 203.89.0.0/22 China 203.90.0.0/22 China 203.90.128.0/18 China 203.90.192.0/19 China 203.91.32.0/19 China 203.91.96.0/20 China 203.91.120.0/21 China 203.92.0.0/22 China 203.92.160.0/19 China 203.93.0.0/16 China 203.94.0.0/18 China 203.95.0.0/21 China 203.95.96.0/19 China 203.99.16.0/20 China 203.99.80.0/20 China 203.100.32.0/20 China 203.100.80.0/20 China 203.100.96.0/19 China 203.100.192.0/20 China 203.110.160.0/19 China 203.114.244.0/22 China 203.118.192.0/19 China 203.118.248.0/22 China 203.119.24.0/21 China 203.119.32.0/22 China 203.119.80.0/22 China 203.128.32.0/19 China 203.128.96.0/19 China 203.128.128.0/19 China 203.130.32.0/19 China 203.132.32.0/19 China 203.134.240.0/21 China 203.135.96.0/19 China 
203.135.160.0/20 China 203.142.219.0/24 China 203.148.0.0/18 China 203.152.64.0/19 China 203.156.192.0/18 China 203.158.16.0/21 China 203.161.180.0/24 China 203.161.192.0/19 China 203.166.160.0/19 China 203.171.224.0/20 China 203.174.7.0/24 China 203.174.96.0/19 China 203.175.128.0/19 China 203.175.192.0/18 China 203.176.168.0/21 China 203.184.80.0/20 China 203.187.160.0/19 China 203.190.96.0/20 China 203.191.16.0/20 China 203.191.64.0/18 China 203.191.144.0/20 China 203.192.0.0/19 China 203.196.0.0/22 China 203.207.64.0/18 China 203.207.128.0/17 China 203.208.0.0/20 China 203.208.16.0/22 China 203.208.32.0/19 China 203.209.224.0/19 China 203.212.0.0/20 China 203.212.80.0/20 China 203.222.192.0/20 China 203.223.0.0/20 China 210.2.0.0/19 China 210.5.0.0/19 China 210.5.32.0/20 China 210.5.144.0/20 China 210.12.0.0/15 China 210.14.64.0/19 China 210.14.112.0/20 China 210.14.128.0/17 China 210.15.0.0/17 China 210.15.128.0/18 China 210.16.128.0/18 China 210.21.0.0/16 China 210.22.0.0/16 China 210.23.32.0/19 China 210.25.0.0/16 China 210.26.0.0/15 China 210.28.0.0/14 China 210.32.0.0/12 China 210.51.0.0/16 China 210.52.0.0/15 China 210.56.192.0/19 China 210.72.0.0/14 China 210.76.0.0/15 China 210.78.0.0/16 China 210.79.64.0/18 China 210.79.224.0/19 China 210.82.0.0/15 China 210.87.128.0/18 China 210.185.192.0/18 China 210.192.96.0/19 China 211.64.0.0/13 China 211.80.0.0/12 China 211.96.0.0/13 China 211.136.0.0/13 China 211.144.0.0/12 China 211.160.0.0/13 China 218.0.0.0/11 China 218.56.0.0/13 China 218.64.0.0/11 China 218.96.0.0/14 China 218.104.0.0/14 China 218.108.0.0/15 China 218.185.192.0/19 China 218.192.0.0/12 China 218.240.0.0/13 China 218.249.0.0/16 China 219.72.0.0/16 China 219.82.0.0/16 China 219.128.0.0/11 China 219.216.0.0/13 China 219.224.0.0/12 China 219.242.0.0/15 China 219.244.0.0/14 China 220.101.192.0/18 China 220.112.0.0/14 China 220.152.128.0/17 China 220.154.0.0/15 China 220.160.0.0/11 China 220.192.0.0/12 China 220.231.0.0/18 China 220.231.128.0/17 
China 220.232.64.0/18 China 220.234.0.0/16 China 220.242.0.0/15 China 220.248.0.0/14 China 221.0.0.0/13 China 221.8.0.0/14 China 221.12.0.0/17 China 221.12.128.0/18 China 221.13.0.0/16 China 221.14.0.0/15 China 221.122.0.0/15 China 221.129.0.0/16 China 221.130.0.0/15 China 221.133.224.0/19 China 221.136.0.0/15 China 221.172.0.0/14 China 221.176.0.0/13 China 221.192.0.0/14 China 221.196.0.0/15 China 221.198.0.0/16 China 221.199.0.0/17 China 221.199.128.0/18 China 221.199.192.0/20 China 221.199.224.0/19 China 221.200.0.0/13 China 221.208.0.0/12 China 221.224.0.0/12 China 222.16.0.0/12 China 222.32.0.0/11 China 222.64.0.0/11 China 222.125.0.0/16 China 222.126.128.0/17 China 222.128.0.0/12 China 222.160.0.0/14 China 222.168.0.0/13 China 222.176.0.0/12 China 222.192.0.0/11 China 222.240.0.0/13 China 222.248.0.0/16 China 222.249.0.0/17 China 222.249.128.0/18 China 222.249.192.0/19 China 222.249.224.0/20 China 222.249.240.0/21 China 222.249.248.0/23 China

Re:Packet Filter (0)

Anonymous Coward | more than 3 years ago | (#31326200)

Dude, wall of text. How am I supposed to read this?

Useless filter. (3, Informative)

FooAtWFU (699187) | more than 3 years ago | (#31326472)

And get 0wned by a zombie in Switzerland or Dubai or Schenectady or something.

Though I wish that MacOS were safer, (1)

dr2chase (653338) | more than 3 years ago | (#31326132)

The initial route of infection for all of the known attacks has been through exploiting flaws in Internet Explorer or Adobe Acrobat using content hosted on external servers.

My box has no IE, no Acrobat. I even use Skim instead of Preview. Flash is turned off by default in the browsers that I do use. Back when I worked for someone who needed to use Windows, we would delete IIS from the system, just to be careful.

On the other hand, if it's a skilled, targeted attack, I would expect a custom exploration of my particular software vulnerabilities.

Asymmetric Warfare (4, Interesting)

sp3d2orbit (81173) | more than 3 years ago | (#31326178)

I read a paper about a decade ago (which I found thanks to Slashdot) describing how China would "hypothetically" wage a war against the US and win without firing a shot. I can't find the paper any more, but it was written by four Chinese generals. Over the last decade things have pretty much played out exactly like the paper laid things out: an economic assault, a propaganda assault, and an electronic assault. If anyone knows the paper I would love to see it again -- I think it even got turned into a book.

One day, long from now, will people wonder why we didn't see the attack coming until it was way too late?

Unrestricted Warfare (4, Informative)

Anonymous Coward | more than 3 years ago | (#31326306)

That paper was this one hosted on Cryptome: Unrestricted Warfare [cryptome.org]
by Qiao Liang and Wang Xiangsui (Beijing: PLA Literature and Arts Publishing House, February 1999)
It is translated by the FBIS, the CIA's Foreign Broadcast Information Service, which collects and translates reports from around the globe.

SMBs and Cloud Computing (2, Interesting)

sp3d2orbit (81173) | more than 3 years ago | (#31326196)

The paper says that small and medium-sized businesses are often targets and that they rarely have the resources to mitigate the attacks. Seems to me like this is a great reason to move to cloud computing. I would think 99% of businesses would be better off letting Google protect their servers than trying to find a way around these attacks themselves.

Woo! Monoculture! (3, Interesting)

copponex (13876) | more than 3 years ago | (#31326348)

I'm sure that doesn't carry any risks!

But seriously, if Google were evil geniuses, they'd create hundreds of smaller data centers around the US, with different ecosystems of software security and virtualization and IP blocks, and then use them as a RAID array to back up each other.

Damn I wish I had a billion bucks.

Re:SMBs and Cloud Computing (1, Insightful)

sumdumass (711423) | more than 3 years ago | (#31326454)

I hope you weren't counting on a Funny mod because Google was a victim of this attack. If you were, then I'm sorry that I walked around it. I do not think cloud computing would be the solution to something like this.

You see, they infiltrated the regular network before infiltrating the servers. Even cloud computing services wouldn't be looking for attacks from inside as it would appear once the workstations were compromised. They basically tricked users into giving them access or visiting a site that took advantage of an exploit to get access on the workstations. From there, it was almost like sitting in the offices that were supposed to be accessing the servers. This would work with or without cloud computing.

Read the article's last paragraph (0)

Anonymous Coward | more than 3 years ago | (#31326292)

I don't normally read the Slashdot articles, but happened to read this one. Read the last paragraph, it is chilling.

DK

but there are easier ways (0)

Anonymous Coward | more than 3 years ago | (#31326312)

Isn't Google putting in backdoors to their apps per government requirements? Now bend over.

Oh brother.. (2, Insightful)

jav1231 (539129) | more than 3 years ago | (#31326330)

"We went to do business in a communist nation and they attacked our network, attempting to gain access and who knows what!?" As my teenaged daughter used to say, "Uh..Hello! Yeah!?" Which loosely translates to: And you're surprised?

Custom Built (0)

Anonymous Coward | more than 3 years ago | (#31326362)

Well, it's obvious why all these attacks work in the first place: companies don't use custom-built operating systems. It's a lot harder to attack anything when you have no idea what's what, where everything is based on a single letter and number sequence to get things done, such as f8 for internet, or q0 for delete, or r2 to set us up the bomb. Build it from scratch, write out any vulnerabilities or, hell, just make sure everything important is on the corporate intranet and anything you might need to work on has to be copied to a separate intranet for VPN access to work from home; don't allow internet access :D

Chinese Patience (3, Informative)

IonOtter (629215) | more than 3 years ago | (#31326370)

When I was in the military, we used to shred our secret documents to NSA specs, which is 0.8mm x 4mm. That's about the same width as the "i" in the subject, and about twice as long.

In 2002, we were informed that this was not small enough, and now had to run the shredded documents through the hammer mill [wikipedia.org], so everything would be reduced to powder.

They caught some folks rummaging at the local landfill, looking for the trash bags filled with end-of-week, end-of-month and end-of-year destruction.

Those people had stereo microscopes [wikipedia.org] in their homes and apartments, and were reassembling the documents and crypto tapes, one tiny piece at a time.

The Chinese have existed as a nation for longer than any other civilization on the face of this planet, and they take the "long view" in such things.

Re:Chinese Patience (5, Informative)

VendettaMF (629699) | more than 3 years ago | (#31326464)

> The Chinese have existed as a nation for longer than any other civilization on the face of this planet,
> and they take the "long view" in such things.

Thankfully both of these are incorrect to a lesser and greater degree respectively.

There may have been people living in the areas of land now referred to as China, but any links between historical cultures and thought and the modern morass are purely fictional.

And as anyone who has done business in/with China can tell you one of the biggest problems inherent to the nation is a complete inability to plan ahead or consider delayed benefits. None of the Chinese businesses I've worked in, nor the government bureaucracy I've suffered through, have ever included any possibility of passing up 10 bucks in their pocket right now in exchange for a thousand tomorrow.

We're dealing with a cultural mindset that would unhesitatingly slaughter the goose that laid the golden eggs, not in hopes of finding lots of eggs inside (that assumption requires some logical thought and deductive reasoning), but simply to take its feed and head for picking.

There is no concept of repeat business here. Any supplier who believes they can get away with it will supply a shipment of non-functional crap and pocket the single payment rather than even bother trying to set up monthly deliveries of functional goods.

The unstable legal system is partly at fault here. There is just no way in this culture to be sure that your products won't be outlawed/super-taxed next week. Money under the mattress is the only surety.
