Yell “Chinese dissidents’ gmail hacked” and people say “huh?” Yell “Cloud” and you lose millions.

Last Updated on Tuesday, 9 March 2010 10:44 Written by Jeffreycarr Tuesday, 9 March 2010 10:44

While far too much about the December attacks on Google and 30+ other companies remains unknown, consider what the following companies, all victims of these attacks, have in common:

  • Google
  • Yahoo
  • Adobe
  • Intel
  • Rackspace
  • Juniper Networks

They either provide Cloud services (Google, Yahoo, Adobe) or support them in some way, i.e.:

If my speculation is correct, then I wouldn’t be surprised to hear that Amazon and Microsoft were also hit since both are major Cloud service providers (EC2 and Azure).

Think of this as the cyber equivalent of a reconnaissance mission where the task was to survey and exfiltrate information on the major Cloud service providers as well as the companies that provide hardware and software to support and/or secure Cloud operations. That would imply that the actual attack is yet to come, and it won’t be about Chinese dissidents having their gmail accounts hacked.

Arbor Networks recently released its Fifth Annual Infrastructure Security Report, and one of its highlights for 2010 is:

Attacks Shift to the Cloud: Nearly 35% of respondents believe that more sophisticated service and application attacks represent the largest operational threat over the next 12 months.

It should be noted that Google has denied that the attack had anything to do with the Cloud, tellingly, on its Enterprise blog. The post was written by David Girouard, president of Google’s Enterprise group:

“This was not an assault on cloud computing. It was an attack on the technology infrastructure of major corporations in sectors as diverse as finance, technology, media, and chemical. The route the attackers used was malicious software used to infect personal computers.”

I don’t mean to mock Google’s not-so-subtle attempt to protect its income stream, but doesn’t this response remind you of that scene from Jaws when the mayor tried to explain to the police chief how he should be more careful with his words?

Mayor Vaughn: Martin, it’s all psychological. You yell barracuda, everybody says, “Huh? What?” You yell shark, we’ve got a panic on our hands on the Fourth of July.


4 Words for U.S. companies suffering network attacks

Last Updated on Wednesday, 27 January 2010 01:34 Written by Jeffreycarr Wednesday, 27 January 2010 01:34

  1. Put
  2. Your
  3. Country
  4. First

That’s right. I said it. I’m invoking the P word – “Patriotism”. If getting your networks pwned and your sensitive data stolen, and not knowing who’s responsible is beginning to piss you off, there’s a simple solution. Put the interests of your country ahead of yourself; ahead of your shareholders; ahead of your manager, your VP, and your CEO; and acknowledge your breach (and everything that that entails).

I’m talking to all 30+ companies hit by the same parties responsible for the Google – China attack and who have chosen not to admit it. I’m talking to all of the energy companies who have been subject to successful network breaches or given in to extortion threats and are keeping quiet about it because acknowledging it may result in financial losses. Put your fear and self-interest aside, and announce that you’ve been attacked, share what’s been stolen, and make your logs and other facts related to your incident available to the organizations that need it to determine attribution.

This must be done if you expect us to identify the threats out there and protect you from them. The key to determining attribution is, in the words of Jeff Jonas, “data finding data“. Keeping your network breaches and data losses a secret only serves your attacker and makes you more of a target. Put your country first for a change. Let’s get a little patriotism up in this bitch.
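What “data finding data” means in practice is that an indicator that looks like noise in one victim’s logs becomes a link the moment a second victim shares theirs. The following is an added example, not code from the original post or from GreyLogic: it correlates proxy-log excerpts from three hypothetical victims (the victim names, workstation names, timestamps and destination addresses are constructed; the IP addresses are documentation ranges standing in for external staging servers) and shows that the cluster only appears once the quiet victim contributes its data.

```python
"""Cross-victim indicator correlation ("data finding data").

Added example; not code from the original post. All victim names, hosts and
addresses are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed proxy-log excerpts, as three hypothetical victims might share them.
VICTIM_LOGS = {
    "victim-a": """\
2010-01-04T02:11:09Z ws-eng-17 CONNECT 203.0.113.10:443 bytes_out=1938402
2010-01-04T02:15:44Z ws-eng-17 CONNECT 198.51.100.44:443 bytes_out=40113
2010-01-05T11:02:01Z ws-hr-02 GET cdn.example-updates.net:80 bytes_out=512
""",
    "victim-b": """\
2010-01-06T23:40:18Z lab-ws-3 CONNECT 198.51.100.44:443 bytes_out=880120
2010-01-07T00:02:37Z lab-ws-3 CONNECT 192.0.2.200:443 bytes_out=22004
""",
    "victim-c": """\
2010-01-09T04:13:55Z dev-09 CONNECT 203.0.113.10:443 bytes_out=3010449
2010-01-09T04:30:12Z dev-09 GET www.example.com:80 bytes_out=300
""",
}

# Hypothetical log layout: timestamp, source host, method, destination:port, bytes_out.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) "
    r"(?P<dst>[^:\s]+):(?P<port>\d+) bytes_out=(?P<out>\d+)$"
)


def extract_destinations(log_text: str) -> set:
    """Return the set of destination hosts contacted in one victim's excerpt."""
    dsts = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            dsts.add(m.group("dst"))
    return dsts


def shared_indicators(logs: dict, min_victims: int = 2) -> dict:
    """Map each destination to the victims that contacted it, keeping only
    destinations seen at min_victims or more organisations."""
    seen_by = defaultdict(set)
    for victim, text in logs.items():
        for dst in extract_destinations(text):
            seen_by[dst].add(victim)
    return {dst: sorted(v) for dst, v in seen_by.items() if len(v) >= min_victims}


def victim_clusters(logs: dict) -> list:
    """Group victims linked, directly or transitively, by shared destinations
    (connected components over the victim/indicator graph)."""
    adjacency = defaultdict(set)
    for victims in shared_indicators(logs).values():
        for v in victims:
            adjacency[v].update(victims)
    clusters, seen = [], set()
    for start in sorted(logs):
        if start in seen:
            continue
        stack, component = [start], set()
        while stack:
            v = stack.pop()
            if v in component:
                continue
            component.add(v)
            stack.extend(adjacency[v] - component)
        seen |= component
        clusters.append(sorted(component))
    return clusters


if __name__ == "__main__":
    print("with all three victims:", victim_clusters(VICTIM_LOGS))
    silent_a = {k: v for k, v in VICTIM_LOGS.items() if k != "victim-a"}
    print("with victim-a silent:  ", victim_clusters(silent_a))
```

With all three excerpts, 203.0.113.10 ties victim-a to victim-c and 198.51.100.44 ties victim-a to victim-b, so the three collapse into one cluster. Drop victim-a’s logs and the other two share nothing: the campaign is invisible, which is exactly the cost of a victim staying silent.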


The CNE Model favored by State actors in attacks against Google and others

Last Updated on Tuesday, 19 January 2010 08:34 Written by Jeffreycarr Tuesday, 19 January 2010 08:34

Computer Network Exploitation (CNE) is the latest iteration of the age-old game of espionage. Technology has changed the methods used, but the goal remains the same: covert discovery of information of value to the attacker.

One of many things that GreyLogic/Project Grey Goose investigators look at for determining attribution in politically motivated attacks is methodology. Chapter 10 of “Inside Cyber Warfare” provides a detailed explanation of how these types of attacks are planned and executed. The main points are listed below, each followed by the facts related to the Aurora operation that match it.

Obtain a zero-day exploit for a popular client-side application, such as a web browser, a PDF reader, or Microsoft Word, delivered through a web page, .pdf file, or Word document.

A zero-day vulnerability impacting Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 running on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 (Microsoft Security Advisory 979352, tracked as CVE-2010-0249).

Use Open Source Intelligence to create an operational picture of the target, then create a plausible scenario that will attract the target’s interest.

“As with most targeted attacks, the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals. We suspect these individuals were targeted because they likely had access to valuable intellectual property. These attacks will look like they come from a trusted source, leading the target to fall for the trap and clicking a link or file. That’s when the exploitation takes place, using the vulnerability in Microsoft’s Internet Explorer.” McAfee Security Insights blog

Encrypt the stolen data before exfiltrating it from the compromised network.

“The attackers used nearly a dozen pieces of malware and several levels of encryption to burrow deeply into the bowels of company networks and obscure their activity, according to Alperovitch. “The encryption was highly successful in obfuscating the attack and avoiding common detection methods,” he said. “We haven’t seen encryption at this level. It was highly sophisticated.” Wired.com/Threatlevel blog

Use multiple staging servers to exfiltrate the data.

“Once the hackers were in systems, they siphoned off data to command-and-control servers in Illinois, Texas and Taiwan.” Wired.com/Threatlevel blog
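The last two points of the model, encrypted payloads and fan-out to several staging servers, are also what a defender can look for. The following is an added example, not code from the original post or from any of the vendors quoted above: it scores outbound request bodies by Shannon entropy and flags an internal host that pushes high-entropy data to two or more external destinations. The transfer records, host names and addresses are constructed (documentation IP ranges stand in for external staging servers), and the encrypted-looking payloads are generated deterministically from SHA-256 so the example runs offline.

```python
"""Flag encrypted-looking uploads fanned out to several external hosts.

Added example; not code from the original post. Hosts, addresses and payloads
below are constructed, not indicators from the Aurora operation.
"""
import hashlib
import ipaddress
import math
from collections import Counter, defaultdict


def pseudo_random(seed: bytes, n: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 is the maximum; text sits near 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# RFC 1918 ranges are treated as internal; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


CIPHERTEXT_A = pseudo_random(b"constructed-seed-a", 4096)
CIPHERTEXT_B = pseudo_random(b"constructed-seed-b", 4096)
PLAINTEXT = b'{"user":"jdoe","report":"Q4 numbers look fine, see attachment"}\n' * 40

# Constructed transfer records: (source host, destination IP, HTTP method, body).
SAMPLE_TRANSFERS = [
    # ws-eng-17 pushes ciphertext-like blobs to three different external hosts
    ("ws-eng-17", "203.0.113.10", "POST", CIPHERTEXT_A),
    ("ws-eng-17", "198.51.100.44", "POST", CIPHERTEXT_B),
    ("ws-eng-17", "192.0.2.200", "POST", CIPHERTEXT_A[:1024]),
    # the same host talking to an internal file server is ignored
    ("ws-eng-17", "10.20.30.40", "POST", CIPHERTEXT_B),
    # an ordinary user posting plaintext forms to one SaaS host
    ("ws-fin-03", "203.0.113.99", "POST", PLAINTEXT),
    # one encrypted upload to a single host stays below the fan-out threshold
    ("ws-ops-01", "198.51.100.7", "POST", CIPHERTEXT_B),
    # requests without a body carry nothing to score
    ("ws-eng-17", "203.0.113.10", "GET", b""),
]


def find_staging_fanout(transfers, entropy_threshold: float = 7.5,
                        min_destinations: int = 2, min_body: int = 512) -> dict:
    """Return {source host: sorted external destinations} for hosts that sent
    high-entropy bodies to at least min_destinations distinct external hosts."""
    per_source = defaultdict(set)
    for src, dst, method, body in transfers:
        if method != "POST" or len(body) < min_body or is_internal(dst):
            continue
        if shannon_entropy(body) >= entropy_threshold:
            per_source[src].add(dst)
    return {src: sorted(d) for src, d in per_source.items() if len(d) >= min_destinations}


if __name__ == "__main__":
    for src, dsts in find_staging_fanout(SAMPLE_TRANSFERS).items():
        print(f"{src}: high-entropy uploads to {len(dsts)} external hosts: {', '.join(dsts)}")
```

Two caveats a practitioner would add. Body entropy is only observable where the payload is visible to you (an unencrypted channel or a TLS-inspecting proxy); against HTTPS exfiltration the fan-out, volume and timing signals in the same function are what remain. And compressed archives score nearly as high as ciphertext, so a hit is a lead for the incident responder, not a verdict.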

Yet another component is the use of insiders. This is not a universal attribute, but it is a common strategy that we’ve seen used in foreign research labs operating inside both China and Russia, which employ highly skilled scientists or engineers from the host country. Apparently, Google suspects that such was the case with Operation Aurora.

Had Google not gone public with the details of this attack, we would not be able to add this case to the growing body of evidence that helps governments understand the defining characteristics of State versus Non-state cyber attacks. Companies who continue to hide the fact that they’ve been attacked need to reconsider their justification for such a position and decide which is more important: protecting their stock price or helping their country build a more informed defensive and offensive cyber security strategy.

* the graphic used at the top of this post comes from the 2009 U.S. China Economic and Security Review Commission study on Chinese Information Warfare capabilities.
