Friday, April 11, 2014

Is your site vulnerable to the OpenSSL Heartbleed flaw?


I was too lazy (or too busy?) to write another blog post (the last one was written in 2012); there are so many of them on the Net these days. However, I feel the urge to share useful information with those who run web sites.

You may already know about the widely publicized Heartbleed bug (http://heartbleed.com/) that may be affecting more than 500,000 systems across the Internet. Heartbleed is a bug in the OpenSSL library, v. 1.0.1 up to 1.1.f, which is used for encrypted communication by VPNs and web sites across the world. The flaw in the program exposes information that sits in the server's memory to attackers. That information may include users’ credentials, credit card numbers, and even the private keys your server uses for encrypted communication.

This flaw may affect many communication systems that use VPN, SSL, Cisco IP phones, and VMware servers. We all appreciate it when a flaw is discovered BEFORE actual attacks occur, so this time it was a timely message to the world community, and most of the vendors have applied the fix or workarounds.

A few workarounds have been suggested:

1) Change the communication port 443 used by SSL.

2) Use a firewall rule to drop all SSL heartbeat requests. For instance, with the iptables u32 module (thanks to the Coalfire.com guys for the tip):

iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 "52=0x18030000:0x1803FFFF" -j DROP
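The u32 rule above matches four bytes of the TCP payload at a fixed offset. The following Python is an added example, not part of the original post or of Coalfire's tip: it parses TLS records from a constructed TCP payload, flags heartbeat records (including the malformed shape a patched server must reject), and shows when the fixed-offset rule matches and when it silently does not.

```python
import struct

# TLS record content types (RFC 5246 / RFC 6520)
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data",
                     0x18: "heartbeat"}
TLS_HEARTBEAT = 0x18


def parse_tls_records(payload: bytes):
    """Split a TCP payload into (content_type, version, body) tuples.
    Parsing stops at the first record that does not look like TLS."""
    records = []
    off = 0
    while off + 5 <= len(payload):
        ctype, version, length = struct.unpack("!BHH", payload[off:off + 5])
        if (version >> 8) != 0x03 or ctype not in TLS_CONTENT_TYPES:
            break
        body = payload[off + 5:off + 5 + length]
        records.append((ctype, version, body))
        off += 5 + length
    return records


def heartbeat_messages(payload: bytes):
    """Return (hb_type, claimed_payload_len, actual_payload_len) for every
    heartbeat record. A claimed length far above the bytes actually present
    is the malformed request shape behind Heartbleed; a patched server
    discards such a record instead of answering it."""
    found = []
    for ctype, _version, body in parse_tls_records(payload):
        if ctype != TLS_HEARTBEAT or len(body) < 3:
            continue
        hb_type = body[0]
        claimed = struct.unpack("!H", body[1:3])[0]
        found.append((hb_type, claimed, len(body) - 3))
    return found


def u32_rule_matches(packet: bytes) -> bool:
    """Mirror the iptables u32 match "52=0x18030000:0x1803FFFF": the 32-bit
    word at byte offset 52 from the start of the IP header must fall in that
    range, i.e. byte 52 is 0x18 (heartbeat) and byte 53 is 0x03 (TLS major
    version). Offset 52 is the TCP payload only for a 20-byte IP header plus
    a 32-byte TCP header (20 bytes + 12 bytes of options, e.g. timestamps)."""
    if len(packet) < 56:
        return False
    word = struct.unpack("!I", packet[52:56])[0]
    return 0x18030000 <= word <= 0x1803FFFF


def tcp_payload(packet: bytes) -> bytes:
    """Locate the TCP payload from the real header lengths (IPv4 IHL and
    TCP data offset) instead of assuming a fixed offset."""
    ihl = (packet[0] & 0x0F) * 4
    data_offset = (packet[ihl + 12] >> 4) * 4
    return packet[ihl + data_offset:]


def heartbeat_in_packet(packet: bytes) -> bool:
    """Header-length-aware check for a heartbeat record in the packet."""
    return bool(heartbeat_messages(tcp_payload(packet)))


def build_packet(tcp_header_len: int, payload: bytes) -> bytes:
    """Constructed IPv4+TCP frame with zeroed addresses, ports and checksums;
    only the length fields the parsers read are meaningful."""
    ip_header = bytes([0x45]) + b"\x00" * 19           # IHL = 5 -> 20 bytes
    tcp_header = bytearray(tcp_header_len)
    tcp_header[12] = (tcp_header_len // 4) << 4        # data offset in words
    return ip_header + bytes(tcp_header) + payload


# Constructed sample: a heartbeat request claiming 16384 payload bytes while
# carrying none, followed by a normal 5-byte application_data record.
SAMPLE_HEARTBEAT = b"\x18\x03\x02\x00\x03" + b"\x01\x40\x00"
SAMPLE_APPDATA = b"\x17\x03\x02\x00\x05" + b"hello"
SAMPLE_PAYLOAD = SAMPLE_HEARTBEAT + SAMPLE_APPDATA


if __name__ == "__main__":
    for hb_type, claimed, actual in heartbeat_messages(SAMPLE_PAYLOAD):
        print(f"heartbeat type={hb_type} claimed={claimed} actual={actual}")
    for tcp_len in (32, 20):
        pkt = build_packet(tcp_len, SAMPLE_PAYLOAD)
        print(f"tcp header {tcp_len}B: u32 rule matches={u32_rule_matches(pkt)}, "
              f"header-aware parse finds heartbeat={heartbeat_in_packet(pkt)}")
```

The rule only inspects offset 52, so a packet with a 20-byte TCP header (no options) carries the heartbeat at offset 40 and slips through, while the header-aware parser still finds it; treat the rule as a stop-gap until OpenSSL is patched.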

You can test whether your site is vulnerable by using the Qualys SSL Labs test: https://www.ssllabs.com/ssltest/

Below is the result of the test for the RTEK2000.com site:




Quite a detailed report follows the Summary, containing plenty of information about the certificates your site is using, algorithms, protocols, ciphers, and even a handshake simulation with all known browsers, including mobile ones.

Anything confusing can be investigated further because the lab provides links to more information. Highly recommended!

Sunday, February 5, 2012

Stop certification test leaks! The saga continues...

Those who have read my article about certification exam cheaters (http://securecyber.blogspot.com/2008/08/finally-cheaters-are-panished-kind-of.html) remember that Microsoft sued TestKing.com for undermining its exams with stolen exam questions turned into huge profit.
Guess what? The saga continues. While browsing the web for exam materials, I found links to the transcender[dot]me web site. Several vendors resell the Transcender exam simulations, and you can download discounted exams from the Transcender web site directly, but the named web site has a different approach: flooding the Internet with cheap imitations of exam questions UNDER THE TRANSCENDER TRADEMARK(!). When you look at the list of their sponsors, it's easy to see that the sponsors are so-called "dump" web sites where the real exam questions are being "dumped" through blogs. There is a fierce fight against sites like this, but apparently the fight is not over.

Beware of cheap imitations! Boycott the "dump" web sites that destroy the value of any certification, since the exam becomes just a matter of downloading stolen questions and having a set of ready-to-use answers. No doubt the companies who are looking for certified professionals will pay less attention to those certifications (even if you were not using the "dump" web sites) because a passed exam might not reflect the level of your expertise.

It is a matter of pride for all IT professionals (who studied hard and spent time and money to certify their knowledge) to fight cheap imitators. Spread the news about cheaters!

Friday, February 18, 2011

Job Recruiters - a falling industry?

It's a good time to express my disgust with today's job recruiters.

Google rules the world of search, but when it comes to the keywords in your resume... it becomes a nightmare. First of all, many job recruiting firms hire foreigners or simply outsource the service in order to save money and make more profit. The result is a huge number of e-mails to potential job candidates based on keywords found in the resume posted online.

In 95% of cases (based on my own statistics), the job recruiters are clueless about:
1. Your actual technical skills
2. Where your home is located relative to the company that has a job position open
3. Your actual technical level (beginner, advanced, expert; entry-level or senior)

With over 20 years of experience in the IT world, combining Information Security, Web Design, and LAN/WAN Administration and Management, and several industry certifications including CISSP, I have been offered the following jobs:

a) A Desktop Support Technician
b) A C++ programmer (I have never programmed in my life)
c) A Java programmer (just last week)
d) An Oracle programmer (because I used Oracle Hyperion Reporting software)
e) A Senior PHP programmer (I used some ready-to-use PHP scripts in old projects)
f) A Help Desk Technician
g) An SAP programmer (I don’t have anything in my resume that would point to SAP!)
h) A LAN Administrator for $30/h

… not to mention a number of jobs with about a 1.5-2 hour commute or, in most cases, out of my city for temporary-to-permanent assignments.

Well, I would understand those folks who lost their job and are willing to go anywhere just to get back on track, but as I clearly indicated in my resume, thank G-d, I have a job and it is 8 miles away from my home. What kind of money can an employer offer to compensate for my hours in traffic, the part of my life that will never come back?

Today’s job recruiters are not willing to even read your resume through to understand who you are and what you are capable of. They are just working with the keywords in your resume, not with you. I don’t want to say that ALL job recruiters are the same. There are some exceptions. Those recruiters who are willing to make an extra step and research the information on social networking sites (particularly LinkedIn.com) are more successful, which results in better job placement and satisfaction.

However, most of the e-mails I have received are telling me one thing: the job recruiter is a low-qualification person who did not read your resume and probably has no clue about the IT world at all, not to mention that he/she is not familiar with the geography and traffic in your area.

As with any industry, the quality of a product or service should grow over time, but in this case I believe the job recruitment industry is degrading slowly but surely. Many online readers and writers have complained too, so I am not alone. Is there any expectation that things will improve in the future? Maybe it’s just a temporary “illness” of this industry? Who knows? Let’s hope. Until then, think about your resume as SEO and optimize it for Google keywords.

April 2014 update.
My hope for improvement is lost. Things became even worse. The flood of unqualified foreigners subcontracted (and maybe located overseas) by HR departments, or by job recruiting companies growing like mushrooms, is overwhelming.
Considering my experience with hundreds of useless e-mails with job opportunities, I have inserted a request in my resume NOT TO CONTACT ME if the company location is further than 15-20 miles from my home address (in red ink!). Guess what?
No reaction! I am still getting useless job descriptions from hundreds (!) of so-called "job recruiters" whom you can barely understand when they decide to call you because you just deleted their e-mails.

If some of them happen to read this blog, please (!!) follow these rules:
1) Get IT training in the field you are hiring for;
2) Read the resume first to understand the actual qualifications;
3) Don't rely only on keywords; the search results can be confusing and misleading!
4) PLEASE don't bother people if you did not follow the 3 rules above.

Good luck everyone!

Thursday, January 13, 2011

FACE THE DANGER

There is no reason to explain again that today’s computing is not possible without adequate protection against viruses, malware, botnets, and all other cyber “weapons”. You are probably as overwhelmed as I am with the number of articles, experts’ advice, webinars, and various tutorials about user awareness.

What I want to add is a description of the face of the real danger, the danger that the majority of computer users are not aware of. The new hacking techniques and tools make your security protection tools look like kids' toys. In my March 2010 article I suggested a set of software tools to protect your computers (perhaps from all known malware).
What I have learned is that after the Stuxnet cyberattack became known and was described in more or less detail, many security professionals revised their entire approach to security protection. The common denominator of all opinions is the fact that our commonly accepted approach to IT security is not working anymore due to the new and highly sophisticated penetration tools that were developed recently. No, I am not going to discuss Stuxnet and similar highly sophisticated software that was discussed widely on the Internet, but rather the down-to-earth penetration tools that are available today.
The goal of this article is to make more people aware that our poor antivirus programs may protect you from only 20 to 30% of today’s penetration software. Disagree?
Just today, I got an e-mail from “Hakin9 Mewsletter newsletteren@hakin9.org” with the following content. As is (no spelling correction):
“Russia Hackers are pleased to announce RH2.5 KIT ver 2011
that people can use to hack & secure computer systems by
knowing exactly how a hacker would break into it.

Collection of Advanced Hacking Guides & Tools.
PDF Guide:

1. Advanced Hacking Guide with MEtasploit
2. Malware Development (RATS, botnets, Rootkits)
3. Convert exe into PDF, XLS, DOC, JPG
4. Exploit development guide
5. Tech Tricks (Spoofing-Sms,email,call)
6. Download any Apple Apps Free of cost
7. Credit Card HAcking
8. Netbanking Hacking-bypass Virtual KEyboard
9. Spreading guide to Infect 100K/Victims per day
10. Advanced Email Hacking Tricks
11. SET(Social Engineering Toolkit) module
12. Links for other russian hacking sites
Hacking Marketplace

Tools/Services:

{Value more than 1500 USD}

1. Polomorphic Crypter's (to make Files undetectable- bypass all AV Scantime,runtime)
2. Java Driveby FUD (deploy your exe by URL on target)
3. Immunity Canvas (Hack remote pc with IP address)
4. Paid Botnets (Spyeye,etc)
5. IRC Bots(Ganga, niger,etc)
6. Yahoo messenger zeroday exploit (run exe on target)
7. Ice pack Enterprise (execute exe using php script)
8. Bleeding_Life_V2_pack /Other Packs
Service's:
1. One Linux Based VPS with Root access for Lab Setup (Safe & Secure)
2. VPN Double + Triple Encrypted (Hide your real Ip Address)
3. Fake Emailer with attachment
4. Email Bomber (Send 1 million emails into Inbox)
5. DDOS Attacks Shells
Hire a Hacker
for Offensive and Defensive services, Internal on-site penetration testing gives
the business the assurance it needs to conduct safely in the Internet and with business partners.

Email at: root@russiahackers.ru or russiahackers@mail.ru
Visit Site
First of all, I am a subscriber of Hakin9 IT Security Magazine, and I get news about new developments in the world of IT security. Normally, the “FROM” e-mail address field looks like this:
Hakin9 Magazine newsletteren@hakin9.org
This time, it was slightly different:
Hakin9 Mewsletter newsletteren@hakin9.org
As you see above (and I have no doubts, considering the misspellings and ignorance of normal technical English), the content of the e-mail was pure advertisement with a link to a live web site that offers the two sets of tools for $100 and $250 USD respectively.
My guess is that my e-mail account was hacked along with many others, and the Russian hackers e-mailed the information about their “products”.
Let me be honest: I am not so worried about the hacking of my e-mail account but about the “products” offered on the web site.
Let’s review some.
Convert exe into PDF, XLS, DOC, JPG
This one is the most troubling of the “products”. Just imagine that you get a file with one of the above extensions attached to your e-mail and try to open it. The file immediately executes the built-in code, and voila! Your PC is infected. Can anti-virus or a firewall prevent it? I honestly doubt it…
Polymorphic Crypters (to make Files undetectable- bypass all AV Scantime, runtime)
No need to give an explanation – this code will bypass all Antimalware programs.
Spreading guide to Infect 100K/Victims per day
Tutorial on how to infect hundreds of thousands of PC users per day!
SET(Social Engineering Toolkit) module 
Welcome to infected Facebook and Twitter!
Netbanking Hacking-bypass Virtual Keyboard
Do you use online banking? I do, most of my friends do, and most of their friends do, too! Now, imagine you have opened one of the infected e-mails (or e-mails with an infected attachment), and you will be faced with a nasty surprise: your account has a zero balance! It could also happen on-the-fly, while you are logging into your banking account.
Immunity Canvas (Hack remote PC with IP address)
If the hacker knows the IP address of your PC, it can be hacked with this tool. You are no longer a single Administrator of your computer. You will share it with “nasty boys” who can speak not only English but also Russian or Chinese! A simple IP scanner (like free LanSpy) will help to identify your computer’s hardware, operating system, many installed programs, computer domain and NetBios names, MAC address, remote control, time, discs, transports, users, global and local users groups, policy settings, shared resources, sessions, open files, services, registry and event log information. Nothing on the remote computer is hidden from them now…
Welcome to the hacking world!
Should I continue?
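For the "Convert exe into PDF, XLS, DOC, JPG" item above, a mail gateway can at least refuse to trust the file extension. The following Python is an added example (not from the original post or from the advertised kit): it compares each attachment's declared extension with its leading bytes, so a Windows executable renamed to .pdf or .xls, or a zip posing as a .jpg, is held back. The sample attachments are constructed.

```python
import os

# Leading bytes ("magic") of the document types named in the advertisement.
DOCUMENT_MAGIC = {
    ".pdf":  [b"%PDF-"],
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".doc":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],   # OLE2 compound file
    ".xls":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    ".docx": [b"PK\x03\x04"],                          # OOXML is a zip container
    ".xlsx": [b"PK\x03\x04"],
}
# Leading bytes of native executables that should never arrive under a
# document extension.
EXECUTABLE_MAGIC = [b"MZ", b"\x7fELF"]
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif"}


def declared_extension(filename: str) -> str:
    """Extension that actually decides how Windows opens the file;
    'invoice.pdf.exe' is still .exe."""
    return os.path.splitext(filename.lower())[1]


def classify_attachment(filename: str, data: bytes) -> str:
    """Compare the declared extension with the real content.
    Verdicts: 'executable', 'executable-disguised', 'ok', 'type-mismatch',
    'unknown-type'."""
    ext = declared_extension(filename)
    head = data[:8]
    for magic in EXECUTABLE_MAGIC:
        if head.startswith(magic):
            return "executable" if ext in EXECUTABLE_EXTENSIONS else "executable-disguised"
    if ext in EXECUTABLE_EXTENSIONS:
        return "executable"
    if ext not in DOCUMENT_MAGIC:
        return "unknown-type"
    if any(head.startswith(m) for m in DOCUMENT_MAGIC[ext]):
        return "ok"
    return "type-mismatch"


def quarantine_list(attachments):
    """Return the names of attachments a gateway should hold back: anything
    executable, disguised, or not matching its declared extension."""
    hold = {"executable", "executable-disguised", "type-mismatch"}
    return [name for name, data in attachments
            if classify_attachment(name, data) in hold]


# Constructed sample attachments (only the leading bytes matter here).
SAMPLE_ATTACHMENTS = [
    ("report.pdf",      b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("statement.pdf",   b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"),   # PE renamed to .pdf
    ("photo.jpg",       b"PK\x03\x04\x14\x00\x00\x00"),           # zip renamed to .jpg
    ("budget.xls",      b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00"),
    ("invoice.pdf.exe", b"MZ\x90\x00"),
    ("notes.txt",       b"plain text"),
]


if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        print(f"{name:16s} -> {classify_attachment(name, data)}")
    print("hold back:", quarantine_list(SAMPLE_ATTACHMENTS))
```

This is a first filter only: PDF readers tolerate junk before the %PDF- header and a genuine document can still carry an exploit, so the check belongs in front of, not instead of, content scanning.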
You may want to ask, “what should I do?” I’d be very glad and happy if I could give you a definite answer, but I don’t have one. The minimum you can do is to EDUCATE: yourself, your family and friends, friends of your friends, and, of course, corporate users if you are responsible for secure computing at your organization. So, instead of reading stupid chain e-mails that try to scare you if you don’t resend them immediately to another 10 people (a nice way to spread malware!), your fellow citizens will read and forward information about how to compute securely and not become the victims of cyber-gangsters.
As for the tools that I suggested in my previous article, they are still vital. It’s better to have some basic protection plus knowledge of secure computing than to ignore it completely just because those tools do not provide 100% security.
Happy and secure computing in 2011!

Monday, April 19, 2010

What is Antivirus RAP Testing And Why Is It Important?

Why am I still a fan of Sunbelt's VIPRE Antivirus+Antispam software?

As I mentioned in my blog earlier, VIPRE has numerous advantages over competitors, and another independent test has proven the value of this software. In fact, I have replaced all free and commercial anti-malware products on my home network with VIPRE, and recommended it to all my friends and several small business owners. I have no regrets.
You might know that Virus Bulletin is the world's most prestigious antivirus lab. They have been testing antivirus products for years. Apart from their VB100 certification, they have another interesting test called RAP. It stands for "Reactive and Proactive", and helps you form an impression of the heuristic and generic proactive detection capability of security software products, in particular how well products perform against malware that appears after vendors have submitted their products to Virus Bulletin for testing. They create a quadrant a few times a year and compare all the products they have tested. And as you see, VIPRE does EXCELLENTLY in this test in April 2010, compared to all the other products out there. Top right in the quadrant is the highest quality. http://www.sunbeltsoftware.com/alex/gblog/rap_detections_2.jpg

As I noted in another blog (The cyber-gangsters' "weapons" and the state of Internet security), there is no anti-virus program that can protect your PC from 100% of all malware; however, it should be an important part of your defense system, and this is where Sunbelt Software’s VIPRE engine (as one of the top AV products for reactive and proactive detection) shines. Virus Bulletin's RAP testing measures products' reactive and proactive detection abilities against the most recent malware that has emerged around the world. The test measures virus/malware detection rates using 4 specific sets of malware samples (look at the X and Y axes). The first three test sets reflect malware first seen in each of the three weeks prior to product submission. The results show how quickly product developers react to the steady flood of new malware emerging every day across the world. The last test set consists of malware samples first seen in the week after product submission. This test set is used to measure products' ability to detect new and unknown viruses proactively, using heuristic and generic techniques.

You can read more (and see the comparison charts as well) at the RTEK 2000 web site. I recommend VIPRE products based on my own experience and my own testing against competitors. Get VIPRE (pronounced "viper") now. I bet that the small fee for this commercial product will pay off handsomely.

Friday, March 26, 2010

This isn't a pattern of failure. It's a surrender cult.

To add to my previous article about Chinese hackers (U.S. is losing power as the world leader), I recommend reading the article from the New York Post. Especially, I like: "Here's the US-Israeli-Palestinian relationship in simple terms: You run a business. And you have a brother who's worked with you for decades. A group of corrupt "partners" with criminal records, notorious for flouting every deal they've made, promises to make you rich. All you have to do is kill your brother."

There is more! This is the first paragraph of the "Bibi’s Predicament" article from Commentary Magazine:
"It should be clear by now that President Obama intends to pursue the “peace process” in the same way that he pursued health care — by ramming it down his opponent’s throat, in this case, Israel’s."
He leaves Israel no choice but to bomb Iran's nuclear installations.

"Surely something must be terribly wrong with a man who seems to be far more concerned with a Jew building a house in Israel than with Muslims building a nuclear bomb in Iran."
Columnist Burt Prelutsky, LA Times

What can I say? I wish it didn't happen in my lifetime. I am so, so sorry for my country... :-(

Tuesday, March 9, 2010

Should we be afraid of Chinese hackers? ...Or the lost cyber war (Part III)


PART III


Why the U.S. is losing steam

In addition to having full access to the Windows OS, which has proved to be vulnerable to endless exploits, China has chosen FreeBSD as the basis for a secure OS. The Washington Times recently reported that "China has developed more secure operating software for its tens of millions of computers and is already installing it on government and military systems, hoping to make Beijing's networks impenetrable to U.S. military and intelligence agencies." What a bold move! No wonder many security specialists are seriously concerned that China is rapidly gaining the leading edge over the U.S.
Congress discussed this issue recently, but what's the result? Recall Obama's visit to China (read above). Is our government insane? Not at all! As always, money rules the world. When it comes to making a decision, corporate lobbying wins over common sense.

Even worse! The U.S. Government often downplays cyber attacks on our infrastructure. As Ed Giorgio noted (in the 60 Minutes report on US cyber security, November 7, 8 & 9, 2009), there are at least 10 "reasons why cyber intrusions are ignored, denied, or not reported by government." No doubt they will be denied by government officials, but here they are:
  1. It is downright embarrassing to admit that you do not have very good cyber defenses and it will severely hurt your brand.
  2. The targeted organization frequently has no solution to the problem as was the case when DHS "lied" to congress. In government and the military, you cannot report a problem you don't have a solution for.
  3. The administration might be worried about international political fallout because it impacts other delicate issues with China, Russia, Israel, France, etc.
  4. We don't want to open a can of worms and admit that we too have an offensive capability which we work hard to keep secret.
  5. We fear the unwanted oversight and attention.
  6. If we are forced to address the problem, it will make us reprogram resources from high priority mainstream mission programs which are already behind.
  7. The bureaucracy doesn't want to be forced to hold somebody accountable and perhaps take adverse action.
  8. Adding security may get in the way of mission operations and reduce our effectiveness (like not being allowed to use a flash drive).
  9. Recognizing the problem would expand the set of stakeholders who you have to work with to solve the problem. No bureaucrat wants that as it causes a loss of control.
  10. We are skeptics and just plain don't believe it's a big problem, and that it has been blown out of proportion.
"Security? What security? What are you talking about? It's not my responsibility!"

As David Osborne and Ted Gaebler indicate:
"It is hard to imagine today, but a hundred years ago bureaucracy meant something positive. It connoted a rational, efficient method of organization - something to take the place of the arbitrary exercise of power by authoritarian regimes. Bureaucracy brought the same logic to government work that the assembly line brought to the factory. With the hierarchical authority and functional specialization, they made possible the efficient undertaking of large complex tasks."

Since the word "bureaucracy" became a synonym to the word "government" (verify it with MS-Word grammar!) what can you expect these days? Efficiency? Smart decisions? Logical solutions? Forget-about-it!

When a highly qualified computer investigator decided to track the Chinese hackers and passed his amazing discoveries to the FBI, which praised his work, as a result he was facing charges for his activity. "...they are so afraid of taking risks that they wasted all this time investigating me instead of going after Titan Rain" [a very sophisticated attack - read below], said the computer investigator.

Do you have any comments? Are you surprised? Do you see the elements of "political correctness" here?

At the same time, the Chinese government is not under pressure from its corporations, and it ignores the "political correctness" that has overpowered the United States. China improves the security of its army (PLA) using a hardened FreeBSD operating system. Considering also the more than 100 information infrastructure attacks per minute on the US Department of Defense originating from China, and keeping in mind that most DOD computers are Windows-based, now we have a clear picture: it's the face of an enemy.

Whether it's a current or future enemy is hard to say, but I think that at this moment it is a virtual one, an enemy that is invisible, an enemy that is hard to catch. As I mentioned earlier, tracking virtual enemies can be quite a challenge for U.S. spy hunters. FBI officials are uncompromisingly pursuing the possibility that the Chinese government is behind many cyber attacks (especially the not widely discussed Titan Rain attack, "the most pervasive cyber-espionage threats that U.S. computer networks have ever faced"), considering how well it was organized.

As you may guess, it's almost impossible to determine who exactly was behind the attack: the Chinese government, the PLA, or someone from the private sector (aka patriot hackers), because China has not been cooperating with U.S. investigations of Titan Rain. According to TIME magazine, "TIME has obtained documents showing that since 2003, the hackers, eager to access American know-how, have compromised secure networks ranging from the Redstone Arsenal military base to NASA to the World Bank… and can be a point patrol for more serious assaults that could shut down or even take over a number of U.S. military networks".

Due to the length of this article I don't want to discuss this issue further but I highly recommend reading about the Titan Rain attack (see the link above) and who discovered it.

Similar developments can be seen on the military front. In April 2009, in Prague, President Obama gave a speech in which he pledged America would work toward a "world without nuclear weapons." Considering China's military advancements, they have different plans. China's growing revenues help it become the world's biggest military power, to the point where the U.S. "would not dare and would not be able to intervene in military conflict", for instance in Taiwan, where the U.S. has its own interests. Their new ballistic missile is capable of hitting a target at sea at a range of more than 1,000 miles and could well be used to attack and sink U.S. carriers.

No wonder Defense Secretary Robert Gates has expressed his concern, too: "Investments in cyber and anti-satellite warfare (by China), anti-air and anti-ship weaponry, and ballistic missiles could threaten America's primary way to project power and help allies in the Pacific - in particular our forward air bases and carrier strike groups." Meanwhile the U.S. administration (faced with a huge budget deficit) ceased financing the upgrade of our aging nuclear arsenal. All of this will lead to a reduction of our military capabilities, giving China the leading edge.

History often repeats itself. You are witnessing the process of losing the world dominance by one country and shifting the power to another one.



The lost cyber war

During 2008-2009, U.S. government and military organizations reported about 200 breaches, including breaches of more than 70 million records in 2009 compared to a total of fewer than 3 million in 2008. Do you see the trend? Did our government initiatives and the billions of taxpayers' money spent on improving security pay off?

"The great thing about being a pessimist is that you are constantly either being proven right or pleasantly surprised." -- George Will, News commentator.

Consider me a pessimist but I don't see the light in the end of the tunnel.

I'd love to be wrong, but I guarantee that there will be a greater need for security practitioners than we have now. Cyber security has become a survival skill for any organization.

Senior government officials overseeing the nation's cyber defenses told a Senate panel that agencies are doing more to coordinate their far-ranging efforts, but that even in the best-case scenario, the hackers are often one step ahead. "The harder we can make the general network environment, the easier it's going to be to detect [threats]," said Richard Schaeffer, director of the National Security Agency's Information Assurance Directorate. "We believe that if one institutes best practices, proper configuration, good network monitoring ... a system ought to be able to withstand about 80 percent of the commonly known attacks."

What about the remaining 20%?



What's the situation with resistance to cyber crime?

The painful experience of the last several years, lost data, productivity, new security standards imposed by the government, humongous amount of money spent on improvement of IT security raised a red flag for many organizations. I can't say that we do nothing to fight cyber crime but as I mentioned above we are always one step behind the hackers. Let's see what's going on these days.

In February 2009, President Obama launched a 60-day investigation into cyber-security, promising to improve U.S. Internet defense. I don't know what was done after the investigation except the creation of one or more departments with more bureaucrats, but the situation did not change much. I have been reading articles about new Federal law proposals, new security requirements, and new initiatives; however, all of it has proved to be close to useless, not only at the U.S. level but also at the international level. According to InformationWeek news reports, the American and Russian governments were engaged in talks to make the Internet a more secure medium and limit certain types of cyber-weapons, but the talks haven't progressed far due to a difference in philosophy.

Many organizations and companies who work on defense against Chinese hackers have recognized that it's close to impossible to catch and prosecute hackers who operate abroad, and especially in China. Since no international legal agreement exists, even if a hacker is traced to a particular person, it will be impossible to extradite him to the U.S. considering the relationship with the communist government of China. Lately, the relationship has become even worse (the story of the hacking of Google).

Meanwhile, Chinese hackers are becoming harder to monitor since they communicate and coordinate their attacks through private text messaging rather than on blogs or web sites, leaving no traces of their activities. So, what is left? Is there ANY way to protect our networks and data? Learning how to defend ourselves is the only way to go under the current circumstances.

Again, I can't say we do nothing because:
  • We educate IT professionals responsible for protection of their IT infrastructure, and we have a number of highly experienced and certified professionals who participate in examining case studies, war-gaming various scenarios, exercises, and implementing global defense solutions.
  • We have created a whole bunch of security-related certifications to certify the expertise of IT pros (CISSP, CEH, Security+, CISA).
  • We have developed multiple government standards to protect the government networks and information.
  • We plug the endless holes in the operating systems, applications, utilities, and databases.
  • We participate in numerous webinars, read whitepapers, magazines and books; discuss the IT security on hundreds of forums.
  • We have plenty of web sites dedicated to data security.
  • We spent (and continue spending) zillions of dollars on anti-malware products and technologies ($7 billion a year).
Yet, we are still facing the same danger of being exposed to a sudden cyber-attack or becoming the victim of cybercrime, because the standards are not perfect and not everyone is following them, the anti-malware products are only 50% effective, and there are endless security holes in operating systems, applications, web browsers, perimeter defenses and more. As a result, for instance, according to the FBI, an average of over 1 million computers per year is currently being hijacked by botnets; an estimated 90% of Internet access points on corporate networks are inadequately protected; and the cyber-gangsters reap an estimated $100 billion worldwide using silent attacks that are invisible to their victims.

What are the latest developments in cyber-defense?

There is interesting information about the new security content protocol specification that has been released by The National Institute of Technology (Special Publication 800-126. "The Technical Specification for the SCAP,"). In accordance to the Government Computer News, "SCAP comprises specifications for the standard organization and expression of security-related information, provides an overview of the protocol and on ways software developers can integrate SCAP technology into their product offerings and interfaces."

At the end of last year, the U.S. Department of Homeland Security (DHS) completed, in cooperation with other government agencies, a draft of a national cyber attack response plan that is planned to be tested in September 2010 during Cyber Storm III, a cyber security drill. I am just curious why this information is available online and not restricted to those who have the appropriate security clearance...

Northrop Grumman and three universities planned to form a cyber security research consortium to address emergent cyber security issues. Northrop Grumman will fund 10 research projects at MIT, Carnegie Mellon University and Purdue University. Quite a powerful combination! I hope we'll get some positive developments from the best brains in our country.

Homeland Security seeks new ideas on how to protect our networks by creating a Web 2.0 crowd-sourcing portal called IdeaFactory. House leaders have asked the chamber's security officials to implement a new cyber-security training procedure for aides, to take extra steps to protect sensitive information from potential hackers, and to recommend technology updates focused on security awareness.

Microsoft detailed new botnet protection and IdM technology at RSA: Scott Charney, corporate vice president of Microsoft's Trustworthy Computing Group, offered insight into the company's plans to thwart botnets, secure enterprise cloud computing and help individuals better manage their online identities.

Yes, the first step that will be the most effective is to educate computer users about potential threats from highly qualified hackers, what needs to be done and how to operate computers safely.

Here is what one fellow said in his blog:
"I run a computer service shop, and...we drop Avast [anti-virus program] on ALL computers that come in, while simultaneously telling every single customer that it will do nothing to prevent them from brand new threats...and neither will anything else on the market today! Quoting myself, "viruses are a cat-and-mouse game, and antivirus vendors are always the cat doing the chasing." Software firewalls are also junk because any virus that does take root can easily bypass such a program. In reality, the only two things that are needed to keep a secure network are (A) a hardware firewall between you and the Internet and (B) well-educated, cautious, skeptical users. Education seems to fly out the window when an erection or free music is involved… Computers and software stopped being the weakest link over a decade ago. The most commonly exploited security hole on a computer is the device which sits between the keyboard and the chair, not the IP stack or WMF rendering libraries."
Posted by: cryptikonline on: 07/14/09

Step number two should be proactive defense, the type of defense that actively fights hackers with their own weapons. I was glad to find information that there are some white-hat hackers that actually do just that!

According to F-Secure, a white-hat hacker (a good guy) using the avatar 'Catch-Em' hacked into the Pakbugs.com web site (an underground site that re-sells stolen credit cards), compiled a list of registered users with their email addresses and passwords, and then posted the list to the Full Disclosure security mailing list. He also forced the web site to shut down for several days and later (when the web site was online again) launched a DDoS (distributed denial of service) attack against it.

DNSSEC introduced a new encrypted domain technology designed to protect the domain name system from spoofing and other hacks.

Lockheed Martin has formed an information security alliance with several technology providers to focus on self-healing systems to solve some of the information security problems.

There are also some successful operations on the grand scale. Eighty (80) people worldwide were arrested in connection with a major international banking ID phishing scam. "Operation Phish Phry" has been described as the biggest cybercrime investigation in US history.

I'd like to see more news like this:
There is a known technique of building "honeypot" servers that attract hackers by their apparent lack of protection and divert them away from sensitive servers that have various layers of protection. Since hackers usually take the easy route, such servers serve well not only by turning attention away from important computers but also by allowing us to learn how servers are being hacked and what needs to be done to protect sites against becoming part of botnets. For instance, a new open-source honeypot project called Glastopf "dynamically emulates vulnerabilities attackers are looking for" and can auto-detect and allow unknown attacks.
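As an added illustration of the idea (my own example, not code from the Glastopf project or from the original article), here is a minimal low-interaction TCP honeypot in Python. It presents a decoy banner, records who connected and what they sent first, classifies the probe from its first bytes, and closes the connection; the records are what a defender studies to learn how the real servers are being approached. The banner text, port number and classification rules are assumptions chosen for this example.

```python
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed decoy banner: the honeypot pretends to be a mail server.
FAKE_BANNER = b"220 mail.example.invalid ESMTP ready\r\n"
MAX_CAPTURE = 512  # bytes of client input kept per connection


def classify(first_bytes):
    """Rough guess at what kind of probe this is, from the first bytes sent."""
    head = first_bytes[:16]
    if head.startswith(b"SSH-"):
        return "ssh-client-banner"
    if head.startswith((b"GET ", b"POST ", b"HEAD ", b"OPTIONS ")):
        return "http-request"
    if head.upper().startswith((b"EHLO", b"HELO")):
        return "smtp-client"
    if not first_bytes:
        return "connect-only"  # scanner that only checks the port is open
    return "unknown"


def make_record(peer, data, when=None):
    """Build the JSON-serialisable record written for each connection."""
    when = when or datetime.now(timezone.utc)
    return {
        "time": when.isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes": len(data),
        "kind": classify(data),
        "preview": data[:64].decode("ascii", "replace"),
        "hex": data[:MAX_CAPTURE].hex(),  # full capture, safe to log as hex
    }


def handle(conn, peer, sink):
    """Serve one connection: send the banner, capture input, record, close."""
    try:
        conn.settimeout(5)
        conn.sendall(FAKE_BANNER)
        try:
            data = conn.recv(MAX_CAPTURE)
        except socket.timeout:
            data = b""
        sink(make_record(peer, data))
    finally:
        conn.close()


def serve(host="127.0.0.1", port=2525, max_conns=None, sink=None):
    """Listen on an otherwise unused port; every connection is suspicious."""
    sink = sink or (lambda rec: print(json.dumps(rec)))
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    served = 0
    while max_conns is None or served < max_conns:
        conn, peer = srv.accept()
        threading.Thread(target=handle, args=(conn, peer, sink), daemon=True).start()
        served += 1
    srv.close()


if __name__ == "__main__":
    serve()  # prints one JSON record per connection until interrupted
```

Because the honeypot has no legitimate users, every record it writes is worth looking at; feeding these records into the same log analysis as the production servers is what turns the decoy into an early-warning sensor rather than just a distraction.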

A recently introduced technique may limit the exposure created by security holes in software: application whitelisting, as offered by vendors such as Faronics. If an executable file is not on the white list, it's not permitted to run!
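As an added example (not from the article and not Faronics' product code), the core of an application whitelist in Python: every executable must match the SHA-256 hash of an approved build, and anything else, including an approved program whose bytes have changed, is denied by default. The "approved builds" here are constructed byte strings written to a temporary directory; a real allowlist would be generated from known-good builds and protected from modification.

```python
import hashlib
import os
import tempfile

# Constructed "approved builds": program name -> bytes of the binary that an
# administrator vetted. Real binaries would be hashed at deployment time.
APPROVED_BUILDS = {
    "backup.exe": b"MZ constructed sample of an approved backup tool",
    "report.exe": b"MZ constructed sample of an approved reporting tool",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved):
    """Map each approved program name to the SHA-256 of its vetted bytes."""
    return {name: sha256_hex(content) for name, content in approved.items()}


def file_sha256(path):
    """Hash a file in chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def decide(path, allowlist):
    """Default-deny decision for a file about to run: (verdict, reason)."""
    name = os.path.basename(path)
    try:
        digest = file_sha256(path)
    except OSError as exc:
        return ("deny", "unreadable: %s" % exc)
    if digest in allowlist.values():
        return ("allow", "hash matches an approved build")
    if name in allowlist:
        # Same file name as an approved program but different content: either
        # an update that has not been approved yet, or a tampered binary.
        return ("deny", "name is approved but content differs from the vetted build")
    return ("deny", "not on the whitelist")


def demo():
    """Write constructed files to a temp dir and return the verdict for each."""
    allowlist = build_allowlist(APPROVED_BUILDS)
    verdicts = {}
    with tempfile.TemporaryDirectory() as d:
        cases = {
            "backup.exe": APPROVED_BUILDS["backup.exe"],             # untouched approved build
            "report.exe": APPROVED_BUILDS["report.exe"] + b"\x90",   # approved name, modified bytes
            "game.exe": b"MZ constructed sample of an unknown download",  # never approved
        }
        for name, content in cases.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(content)
            verdicts[name] = decide(p, allowlist)
        # A file that does not exist (or cannot be read) is also denied.
        verdicts["missing.exe"] = decide(os.path.join(d, "missing.exe"), allowlist)
    return verdicts


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print("%-12s %-5s %s" % (name, verdict, reason))
```

The decision is keyed on content, not on file name or path, which is the property that makes whitelisting resist a trojaned copy of a legitimate program; the flip side, visible in the `report.exe` case, is that every legitimate update must be re-approved before it will run.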

On another note, if you have critical infrastructure of strategic importance, why not isolate it physically from the Internet and use, perhaps, dedicated lines of communication? Not possible? I doubt it. With the amount of money wasted on security that does not protect, there is always a way to find a method of managing the infrastructure without exposing it to attacks originating from the Internet.


What can we do about cyber-terrorism?

Let's be honest, the facts are against us. Those who defend the networks must protect the infrastructure against a huge range of cyber-weapons. At the same time, the cyber-gangsters can reach their goal by exploiting only a single vulnerability. Cyber-gangsters are usually fanatics who would do anything to cause mass destruction, whereas security experts are not fanatics who will work tirelessly for endless hours.

U.S. Federal agents have thwarted planned terror attacks on Fort Dix, N.J. by uncovering a terror ring in Lackawanna, N.Y. and plots against the nation's financial centers, the World Bank, ten airliners landing in the U.S. (the liquid-bomb plot), JFK airport, the Brooklyn Bridge, the New York subway system, the Los Angeles airport, the Israeli consulate in Los Angeles, and the Prudential Building in Newark, N.J., among others. They fought real terrorists. But how do you fight cyber terrorists?

The Internet is not a secure medium. Those security professionals who passed the CISSP exam (a commonly respected security certification) learned about the model for security policy development, the so-called "CIA triad" (Confidentiality, Integrity, Availability). The problem with Internet security lies in the fact that the Internet was not initially designed for confidentiality or integrity. It was designed for availability and resiliency by providing a packet-switched network with alternate paths meshed together. The security services of confidentiality and integrity usually must be implemented at the application and end-point levels (computer, mobile phone, PDA, etc.).

There have been some voices calling to re-design the Internet and make it more secure. Wouldn't it be great? It makes sense to some of the people who are responsible for security. This drastic measure cannot be taken without government intervention, because of the huge expense and the taxes that might be imposed on Internet usage. As you may guess, this measure will obviously enrage many people (including myself, perhaps, at this stage) who would oppose it using all available civil rights. I am not talking only about U.S. citizens but also about the world's net-citizens, since it must be a common effort after a commonly accepted agreement.

Maybe future incidents will push more people toward this measure, but we must act now - as a government and as individuals - to fully meet the challenge of cyber terrorism. Some methods we may use include:
  1. Implementing strong access control systems to ensure that only authorized individuals can access cyber systems.
  2. Using strong encryption to ensure confidentiality and integrity of information stored, processed, and transmitted on and through cyberspace.
  3. Keeping policies up to date, and ensuring they are strictly enforced.
  4. Implementing effective detection systems to recognize currently known and future cyber attacks quickly.
  5. Closely monitoring all cyber activity by using log files and log analyzers.
  6. Implementing a real-time national defense strategy.
  7. Deep analysis and forward thinking on possible future technologies, and prediction of attacks (based on current trends) that may occur as those technologies are implemented, to address the security requirements of the future.
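Items 4 and 5 in the list above (detection systems, and monitoring log files with a log analyzer) are abstract as stated, so here is an added example, not from the original article, of the kind of detection logic a log analyzer applies. It scans constructed sshd-style authentication log lines (sample data made up for this example, using documentation IP ranges) and raises two alerts: a burst of failed logins from one source within a short window, and a successful login from a source that had failed repeatedly just before it. The threshold and window values are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd-style auth log lines (not taken from any real host).
SAMPLE_LOG = """\
Mar 10 08:00:01 gateway sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 08:00:04 gateway sshd[4102]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Mar 10 08:00:07 gateway sshd[4103]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 10 08:00:09 gateway sshd[4104]: Failed password for root from 203.0.113.5 port 51237 ssh2
Mar 10 08:00:12 gateway sshd[4105]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar 10 08:00:15 gateway sshd[4106]: Accepted password for root from 203.0.113.5 port 51239 ssh2
Mar 10 08:15:00 gateway sshd[4201]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 10 08:25:00 gateway sshd[4202]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar 10 09:00:00 gateway sshd[4301]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Mar 10 09:30:00 gateway sshd[4302]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Mar 10 10:00:00 gateway sshd[4303]: Failed password for bob from 192.0.2.9 port 33003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2010):
    """Turn raw lines into (timestamp, result, user, ip) tuples; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd messages are not login outcomes
        ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: [alerts]} using two rules:
    1. brute-force: at least `threshold` failures from one IP inside `window`;
    2. success-after-failures: an accepted login from an IP that had failures
       inside `window` just before it (a guessed password is the worry)."""
    alerts = defaultdict(list)
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    for ts, result, user, ip in sorted(events):
        recent = [t for t in failures[ip] if ts - t <= window]  # drop old ones
        failures[ip] = recent
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and "brute-force" not in alerts[ip]:
                alerts[ip].append("brute-force")
        elif recent:
            alerts[ip].append("success-after-%d-failures:%s" % (len(recent), user))
    return dict(alerts)


def analyze(log_text, threshold=5, window_minutes=5):
    return detect(parse(log_text), threshold, timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for ip, found in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(found))
```

Run against the sample, only 203.0.113.5 is reported: five failures in eleven seconds followed by an accepted root login. The single failure from 198.51.100.7 is ten minutes before a successful key login, outside the window, and bob's three failures are thirty minutes apart, so neither rule fires; loosening the threshold and window (for example 2 failures in 60 minutes) makes both of those appear, which is the tuning trade-off every log analyzer forces on its operator.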

1. END-POINT PROTECTIONS FOR ORGANIZATIONS

Here are the "BIG SEVEN" rules that reflect the major steps to be taken to protect the end-points in corporate and government networks:
  1. Create an Internet use policy and use web content filtering with scheduled updates.
  2. Train employees on cyber security and enforce it vigorously.
  3. When administering access rights, reduce privileges as much as possible on a "need-to-know" basis.
  4. Log in to the system with administrator rights only when you need to change the configuration or install/remove applications. Otherwise, log in as a regular user with no administrative rights. (Report: 92% of critical Microsoft vulnerabilities mitigated by Least Privilege accounts.)
  5. Take care to update your software (OS and application patches) religiously.
  6. Use the best possible anti-malware product on each piece of hardware. Beyond that, implement application "whitelisting" and heuristic and behavioral detection in addition to signature-based detection, to mitigate zero-day threats.
  7. Consider implementing new technologies such as cloud and virtual computing by centralizing the hardware and distributing the applications down to users' PCs (or terminals).
Using application and OS streaming based on specific needs, and storing the images in one central location, will increase the security level and lessen the burden of maintaining security locally on each node, since all the patches and security protection will be concentrated in one place rather than distributed all over the network - hosted security (assuming that the application/OS streaming itself is tightly secured and encrypted).

Such a solution may dramatically lessen the number of attack vectors with many additional benefits. In fact, server versions of Windows typically have a lower infection rate on average than client versions. Servers have a tendency to have a lower effective attack surface (or vectors) than computers running client operating systems because they are more likely to be managed by experienced administrators and to be protected by several layers of security.

2. ANTI-SPAM PROTECTION

MessageLabs Intelligence Top Tips to Stamp out Spam:
  • Protect your email address - using your primary email address anywhere on the web puts it at risk of being picked up by spammers, so be careful where you use it.
  • Watch out for the checkboxes - when you buy or sign up for something online, opt out of being contacted by third parties; you don't know where your address will end up.
  • Don't use the reply, remove or forward options - acknowledging the spam email using any of these options only validates your email address and can lead to more spam.
  • Use an unusual name - if you use an email address with numbers in it, for instance, you are less likely to receive spam. Spammers often use directories of common names to guess email addresses, e.g. ajones@company.com, bjones@company.com, etc.
  • Avoid clicking on any links in spam messages - the addresses of links are frequently disguised and often serve only to confirm your existence to spammers. The same goes for unsubscribe links.
  • Avoid downloading pictures in spam email - these can identify you as a recipient even if you just view the message in the preview pane. You can view your email as text to prevent this, or you can set your email security to block external images.
  • Use a spam filtering service.

3. HOME PC PROTECTION

a) First of all, educate yourself about information security even if you are not involved in the Information Technologies.

b) Consider dedicating one PC exclusively to online banking. Do not use it for other browsing or services such as email or web surfing.

c) Use a combination of the best security utilities. My "four favorites", which I have on EVERY PC that I use at home and recommend to my clients:
In addition, if you download a zipped or executable file from an Internet web site, please use the Virustotal.com web site. Upload your file there and verify it against 32 virus scanners. There is a big chance that only one anti-virus scanner will detect the malicious content. The service is free.

d) Do not expose your personal information on social networking web sites. It's easy to follow the crowd and proudly post your photos and personal information about yourself and your family. Keep in mind that it is exactly what the hackers need to steal your identity.

e) Remember that "there's no patch for human stupidity". Do not click on suspicious e-mails that you don't expect to receive. Do not open e-mail attachments (even such "innocent" ones as PDF or PPT files) because they may contain malicious code. In fact, PDF files in particular are responsible for about 80% of all infections according to some sources. Such files can take the form of fake codecs or videos, and poisoned search results continue to trick users into deliberately disabling the security programs they had in the first place.

No Internet security suite can protect you from yourself, so do yourself and the Internet a favor - patch all your insecure applications - it's free with F-Secure and Secunia.

Through a combination of a fully patched OS (operating system) running the latest versions of the installed software, least-privilege accounts and a well-configured personal firewall, a big percentage of the malware that penetrates through the client side will be mitigated well before it reaches the antivirus scanner.

f) Sometimes you may travel (abroad or just out of your office). Please be cautious about public PCs/kiosks:
  • Check how the PC is set up. It shouldn't let you access system settings such as the control panel and user accounts. This is a case where the less you can do on the PC, the better - it's well locked down. I would also recommend looking around the PC for any kind of plug-in device. It could be a hardware-based keylogger attached to the keyboard cable or a USB port. For more on keyloggers, read the Bright Hub article, "Risky business, using kiosk computers."
  • When you HAVE TO perform online banking or credit card purchases that might leave sensitive information on a public PC and have no chance to avoid it (avoiding it is highly recommended), uncheck any box offering to remember your information and change your passwords as soon as you are on a PC you know is secure (home/your office). I have set up special access to my online PayPal account using a security fob that generates random digits to be used for passwords. It allows me to access the web site with a different password every time I use it. You may request it from PayPal, too.
  • If you have access to browser options that let you clear the cache and wipe out cookies, you should use them. The best systems warn you that they will clear stored information such as cookies when you exit.
  • If you need to save a file, do not save it to the local drive but rather to a flash drive. Alternatively, you may e-mail the file to yourself and then delete it from the public PC. Make sure you have emptied the Windows trash can.
  • If you access the Internet through Wi-Fi networks available in public places, remember that hackers may be waiting on such free, password-free networks. Today's Wi-Fi security protocols are proven to be weak and can be easily broken within minutes with a tool freely available on the Internet.

The future of cyber space. Be aware!

Since this is the last chapter of this article, I'd like to summarize my concerns. According to Liu Mingfu (People's Liberation Army (PLA) Senior Col., author of the book "The China Dream"), "China's big goal in the 21st century is to become world number one, the top power."

China's population is growing by 21 million a year; the country currently houses 1.2 billion people, representing 22% of the world's population. At the same time, its territory is only 7%. The law restricting Chinese citizens to only one child doesn't work because poverty breeds children in spite of the danger of being put in jail. This limited territory cannot provide enough food for such a dramatically growing population forever. Many poor Chinese citizens will be faced with starvation.

Of course, I am speculating, but think about it. What would be the solution to this problem if you were one of the Chinese government officials? The answer is the immigration (legal and illegal) of a large number of people to every corner of this world. It's the most inexpensive solution and will have the most lasting effect. China thinks in longer terms. A gradual (and peaceful!) takeover of territory could be a long-term plan. Legal immigrants can buy or open businesses in whichever country they settle in and gain political power sooner or later. The illegal immigrants will flood the businesses with cheap labor. Given enough time, all of it may lead to serious political and economic influence all around the world, especially if Chinese immigrants preserve close ties with their motherland.

I am talking about a peaceful invasion that you cannot fight because it would be a fight against unarmed people. Taking into consideration the long-term plans and enormous financial resources of China, the Chinese immigrants will be supplied with enough money from the Chinese government to keep the businesses strong. Of course, they will have to repay the loan, which will tie them to China even more.

The same financial resources concentrated in the hands of the Chinese government can surely be used (and probably are used) to finance the cyber-gangsters who conduct cyber espionage (economic and military), to secretly stockpile gold and invest in oil-rich regions outside China, to bribe government officials in various countries, and to gain the advantage in trade and politics. Just try to arrest any Chinese national anywhere in the United States and the Chinese government will raise hell with the White House. I am talking about boycotts of trade goods and various sanctions. The growing power of China will easily be used to tie our hands. Now, can we arrest any Chinese hacker in China even if he is the originator of a cyber attack?

The trade and cyber war between the People's Republic of China and the United States, in particular, is a war for extraordinary power and wealth for the winner, and therefore China uses all available resources, openly or secretly, to win down the road.

Regardless of whether cyber terrorism is a serious threat to safety, our critical infrastructures, or just an annoyance, we must be forward-thinking to meet future challenges regarding cyber security.

As you understand, many countries' governments take cyber security and cyber-weapons very seriously. Our government, in fact, has not only continuously worked on improving cyber-security but also successfully used cyber attacks during the Iraq war, in May 2007, when George W. Bush authorized an NSA attack on the cellular phones and computers that insurgents in Iraq were using to plan roadside bombings. The attack not only prevented successful communication and coordination but also supplied the enemy with false information, leading them directly under the fire of U.S. soldiers.

There have been several cyber tsars leading the U.S. efforts in cyber defense, as well as several major initiatives aimed at improving and protecting our infrastructure against cyber attacks. The new reality of the computer age is taken so seriously that the Obama administration's former White House chief of cyber-security, Melissa Hathaway, has called for international cyberspace agreements (with similar proposals coming from the Russian government).

However, the chances of such an agreement are quite slim, and here is why. Senior U.S. Army officials identify the wireless communications networks used by insurgents and terrorists as their No. 1 target, and after the Russian government's attempt to propose a treaty limiting the use of cyber-weapons, the State Department rejected the idea, preferring to focus on improving defenses and treating cyber attacks as crimes. In addition, the officials are against any move that could undermine our own cyber security by limiting the options and ability to attack, because the advantages of having a cyber-warfare capability are simply too great in the computer era.

Cyber-war tactics are also advancing. The United States has already learned that it makes no sense to hit an enemy's infrastructure if doing so disables an ally's, and possibly America's own, since many networks are interdependent. "If nations begin attacking one another's banks and power grids, the next step is an exchange of bombs and bullets." In spite of the fact that China is rapidly moving to the leading position as a cyber-war master, most likely it has no desire to knock out Wall Street, because it owns a large piece of it. Russia should be hesitant to begin a cyber-attack on the United States because, unlike Estonia or Georgia, the U.S. could quickly respond with massive conventional force.

As you see, the Cold War still exists, but it has moved underground or, to be precise, "underwire".

In fact, according to McAfee's annual Virtual Criminology report, many nations are secretly stockpiling tools and techniques in preparation for sophisticated cyber warfare against each other. So, expect cyber-weapons to be enhanced, cyber-war capacity to be increased and improved, and methods of penetration or DoS attacks to become technologically advanced.

Here is a "dirty 13" prediction for 2010 by Larry Barrett:
  1. Antivirus is not enough
  2. Social engineering as the primary attack vector
  3. Rogue security software vendors escalate their efforts
  4. Social networking third-party apps will fraud targets
  5. Windows 7 will come in the crosshairs of attackers
  6. Fast Flux botnets will increase
  7. URL-shortening services become the phisher's best friend
  8. Mac and Mobile Malware Will Increase
  9. Spammers breaking more rules
  10. As spammers adapt, volume will continue to fluctuate
  11. Specialized malware on the rise
  12. CAPTCHA technology will improve
  13. Instant messaging spam will surge
Russians have an excellent proverb which, translated into English, sounds like this: "Those drowning - save thyself". It can very well be applied to the situations described in this article.

Got computer? Start with security!

Please share this article on your network (Twitter, Facebook, etc. - more social networking links can be found at the top of the page in the right corner).

References:

http://community.middlebury.edu/~scs/docs/Lee%20Lai%20To,%20China,%20USA,%20and%20the%20South%20China%20Sea%20Conflicts.pdf
http://english.peopledaily.com.cn/home.html
http://hsgac.senate.gov/public/index.cfm?FuseAction=Files.View&FileStore_id=e1005399-d98b-4aff-bb60-2c1884949700
The commercial malware industry.
http://blogs.zdnet.com/security/?p=3673
http://blogs.zdnet.com/security/?p=4791&tag=nl.e539
Janczewski, L. & Colarik, A. (2008). "Cyber Warfare and Cyber Terrorism". Page xiii. Information Science Reference, Hershey, New York
http://www.financialsense.com/stormwatch/geo/pastanalysis/2009/0717.html
http://www.microsoft.com/downloads/details.aspx?FamilyID=037f3771-330e-4457-a52c-5b085dc0a4cd&displaylang=en
http://www.cnn.com/2008/TECH/03/07/china.hackers
http://www.popsci.com/scitech/article/2009-04/hackers-china-syndrome
http://money.cnn.com/magazines/fortune/fortune_archive
http://tinyurl.com/llcdcc
http://www.investors.com/NewsAndAnalysis/Article.aspx?id=522689

Friday, February 19, 2010

Should we be afraid of Chinese hackers? ...Or lost cyber war. (Part II)

The average PC user in China, or where the hackers are growing...

Internet users in China aged below 25 spend on average 50 percent of their leisure time online, according to this survey. Those surveyed in China demonstrated high levels of social media activity. Nearly 9 out of 10 Chinese respondents indicated that they actively read or contribute to blogs and 85 percent said they participate in chat rooms.

New opportunities for self-expression, communication and interaction in China have made the Internet a part of everyday routines. The number of intelligent 20-something youngsters is increasing. Their computer skills have reached a sophistication allowing them to gain access to the world's most sensitive sites, including the Pentagon. In fact, some of them claim that they are sometimes paid secretly by the Chinese government -- a claim the Beijing government denies. There is a number circulating on the web (unconfirmed data) that the Chinese government pays up to 50,000 highly skilled military hackers to use the Internet for specific purposes defined by government officials (cyber expert James Mulvenon told a congressional commission in 2008). Considering the population of China, this number may not seem threatening at first.

Sure, they don't have a special facility with high-tech equipment; they operate from small apartments. Don't underestimate them - they are hardcore hackers who claim that "no web site is 100% safe". In spite of high-level security, every web site has a specific weakness that can be exploited. Some of the hackers are self-educated programmers and some came from the People's Liberation Army; either way, they know how to approach the task. Carefully studying the web pages, they determine the underlying programs used on a particular web site and then exploit a known weakness or test it to find a new one. Language differences are not a barrier to hacking. Many of them study English to a degree that serves them well in their activities. Young hackers are persistently trying to prove themselves against some of the most secure web sites in the world.

Many hacking tools are available on Chinese web sites for free or for a few bucks. For instance, for $150, youngsters can buy decent tools for hacking, designing Trojans or evading anti-virus programs, in addition to interactive tutorials and support through chat or IM, e.g., the infamous software known as Grey Pigeon. Some time ago, the software was used for remote control (similar to GotoMyPC.com), but as was discovered, it is an ideal tool for hacking that can easily be purchased in China.

Some experts believe many individual hackers have joined together to form small and large groups, such as a civilian cyber militia that launches attacks on government and private web sites around the world. Some sites have more than 10,000 registered users and offer special tutorials (sometimes even interactive) about hacking. There are hacker magazines, hacker clubs and online movie serials about hackers. About 43 percent of elementary-school students say they adore China's hackers and 33 percent say they want to be one! Imagine that future army of hackers.

As the Chinese economy improves, you can see more cars on the streets, plenty of construction sites, and numerous brand-name ads and shopping centers. More and more citizens become wealthy, or at least move to the middle-class level. Those who still can't find a way to make more money (the young generation, in particular) try different methods utilizing computer technology.

For instance, they build web sites that sell counterfeit items and attract customers with low prices. Usually, after getting the money, they either mail cheap imitations or nothing at all.

There is another side of hacking: not for money but to make a political statement.

The young generation knows how the government can suppress democracy movements (Tiananmen Square), so rather than proceeding on the road of democracy, many young people (or China's Internet patriots) identify themselves in opposition to the West. These "red hackers" may not be acting on behalf of their government directly, but the effect of their activities is the same.

If you knew Mandarin and tried to Google the word "hacker" using its characters, you'd find hundreds and hundreds of web sites dedicated to the Chinese art of computer hacking. Some of the web sites are highly organized, with detailed tutorials, history and logs of actual hacking, documentation, links, and even technical support. Some Chinese hackers are being trained at schools like the Communication Command Academy in Wuhan (the capital of Hubei province). Based on some research by U.S. intelligence, the total number of registered hackers in China is approaching 400,000.

Hackers of all sorts can be found in organized clubs whose members meet regularly. There are kid hackers, women-only hackers, hacker novices, and, of course, gurus. The most amazing and disturbing fact is that most of them share one unifying characteristic: nationalism. Most Chinese hackers are not individualists or anarchists but rather "tend to get more involved with politics because most of them are young, passionate, and patriotic." This stylish nationalism of hackers with laptops and Internet connections is dangerous for all countries, but it is the most harmful to China itself, since its government is inclined not to prosecute hackers unless they attack within the country.

These loose government restrictions are more frightening than state-sponsored cyber-warfare. The government perhaps tolerates hackers and sometimes encourages them. Their government might task these hackers and in turn gain control of them. Homegrown hackers might just as easily be recruited to write viruses or software for the People's Liberation Army.

If you are interested in learning more about the top Chinese hackers, check out The Dark Visitor web site (in English).

In 2002, a scholarship student, Peng Yinan, and two other hackers broke into the web site of Lite-On Corporation and replaced the Taiwanese firm's home page with the message "[F-ck] Taiwan's pro-independence!" In December 2003, a similar message reemerged on the U.S. Navy Chartroom site. "[F%ck] usa.gov," read the defacement, which was signed by coolswallow and four others (the same Peng hacked the FoxNews web site after the U.S. invasion of Iraq). In fact, they not only defaced many web sites in the U.S. but also shared the hacking tool on the Internet.

Web site defacement is a very unpleasant thing when it is your web site that is defaced! I remember when I got a call from California from a man who informed me about a U.S. teenager who had hacked several web sites, including my company's default web page (with a similar message about the U.S. government). It's good that I have the habit of not using the default page on the Microsoft Internet server (IIS) as the home page but rather a secondary one. It saved my company from potential shame.

Based on Peng Yinan's activities after 2003, I would compare him with the infamous hacker Kevin Mitnick, with the only difference being that Peng was somehow connected to the Shanghai government and, since he was qualified enough, could be paid to do some freelance work. There is speculation that he was permanently hired by the Chinese government, since he has disappeared from the hackers' world, and that in itself is very disturbing.

Chinese hackers have become so experienced and recognized worldwide that MI5 hired Asian teenage hackers in the fight against cyber terrorism in China, Russia and Pakistan.

In spite of the huge Internet activity in China, the country's Internet censorship is well known to the world (didn't the KGB do the same with phone calls and letters?). The government wants to control the information flowing in and out of the country. It's not easy to do without sophisticated technology. It's a fact that Chinese entrepreneurs returning from working in Silicon Valley were requested to provide filtering technology to China's Internet police. These police are very successful not only at censoring communications but also at quickly and effectively shutting down sites; they also do not hesitate to pursue rogue sites inside China that carry classified information.

How Microsoft armed Chinese hackers

When it comes to money, many (if not all) companies tend to forget about any possible consequences and lose their conscience. Microsoft is no exception. The prospect of a sweet piece of pie (i.e., the Chinese market) was reflected in the first move that Microsoft made in 2003, when it signed a source code browsing agreement with China.

With the known weak security of Microsoft's operating systems and with the source code not open to the public, many countries, including China, adopted the open source Linux operating system, a rival of Microsoft. To counter this, Bill Gates signed an agreement with the Chinese government stating that the new Source Code Browsing Lab can browse the source code of the Microsoft operating system and engage in information security related research.

After almost 15 years of learning how to do business with China, Microsoft decided to share the source code as a first significant step in penetrating the Chinese market through cooperation with the communist government. Liu, a member of the political bureau of the CPC Central Committee, said that China has a great number of software talents and regarded the software sector as one of its backbone industries. As a result, Microsoft offered China and, later, 59 other countries the right to look at the fundamental source code of its Windows OS and to replace some sections with their own code. Now, when China uses Windows in President Hu's office, or perhaps in its missile systems, it can install its own cryptography.

Let's look at this from another point of view. Microsoft makes money by selling its software to China, and China has access to the source code of the operating systems used by the majority of computer users around the world. Imagine that you are a computer hacker. What would you want most of all in order to break into a Windows PC?

You have probably heard about "reverse engineering", used by hackers when the program they want to attack is taken apart in order to build the piece of code used for the attack. It is a very complicated and challenging process, and not many hackers are able to do it. With the source code available as a gift from Microsoft, isn't it easier to hack Windows?

For instance, the latest report from Google is troubling: "Google detected a 'highly sophisticated and targeted attack' last month which originated from China, and resulted in the theft of intellectual property from the search engine, according to Google's corporate development and chief legal officer David Drummond.

It later transpired that the attack was not limited to Google, but infiltrated 20 other large companies from a wide range of businesses - including the internet, finance, technology, media and chemical sectors."

Since the Chinese government directly or indirectly supports its own hackers, they might have access to the source code as well. Let's recall how many times a Windows-based OS has been hacked. According to Shane Harris, who wrote an article about Chinese hackers, they "pose a clear and present danger to U.S. Government and private-sector computer networks and may be responsible for two major U.S. power blackouts." U.S. government "officials believe that the intrusion may have precipitated the largest blackout in North American history. A 9,300-square-mile area, touching Michigan, Ohio, New York, and parts of Canada, lost power; an estimated 50 million people were affected."

Needless to say, Chinese hackers are surely in a state of war with the U.S. Do you need more proof? Just read the daily news.

"China's big goal in the 21st century is to become world number one, the top power," People's Liberation Army (PLA) Senior Col. Liu Mingfu writes in a newly published book, "The China Dream." This dream could rapidly become America's nightmare.




A cyber-war in action?

The U.S. Defense Secretary R. Gates said in a recent speech to the Air Force Association: "Investments in cyber and anti-satellite warfare (by China), anti-air and anti-ship weaponry, and ballistic missiles could threaten America's primary way to project power and help allies in the Pacific - in particular our forward air bases and carrier strike groups." The Pentagon recently admitted that last year many computer networks in the United States, Germany, Britain and France were hit by multiple intrusions, many of them originating from China. However, U.S. officials have been cautious not to directly accuse the Chinese military or its government of hacking because it is difficult to prove.

Due to the nature of botnets (distributed networks of infected computers spread out across the globe), cyber-defense experts face the problem of proving the origin of a cyber attack. Another reason the U.S. hasn't made any claims against China is the previously mentioned need to be politically correct.

When David Sedney, the deputy assistant secretary of defense for East Asia, said, "The way these intrusions are conducted are certainly consistent with what you would need if you were going to actually carry out cyber warfare," Beijing hit back at that, denying the allegation and calling on the U.S. to provide proof. "If they have any evidence, I hope they would provide it. Then, we can cooperate on this issue," said Qin Gang, a spokesman for the Chinese Foreign Ministry, during a regular press briefing... "I am telling you honestly, the Chinese government does not do such a thing".

India's security advisor said that the Indian government network was attacked on December 15, 2009, the same day that some US companies reported having been attacked. The attack on the Indian computers came through a maliciously crafted PDF file that arrived from China as an attachment to an email. As always, the Chinese foreign ministry called the claim "groundless".

However, some evidence of China as the base of various attacks has slowly come to the surface. For instance, a security researcher says he has found evidence linking the recent attacks on Google to China (January 2010). Analysis of the software used in the attacks revealed that it contained an algorithm from a Chinese technical paper that was published only on Chinese-language web sites.

Some experts believe that those hackers are not agents of the Chinese state, even if they claim to be paid by the Chinese government. All of it is quite sensitive information, and no one would openly publicize it. However, I believe that, with China's goal of achieving world dominance, it fits the picture. Military and economic espionage are an integral part of these carefully planned actions. As our recent Nobel Prize winner Mr. Obama mentioned in his speech, "We must begin by acknowledging the hard truth ... There will be times when nations - acting individually or in concert - will find the use of force not only necessary but morally justified."

Recent events related to Islamic fundamentalism proved that different people have different morals. In China's quest for world dominance, everything is "morally justified". Chinese communists can be trusted the same way we trust Russian leaders.

In May 2001, several U.S. government web sites were hacked or brought down with DDoS attacks by the Chinese. The White House, the U.S. Navy, the Interior Department's National Business Center, and more than 1,000 American sites experienced an unprecedented massive offensive.

As the skill of Chinese hackers grows, the successive attacks have become more serious. In the past two years, Chinese hackers have intercepted critical NASA files, breached the computer system of a sensitive Commerce Department bureau and launched assaults on the Save Darfur Coalition, pro-Tibet groups and CNN. Sadly, those are just the attacks that have been publicly acknowledged.

What was the cause of these massive and sudden attacks in 2001? As later discovered, it was a coordinated effort of Chinese hackers whose rising Internet-driven nationalism pushed them to declare an anti-American protest after the death of a Chinese pilot, killed in an accident when a U.S. EP-3 reconnaissance aircraft flying off the southern coast of China collided with a Chinese F-8 fighter jet.

In its 2008 report to Congress, the U.S.-China Economic and Security Review Commission called Chinese cyber-espionage a major threat to U.S. technology. "China is aggressively pursuing cyber warfare capabilities that may provide it with an asymmetric advantage against the United States," the commission warned. U.S. defense officials called it "patriotic hacking". Hey, this patriotic thing presents a real danger to the most vulnerable targets in our country, such as air traffic control, the electric grid and waste facilities, banking and Social Security systems, and it cannot be taken lightly. Whether it was paid for by the Chinese government or was an act of hacker patriotism, our government should take this very seriously. We live in the digital age, and all the information that is used in our networks and resides on our servers is at risk.

President Bush correctly understood this issue and, before leaving the Oval Office, authorized the creation of a National Cyber Security Center under the Department of Homeland Security. The current administration has proposed $355 million to secure private and public sector cyber-infrastructure.

James A. Lewis, a senior member at the Center for Strategic and International Studies (CSIS) who helped develop cyber-security policy recommendations for the Obama administration, shared that concern. "The U.S. government had a number of serious computer incidents in 2007, most of which were attributed to China," he says. "The focus in Washington is on what appear to be state-sponsored activities. That, of course, is only a part of what's going on in China." I wish the U.S. would take cyber-security in relation to China more seriously.

In a repeat of a past failure, when the U.S. military employed cyber-tactics in the Iraq war, insurgents recently intercepted U.S. military drone surveillance video (RQ-1 and MQ-1 Predator and MQ-9 Reaper drones). As it was discovered, they had been doing it for a while (U.S. military personnel found the files on a detained Shiite militant's laptop in 2008). All they had to do was use the Russian-made SkyGrabber, a program freely available on the Internet for less than $26. The event itself is so shocking that I hope it will be an eye-opener for those U.S. officials who are still blind to cyber-terrorism.

There is a real war in the East, but it is no longer a war with religious but uneducated mujahideen; it is a war with an enemy highly sophisticated in computer technology. I don't think it was done without any "outside" assistance from those who would love to bring the U.S. to its knees, but the fact itself is disturbing.

Let me remind you that China's neighbor Russia is "singing the same song" with China pretty often when it comes to voting on sanctions against rogue governments. Generally, both countries veto almost every U.S. proposition, and both countries hate the fact that the USA is a major power in the world (perhaps still the major one). They are dreaming about shifting the axis of power to their own countries, away from Americans.

Unfortunately, they're not only dreaming but are taking multiple, carefully planned steps to overpower the U.S. on the military front, economically, and financially by raising their own influence in all corners of the world. We learned from history that when the power players are on a battlefield of global scale, all methods are good - don't expect the players to play honestly, especially regimes ruled by current and former communists.

With the kind permission of the author of the article "Marina Kalashnikova's Warning to the West", Jeffrey R. Nyquist, I want to share with you the information below. Forgive me for including quite a large piece of this article, but I consider this information so important that I cannot condense it further.

"Russia has built an alliance of dictators, what Marina Kalashnikova (mentioned above) calls an "alliance of the most unbridled forces and regimes." Extremists of all kinds serve the purpose of breaking the peace, damaging Western economies, and setting the stage for a global revolution in which the balance of power shifts from the United States and the West to the Kremlin and its Chinese allies. "Among the ideas that animate general staff analysts in the Kremlin, there is the idea of diffusion," says Kalashnikova, "It is not that the Kremlin should strive for territorial expansion and the dissemination of its [political] model. The critical thing is power and the fulcrum of an overall strategic context. In that case, even if the Americans appear influential in the post-Soviet countries, Moscow remains in charge. The [Russian] General Staff therefore has successfully expanded Moscow's position beyond and above the old Soviet position in Africa and Latin America." What prevails, she says, is Moscow's "assertiveness and determination without fear of a reaction from the West."

In other words, the West has already been outmaneuvered. The KGB and the Russian General Staff have taken our measure, and they are laughing at us. Our leaders [read the U.S. Government] do not realize the sophistication of their enemy. They cannot see or understand what is happening. They blink, they turn away, continuing to use concepts gifted to them long ago by Soviet agents of influence. As a nation we are confused and disoriented, believing that the world is beholden to the West's money power - and therefore, peace can be purchased.

"The Kremlin has activated a network of extremists in the Third World," wrote Kalashnikova. "[At the same time] Russia has managed to shake off nearly all international conventions restricting the expansion of its military power." In this situation, the only counter to Russian power is American power. Yet the American president is preparing to surrender that power in a series of arms control agreements that will leave the United States vulnerable to a first strike. Placing this in context, nuclear weapons are ultimate weapons, so that the West's superiority in conventional weapons is therefore meaningless. Whoever gains strategic nuclear supremacy will rule the world; and the Russian strategic rocket forces are in place, ready to launch, while America's nuclear forces are rotting from neglect.

The Russian historian sees that the West relies on the greed of Russia's elite to keep the Kremlin in line. But this is a foolish conceit... the Kremlin's logic is ironclad: Let the West keep its worthless currency. Moscow will have weapons, and in the end Moscow and its allies will control everything. The liberal may believe that protests and appeals to humanity are the ultimate trump cards. The financiers may believe that money makes the world go 'round. Let them try to stop a salvo of ICBMs with liberal sentiment and cash. As far as the laws of physics are concerned, their favored instruments cannot stop a single missile.

According to Kalashnikova, "It is clear that the [Kremlin] regime has no restraint and will commit any crime, break any rule, surpass any benchmark in order to consolidate its already illegitimate power..." Even the old KGB chief, Vladimir Kryuchkov, was appalled: "Putin and others have to answer for what they are doing today to the country," he said. But the West sleeps. The West doesn't want to hear about the danger that rises in the East - from the Kremlin and its Chinese allies."


A recent attack simulation by Pentagon officials revealed that "The enemy had all the advantages: stealth, anonymity and unpredictability. No one could pinpoint the country from which the attack came, so there was no effective way to deter further damage by threatening retaliation. What's more, the military commanders noted that they even lacked the legal authority to respond - especially because it was never clear if the attack was an act of vandalism, an attempt at commercial theft or a state-sponsored effort to cripple the United States, perhaps as a prelude to a conventional war." (New York Times).

If you did not believe in cyber-wars and attributed them only to the movies, what else could convince you?



Cyber-espionage

As you may guess, stealing sensitive information from U.S. corporations is part of a big plan for many Chinese conglomerates and the government. Considering the long history of economic and military espionage, cyber-hacking is a relatively new form of it, and U.S. government officials are worried about China's plans and actions.

According to Brenner, the U.S. counterintelligence chief, on at least one occasion the Chinese used strategic information gathered by cyber-espionage about a large American company during business negotiations. "The delegation gets to China and realizes, 'These guys on the other side of the table know every bottom line on every significant negotiating point.' They had to have got this by hacking into [the company's] systems." Brenner mentioned that even one case like this proves that the Chinese will work very hard when they need to achieve a goal. It surely puts national security (and eventually the prosperity of our country) at serious risk.

The Chinese target any high-level official, senior officers of large companies or strategic institutions. Even a contractor working abroad can be a target of cyber-espionage. The laptop, USB memory stick, smartphone or PDA: all of it is at risk. "China is indeed a counterintelligence threat, and specifically a cyber-counterintelligence threat," said Brenner.

Cyber-espionage attempts are very difficult to register and prove, since today's cyber world includes botnets that can easily be used by, say, Russians masquerading as Chinese. However, several proven cases of cyber-espionage by the Chinese should raise awareness to a higher level and stop us from making friends with those who want to overrun us at every turn.

Try to "google" the key phrase "china hackers" in English and you will be surprised by the number of articles like these:
  1. Britain could be shut down by hackers from China, intelligence
    Mar 29, 2009 ... China has the ability to shut down Britain's vital services, including food or power supplies, because its companies are involved in ...
  2. Hackers in China break into PCs of Dalai, Indian embassy
  3. International hackers, many from China, are attacking NYPD computers
    Apr 22, 2009 ... A network of mystery hackers, most based in China, have been making 70000 attempts a day to break into the NYPD's computer system, ...
  4. Hackers put China flag on Australian film site - Security- msnbc.com
    Jul 27, 2009 ... Hackers posted a Chinese flag on the Web site of an Australian film festival in an escalation of protests against the planned appearance by ...
  5. China's hackers stealing US defence secrets, says congressional ...
    Nov 20, 2008 ... Beijing's spending on rocket science turns outer space into 'commanding heights' of modern warfare and could chill relations with America, ...
  6. Block China Web Traffic IP Addresses and Chinese Hackers
    Protect your web site from Chinese hackers by preventing traffic from IP address ranges originating in China.

Based on a 7-year study, Mandiant describes how Chinese cyber-gangsters launched sophisticated attacks and were able to penetrate government and corporate computer networks while remaining practically undetected. They describe the so-called advanced persistent threat (APT) model and reveal that the majority of APT attacks are attributed to China. The shocking truth: existing anti-malware software was able to detect just 24% of the malware used in the attacks. Mandiant describes several stages of APT attacks:
  1. Reconnaissance (identifying the individuals they will target in the attacks);
  2. Intrusion into the network using known methods like phishing;
  3. Establishing a backdoor through injection, registry modification, or scheduled services;
  4. Installing multiple hacking utilities; obtaining user credentials and escalation of privileged access up to the administration level;
  5. Data extraction, encryption, compression, storing on staging servers, and deletion after successful upload to their own network;
  6. Maintaining persistence by adjusting the malware.

While APT-type attacks are usually silent, low-profile attacks designed for long-term espionage, the recent attack on Google and 20 other large companies is more of an open-war type.
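As an added illustration (not part of the original post, nor Mandiant's own tooling), the small Python script below correlates endpoint events into the APT stages listed above: an intrusion via a document reader dropping an executable (the crafted-PDF case mentioned earlier), a backdoor via a Run key or scheduled task, tooling launched by that implant, and a bulk upload after an archiver has been run. The JSON-lines event format, field names, host names, addresses and thresholds are all constructed for the demo.

```python
"""Correlate endpoint events into the APT stages the post lists.
Everything here is an assumption for the demo: the JSON-lines event
format, the field names and the sample events are constructed."""
import json
from collections import defaultdict

TEMP_HINTS = ("\\Temp\\", "\\AppData\\")          # user-writable drop locations
DOC_READERS = ("acrord32.exe", "winword.exe", "excel.exe")
ARCHIVERS = ("rar.exe", "7z.exe", "winrar.exe")   # staging/compression tools
EXFIL_BYTES = 100 * 1024 * 1024                   # 100 MB to one destination

# Constructed sample events, one JSON object per line (no real hosts or IPs).
SAMPLE_EVENTS = r"""
{"ts":"2010-01-12T09:03:10","host":"ws-17","type":"process","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe","parent":"AcroRd32.exe"}
{"ts":"2010-01-12T09:03:12","host":"ws-17","type":"registry_set","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchst","value":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe"}
{"ts":"2010-01-12T09:04:00","host":"ws-17","type":"schtask_create","name":"SysUpdate","command":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe"}
{"ts":"2010-01-13T02:10:00","host":"ws-17","type":"process","image":"C:\\Windows\\Temp\\pw.exe","parent":"upd.exe"}
{"ts":"2010-01-13T02:40:00","host":"ws-17","type":"process","image":"C:\\Windows\\Temp\\rar.exe","parent":"cmd.exe"}
{"ts":"2010-01-13T03:00:00","host":"ws-17","type":"net_out","dst":"203.0.113.7","bytes":734003200}
{"ts":"2010-01-13T08:00:00","host":"ws-42","type":"net_out","dst":"198.51.100.9","bytes":40960}
"""


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_temp(path):
    return any(h.lower() in path.lower() for h in TEMP_HINTS)


def assess(events_text):
    """Return {host: sorted list of (stage, ts, reason)} for hosts with findings."""
    findings = defaultdict(list)
    implants = defaultdict(set)   # host -> basenames of binaries already flagged
    staged = {}                   # host -> timestamp of the last archiver run
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        h, t, kind = ev["host"], ev["ts"], ev["type"]
        if kind == "process":
            img, parent = ev["image"], ev["parent"].lower()
            if parent in DOC_READERS and is_temp(img):      # stage 2: intrusion
                findings[h].append((2, t, "document reader dropped and ran " + basename(img)))
                implants[h].add(basename(img))
            elif parent in implants[h]:                      # stage 4: implant runs tooling
                findings[h].append((4, t, f"{parent} launched tool {basename(img)}"))
                implants[h].add(basename(img))
            if basename(img) in ARCHIVERS:                   # stage 5 precursor: staging
                staged[h] = t
        elif kind == "registry_set" and "\\currentversion\\run\\" in ev["key"].lower() and is_temp(ev["value"]):
            findings[h].append((3, t, "Run key points at " + ev["value"]))   # stage 3: backdoor
            implants[h].add(basename(ev["value"]))
        elif kind == "schtask_create" and is_temp(ev["command"]):
            findings[h].append((3, t, f"scheduled task {ev['name']} runs " + ev["command"]))
            implants[h].add(basename(ev["command"]))
        elif kind == "net_out" and ev["bytes"] >= EXFIL_BYTES and h in staged:
            findings[h].append((5, t, f"{ev['bytes']} bytes to {ev['dst']} after archiver run at {staged[h]}"))
    return {h: sorted(f) for h, f in findings.items()}


def stages_reached(events_text):
    """Condense the findings to the set of stages observed per host."""
    return {h: sorted({s for s, _, _ in f}) for h, f in assess(events_text).items()}


if __name__ == "__main__":
    for host, items in assess(SAMPLE_EVENTS).items():
        print(host)
        for stage, ts, reason in items:
            print(f"  stage {stage}  {ts}  {reason}")
```

The script deliberately keys on behaviour (what launched what, and where the binary lives) rather than on file signatures, which is the gap the 24% detection figure above points at.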


Continue to PART III
Back to PART I