Report Details Hacks Targeting Google, Others
bill

WebmasterWorld Administrator, Top Contributor of All Time, 10+ Year Member, Best Post Of The Month



 
Msg#: 4073994 posted 1:31 am on Feb 4, 2010 (gmt 0)

This is downright spooky.

Report Details Hacks Targeting Google, Others [wired.com]

Now a leading computer forensic firm is providing the closest look so far at the nature of the attacks, and attackers, that struck Google and others. The report never mentions Google by name, or any other companies, but focuses on information gathered from hundreds of forensic investigations the firm has conducted that are identical to what we know about the Google hack.

What the information indicates is that the attack that hit Google is identical to publicly undisclosed attacks that have quietly plagued thousands of other U.S. companies and government agencies since 2002 and are rapidly growing. They represent a sea change from the kinds of attacks that have commonly hit networks and made headlines.

"The scope of this is much larger than anybody has ever conveyed," says Kevin Mandia, CEO and president of Virginia-based computer security and forensic firm Mandiant. "There [are] not 50 companies compromised. There are thousands of companies compromised. Actively, right now."

 

gethan

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4073994 posted 2:17 am on Feb 4, 2010 (gmt 0)

Called Advanced Persistent Threats (APT), the attacks are distinctive in the kinds of data the attackers target, and they are rarely detected by antivirus and intrusion programs. What’s more, the intrusions grab a foothold into a company’s network, sometimes for years, even after a company has discovered them and taken corrective measures.
[wired.com...]

Really interesting article; the term APT is very appropriate - reminiscent of Cold War espionage, sleeper moles. Disable one threat, and in a few hours more sophisticated versions appear. Two things seem to be at the heart of these attacks:

Windows insecurity and China.

(OT - love the ctrl+c ctrl+v + Read More URL - that wired has js doing!)

Erku

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4073994 posted 3:50 am on Feb 4, 2010 (gmt 0)

How could this type of attack affect the traffic of a US-based news site? We have lost a lot of traffic recently and would like to have an idea if this type of attack could affect it.

KenB

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4073994 posted 4:13 am on Feb 4, 2010 (gmt 0)

Really scary stuff. So how does one defend against such attacks? They did emphasize Microsoft products, but I assume an APT could target any OS.

This makes me more concerned than ever about buying any hardware that was made in China or has components that were made in China, because the easiest way to hide the stub malware and back doors would be in the hardware itself.

Green_Grass

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4073994 posted 5:48 am on Feb 4, 2010 (gmt 0)

I should say it is very smart and long term thinking of Chinese (govt.?) to put sleepers inside the hardware. Maybe they forgot that, once revealed, these kinds of activities will lead to the DEATH of their hardware industry? Or will they claim innocence and all will be forgiven for 'low prices' and 'cheap (govt. controlled and wage regulated) labor'.

JS_Harris

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4073994 posted 7:33 am on Feb 4, 2010 (gmt 0)

Green_Grass, as long as people want the product, production will be expected to continue, which can be construed as forgiveness. I was surprised Google took a stand against a country with the political clout China has, but I will be more surprised if Google doesn't stay in China ultimately, because there is profit to be made both for China and for Google.

The real question is... whose privacy is being trampled on and how much will it cost them to defend? It's not unlike 9/11 when we lost a few thousand people and some buildings only to take a course of action that led to the loss of tens of thousands of lives and enough money to buy hundreds of buildings. Will too much money be thrown at this in an over-reaction?

bill

WebmasterWorld Administrator, Top Contributor of All Time, 10+ Year Member, Best Post Of The Month



 
Msg#: 4073994 posted 8:47 am on Feb 4, 2010 (gmt 0)

There is no mention in the article at all of hardware being used in these attacks. Let's try to stay on topic.

If you'd like to rehash the politics of this, we have a running thread here: Google Hacked and No Longer Willing to Censor Results in China [webmasterworld.com]

These APT attacks go after zero-day exploits in software via social engineering. They avoid most all detection of current AV/Malware scanners.

scotland

5+ Year Member



 
Msg#: 4073994 posted 9:19 am on Feb 4, 2010 (gmt 0)

Did the Cold War ever go away or did it just change technology? There are probably several governments involved plus criminal elements.

When Governments in the UK and US probably monitor Internet traffic and most communications then one way they will go about it is by compromising security of the networks involved.

... so it may not just be China that is involved in hacking companies, look closer to home.

lammert

WebmasterWorld Senior Member, Top Contributor of All Time, 5+ Year Member



 
Msg#: 4073994 posted 1:36 pm on Feb 4, 2010 (gmt 0)

As a programmer for many years, I would say that this software is extremely well engineered, using one of the main vulnerabilities in modern large computer networks: upgrades and cleanups are implemented incrementally. As long as one computer in a corner of the company contains an infection, it will spread again over the complete network, even if all other computers have been cleaned or replaced. The only remedy is to replace the complete internal network infrastructure at once, without letting it communicate with old, possibly infected machines. And even then the network will only stay clean until one of the many weak parts in the chain called "human being" circumvents strict security rules and opens one infected email or visits one infected website.

hutcheson

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4073994 posted 5:37 pm on Feb 4, 2010 (gmt 0)

>How could this type of attack affect the traffic of a US-based news site?

This isn't a mug-the-peasants-for-their-straw-hats operation. They're going after companies that handle financial transactions on the web, or that have valuable information (databases or software) that could be stolen.

And it isn't about redirecting URLs. It's about tapping into communications with specified websites.

Now, the straw-hat-bandits are still loose, some of them doubtless operating from inside the bamboo cage. But this is not the same thing at all.

KenB

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4073994 posted 6:26 pm on Feb 4, 2010 (gmt 0)

>>How could this type of attack affect the traffic of a US-based news site?

>This isn't a mug-the-peasants-for-their-straw-hats operation. They're going after companies that handle financial transactions on the web, or that have valuable information (databases or software) that could be stolen.


True, but we could still be collateral damage and/or stepping stones to the ultimate target.

lammert

WebmasterWorld Senior Member, Top Contributor of All Time, 5+ Year Member



 
Msg#: 4073994 posted 7:09 pm on Feb 4, 2010 (gmt 0)

I don't think so. The goal of this attack does not seem to be making direct damage. Instead it is about gaining knowledge and surviving in stealth mode as long as possible. To do this they have to make sure that their visible footprint is as small as possible, and the only safe harbors are in the secured company networks because that is where no-one expects these infections to hide. Widespread infection of public servers would make them too visible.

If you read the article, the main difference experts see with normal attacks is that with normal attacks front-end servers are compromised (mostly web-servers etc) while with these attacks social networking strategies were used to infect only targeted computer systems and key-users behind the fences in the center of knowledge.

artek

5+ Year Member



 
Msg#: 4073994 posted 7:24 pm on Feb 4, 2010 (gmt 0)

I think they are after every server in the US so they can sort out later which one will be useful.

Last Tuesday, our hosting provider had to reconfigure our semi-dedicated server because someone from a China IP hacked into it. Yesterday, I watched our dedicated server being attacked for three hours straight. All attempts, repeated every 8-12 minutes, were made from a single IP in China. Finally, I got tired of it and blocked the IP.

I am seriously thinking about blocking China altogether. I hear lots of other people do it now in the US.

J_RaD

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4073994 posted 8:20 pm on Feb 5, 2010 (gmt 0)

Yes I block the whole country as well.

KenB

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4073994 posted 9:53 pm on Feb 5, 2010 (gmt 0)

I've considered blocking China altogether as well; unfortunately I can't really block them effectively until after Apache has handed the request off to PHP. I could block them prior to opening any SQL connections, but that is it.

bill

WebmasterWorld Administrator, Top Contributor of All Time, 10+ Year Member, Best Post Of The Month



 
Msg#: 4073994 posted 11:28 am on Feb 7, 2010 (gmt 0)

Blocking Chinese IPs won't do anything to prevent an attack like this.

KenB

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4073994 posted 1:22 pm on Feb 7, 2010 (gmt 0)

>Blocking Chinese IPs won't do anything to prevent an attack like this.

True, but it could reduce run of the mill scrapers, badbots and website cracking attempts. Basically it would help conserve server resources and reduce injection string attempts.

lammert

WebmasterWorld Senior Member, Top Contributor of All Time, 5+ Year Member



 
Msg#: 4073994 posted 3:47 pm on Feb 7, 2010 (gmt 0)

In that case I would advise you to block the range 0.0.0.0 netmask 0.0.0.0, it will certainly stop all scrapers, badbots and your server resources won't be exhausted anymore...

Having more Internet users than the US, it is normal that a large percentage of undesired Internet activity is also coming from China. If your site won't benefit from users from that part of the world it is your free decision to block traffic from that origin. But it won't stop the specific type of attacks discussed in this thread. These attacks use social engineering to pass the first obstacles in network defense. The attacks are not pointed at software flaws or badly chosen passwords, but at flaws in the interaction between humans where people trust information if it is coming from a trusted person, even if that person obtained the information from an untrusted source.
