
Report Details Hacks Targeting Google, Others


bill

1:31 am on Feb 4, 2010 (gmt 0)

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month



This is downright spooky.

Report Details Hacks Targeting Google, Others [wired.com]

Now a leading computer forensic firm is providing the closest look so far at the nature of the attacks, and attackers, that struck Google and others. The report never mentions Google by name, or any other companies, but focuses on information gathered from hundreds of forensic investigations the firm has conducted that are identical to what we know about the Google hack.

What the information indicates is that the attack that hit Google is identical to publicly undisclosed attacks that have quietly plagued thousands of other U.S. companies and government agencies since 2002 and are rapidly growing. They represent a sea change from the kinds of attacks that have commonly hit networks and made headlines.

"The scope of this is much larger than anybody has every conveyed," says Kevin Mandia, CEO and president of Virginia-based computer security and forensic firm Mandiant. "There [are] not 50 companies compromised. There are thousands of companies compromised. Actively, right now."

gethan

2:17 am on Feb 4, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Called Advanced Persistent Threats (APT), the attacks are distinctive in the kinds of data the attackers target, and they are rarely detected by antivirus and intrusion programs. What’s more, the intrusions grab a foothold into a company’s network, sometimes for years, even after a company has discovered them and taken corrective measures.
[wired.com...]

Really interesting article; the term APT is very appropriate - reminiscent of cold war espionage, sleeper moles. Disable one threat and in a few hours more sophisticated versions appear. Two things seem to be at the heart of these attacks:

Windows insecurity and China.

(OT - love the ctrl+c ctrl+v + "Read More" URL that Wired has JS doing!)

Erku

3:50 am on Feb 4, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



How could this type of attack affect the traffic of a US-based news site? We have lost a lot of traffic recently and would like to have an idea if this type of attack could affect it.

KenB

4:13 am on Feb 4, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Really scary stuff. So how does one defend against such attacks? They did emphasize Microsoft products, but I assume an APT could target any OS.

This makes me more concerned than ever about buying any hardware that was made in China or has components that were made in China, because the easiest way to hide the stub malware and back doors would be in the hardware itself.

Green_Grass

5:48 am on Feb 4, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



I should say it is very smart and long-term thinking of the Chinese (govt.?) to put sleepers inside the hardware. Maybe they forgot that, once revealed, this kind of activity will lead to the DEATH of their hardware industry? Or will they claim innocence and all will be forgiven for 'low prices' and 'cheap (govt. controlled and wage regulated) labor'?

JS_Harris

7:33 am on Feb 4, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Green_Grass, as long as people want the product, production will be expected to continue, which can be construed as forgiveness. I was surprised Google took a stand against a country with the political clout China has, but I will be more surprised if Google doesn't stay in China ultimately, because there is profit to be made both for China and for Google.

The real question is... whose privacy is being trampled on and how much will it cost them to defend? It's not unlike 9/11, when we lost a few thousand people and some buildings only to take a course of action that led to the loss of tens of thousands of lives and enough money to buy hundreds of buildings. Will too much money be thrown at this in an over-reaction?

bill

8:47 am on Feb 4, 2010 (gmt 0)

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month



There is no mention in the article at all of hardware being used in these attacks. Let's try to stay on topic.

If you'd like to rehash the politics of this we have a running thread here: Google Hacked and No Longer Willing to Censor Results in China [webmasterworld.com]

These APT attacks go after zero-day exploits in software via social engineering. They avoid almost all detection by current AV/malware scanners.

scotland

9:19 am on Feb 4, 2010 (gmt 0)

5+ Year Member



Did the cold war ever go away or did it just change technology? There are probably several governments involved plus criminal elements.

When governments in the UK and US probably monitor Internet traffic and most communications, then one way they will go about it is by compromising the security of the networks involved.

... so it may not just be China that is involved in hacking companies; look closer to home.

lammert

1:36 pm on Feb 4, 2010 (gmt 0)

WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



As a programmer for many years, I would say that this software is extremely well engineered, using one of the main vulnerabilities in modern large computer networks: upgrades and cleanups are implemented incrementally. As long as one computer in a corner of the company contains an infection, it will spread again over the complete network, even if all other computers have been cleaned or replaced. The only remedy is to replace the complete internal network infrastructure at once, without letting it communicate with old, possibly infected machines. And even then the network will only stay clean until one of the many weak parts in the chain called "human being" circumvents strict security rules and opens one infected email or visits one infected website.

hutcheson

5:37 pm on Feb 4, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>How could this type of attack affect the traffic of a US-based news site?

This isn't a mug-the-peasants-for-their-straw-hats operation. They're going after companies that handle financial transactions on the web, or that have valuable information (databases or software) that could be stolen.

And it isn't about redirecting URLs. It's about tapping into communications with specified websites.

Now, the straw-hat-bandits are still loose, some of them doubtless operating from inside the bamboo cage. But this is not the same thing at all.

KenB

6:26 pm on Feb 4, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>How could this type of attack affect the traffic of a US-based news site?

>This isn't a mug-the-peasants-for-their-straw-hats operation. They're going after companies that handle financial transactions on the web, or that have valuable information (databases or software) that could be stolen.

True, but we could still be collateral damage and/or stepping stones to the ultimate target.

lammert

7:09 pm on Feb 4, 2010 (gmt 0)

WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



I don't think so. The goal of this attack does not seem to be doing direct damage. Instead it is about gaining knowledge and surviving in stealth mode as long as possible. To do this they have to make sure that their visible footprint is as small as possible, and the only safe harbors are in the secured company networks, because that is where no one expects these infections to hide. Widespread infection of public servers would make them too visible.

If you read the article, the main difference experts see from normal attacks is that with normal attacks front-end servers are compromised (mostly web servers, etc.), while with these attacks social networking strategies were used to infect only targeted computer systems and key users behind the fences in the center of knowledge.

artek

7:24 pm on Feb 4, 2010 (gmt 0)

10+ Year Member



I think they are after every server in the US so they can sort out later which ones will be useful.

Last Tuesday, our hosting provider had to reconfigure our semi-dedicated server because someone from a Chinese IP hacked into it. Yesterday, I watched our dedicated server being attacked for three hours straight. All attempts, repeated every 8-12 minutes, were made from a single IP in China. Finally, I got tired of it and blocked the IP.

I am seriously thinking about blocking China altogether. I hear lots of other people do it now in the US.

J_RaD

8:20 pm on Feb 5, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Yes I block the whole country as well.

KenB

9:53 pm on Feb 5, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I've considered blocking China altogether as well; unfortunately I can't really block them effectively until after Apache has handed the request off to PHP. I could block them prior to opening any SQL connections, but that is it.

bill

11:28 am on Feb 7, 2010 (gmt 0)

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month



Blocking Chinese IPs won't do anything to prevent an attack like this.

KenB

1:22 pm on Feb 7, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>Blocking Chinese IPs won't do anything to prevent an attack like this.

True, but it could reduce run-of-the-mill scrapers, bad bots and website cracking attempts. Basically it would help conserve server resources and reduce injection string attempts.

lammert

3:47 pm on Feb 7, 2010 (gmt 0)

WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



In that case I would advise you to block the range 0.0.0.0 netmask 0.0.0.0; it will certainly stop all scrapers and bad bots, and your server resources won't be exhausted anymore...

Since China has more Internet users than the US, it is normal that a large percentage of undesired Internet activity is also coming from China. If your site won't benefit from users from that part of the world, it is your free decision to block traffic from that origin. But it won't stop the specific type of attacks discussed in this thread. These attacks use social engineering to pass the first obstacles in network defense. The attacks are not pointed at software flaws or badly chosen passwords, but at flaws in the interaction between humans, where people trust information if it is coming from a trusted person, even if that person obtained the information from an untrusted source.
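As an added example (not code from the thread or any of its posters), a small Python defender-side check covering two points raised above: a CIDR deny list, which makes concrete why lammert's "0.0.0.0 netmask 0.0.0.0" rule matches every address, and a counter that flags repeated failed requests from one source of the kind artek described. The log lines, addresses and thresholds are constructed from documentation address space and are assumptions, not data from the thread.

```python
"""Constructed example: source-IP deny list plus repeated-failure detection."""
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample lines in Apache combined-log style (documentation
# address space, not real traffic): one normal visitor, one source that
# retries a login endpoint every ~9 minutes and gets 401 each time.
SAMPLE_LOG = """\
198.51.100.7 - - [04/Feb/2010:18:02:11 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.9 - - [04/Feb/2010:18:05:40 +0000] "POST /wp-login.php HTTP/1.1" 401 0
203.0.113.9 - - [04/Feb/2010:18:14:02 +0000] "POST /wp-login.php HTTP/1.1" 401 0
203.0.113.9 - - [04/Feb/2010:18:23:51 +0000] "POST /wp-login.php HTTP/1.1" 401 0
198.51.100.7 - - [04/Feb/2010:18:30:00 +0000] "GET /about HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(log_text):
    """Yield (ip, timestamp, status) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), datetime.strptime(m.group(2), TIME_FMT), int(m.group(3))


def blocked_by(ip, deny_list):
    """Return the first deny-list CIDR that covers ip, or None if none does.

    A rule of 0.0.0.0/0 (address 0.0.0.0, netmask 0.0.0.0) covers every
    IPv4 address, which is the point of the 'block everything' joke above.
    """
    addr = ipaddress.ip_address(ip)
    for cidr in deny_list:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return cidr
    return None


def repeated_failures(log_text, window=timedelta(hours=1), threshold=3):
    """Map each source IP to its 4xx count if it reached threshold within window."""
    failures = {}
    for ip, ts, status in parse(log_text):
        if 400 <= status < 500:
            failures.setdefault(ip, []).append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            hits = sum(1 for t in times[i:] if t - start <= window)
            if hits >= threshold:
                flagged[ip] = hits
                break
    return flagged
```

Such a rate-based block reduces noise from retrying bots but, as the thread notes, does nothing against an attack that arrives as one plausible email to one targeted user.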