Security in Context: The BeyondTrust Blog

Scary Night Dragons Fall from Sky

Posted February 10, 2011    Marc Maiffret

Reading the news today one could not help but notice the latest installment of “scary Chinese hacker press” making the headlines. And who can blame the news media for latching on to this story, as it has all the right ingredients: foreign governments targeting U.S. interests, catchy nicknames like Night Dragon, connections to a previous scary threat, “Operation Aurora,” and a timely announcement leading up to one of the security industry’s biggest conferences in San Francisco next week, RSA. Wait, what?

Some of you might be experiencing déjà vu when you read about this latest series of Chinese attacks targeting U.S. Oil and Gas companies. You may recall that it was in January of 2010 that news actually broke about the FBI investigating extensive targeted attacks that took place against Oil and Gas companies during the 2008 and 2009 timeframe. The attacks described then are not much different from the attacks described now. I will leave the debate to others on whether the attacks in 2008 and 2009 are different attacks or whether some security companies are just now getting around to shedding extra technical light on years-old attacks. Either way, the answer would be uninteresting, but I digress…

Night Dragon might remind you of another series of attacks, Operation Aurora, which, if you do not remember, was the series of attacks that became public around this same time last year. In the case of Aurora, it was a series of targeted attacks against a variety of organizations, but most notably against Google. The thing that made Operation Aurora unique was not the technical aspect of the attack itself, but Google coming forward to talk openly about the breach they suffered.

In the case of Night Dragon, the attacks were of varying levels of sophistication. In some cases public attack tools, which have been known for many years, were used by the attackers behind Night Dragon. Over five months ago, eEye research was monitoring conversations on an Iranian message board which is hosted in the United Kingdom. On the message board, hackers openly discuss the usage of one of the attack tools that was used within Night Dragon. This was of course not interesting, because the attack tool is well known and commonly used to attack systems throughout the world. Nor is it interesting that the discussion was taking place on an Iranian message board. Attacks happen all the time to many organizations and countries. Today even the most straightforward attacks are considered sophisticated when contrasted against the outdated approach organizations and governments take to protect their systems. Not to mention that tracing back the origin of an attack is far from an exact science, and one that allows attackers to easily manipulate the attribution of who is behind an attack.

Another example of how old and well known the components of Night Dragon are is the malware that was being embedded on systems. Anti-virus companies have been detecting these malware components for more than 5-6 months, and most had been protecting generically against these classes of malware long before that. This is another stark contrast to Operation Aurora, which even after Google went public was still lacking detection by most anti-virus companies. More importantly, the fact that so many components within the Night Dragon attacks are publicly available and known in hacking circles makes it even harder to really say with any authority which attacks were related or not. This is again very different from the extremely targeted and customized nature of Operation Aurora, or even more so Stuxnet.

There are, however, things that Operation Aurora and Night Dragon have in common. Both of them made their big splash in the beginning of the year, only weeks ahead of the security industry’s largest conference, RSA. Both of them also, like most attacks covered in the news, were simply more of the same, in that they did nothing to further our dialogue on what to do about these attacks but rather only served some security company’s interests in product sales and continued a crippling effect on what policy the United States, and other countries, might enact to combat a most clear and present danger.

You see, it is not that Operation Aurora or Night Dragon are not problems; they very much are. But they are simply the tip of a massive iceberg which any modern country is quickly sailing into in a way that makes the Titanic disaster seem minor. Given the political deadlock in Washington at the moment, it is unlikely that we will see government step forward to solve this problem for us, and in a lot of ways they are probably not the ones that should have to solve it.

The role of government should not be to do the job that corporations should be doing themselves in trying to prevent the theft of intellectual property, but rather to do as law enforcement and our military have done since their inception: to identify criminals and those who would threaten our freedom to prosper, and either bring them to justice or draw a line in the sand of what will no longer be tolerated without facing retribution.

If China is the aggressor that it appears to be in cyberspace, then it is time to elevate this conversation and debate to one of substantial action, instead of wielding it as another weapon of fear for security industry sales and budget increase requests.

As the security industry gathers in San Francisco for RSA next week, let’s hope we can for once shift the conversation beyond the latest scary threat and the new silver bullet technology to solve the problem. We should engage in a serious conversation about what it will take at a policy level to make lasting improvements that impact the future security of our technology-ingrained way of life.

The answer will not be the latest desktop security software for $44.99.

Signed,
Marc Maiffret
Co-Founder/CTO
eEye Digital Security

Additional articles

Exploiting MS14-059 because sometimes XSS is fun, sometimes…

Posted October 17, 2014    BeyondTrust Research Team

This October, Microsoft provided a security update for System.Web.Mvc.dll which addresses a ‘Security Feature Bypass’. The vulnerability itself is in ASP.NET MVC technology, and given its wide adoption we thought we would take a closer look. Referring to the bulletin we can glean a few useful pieces of information: “A cross-site scripting (XSS) vulnerability exists…

Four Best Practices for Passing Privileged Account Audits

Posted October 16, 2014    Chris Burd

Like most IT organizations, your team may periodically face the “dreaded” task of being audited. Your process for delegating privileged access to desktops, servers, and infrastructure devices is a massive target for the auditor’s microscope. An audit’s findings can have significant implications on technology and business strategy, so it’s critical to make sure you’re prepared…

Bad POODLE, Don’t Bite!

Posted October 16, 2014    BeyondTrust Research Team

Researchers at Google (Bodo Möller, Thai Duong, and Krzysztof Kotowicz) have discovered that the encryption schemes used by SSL 3.0 are exploitable (CVE-2014-3566). Although the majority of web servers implement Transport Layer Security (TLS), the majority of clients will downgrade to SSL 3.0 in an attempt to maintain interoperability between protocols. For example, when a…
