Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Scary Night Dragons Fall from Sky

Posted February 10, 2011    Marc Maiffret

Reading the headlines today one could not help but notice the latest installment of “scary Chinese hacker press” making the headlines. And who can blame the news media for latching on to this story as it has all the right ingredients: foreign governments targeting U.S. interests, catchy nicknames like Night Dragon, connections to a previous scary threat “Operation Aurora” and a timely announcement leading up to one of the security industry’s biggest conferences in San Francisco next week, RSA. Wait, what?

Some of you might be experiencing déjà vu when you read about this latest series of Chinese attacks targeting U.S. oil and gas companies. You may recall that it was in January of 2010 that news broke about the FBI investigating extensive targeted attacks against oil and gas companies during the 2008 and 2009 timeframe. The attacks described then are not much different from the attacks described now. I will leave the debate to others on whether the 2008 and 2009 attacks are separate attacks, or whether some security companies are only now getting around to shedding extra technical light on years-old intrusions. Either way, the answer would be uninteresting, but I digress…

Night Dragon might remind you of another series of attacks, Operation Aurora, which, if you do not remember, was the series of attacks that became public around this same time last year. In the case of Aurora, it was a series of targeted attacks against a variety of organizations, but most notably against Google. What made Operation Aurora unique was not the technical aspect of the attack itself, but Google coming forward to talk openly about the breach it suffered.

In the case of Night Dragon, the attacks were of varying levels of sophistication. In some cases the attackers behind Night Dragon used public attack tools that have been known for many years. Over five months ago, eEye research was monitoring conversations on an Iranian message board hosted in the United Kingdom, where hackers openly discussed the use of one of the attack tools later seen in Night Dragon. That in itself was not interesting, because the tool is well known and commonly used to attack systems throughout the world. Nor is it interesting that the discussion took place on an Iranian message board; attacks happen all the time, against many organizations and in many countries. Today even the most straightforward attacks are considered sophisticated when contrasted against the outdated approach organizations and governments take to protecting their systems. Not to mention that tracing the origin of an attack is far from an exact science, which makes it easy for attackers to manipulate the attribution of who is behind an attack.

Another example of how old and well known the components of Night Dragon are is the malware that was being planted on systems. Anti-virus companies have been detecting these malware components for more than 5-6 months, and most had generic protection for these classes of malware long before that. This is another stark contrast to Operation Aurora, which, even after Google went public, still lacked detection by most anti-virus companies. More importantly, because so many components within the Night Dragon attacks are publicly available and known in hacking circles, it is even harder to say with any authority which attacks were related and which were not. This is again very different from the extremely targeted and customized nature of Operation Aurora, and even more so Stuxnet.

There are, however, things that Operation Aurora and Night Dragon have in common. Both made their big splash at the beginning of the year, only weeks ahead of the security industry’s largest conference, RSA. Both also, like most attacks covered in the news, were simply more of the same: they did nothing to further our dialogue on what to do about these attacks, but rather only served some security company’s interest in product sales, and continued to have a crippling effect on the policy the United States, and other countries, might enact to combat a clear and present danger.

You see it is not that Operation Aurora or Night Dragon are not problems; they very much are. But they are simply the tip of a massive iceberg which any modern country is quickly sailing into in a way that makes the Titanic disaster seem minor. Given the political deadlock in Washington at the moment, it is unlikely that we will see government step forward to solve this problem for us and in a lot of ways they are probably not the ones that should have to solve it.

The role of government should not be to have to do the job that corporations should be doing themselves in trying to prevent the theft of intellectual property, but rather to do as law enforcement and our military have done since their inception: to identify criminals and those who would threaten our freedom to prosper and either bring them to justice or draw a line in the sand of what will no longer be tolerated without facing retribution.

If China is the aggressor that it appears to be in cyberspace, then it is time to elevate this conversation and debate to one of substantial action, instead of wielding it as another weapon of fear for security industry sales and budget increase requests.

As the security industry gathers in San Francisco for RSA next week, let’s hope we can for once shift the conversation beyond the latest scary threat and the new silver-bullet technology to solve the problem. We should engage in a serious conversation about what it will take at a policy level to make lasting improvements that impact the future security of our technology-ingrained way of life.

The answer will not be the latest desktop security software for $44.99.

Marc Maiffret
eEye Digital Security
