Support

Blog

Flattr this!

(This is a rough draft, so excuse the lack of editing and / or coherence at points)

The news this week is full of alleged government interference with a certain exiled government leaders computers.

While there is sufficient evidence of  targeting by state sponsored actors, I don’t necessarily agree with  everything they wrote in the report, or all their findings.  While there is merit to discussion about that, its probably safer to avoid the topic, and examine how the attacks worked, and what we can do to avoid or mitigate events like that.

The actual report can be read here in PDF format – http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.html

As the attack was through multiple vectors I thought it would be interesting to do a little actual research, on current techniques.

The report showed that there were a myriad of ways the attackers obtained access.

The first (and most likely to actually have been used) was via simple password cracking.
The targeted mail servers were hosted in the USA, and passwords were obtained using either sniffing or dictionary attack methods.

Once access was obtained,  emails were monitored simply by logging into the mail server and downloading mails.

What can be done to mitigate against that?

The first option, is to use decent passwords for your email, and use encrypted communication between points.
It also helps to actually read the logs on the servers and check for failed logins.

On our email servers here, I get a daily report on failed logins, and can quickly tell if someone is attempting to break in.
We also block further login attempts for a short period of time after a certain number of failures.

This stops dictionary attacks, but won’t stop a concerted attacker, who can spread attacks over a longer period of time.

In the above case, it would have been fairly easy for officialdom to tell the local ISP up in the Autonomous province to put a filter in the network to search for connections to the target mail server, and log communications.  As communications were going over the network in the clear (encryption wasn’t in use), the user names and passwords were available to anyone sitting in the right place in the network.  That that wasn’t done, and different vectors of attack were used is more telling.

Encryption would solve that kind of monitoring though.

There are 2 types of encryption that can be used.  Network encryption, or service encryption.
Mail is usually encrypted using TLS or SSL, we support both styles in our email systems.

If you’ve setup mail on a Mac using Leopard, you’ll find that Leopard will automatically detect and set this up for you on our systems.

Encrypted mail would still be visible on the network as headed to the target server though, and given enough time and money, could be decrypted.

One thing to note though is that service encryption only works if the service is encrypted (obviously!).  If you offer multiple ways to access a service, then you are only as secure as the weakest link.

In our setup we offer webmail over unsecured http access.  This means that user name and passwords go over plain text over the internet to our server.    We also offer unencrypted access to POP / SMTP ports, which again travel in plain text over the internet.

I will be taking a look at using SSL encryption for webmail in the near future, although there are a number of issues with that also, mainly to do with the way a handful of companies have sown up the SSL key market (thats a whole other story), making it cost prohibitive.

A better way to communicate would be to use network encryption – or as its more commonly known – VPN.

If a VPN was used, all communication from point A -> B would be encrypted.  This is still not infallible though, a VPN wouldn’t be much use if they used a point to point VPN to a known target, as more advanced techniques could be used to gain access to the VPN (man the middle, replay attacks etc).    VPN’s are more often used in China to allow access to sites otherwise blocked.

All this talk of encryption though is moot when people have access to one of the computers in the equation.

I’ll digress for a moment, and take a quick look at the case of banks.

With internet banking, you have a situation where you have an untrusted computer attempting to access a secure system.
Encryption stops people in the middle from snooping, but it doesn’t prevent someone who has already hacked into a computer from access.  So, how do banks solve this issue?

The solution to unauthorized access lies in the use of multiple access tokens.   The smarter banks are using keyfob random number generators which are used in conjunction with a transaction to verify that its true.  Having multiple contributory authentication mechanisms (google two factor authentication) solves the issue of password theft, as transactions or logins also need to be verified by the random number generator.  Its a shame more banks don’t use this.

Its interesting to see that Chinese banks (although big fans of ActiveX technology) are ahead of the curve here regarding this, compared to their Western equivalents.

Chinese banks will also send you SMS’s on transaction completion, and payments, so you get an immediate notification if something is amiss.

More talk about that here for the interested

If we head back to our original topic again, you’ll see I mention attack via access to one of the computers.

How do people get access to computers these days?

Spyware / Malware

The prevalence of insecure computers and a lack of security has led to people taking advantage of this fact.  While most infected computers are running Windows, there are a surprising number of servers that are compromised, assisting with the infections.

If we look toward the report regarding the attacks, there is mention of compromised computers being used from Hong Kong, California, and China. (Not so) Strangely enough, this ties in nicely with a large service provider.
http://blog.fireeye.com/research/2009/02/bad-actors-part-4—hostfresh.html

China unfortunately has a huge number of compromised servers and desktops used by spammers.  Last time I did some calculations I guesstimated something like 10-20% of all international network traffic in China was spyware related.

For some hard figures on infected servers see here – http://www.scribd.com/doc/5244100/Atrivo-white-paper-082808ac

(figures are on Pages 17 and 18)

Infected computers (not servers) in China number in the millions.

If we take a look at the hostfresh report above on the rather good FireEye blog, you’ll see mention of a number of different attack mechanisms.

PDF vulnerabilities.
Social Engineering (Mac’s are starting to see Malware via people installing Trojans masquerading as legit software)
The standard IE vulnerabilities (sad state of affairs really…)
Javascript exploits.

Worryingly, Mac’s are starting to be targetted for spyware.   Network monitoring appears to be the easiest method of detection at this point.  See Little Snitch et al.

Control of multiple computers requires a botnet server.   While there was talk about a server in Sichuan which was retrieving documents this in the article and the PDF, there was no real talk of Botnet’s, when clearly >1200 computers under control implies use of a botnet.

While it would be interesting to explain more about those points in detail, I’ll skip over that for now (if there is interest, let me know and I’ll probably write something about it).

This is where I disagree with the report however – they say that use of Chinese computers proves government involvement.  This is not necessarily the case.   There was a similar report last year about China’s alleged hacking of UK companies, and yet another one claiming attempts at Australian computers.  And yet another one about the World Bank here.

It is a whole lot more likely, that hacked Chinese computers were used by Malware / Botnet’s to infect other computers.

Therein lies the crux of the matter, or as we say Correlation does not imply causation

Location does not imply involvement.   What it does imply, sadly, is a systemic lack of system monitoring and security updates at most Chinese hosting providers, which effectively means most attacks will come from Chinese computers.

That said, there is overwhelming evidence of targeted attacks from interested parties in the report.

We’ve seen a resurgence of attacks again our own servers recently against common applications.  While we can monitor things relatively closely due to our relatively small server base (< 6 machines on 2 continents), its an ongoing threat that isn’t getting any easier to protect against.
Most of the attacks we see against us are web based scanning of vulnerabilities, or SSH dictionary attacks.   We are seeing a substantial increase in SQL injection attacks though in the last month.

Most of the attacks appear to be from compromised machines in China.   While we try to contact the compromised servers admins, we’re not always successful.  I usually have to end up using iptables to blacklist their servers from continually trying to scan ours.

An example of this would kind of attack would something like be scan attempts from this ip address 202.108.212.39 (owned by the Institute of Theoretical Physics), which is uh-oh – a government agency.    We have been seeing a low level of sustained scans from that ip address on one of our servers for at least a year.  Sadly though, the attacker doesn’t appear know the difference between Windows and Unix, and continually scans for ASP / IIS related holes.
While I’ve tried to contact the owners of the ip space, their email bounces.

In another fairly recent case an attacking computer was in the same data center as ours, and was causing a denial of service attack to one of our servers with a flood of ARP requests to anything on the same subnet.  We were seeing  up to 10M/sec ARP traffic, which was saturating our bandwith link for that machine.  I was sorely tempted to unplug it to stop it from DDOS’ing ours as I had physical access to it.  In the end our upstream provider agreed with me, and unplugged it before I got frustrated enough to do that!

Other random thoughts –

I’m also thinking about an article regarding chinese name registrations.  As a good number of spam / malware sites use Chinese domain names, due to ease of registration  (US based registrars are invalidating domains with incorrect registration details) it would be interesting to see if there is any correlation between spammers and registrars, and see if there is a preferred registrar.

Eg registrars for 2 recent malware domains mentioned at FireEye (one appears to be russian registered, the other american)

whois givemelog.cn
Domain Name: givemelog.cn
Sponsoring Registrar: 厦门华融盛世网络有限公司
Registration Date: 2009-01-15 03:08
Expiration Date: 2010-01-15 03:08

whois bulletproofmonk.cn
Domain Name: bulletproofmonk.cn
Sponsoring Registrar: 广东时代互联科技有限公司
Registration Date: 2009-02-16 17:59
Expiration Date: 2010-02-16 17:59
Some additional domains here – http://www.bluetack.co.uk/forums/index.php?s=3d12699cd5acbc5eabf0b7bd40c585e3&showtopic=18064&pid=91545&st=240&#entry91545

Would be interesting for someone over at 广东时代互联科技有限公司 ( now.cn ) to do a search for RoderickKiewiet@gmail.com, and see just how many domains they’ve bought, considering the majority are being used for spam / malware purposes.  Sufficient evidence for someone at Google to cancel that email account anyway..

Another registrar to look at is BizCN.com, they have a substantial amount of malware site registrations.

Things to think about –

Why are so many of China’s computers vulnerable?
Should the be government involvement in cleaning it up?
What can we do to prevent malware?
Should companies be responsible for their inaction when it causes issue for others?

I welcome comments.

Further reading:

http://realsecurity.wordpress.com/2008/11/26/finding-the-unknown-on-your-network/

http://www.contentverification.com/man-in-the-middle/index.html

http://www.sans.org/newsletters/newsbites/newsbites.php?vol=11&issue=24&rss=Y#sID202

http://www.itpro.co.uk/610182/should-the-bbc-botnet-have-hijacked-22-000-computers

http://garwarner.blogspot.com/