RE: [ISN] Alert issued for China's next cyber attack

From: InfoSec News (isnat_private)
Date: Wed May 22 2002 - 02:05:46 PDT


    Forwarded from: Marc Maiffret <marcat_private>
    
    | -----Original Message-----
    | From: owner-isnat_private [mailto:owner-isnat_private]On Behalf
    | Of InfoSec News
    | Sent: Tuesday, May 21, 2002 2:30 AM
    | To: isnat_private
    | Subject: [ISN] Alert issued for China's next cyber attack
    |
    | http://atimes.com/media/DE21Ce01.html
    |
    | By James Borton
    | May 21, 2002
    |
    | WASHINGTON - Washington's War Situation Rooms are abuzz these days
    | with a score of major flashpoints scattered across the globe, from the
    | Middle East, Afghanistan, Iraq, Iran, Libya, Central Asia and North
    | Korea to Cuba, and have now issued an alert of China's readiness to
    | launch a cyber attack targeting key government computer systems.
    <snip>
    | The insightful findings that China is gearing up for a cyber attack on
    | defense and civilian computer networks in the United States and Taiwan
    | are being dismissed outright as not potentially injurious to any
    | computer networks.
    
    It's not being dismissed...
    
    | The paradox is startling. The Institute for Strategic Studies, run by
    | the US Army War College, released a classified report as an early
    | warning directed to all government policy shapers, the Defense
    | Department, US diplomats and law-enforcement agencies to be vigilant
    | for Chinese student hackers' efforts some time in early summer to
    | spread computer viruses to deface sensitive government Internet sites.
    | This is a disturbingly similar message to that which was issued to
    | intelligence agencies a month before the devastating attacks on the
    | Pentagon and the World Trade Center.
    
    Computer viruses and defacements don't mean a whole lot of anything in the
    "real world". The type of attacks people are worrying about, or should be,
    are the ones that lead to information gathering capabilities rather than
    bringing down a web server which has nothing to do with nothing.
    
    | "We do use our website for outreach and we are sensitive to its
    | security. But it's important to put the defacing of Web pages in
    | perspective. Admittedly it can be done, even with security measures in
    | place, but it's more akin to vandalism than a security threat," said
    | Dr Steven Metz, director of research and chairman of the Regional
    | Strategy and Planning Department at the Strategic Studies Institute at
    | the US Army War College.
    
    Exactly.
    
    | It is precisely this kind of denial of any clear and present danger
    | from senior sources at the Pentagon and even the CIA that is causing
    | an increasing firestorm among congressional leaders. This week,
    | Washington's top lawmakers will be pushing for tougher inquiries about
    | last year's breakdown in intelligence communication between the CIA
    | and Federal Bureau of Investigation (FBI).
    
    There was no denial quote being made by Mr. Metz. Metz was right on the
    money in what he said. Now if he went and said there is no threat at all
    from China, or foreign governments, to penetrate our trusted computer systems
    to gather information that can _TRULY_ damage the United States, then yeah, he
    would be full of it. But that's not what he said...
    
    | In testimony presented to the US Senate Armed Services Committee last
    | month, Tenet revealed, "I think we have a deep concern that the
    | Chinese are also engaging in activities that continue to be inimical
    | not just to our interests, but that their activity stimulates
    | secondary activities that only complicate the threat we face."
    |
    | Code Red: No longer just a threat
    
    I'll consider myself knowledgeable on Code Red since myself and Ryan Permeh
    (also of eEye) gave the first analysis of Code Red, therefore naming the
    worm Code Red. Hey Pepsi, we still want more free Mountain Dew, please. ;-]
    http://www.eeye.com/html/Research/Advisories/AL20010717.html
    
    | No one in Washington has forgotten when Chinese anger spilled over
    | from the streets into cyberspace to protest the North Atlantic Treaty
    | Organization's (NATO) bombing three years ago of the Chinese Embassy
    | in Belgrade resulting in the deaths of three Chinese journalists. At
    | that time, most of the major Chinese media organizations, including
    | the People's Daily, CCTV, Xinhua News Agency, Guangming Daily, China
    | Youth Daily, and Beijing Youth Daily, published extensive coverage of
    | the street demonstrations against the bombings on their websites.
    |
    | As a direct result of that international incident, Chinese hackers
    | broke into the US Department of Energy's website and replaced its
    | homepage with a note written half in English, half in Chinese, which
    | read: "We are Chinese hackers who take no cares about politics. But we
    | can not stand by seeing our Chinese reporters being killed. Whatever
    | the purpose is NATO, led by the USA, must take absolute
    | responsibility. You have owed Chinese people a bloody debt which you
    | must pay for. We won't stop attacking until the war stops."
    
    Once again, these were website attacks, who cares. Also, they were probably
    14 year old Chinese-American kids living in Oregon. To say the Chinese
    government uses its capabilities to deface websites (THAT MEAN NOTHING) is
    to insult and underestimate. Two things I wouldn't suggest ;-]
    
    | Only a year ago, a successful Chinese cyber attack aimed directly at
    | the heart of America's political pulse knocked out the White House's
    | website for almost four hours.
    
    Actually no one knows that Code Red was truly written by the Chinese. It
    could have been anyone. Also it never did anything to the White House
    website for four hours. It was about 15 minutes while a couple of DNS mappings
    changed. The worm failed on that front.
    
    Could Code Red have been written by Chinese? Yes. Do I personally think the
    Chinese government would do it? No. That would equate them to terrorists and
    I think they are smarter than loser terrorists. If you have the information
    warfare capabilities then you wouldn't write a worm, there is "nothing"
    advantageous about it. Nothing in the sense that by releasing a worm you
    lose more than you gain. More systems become secure as a result of a worm.
    So maybe it was a test to see how the world reacts to internet worms? How
    quickly we can shut worms down? But then what is the use? Take down the
    internet for a day and that affects the economy how? Does it hurt the US
    that much? Does it hurt China and everyone else just as much or more? For
    military purposes it's better to be able to get critical information to use
    against your enemy. Therefore it makes more sense to be silently hacking
    systems to gain information that you can later use. This does not
    necessarily mean breaking into government/military systems for information.
    This can mean breaking into software vendors, creating backdoors, to then
    later use to gain access to that government/military data (Microsoft for
    example was broken into a while back and source code stolen, who knows what
    maybe was altered). Data which is much more useful to use against your
    enemy, instead of doing something as trivial as bringing down the internet,
    which won't affect a lot of the classified networks anyways, where the real
    information is.
    
    | A White House spokesman at that time
    | refuted the seriousness of the action, stating that "there was no
    | security breach, and the attack remains under review". Never mind that
    | it was exactly a year ago, almost in a memorial salute to the Belgrade
    | bombing of the Chinese Embassy, that Chinese hackers defaced more than
    | 660 sites in the US, according to Michael Cheek from the security firm
    | iDefense.
    
    Ahhh iDefense is mentioned... well that explains part of why this author has
    no idea what he is talking about, otherwise he wouldn't have contacted
    iDefense. Oh but wait, let me rephrase, or otherwise he would have known
    when iDefense contacted him and pitched him on such an asinine story, that
    he should have done some homework.
    
    | US technologies of surveillance, encryption, firewalls, and even
    | viruses have been willingly transferred to Chinese partners in the
    | past several years as part of China's budding efforts to enter the New
    | Economy. Rand Corp's James Mulvenon maintains that such US companies
    | as Network Associates (McAfee Anti Virus), and Symantec (Norton Anti
    | Virus) gained entry to China's market by voluntarily providing China's
    | Public Security Bureau with more than 300 computer viral strains.
    
    Definitely a good part of the article. This is in fact true. A lot of U.S.
    based companies have been providing the Chinese with all sorts of malicious
    code samples and exploits, which the Chinese are saying they need to test a
    product to certify that it "works as advertised" so that it can be sold
    within China. So U.S. companies help the Chinese learning curve on malicious
    code/exploit writing, and in exchange they get to make money in the Chinese
    market. Hmmm that doesn't sound too nice... especially since the U.S.
    government pays large sums of money to a lot of these U.S. based security
    companies ... so does that in a way mean the United States is actually
    paying to fund the Chinese information warfare research being done against
    the U.S.? Well I didn't say that but someone could possibly construe things
    to that level.
    
    | Although senior Chinese Internet network officials maintain even today
    | that a Code Red worm is far too sophisticated for China to have
    
    What bullshit. Some of the bigger IIS vulnerabilities (IIS being Microsoft's
    Internet Information Web Server software) have been discovered by the
    Chinese. Unicode and double decode, two vulnerabilities used in a couple of
    the IIS web server worms (Nimda for example), were both vulnerabilities
    discovered and released by a Chinese research firm.
    http://online.securityfocus.com/archive/1/184543
    
    | produced, several senior US analysts strongly disagree and confirm
    | that the technology to launch cyber attacks has already been
    | successfully deployed by China. After all, China has already developed
    
    and to further push the point home that they (Chinese) would easily have
    capabilities to write Code Red.... they've already gotten similar worm
    source code from most of the U.S. security companies that are now selling
    their software in the Chinese market, after handing over their malicious
    code to the Chinese government.
    
    <snip>
    | "The Chinese military views cyberwarfare as a way to overcome
    | America's superiority," claims Toshi Yoshihara, a research fellow on
    | security issues with the Institute for Foreign Policy Analysts and
    | doctoral candidate at Fletcher School of Law and Diplomacy.
    
    ;-] Thinking ahead... have to give them credit for that much.
    
    <snip>
    | Some close observers of America's intelligence community believe it is
    | precisely this kind of mixed information, laced with naivete and
    | denial, that fits squarely into the demands made by Senator Richard
    | Shelby, the Alabama Republican who serves as vice chairman of the
    | Senate Intelligence Committee, that a leadership shakeup may be
    | required soon at the CIA.
    |
    | Just as America experienced in 1993 at the World Trade Center a
    | shocking preview of what the entire world gravely witnessed a few
    | years later on September 11, 2001, the next Code Red worm may prove to
    | be much more than just a mere nuisance to government websites.
    
    We'll see...
    
    These are my own personal opinions.
    
    Signed,
    Marc Maiffret
    Chief Hacking Officer
    eEye Digital Security
    T.949.349.9062
    F.949.349.9538
    http://eEye.com/Retina - Network Security Scanner
    http://eEye.com/Iris - Network Traffic Analyzer
    http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
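
    Editor's added example (not part of Marc Maiffret's post or the Asia Times
    article): the two IIS flaws named above, Unicode traversal (MS00-078) and
    double decode (MS01-026), both get a `..` separator past a check that
    decodes the URL once by hiding the separator behind a second layer of
    encoding. The code below models that gap: `naive_check` decodes once, the
    way the flawed check did, and sees no traversal; `canonicalize` decodes the
    way the file-system layer ultimately did, and `escapes_webroot` then catches
    it. The overlong UTF-8 mapping, the request strings and the W3C-style log
    lines are constructed for illustration, not taken from the page or from
    eEye's advisories.

```python
import re
from urllib.parse import unquote

# Overlong UTF-8 sequences that IIS's file-system layer accepted as path
# separators while its URL check did not (the "Unicode" bug). The mapping is
# an assumption for this example; only %c0%af and %c1%9c are modelled.
OVERLONG = {"%c0%af": "/", "%c1%9c": "\\"}


def escapes_webroot(path: str) -> bool:
    """True if resolving every '..' in PATH climbs above the web root."""
    path = path.split("?", 1)[0].replace("\\", "/")
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def naive_check(raw: str) -> bool:
    """What a single percent-decode sees. Bytes are taken literally
    (latin-1) so an overlong %c0%af stays two junk characters, not '/'."""
    return escapes_webroot(unquote(raw, encoding="latin-1"))


def canonicalize(raw: str) -> str:
    """Decode the way the vulnerable server ended up resolving the path:
    overlong UTF-8 -> ASCII separator, then percent-decode twice
    (the second pass is the "double decode" bug)."""
    s = raw
    for enc, ch in OVERLONG.items():
        s = re.sub(re.escape(enc), lambda _m, c=ch: c, s, flags=re.IGNORECASE)
    s = unquote(s, encoding="latin-1")  # first decode: the one the check used
    s = unquote(s, encoding="latin-1")  # second decode: %255c -> %5c -> '\'
    return s


def classify(raw: str) -> dict:
    """Side-by-side verdicts for one request path."""
    canon = canonicalize(raw)
    return {
        "raw": raw,
        "naive_check_flags": naive_check(raw),
        "canonical": canon,
        "traversal": escapes_webroot(canon),
    }


# Constructed W3C-style log lines (date time c-ip method uri-stem uri-query status).
SAMPLE_LOG = """\
2001-09-18 10:00:01 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:00:02 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:00:03 10.0.0.9 GET /index.html - 200
"""


def scan_log(text: str) -> list:
    """Return (client ip, uri-stem) for every line whose stem, once
    canonicalized, escapes the web root."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line, skip rather than guess
        client_ip, stem = fields[2], fields[4]
        if escapes_webroot(canonicalize(stem)):
            hits.append((client_ip, stem))
    return hits


if __name__ == "__main__":
    for req in (
        "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
        "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
        "/index.html",
    ):
        print(classify(req))
    print(scan_log(SAMPLE_LOG))
```

    The point to take from running it is the pair of verdicts per request:
    the single-decode check passes both worm-style paths, and the traversal
    only shows once the path is decoded the way the target actually resolved
    it. Any detection that keys on the literal string `..` in the raw request
    inherits the same blind spot.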
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed May 22 2002 - 04:10:59 PDT