Saturday, February 26, 2011

Hacking group infiltrates gas companies, hangs around for a while

An amateur Chinese hacking group infiltrated several of the world's largest petrochem companies (BP, Exxon Mobil, Shell, and others). McAfee, no stranger to creating cute names for anything that can bring them a little media, dubbed the attack "The Night Dragon", and says they were "very unsophisticated" and "incredibly sloppy". They admit that the group has pwned the systems in question for as long as 5 years. And how were these naive, slow-witted clods able to maintain their pwnership of said systems with McAfee on hand monitoring them? McAfee, in their infamous defeatist style, suggests the reason is that "the environments and security controls these days are so complex it is very easy for them to slip under the radar of visibility".

Really, McAfee? Maybe we should all just give up now then. Perhaps the reality is that the petrochem industry simply does not have its security controls in check, with knowledgeable people supporting an effective set of standards, policies and procedures. Someone's been paying a lot of money for McAfee to hang around doing nothing but watching a bunch of Chinese kids hacking their customers' networks.

In the 3 years McAfee has been monitoring them, all they can really say about them is that the "sloppiness" that exposed the hackers' Asian heritage was the use of known Chinese hacker tools, and the attacks all occurring during Beijing's 9-5 business hours. Brilliant sleuthing!

Surely they could have fixed the security issues instead, and helped build them a real, security-capable governance team. How about putting a stop to the attack back in 2009 when it was discovered, instead of waiting for the story to become newsworthy?

I call it a failure for both McAfee and the PetroChem industry.

Creator of the fake water-witching bomb buster has finally been arrested

Get this. Some guy converts a Star Trek water gun with a wobbly antenna into a water dowsing rod meant to sniff out bombs and anything else you want it to. And the forces in Iraq spend $120M to purchase these useless toys, jeopardizing the lives of all who were forced to put their belief in woo ahead of their will to live.

Well that guy has finally been arrested. That this device was known to be useless pretty much from the moment it was first publicized says a lot about military spending.

Tuesday, February 22, 2011

Why Penetration Testers Need To Remember The Good Old Days

As a penetration test trainer to Fortune 500 companies, I often see a few students in the class zone out and stare off with glassy-eyed disinterest when I cover legacy systems and protocols. Examples of these "boring" topics include Windows NT, WEP, and ancient attacks like the 'Ping of Death'. They ask me "Why do we need to learn this stuff when it was fixed years ago?"

The answer is simple: History repeats itself. Just like these students aren't interested in learning from the past, there is a world of developers out there that exhibit the same disinterest. They're churning out vulnerable code with all kinds of old-school vulnerabilities, and the testers, having also slept through that part of the class, barely know how to detect them.

A subject I almost never see covered in penetration testing / hacking courses in general is the lowly modem. The rationale seems to be that modems are rarely used within the corporate environment, and when they are, a VPN is deployed. VPN security is well understood, and most (definitely not all) companies that use a VPN do use it reasonably well. But the VPN does not cover all the layers. The modem is still just as vulnerable to attack as always.

To demonstrate why ignoring technical pieces of our computing legacy is tragic, one just has to look at a recent case in New Hampshire. Asu Pala resurrected an ancient idea: use malware to reconfigure modems to dial through a premium rate service.

The damage? In the nearly 5 years his attack ran, Pala made himself a neat $8 million.

The fact is, old equipment and operating systems abound on the Internet, and they can nearly always be found even within organizations that push policies on eradicating them. On top of that, younger developers who do not know their security history tend to repeat the mistakes that were made before their time.

0-day attacks nearly always have some relationship to the old attacks that we like to think don't occur anymore. Penetration testers who are not acquainted with the legacy security issues are likely to be blind to them when they occur.

Canadian Dept of Finance almost knocked over by Chinese Hackers

Chinese hackers gained control of senior exec systems within the Canadian Department of Finance. Some systems remain offline until the investigation is completed. CSIS is apparently on the job, and has been warning them for some time about the threats and risks.

It probably comes as no surprise that since the attack originated in China, the first responders immediately accused the Chinese government. Apparently they believe the millions of Chinese hackers all hack in support of their governing body. Jumping to conclusions in order to make a good news story is hardly a way to bolster relationships between the two governments.

Sunday, February 20, 2011

God Hates Lousy Hackers

As much as I hate PDF files, this one is worth your time.

Westboro Baptist Church has openly challenged notorious Anonymous hackers to BRING IT! In their famous rambling style, the church sees any attack from Anonymous on their websites as a way to promote Westboro's message in the media.

Doesn't publicly requesting a group of hackers to hack your web sites instantly make it legal for them to do so?

Wednesday, February 16, 2011

HBGary pretty much calls it quits

The backlash caused by Anonymous' release of HBGary emails has caused the security consulting firm to cancel public speaking engagements and shut down their trade-show booth. I'm sure security companies all over the world are checking their own security posture and avoiding saying really stupid things in public.

And we're back!

My apologies for being offline the past few months. I was dealing with surgery and recovery. I'm all good now, and will resume updating this blog. W00t!!