On 1/15/10 5:52 PM, Steven Bellovin wrote:

On Jan 15, 2010, at 10:43 AM, Jared Mauch wrote:


On Jan 15, 2010, at 10:37 AM, Jon Lewis wrote:

Does anyone really believe that the use of targeted 0-day exploits to gain 
unauthorized access to information hasn't been at least considered if not used 
by spies working for other [than China] countries?

I think only those not paying attention would be left with that impression.

Spying has been done for years on every side of various issues.  Build a more 
complex system, someone will eventually find the weak points.

Personally I was amused at people adding cement to USB ports to mitigate against the 
"removable media threat".  The issue I see is people forget that floppies posed 
the same threat back in the day.

The reality is that the technology is complex and easily used in asymmetrical 
ways, either for DDoS or for other purposes.

The game is the same, it's just that some people are paying attention this 
week.  It will soon go back to being harmless background radiation for most of 
us.


The "difference" this week is motive.

In the 1980s-1990s, we had joy-hacking.

In the 2000s, we had profit-motivated hacking by criminals.

We now have (and have had for a few years) what appears to be nation-state 
hacking.  The differences are in targets and resources available to the 
attacker.


And indeed, what do we even know of this incident _for_sure_ so far?

The reports, depending on vendor, blame either PDF files via email as the original perpetrator, or lay most of the blame on an Internet Explorer 0day. Both are likely vectors which have been seen used before.

Regardless of what really happened, which I hope we will know more on later, these things are clear:

1. Unlike GhostNet, which showed an interesting attack but jumped to conclusions without evidence that it was China behind them -- based on Ethos alone I'd like to think that when Google says China did it, they know. Although being a commercial company with their own agenda, I am saving final judgement. Did Google ever say it's China rather than from China?

2. The 0day disclosed here shows a higher level of sophistication, as well as m.o. which has been shown to be used by China in the past (consider 0days patched by Microsoft and reported by the Taiwanese government).

3. If this was China, which some recent talk seems to make ambiguous but still likely, they would have more than just one weapon in their arsenal. The attack would not have been against all these corporations, but rather multiple attacks, and possibly multiple tools.

4. This incident has brought cyber security once again to the awareness of the public, in a way no other incident since Georgia has succeeded, and to political awareness in a way no incident since Estonia has done.

As to "everyone does it", here is an example I wrote of the German experience (not my best writing, but good analysis):
http://www.darkreading.com/blog/archives/2009/03/german_intellig.html

        Gadi.


--
Gadi Evron,
g...@linuxbox.org.

Blog: http://gevron.livejournal.com/
