06/6/11

China linked to new breaches tied to RSA | InSecurity Complex – CNET News

Recent attacks on three U.S. defense contractors could be tied to cyber espionage campaigns waged from China, several security experts told CNET.

The incidents at Lockheed Martin, L-3 Communications, and Northrop Grumman appear to stem from a breach at RSA in March in which data was stolen related to RSA’s SecurID two-factor authentication devices, widely used by U.S. government agencies, contractors, and banks to secure remote access to sensitive networks.

Lockheed confirmed to The New York Times on Friday that hackers had used data stolen in the RSA breach and other methods to figure out the coded password of a Lockheed contractor, but that Lockheed had blocked the attack before any sensitive data could be exposed. The company said it was replacing 45,000 SecurID tokens.

L-3 told employees in April that it was targeted using information acquired from the RSA breach, Wired reported. And Northrop Grumman, meanwhile, unexpectedly shut down remote access to its network last month, leading to speculation that there had been a SecurID-related incident, according to FoxNews.com.

When RSA warned customers that their SecurID deployments could be affected by the intrusion, the industry was waiting for the proverbial other shoe to drop. Thus, word of the defense contractor attacks came as no surprise. And the timing is such that it seems unlikely to be coincidental, the experts said.

Two-and-a-half months is plenty of time for whoever stole the data to sell it to interested parties in underground channels and for buyers to prepare attacks that take advantage of the pilfered information, basically figuring out which key on the key chain goes to which door. But it’s also a small enough window of time to let those attackers catch some RSA customers before they can change the locks.

Having the key, or token, isn’t enough to break into a system. Attackers also need to have the passcode that token holders use when they are logging in to a network. Phishing e-mails that trick recipients into revealing their log-ins and e-mails bearing malware that infects the recipient’s computer are commonly used to get that information. Having done their homework, the attackers know to craft an official-looking e-mail coming from a person or organization the recipient would trust.

Such sophisticated attacks on a specific target that are designed to steal credentials in order to get into the network to access critical data are known as Advanced Persistent Threats, or APT.

The RSA breach was accomplished using an APT, and Google cited APT in early 2010 as the method used in an attack on its network in which intellectual property was stolen. Google specifically said the attack originated in China and that Gmail accounts of human rights activists in the U.S., China, and Europe were separately compromised. Yahoo, Symantec, Northrop Grumman, and Dow Chemical were reportedly among the 30 or so other targets.

“APT is a euphemism for China,” said Rich Mogull, chief executive of Securosis. “There is a massive espionage campaign being waged by a country. It’s been going on for years, and it’s going to continue.”

Chinese representatives in the U.S. could not be reached for comment Friday, but government officials denied any involvement in the Google attacks last year. They also denied any responsibility in phishing attacks targeting Gmail accounts of officials in the U.S. and Asian countries, political activists, and journalists that Google announced last week. In fact, a Chinese official turned the tables and accused the U.S. of launching an Internet war against other countries, according to The Associated Press.

Meanwhile, the Pentagon is now saying it plans to issue a new strategy declaring that in certain circumstances it will view cyberattacks from foreign nations as an act of war meriting a military response.

“The reality is, part of the basis of U.S. hegemony…has been the ability to leverage command of signals intelligence to have perspective on the motivations and activities of others. Cyberspace has equalized that, so all of a sudden we’re in a competitive intelligence environment,” said Rafal Rohozinski, a principal at SecDev who did research on targeted attacks on Tibet and others with supposed links to China. Those attacks were detailed in a “GhostNet” report in 2009.

Espionage is common among the major nations, but reports of cyberespionage from China have increased over the past decade, in campaigns that are ostensibly focused on silencing dissidents and other detractors, or on reducing China’s technology gap with the U.S. and other major countries.

“China has made no secret that they see cyberspace as the domain that allows them to compete with the U.S.,” Rohozinski said.

It’s easy to connect the dots between the various attacks, particularly considering what the motivation may be behind them. However, there is often no way to know for sure where a cyber attack originated because attackers can easily hide their tracks.

“I think [the attacks on the contractors] are completely related” to the RSA intrusion, said Chris Wysopal, chief technology officer at Veracode. “While I think they’re related, I don’t necessarily think it is the same group” that’s responsible.

Just like in the financially motivated credit card criminal underground, there is an ecosystem around information that can be used for corporate or government cyberespionage, according to Wysopal. “The RSA attackers knew that what they were stealing could be sold to lots of governments,” he said.

“If it’s any kind of military espionage, military adversaries are going to be high on the list,” Wysopal said. “The question then is who in China: is it government agents or independent contractors selling to the Chinese government?”

via China linked to new breaches tied to RSA | InSecurity Complex – CNET News.

06/6/11

Cyber-Attacks on Gmail, Defense Industries Linked to China: Investigators – Security – News & Reviews – eWeek.com

News Analysis: Recent cyber-attacks against Google Gmail, Lockheed Martin and other U.S. defense contractors came from Chinese Military Vocational Academy, investigators say. China blames the United States.

The hackers that launched attacks against Google’s Gmail system, Lockheed Martin, L3 and Northrop Grumman may have been based at a vocational school run by the People’s Liberation Army in Jinan, China, investigators say.

The investigators from Google have passed their evidence along to the FBI, which is performing a follow-up investigation. Jinan is also the headquarters of the Chinese intelligence service, and both that organization and the PLA have repeatedly said that China is beefing up its cyber-war capabilities.

The attacks against Google focused on U.S. government employees and members of the U.S. military, according to statements by Google. Other news reports say that the victims’ Google Gmail boxes have been secured since the attacks were discovered. Furthermore, security software company Trend Micro has reported that Yahoo and Hotmail Web email services also have been hit by similar attacks.

The accusations of Chinese involvement in the attacks on Google and U.S. defense contractors appear to surprise no one. China’s military threatened to take sanctions against Lockheed Martin if the company went through with a sale of F-16 fighter jets to Taiwan. In addition, two scholars from the Chinese Academy of Military Sciences wrote in the China Youth Daily newspaper that the military is making preparations to fight the Internet war.

The Chinese government has a long history of hacking the computer systems of enterprises and governments it is in dispute with. It did its best to hack the Gmail accounts of Chinese activists, it hacked Google and stole some of the search engine code, and hardly anyone in the U.S. government or IT security business doubts that China is behind the recent attacks on the government contractors.

China, of course, strongly denies this, just as the Chinese government denies all unfavorable news. In fact, Chinese denials have come so frequently and about so many different topics that they’re not taken seriously. The International Business Times points out that Chinese denials of the intentional weakness of the Yuan are just as vehement, even though the business world acknowledges the fact that the Yuan is undervalued.

So what will the U.S. government do about this hacking? Probably nothing. Even if it’s proven beyond any doubt that the attacks came from the Chinese school in Jinan, it’s impossible to prove that the Chinese government was behind it. The PLA might have done it and the intelligence service might have done it.

Remember that in China, the civilian control of the military and intelligence apparatus isn’t like it is in the United States. The Chinese military is essentially autonomous. Chinese generals can ignore orders from political leaders if they decide to with no consequences.

So why doesn’t the United States demand that China stop these actions? The United States can and has made such demands. Until the United States is ready to ramp up the demands to the point where it appears that there might be concrete action, China will probably continue to ignore them. The problem is that the United States isn’t in a position of strength here. The fact that China owns a large part of our national debt and the fact that China is a major trade partner make really aggressive action unlikely.

Adding to the problem is the fact that some of China’s accusations appear to be true. China has accused the United States of starting a global Internet war, specifically in conjunction with the uprisings in the Middle East. It’s impossible to know whether the United States is currently conducting a cyber-war against Arab governments in support of rebels, but the United States has done so in the past, notably targeting data systems in Iraq prior to the invasion several years ago.

In response to the current string of attacks on U.S. interests, the U.S. government will probably air its grievances in public, hoping to embarrass the Chinese government. The Chinese government will issue ever more strongly worded denials. The attacks will continue, at least for a while.

Eventually, the United States will amass enough evidence that can quietly be shown to the Chinese government to make it clear that the United States can prove what’s going on. But the United States won’t just retaliate with an attack of its own because it would lead to a series of escalations that would go completely out of control almost as soon as it started. The Chinese, seeing the evidence, will dial back the attacks.

What this means to you is that you can’t let your guard down even a little. When you’re in a battle between giants, it’s really easy to get stepped on and that can certainly happen here.

Instead, your only real course is to build up your defenses and make sure that you’re not the easy target that the Chinese (or whoever) go after when they want to break into a network that they think might contain useful information. So the best answer is to make sure that your security is sufficiently strong that would-be hackers will try someplace else first. Build your defenses in depth just like Lockheed Martin did and use that as a way to encourage the Chinese to leave you alone.

via Cyber-Attacks on Gmail, Defense Industries Linked to China: Investigators – Security – News & Reviews – eWeek.com.

06/6/11

Defense minister denies China behind cyber attacks

SINGAPORE – China’s defense minister on Sunday denied that Beijing was behind cyber attacks on foreign targets and said the country was also a victim of Internet hackers.

“It is hard to attribute the real source of attacks and we need to work together to make sure that this security problem won’t be a problem,” Defense Minister Liang Guanglie told a security forum in Singapore.

“Actually in China we also suffered quite a wide range (of) and frequent cyber attacks,” he said through a translator.

“The Chinese government attaches importance also on cyber security and stands firmly against all kinds of cyber crimes,” he said.

“It is important for everyone to obey or follow laws and regulations in terms of cyber security,” said Liang, who joined calls for global coordination to deal with cyber security.

The United States and Britain called Saturday for international cooperation against threats to cyber security following a fresh spate of attacks on government and corporate targets.

A few days before, Internet giant Google said a cyber spying campaign originating in China had targeted Gmail accounts of senior US officials, military personnel, journalists and Chinese political activists.

China said Thursday it was “unacceptable” to blame it for the operation.

US aerospace giant Boeing said Friday on the sidelines of the Singapore conference that it was under “continuous” cyber attack but there had been no breach of its databases.

via Defense minister denies China behind cyber attacks | Inquirer News.