DCAWD.com

A new approach to China
1/12/2010 03:00:00 PM
Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident--albeit a significant one--was something quite different.

First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses--including the Internet, finance, technology, media and chemical sectors--have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.

Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.

Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers.

We have already used information gained from this attack to make infrastructure and architectural improvements that enhance security for Google and for our users. In terms of individual users, we would advise people to deploy reputable anti-virus and anti-spyware programs on their computers, to install patches for their operating systems and to update their web browsers. Always be cautious when clicking on links appearing in instant messages and emails, or when asked to share personal information like passwords online. You can read more here about our cyber-security recommendations. People wanting to learn more about these kinds of attacks can read this U.S. government report (PDF), Nart Villeneuve's blog and this presentation on the GhostNet spying incident.

We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech. In the last two decades, China's economic reform programs and its citizens' entrepreneurial flair have lifted hundreds of millions of Chinese people out of poverty. Indeed, this great nation is at the heart of much economic progress and development in the world today.

We launched Google.cn in January 2006 in the belief that the benefits of increased access to information for people in China and a more open Internet outweighed our discomfort in agreeing to censor some results. At the time we made clear that "we will carefully monitor conditions in China, including new laws and other restrictions on our services. If we determine that we are unable to achieve the objectives outlined we will not hesitate to reconsider our approach to China."

These attacks and the surveillance they have uncovered--combined with the attempts over the past year to further limit free speech on the web--have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

The decision to review our business operations in China has been incredibly hard, and we know that it will have potentially far-reaching consequences. We want to make clear that this move was driven by our executives in the United States, without the knowledge or involvement of our employees in China who have worked incredibly hard to make Google.cn the success it is today. We are committed to working responsibly to resolve the very difficult issues raised.

Posted by David Drummond, SVP, Corporate Development and Chief Legal Officer

Google Hackers Targeted Source Code of More Than 30 Companies

By Kim Zetter January 13, 2010 | 2:28 am | Categories: Cybersecurity, Hacks and Cracks

A hack attack that targeted Google in December also hit 33 other companies, including financial institutions and defense contractors, and was aimed at stealing source code from the companies, say security researchers at iDefense.

The hackers used a zero-day vulnerability in Adobe Reader to deliver malware to the companies and were in many cases successful at siphoning the source code they sought, according to a statement distributed Tuesday by iDefense, a division of VeriSign. The attack was similar to an attack that targeted other companies last July, the company said.

A spokeswoman for iDefense wouldn’t name any of the other companies that were targeted in the recent attack, except Adobe.

Adobe acknowledged on Tuesday in a blog post that it discovered Jan. 2 that it had been the target of a “sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies.”

The company didn’t say whether it was a victim of the same attack that struck Google. But Adobe’s announcement came just minutes after Google revealed that it had been the victim of a “highly sophisticated” hack attack originating in China in December.

Neither Google nor Adobe provided details about how the hacks occurred. Google said only that the hackers were able to steal unspecified intellectual property from it and had focused their attack on obtaining access to the Gmail accounts of human rights activists who were involved in China rights issues.

But according to iDefense, whose customers include some of the 33 companies that were hacked, the attacks were well targeted and “unusually sophisticated” and aimed at grabbing source code from several hi-tech companies based in Silicon Valley as well as financial institutions and defense contractors.

The hackers gained access to the company networks by sending targeted e-mails to employees, which contained a malicious PDF attachment. The malicious code exploited a zero-day vulnerability in Adobe’s Reader application.

Zero day vulnerabilities are security flaws in software for which there is currently no patch. Adobe announced in mid-December that a new zero-day vulnerability in its Reader and Acrobat programs was being actively targeted by attackers. The company made the announcement after security researchers not affiliated with Adobe discovered attacks being conducted against the vulnerability.

In the case of the Google hack, once a recipient clicked on the malicious PDF attachment, a backdoor Trojan program was installed on their machine in the form of a Windows DLL, according to iDefense.

IDefense says that when Google discovered the malware on its systems in December, it found that the code was communicating with a server set up to receive information stolen from the targeted companies.

“It was configured in such a way that it was able to receive a massive amount of data being exfiltrated to it,” says an iDefense spokeswoman who asked not to be named.

Google was able to determine, by examining the server, that the hackers had struck numerous other companies, she said. Google said in its Tuesday announcement that 20 other companies had been hacked. But iDefense found evidence that at least 33 were targeted.

The recent attacks bear a strong resemblance to another attack that occurred in July 2009, which targeted about 100 IT companies, iDefense says. In that earlier attack, the hackers also sent targeted e-mail to companies with a malicious PDF attachment, but it’s unclear how successful that attack was.

iDefense obtained samples of the malicious code used in the July attack and the more recent one and found that although the malware was different in the two attacks, the programs both communicated with similar command-and-control servers. The servers each used the HomeLinux DynamicDNS to change their IP address, and both currently pointed to IP addresses belonging to a subset of addresses owned by Linode, a US-based company that offers Virtual Private Server hosting.

“The IP addresses in question are . . . six IP addresses apart from each other,” iDefense said in its statement. “Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the [recent] Silicon Valley attacks have been compromised since July.”

The spokeswoman told Threat Level that her company waited a week to disclose details about the attack until after Google went public with the news that it had been hacked. She said it’s her understanding that Google’s source code was targeted in the hack attack.

Google did not immediately respond to a request for comment from Threat Level.

Adobe’s announcement didn’t discuss specifically whether hackers had stolen its source code but said that it had “no evidence to indicate that any sensitive information — including customer, financial, employee or any other sensitive data — has been compromised” in the attack.



Read More http://www.wired.com/threatlevel/2010/0 ... z0cVGOLGdb

Mr Kleen wrote:'bout time a major company held the Chinese government accountable. too bad the US Government won't (can't???).

Statement on Google Operations in China
Hillary Rodham Clinton
Secretary of State
Washington, DC
January 12, 2010

We have been briefed by Google on these allegations, which raise very serious concerns and questions. We look to the Chinese government for an explanation. The ability to operate with confidence in cyberspace is critical in a modern society and economy. I will be giving an address next week on the centrality of internet freedom in the 21st century, and we will have further comment on this matter as the facts become clear.


PRN: 2010/038

zaxrex wrote:

Mr Kleen wrote:'bout time a major company held the Chinese government accountable. too bad the US Government won't (can't???).

And they never will

WRXWagon2112 wrote: If we anger them, they might call in the debts.

Google Hack Attack Was Ultra Sophisticated, New Details Show

By Kim Zetter January 14, 2010 | 8:01 pm | Categories: Breaches, Cybersecurity, Hacks and Cracks

Hackers seeking source code from Google, Adobe and dozens of other high-profile companies used unprecedented tactics that combined encryption, stealth programming and an unknown hole in Internet Explorer, according to new details released by researchers at anti-virus firm McAfee.

“We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack,” says Dmitri Alperovitch, vice president of threat research for McAfee. “It’s totally changing the threat model.”

In the wake of Threat Level’s story disclosing that a zero-day vulnerability in Internet Explorer was exploited by the hackers to gain access to Google and other companies, Microsoft has published an advisory about the flaw that it already had in the works. McAfee has also added protection to its products to detect the malware that was used in the attacks and has now gone public with a number of new details about the hacks.

Google announced Tuesday that it had been the target of a “highly sophisticated” and coordinated hack attack against its corporate network. It said the hackers had stolen intellectual property and sought access to the Gmail accounts of human rights activists. The attack had originated from China, the company said.

Minutes later, Adobe acknowledged in a blog post that it discovered Jan. 2 that it also had been the target of a “sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies.”

Neither Google nor Adobe provided details about how the hacks occurred.

The hack attacks, which are said to have targeted at least 34 companies in the technology, financial and defense sectors, have been dubbed “Operation Aurora” by McAfee due to the belief that this is the name the hackers used for their mission.

The name comes from references in the malware to the name of a file folder named “Aurora” that was on the computer of one of the attackers. McAfee researchers say when the hacker compiled the source code for the malware into an executable file, the compiler injected the name of the directory on the attacker’s machine where he worked on the source code.

According to Alperovitch, the attackers used nearly a dozen pieces of malware and several levels of encryption to burrow deeply into the bowels of company networks and obscure their activity.

“The encryption was highly successful in obfuscating the attack and avoiding common detection methods,” he said. “We haven’t seen encryption at this level. It was highly sophisticated.”

Although the initial attack occurred when company employees visited a malicious web site, Alperovitch said researchers are still trying to determine if this occurred via a URL sent to employees via e-mail or instant messaging or some other method, such as Facebook or other social networking sites.

Once the user visited the malicious site, their Internet Explorer browser was exploited to download an array of malware to their computer automatically and transparently. The programs unloaded seamlessly and silently onto the system, like Russian nesting dolls, flowing one after the other.

“The initial piece of code was shell code encrypted three times and that activated the exploit,” Alperovitch said. “Then it executed downloads from an external machine that dropped the first piece of binary on the host. That download was also encrypted. The encrypted binary packed itself into a couple of executables that were also encrypted.”

One of the malicious programs opened a remote backdoor to the computer, establishing an encrypted covert channel that masqueraded as an SSL connection to avoid detection. This allowed the attackers ongoing access to the computer and to use it as a “beachhead” into other parts of the network, Alperovitch said, to search for login credentials, intellectual property and whatever else they were seeking.

McAfee obtained copies of malware used in the attack, and “quietly” added protection to its products a number of days ago, Alperovitch said, after its researchers were first brought in by hacked companies to help investigate the breaches.

Although security firm iDefense told Threat Level on Tuesday that the Trojan used in some of the attacks was the Trojan.Hydraq, Alperovitch says the malware he examined was not previously known by any anti-virus vendors.

iDefense also said that a vulnerability in Adobe’s Reader and Acrobat applications was used to gain access to some of the 34 breached companies. The hackers sent e-mail to targets that carried malicious PDF attachments.

Alperovitch said that none of the companies he examined were breached with a malicious PDF but he said there were likely many methods used to attack the various companies, not just the IE vulnerability.

Once the hackers were in systems, they siphoned off data to command-and-control servers in Illinois, Texas and Taiwan. Alperovitch wouldn’t identify the systems in the U.S. that were involved in the attack, though reports indicate that Rackspace, a hosting firm in Texas, was used by the hackers. Rackspace disclosed on its blog this week that it inadvertently played “a very small part” in the hack.

The company wrote that “a server at Rackspace was compromised, disabled, and we actively assisted in the investigation of the cyber attack, fully cooperating with all affected parties.”

Alperovitch wouldn’t say what the attackers might have found once they were on company networks, other than to indicate that the high-value targets that were hit “were places of important intellectual property.”

iDefense, however, told Threat Level that the attackers were targeting source code repositories of many of the companies and succeeded in reaching their target in many cases.

Alperovitch says the attacks appeared to have begun Dec. 15, but may have started earlier. They appear to have ceased on Jan. 4, when command-and-control servers that were being used to communicate with the malware and siphon data shut down.

“We don’t know if the attackers shut them down, or if some other organizations were able to shut them down,” he said. “But the attacks stopped from that point.”

Google announced on Tuesday that it discovered in mid-December that it had been breached. Adobe disclosed that it discovered its breach on Jan. 2.

Aperovitch says the attack was well-timed to occur during the holiday season when company operation centers and response teams would be thinly staffed.

The sophistication of the attack was remarkable and was something that researchers have seen before in attacks on the defense industry, but never in the commercial sector. Generally, Alperovitch said, in attacks on commercial entities, the focus is on obtaining financial data, and the attackers typically use common methods for breaching the network, such as SQL-injection attacks through a company’s web site or through unsecured wireless networks.

“Cyber criminals are good . . . but they cut corners. They don’t spend a lot of time tweaking things and making sure that every aspect of the attack is obfuscated,” he said.

Alperovitch said that McAfee has more information about the hacks that it’s not prepared to disclose at present but hopes to be able to discuss them in the future. Their primary goal, he said, was to get as much information public now to allow people to protect themselves.

He said the company has been working with law enforcement and has been talking with “all levels of the government” about the issue, particularly in the executive branch. He couldn’t say whether there were plans by Congress to hold hearings on the matter.

Will Google stand up to France and Italy, too?

The stand against China will rightly be lauded. But western states also imperil internet freedom

Rebecca MacKinnon
guardian.co.uk, Wednesday 13 January 2010 22.30 GMT

Google's stand against Chinese censorship and surveillance – triggered by suspicions that China had been trying to hack activists' accounts – will be rightly lauded by defenders of human rights. But when it comes to upholding Google's vow not to "do evil" by its users, China is by no means the company's only headache. Before those of us in western democracies get too high on our horses about Google and China, we should remember that the Chinese are not the only ones putting pressure on Google in ways that are arguably harmful to freedom of expression, even when intentions are honorable. A growing number of governments – many democratically elected – share an attitude that internet companies should be expected to act as "net nannies" for their citizens.

In the past several years, internet censorship has spread rapidly throughout a range of political systems. According to the Open Net Initiative, a consortium of academics and computer scientists who track censorship trends, the number of countries that censor the internet has gone from a handful a decade ago to almost 40 today – and the censorship club's fastest growing membership segment consists of democracies.

...

China Slams Clinton's Internet Speech: 'Information Imperialism'
CHRISTOPHER BODEEN

BEIJING — Beijing issued a stinging response Friday to Hillary Rodham Clinton's criticism that it is jamming the free flow of words and ideas on the Internet, accusing the United States of damaging relations between the two countries by imposing its "information imperialism" on China.

Foreign Ministry spokesman Ma Zhaoxu defended China's policies regarding the Web, saying the nation's Internet regulations were in line with Chinese law and did not hamper the cyber activities of the world's largest online population. His remarks follow those made by the U.S. secretary of state, who in a speech Thursday criticized countries engaging in cyberspace censorship, and urged China to investigate computer attacks against Google.

"Regarding comments that contradict facts and harm China-U.S. relations, we are firmly opposed," Ma said in a statement posted Friday on the ministry's Web site. "We urge the U.S. side to respect facts and stop using the so-called freedom of the Internet to make unjustified accusations against China."

In her speech in Washington, Clinton cited China as among a number of countries where there has been "a spike in threats to the free flow of information" over the past year. She also named Tunisia, Uzbekistan, Egypt, Iran, Saudi Arabia and Vietnam.

A state-run newspaper labeled the appeal from Washington as "information imperialism," and Ma insisted that China had "the most active development of the Internet" of any country.

Washington, meanwhile, carried its message on Internet freedom directly to Chinese bloggers. The U.S. Embassy in Beijing and consulates in Shanghai and Guangzhou hosted Internet-streamed discussions with members of the blogging community on Friday afternoon – the latest example of Washington's outreach to Chinese bloggers as a way of spreading its message.

The bloggers met with U.S. diplomats from the political, economic and public affairs sections, who held discussions and answered questions about Clinton's speech. The meetings were similar to a session organized during Obama's visit to China in November.

Zhou Shuguang, who blogs under the name "Zuola," attended the session in Guangzhou and said Clinton's speech resonated deeply with Chinese bloggers frustrated by the content controls.