Information Security News mailing list archives

RE: Alert issued for China's next cyber attack


From: InfoSec News <isn () c4i org>
Date: Wed, 22 May 2002 04:05:46 -0500 (CDT)

Forwarded from: Marc Maiffret <marc () eeye com>

| -----Original Message-----
| From: owner-isn () attrition org [mailto:owner-isn () attrition org]On Behalf
| Of InfoSec News
| Sent: Tuesday, May 21, 2002 2:30 AM
| To: isn () attrition org
| Subject: [ISN] Alert issued for China's next cyber attack
|
| http://atimes.com/media/DE21Ce01.html
|
| By James Borton
| May 21, 2002
|
| WASHINGTON - Washington's War Situation Rooms are abuzz these days
| with a score of major flashpoints scattered across the globe, from the
| Middle East, Afghanistan, Iraq, Iran, Libya, Central Asia and North
| Korea to Cuba, and has now issued an alert of China's readiness to
| launch a cyber attack targeting key government computer systems.
<snip>
| The insightful findings that China is gearing up for a cyber attack on
| defense and civilian computer networks in the United States and Taiwan
| are being dismissed outright as not potentially injurious to any
| computer networks.

It's not being dismissed...

| The paradox is startling. The Institute for Strategic Studies, run by
| the US Army War College, released a classified report as an early
| warning directed to all government policy shapers, the Defense
| Department, US diplomats and law-enforcement agencies to be vigilant
| for Chinese student hackers' efforts some time in early summer to
| spread computer viruses to deface sensitive government Internet sites.
| This is a disturbingly similar message to that which was issued to
| intelligence agencies a month before the devastating attacks on the
| Pentagon and the World Trade Center.

Computer viruses and defacements don't mean a whole lot of anything in the
"real world". The type of attacks people are worrying about, or should be,
are the ones that lead to information gathering capabilities rather than
bringing down a web server which has nothing to do with nothing.

| "We do use our website for outreach and we are sensitive to its
| security. But it's important to put the defacing of Web pages in
| perspective. Admittedly it can be done, even with security measures in
| place, but it's more akin to vandalism than a security threat," said
| Dr Steven Metz, director of research and chairman of the Regional
| Strategy and Planning Department at the Strategic Studies Institute at
| the US Army War College.

Exactly.

| It is precisely this kind of denial of any clear and present danger
| from senior sources at the Pentagon and even the CIA that is causing
| an increasing firestorm among congressional leaders. This week,
| Washington's top lawmakers will be pushing for tougher inquiries about
| last year's breakdown in intelligence communication between the CIA
| and Federal Bureau of Investigation (FBI).

There was no denial quote being made by Mr. Metz. Metz was right on the
money in what he said. Now if he went and said there is no threat at all
from China, or foreign governments, to penetrate our trusted computer systems
to gather information that can _TRULY_ damage the United States, then yeah he
would be full of it. But that's not what he said...

| In testimony presented to the US Senate Armed Services Committee last
| month, Tenet revealed, "I think we have a deep concern that the
| Chinese are also engaging in activities that continue to be inimical
| not just to our interests, but that their activity stimulates
| secondary activities that only complicate the threat we face."
|
| Code Red: No longer just a threat

I'll consider myself knowledgeable on Code Red since myself and Ryan Permeh
(also of eEye) gave the first analysis of Code Red, therefore naming the
worm Code Red. Hey Pepsi, we still want more free Mountain Dew, please. ;-]
http://www.eeye.com/html/Research/Advisories/AL20010717.html

| No one in Washington has forgotten when Chinese anger spilled over
| from the streets into cyberspace to protest the North Atlantic Treaty
| Organization's (NATO) bombing three years ago of the Chinese Embassy
| in Belgrade resulting in the deaths of three Chinese journalists. At
| that time, most of the major Chinese media organizations, including
| the People's Daily, CCTV, Xinhua News Agency, Guangming Daily, China
| Youth Daily, and Beijing Youth Daily, published extensive coverage of
| the street demonstrations against the bombings on their websites.
|
| As a direct result of that international incident, Chinese hackers
| broke into the US Department of Energy's website and replaced its
| homepage with a note written half in English, half in Chinese, which
| read: "We are Chinese hackers who take no cares about politics. But we
| can not stand by seeing our Chinese reporters being killed. Whatever
| the purpose is NATO, led by the USA, must take absolute
| responsibility. You have owed Chinese people a bloody debt which you
| must pay for. We won't stop attacking until the war stops."

Once again, these were website attacks, who cares. Also, they were probably
14 year old Chinese American kids living in Oregon. To say the Chinese
government uses its capabilities to deface websites (THAT MEAN NOTHING) is
to insult and underestimate. Two things I wouldn't suggest ;-]

| Only a year ago, a successful Chinese cyber attack aimed directly at
| the heart of America's political pulse knocked out the White House's
| website for almost four hours.

Actually no one knows that Code Red was truly written by the Chinese. It
could have been anyone. Also it never did anything to the White House
website for four hours. It was about 15 minutes while a couple DNS mappings
changed. The worm failed on that front.

Could Code Red have been written by the Chinese? Yes. Do I personally think the
Chinese government would do it? No. That would equate them to terrorists and
I think they are smarter than loser terrorists. If you have the information
warfare capabilities then you wouldn't write a worm, there is "nothing"
advantageous about it. Nothing in the sense that by releasing a worm you
lose more than you gain. More systems become secure as a result of a worm.
So maybe it was a test to see how the world reacts to internet worms? How
quickly we can shut worms down? But then what is the use? Take down the
internet for a day and that affects the economy how? Does it hurt the US
that much? Does it hurt China and everyone else just as much or more? For
military purposes it's better to be able to get critical information to use
against your enemy. Therefore it makes more sense to be silently hacking
systems to gain information that you can later use. This does not
necessarily mean breaking into government/military systems for information.
This can mean breaking into software vendors, creating backdoors, to then
later use to gain access to that government/military data (Microsoft for
example was broken into a while back and source code stolen, who knows what
maybe was altered). Data which is much more useful to use against your
enemy, instead of doing something as trivial as bringing down the internet,
which won't affect a lot of the classified networks anyways, where the real
information is.

| A White House spokesman at that time
| refuted the seriousness of the action, stating that "there was no
| security breach, and the attack remains under review". Never mind that
| it was exactly a year ago, almost in a memorial salute to the Belgrade
| bombing of the Chinese Embassy, that Chinese hackers defaced more than
| 660 sites in the US, according to Michael Cheek from the security firm
| iDefense.

Ahhh iDefense is mentioned... well that explains part of why this author has
no idea what he is talking about, otherwise he wouldn't have contacted
iDefense. Oh but wait, let me rephrase, or otherwise he would have known
when iDefense contacted him and pitched him on such an asinine story, that
he should have done some homework.

| US technologies of surveillance, encryption, firewalls, and even
| viruses have been willingly transferred to Chinese partners in the
| past several years as part of China's budding efforts to enter the New
| Economy. Rand Corp's James Mulvenon maintains that such US companies
| as Network Associates (McAfee Anti Virus), and Symantec (Norton Anti
| Virus) gained entry to China's market by voluntarily providing China's
| Public Security Bureau with more than 300 computer viral strains.

Definitely a good part of the article. This is in fact true. A lot of U.S.
based companies have been providing the Chinese with all sorts of malicious
code samples and exploits, which the Chinese are saying they need to test a
product to certify that it "works as advertised" so that it can be sold
within China. So U.S. companies help the Chinese learning curve on malicious
code/exploit writing, and in exchange they get to make money in the Chinese
market. Hmmm that doesn't sound too nice... especially since the U.S.
government pays large sums of money to a lot of these U.S. based security
companies ... so does that in a way mean the United States is actually
paying to fund the Chinese information warfare research being done against
the U.S.? Well I didn't say that but someone could possibly construe things
to that level.

| Although senior Chinese Internet network officials maintain even today
| that a Code Red worm is far too sophisticated for China to have

What bullshit. Some of the bigger IIS vulnerabilities (IIS being Microsoft's
Internet Information Web Server software) have been discovered by the
Chinese. Unicode and double decode, two vulnerabilities used in a couple of
the IIS web server worms (Nimda for example), were both vulnerabilities
discovered and released by a Chinese research firm.
http://online.securityfocus.com/archive/1/184543

| produced, several senior US analysts strongly disagree and confirm
| that the technology to launch cyber attacks has already been
| successfully deployed by China. After all, China has already developed

And to further push the point home that they (Chinese) would easily have
capabilities to write Code Red.... they've already gotten similar worm
source code from most of the U.S. security companies that are now selling
their software in the Chinese market, after handing over their malicious
code to the Chinese government.

<snip>
| "The Chinese military views cyberwarfare as a way to overcome
| America's superiority," claims Toshi Yoshihara, a research fellow on
| security issues with the Institute for Foreign Policy Analysts and
| doctoral candidate at Fletcher School of Law and Diplomacy.

;-] Thinking ahead... have to give them credit for that much.

<snip>
| Some close observers of America's intelligence community believe it is
| precisely this kind of mixed information, laced with naivete and
| denial, that fits squarely into the demands made by Senator Richard
| Shelby, the Alabama Republican who serves as vice chairman of the
| Senate Intelligence Committee, that a leadership shakeup may be
| required soon at the CIA.
|
| Just as America experienced in 1993 at the World Trade Center a
| shocking preview of what the entire world gravely witnessed a few
| years later on September 11, 2001, the next Code Red worm may prove to
| be much more than just a mere nuisance to government websites.

We'll see...

These are my own personal opinions.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities


