A new approach to China
1/12/2010 03:00:00 PM
Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident--albeit a significant one--was something quite different.
First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.
Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.
Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users’ computers.
These attacks and the surveillance they have uncovered--combined with the attempts over the past year to further limit free speech on the web--have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.
Unfortunately China also has “Baidu”, a local search engine that already has a 65% market share in China, and complying with any government censorship requirement…
Google and Adobe came under attack by hackers seeking source code. They finally admitted it: http://www.wired.com/threatlevel/2010/01/google-hack-attack
The hackers now use unpatched Adobe holes and specially prepared PDF documents; GData already warned that PDF is an a priori unsafe extension. Google admitted to the attack, as the poster above, Chris Thomas, cites.
Advisory against the hacks here: http://www.adobe.com/support/security/bulletins/apsb10-02.html
The attacks differed from those in June, but the same command and control servers have been used to perform them.
I don’t think that’s doable, but following this it would be nice to find a way to prevent Baidu from indexing anything outside China ;D or to make it so that clicking on any EU/US link in a Baidu search bounces back to… Baidu.
Analysts say hackers around the world, especially from China, frequently attack Taiwan companies' computers by installing software through Trojan horses and backdoors. The attacked computers are referred to as "zombie computers" or victims of a "botnet," which lets hackers control them remotely. Taiwan's robust Internet network has also made it appealing to international hackers. "Taiwan's internet infrastructure is well established, and computers are highly popular, which means [hackers] can easily find problematic computers to attack," said Steven Tsai, senior engineer of Taiwan's National Center for High Performance Computing.
(if you launch the link to this article from Google news, you’ll get the entire article without having to be a subscriber)
With the ongoing successful attacks on Google and Adobe, companies may consider blocking all Internet traffic to and from China. This is the vision of security expert Timothy “Thor” Mullen, who wrote an article a year and a half ago on completely blocking certain countries on the Internet. Now that China is hot news again, he points to this: “I like to point out tools one could get from the site Hammer of God to have some party block all traffic from and to China or whatever country via ISA/TMG.” He himself has been blocking China for years and years because the whole of the Chinese network is full of cyber criminals and hackers. (N.B. his vision - not mine.)
OK, fine, but as mentioned in the article I linked to above, they’re using Taiwanese proxies, so ??? ;D
People familiar with the attacks say the hackers tried to mask their identity by routing their efforts through six Internet addresses located in Taiwan, a common tactic used by Chinese hackers.
Five of the six addresses were owned by Era Digital Media Co., a company that provides television programs and movies through the Internet. Era Digital, which has some 800,000 daily viewers, said it wasn’t aware of the attack and declined to comment further. The sixth address is owned by Qi Wei Technology Co., a financial software provider. Qi Wei said it had stopped using the relevant address in June.
Lee Hsiang-chen, director of Taiwan National Police Agency’s High-tech Criminal Center, said the two companies were likely victims themselves. “The two companies were probably attacked,” he said, adding that Chinese hackers prefer to infiltrate Taiwan Web sites because they use the same language.
Also, a French article mentioned that Ballmer hadn’t acknowledged it yet, but MS was considering the possible flaw in IE:
Operation “Aurora” Hit Google, Others...
McAfee Labs has been working around the clock, diving deep into the attack we are now calling Aurora that hit multiple companies and was publicly disclosed by Google on Tuesday.
We are working with multiple organizations that were impacted by this attack as well as the government and law enforcement. As part of our investigation, we analyzed several pieces of malicious code that we have confirmed were used in attempts to penetrate several of the targeted organizations.
New Internet Explorer Zero Day
In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer. We informed Microsoft about this vulnerability and Microsoft published an advisory and a blog post on the matter on Thursday afternoon.
Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks. Today, Microsoft issued guidance to help customers mitigate a Remote Code Execution (RCE) vulnerability in Internet Explorer. Additionally, we are cooperating with Google and other companies, as well as authorities and other industry partners.
edit: see here too:
IE zero-day used in Chinese cyber assault on 34 firms
Chinese government-backed search engine blocks access to Google company blog
Baidu, China's dominant search engine, has apparently cut off access to Google's company blog, after a post appeared there detailing the latter company's decision to cease cooperation with the Chinese government over concerns with censorship and cyber crime.
someone on another forum where I post mentioned this, but gave no source and no link:
Alright, according to some news from China, Google has broken up with the Chinese government: no more google.cn, NO more Google China. Every employee of Google China will get half a year's salary as severance pay, and Google is willing to find them jobs in other Google branch offices.
The code samples obtained by iDefense from the July attack and the present attack are different, but they contact two similar hosts for command-and-control communication. The servers used in both attacks employ the HomeLinux DynamicDNS provider, and both are currently pointing to IP addresses owned by Linode, a US-based company that offers Virtual Private Server hosting.
The IP addresses in question are within the same subnet, and they are six IP addresses apart from each other. Considering this proximity, it is possible that the two attacks are one and the same, and that the organizations targeted in the Silicon Valley attacks have been compromised since July.
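The iDefense observation quoted above (same dynamic-DNS provider, same subnet, six addresses apart) is a standard infrastructure pivot for linking two intrusions. The Python below is an added illustration of that pivot; it is not code from iDefense, Google or any poster in this thread. All indicators in it are constructed: the hostnames are made up (placed under HomeLinux zones only to mirror the report), the IP addresses come from the TEST-NET-1 documentation range, and the list of HomeLinux zones is an assumption. It flags a pair only when at least two independent links line up, since two unrelated actors renting cheap VPSs in the same /24 is common enough that proximity alone proves little.

```python
import ipaddress

# Constructed indicators for illustration (NOT the real Aurora C2 data).
# Hostnames are invented; IPs are from 192.0.2.0/24 (TEST-NET-1), so they
# can never point at a real host.  Two campaigns, six addresses apart.
JULY_C2 = {"host": "update-srv.homelinux.net", "ip": "192.0.2.10"}
DEC_C2 = {"host": "sync-node.homelinux.org", "ip": "192.0.2.16"}

# Assumed set of zones operated by the HomeLinux dynamic-DNS provider.
DDNS_ZONES = ("homelinux.com", "homelinux.net", "homelinux.org")


def ddns_zone(host):
    """Return the dynamic-DNS zone a hostname sits under, or None.

    Matches on label boundaries so 'homelinux.net.evil.example' is NOT
    treated as a HomeLinux name.
    """
    host = host.lower().rstrip(".")
    for zone in DDNS_ZONES:
        if host == zone or host.endswith("." + zone):
            return zone
    return None


def same_ddns_provider(host_a, host_b):
    """True if both names hang off the same provider family.

    homelinux.com / .net / .org are one operator, so compare the label
    in front of the TLD rather than the full zone string.
    """
    za, zb = ddns_zone(host_a), ddns_zone(host_b)
    if za is None or zb is None:
        return False
    return za.split(".")[0] == zb.split(".")[0]


def ip_distance(ip_a, ip_b):
    """Absolute numeric distance between two addresses (v4 or v6)."""
    return abs(int(ipaddress.ip_address(ip_a)) - int(ipaddress.ip_address(ip_b)))


def same_subnet(ip_a, ip_b, prefix=24):
    """True if both addresses fall in the same /prefix network."""
    net_a = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    net_b = ipaddress.ip_network(f"{ip_b}/{prefix}", strict=False)
    return net_a == net_b


def correlate(ind_a, ind_b, prefix=24, max_distance=16):
    """Score the infrastructure overlap between two C2 indicators.

    Returns the individual links found plus a 'linked' verdict that needs
    at least two of them, because any single link (a shared DynDNS
    provider, or a shared VPS /24) is weak evidence on its own.
    """
    links = []
    if same_ddns_provider(ind_a["host"], ind_b["host"]):
        links.append("shared_ddns_provider")
    if same_subnet(ind_a["ip"], ind_b["ip"], prefix):
        links.append(f"same_/{prefix}")
    dist = ip_distance(ind_a["ip"], ind_b["ip"])
    if dist <= max_distance:
        links.append("adjacent_ips")
    return {"links": links, "ip_distance": dist, "linked": len(links) >= 2}


if __name__ == "__main__":
    print(correlate(JULY_C2, DEC_C2))
```

The verdict is a hypothesis to chase (pull the hosting provider's records, compare malware samples, check timing), not proof on its own, which is exactly the hedge in the iDefense wording: "it is possible that the two attacks are one and the same".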
Through these links that you have provided for us we can gradually depict the overall situation, and it looks grim; it has various apparent and hidden implications. Corporate interests play an important role; I think the privacy issue is being used more or less as an excuse or pretext. Apart from what is really at stake, there are the security issues also. It means the Internet is a place where threats raise their ugly heads everywhere, and it does not matter from what angle they come in: zombie bot herder, malcreant cyber crime exploit user, targeted hack developer, cyber army skirmishes. Malcode is “on the wire” everywhere all over the Internet, the unaware aren’t really helping the situation, and those in charge are turning a blind eye; we are in a predicament. Again, we need China in the world and its centuries-old culture and wisdom,