Google, Citing Attack, Threatens to Exit China [FIXED :) ]

Hi Logos,

Yes, I have posted about how to block all of China and Korea as such, if parties would think this would help. Also reckon that a lot of malcreants outside of China operate there; that is what I meant with that rephrase.

Internet Explorer has a very serious zero-day security hole
The vulnerability that the attackers on Google used works on all flaws of IE and on each and every platform. As far as we know they used the attack via Internet Explorer 6 on a malicious website. Internet Explorer 8 in combination with Data Execution Prevention (DEP) prevents the attack. Well, Microsoft thinks about launching an emergency patch. According to the software vendor the attack has only been seen in very targeted attacks, but every firm should reckon with the threat’s danger.

“Complex attacks on specific corporate networks are often seen”, says Microsoft Security Response Center (MSRC)'s Mike Reavy. He says that the Protected Mode inside IE 7 on Windows Vista and beyond limits what attackers can do. Users also could enable Data Execution Prevention (DEP) here. Or use Firefox with the NoScript and RequestPolicy extensions installed, because again and again JavaScript is the culprit of the mentioned attack.

Trojan horse
The attack itself was launched using, yes again folks, JavaScript code abusing the zero-day hole in Internet Explorer, according to McAfee’s Craig Schmugar. As soon as the OS was infested, the exploit installed a file from a website, now taken offline. This file installed a remote access Trojan (RAT), loading at start-up. The malware also contacted a remote server, enabling the attacker access to the infected system. Schmugar confirms the attack cannot work with DEP enabled.

polonus

yeah my mistake, I forgot they indeed mentioned IE 6 was mainly used… that said, a majority of users don’t have, as they suggested, security set to “high” in IE8. DEP yes.

as mentioned earlier, Adobe has been under attack too, see article link posted by Pondus here:
http://forum.avast.com/index.php?topic=52252.msg453321#msg453321
http://www.v3.co.uk/v3/news/2256152/adobe-hit-chinese-google-attack

so it’s not just Adobe as a company that’s been attacked, but maybe vulnerabilities used in PDF attachments may have been another vector of attack against Google, as stated here:

Security experts beg to differ, however. F-Secure chief research officer Mikko Hyppönen wrote in a blog posting yesterday: "We believe the attack was launched via a convincing email with an exploit-ridden PDF attachment."
http://www.f-secure.com/weblog/archives/00001854.html http://www.youtube.com/watch?v=nFw9ZHy0V3c

not sure if this link has been posted yet:

Researchers identify command servers behind Google attack

VeriSign iDefense researchers have identified the source of the recent cyber-assault against Google and have found the command-and-control servers that were used to orchestrate the attack.


http://arstechnica.com/security/news/2010/01/researchers-identify-command-servers-behind-google-attack.ars

Hi Logos,

More news here: Update today
After Yahoo, Symantec, Northrop Grumman and Dow Chemical have been attacked, also network giant Juniper was to be hacked. The company neither denies nor confirms this info of an attack.

Update today
To prevent detection of the malware on the company network the attackers made use of encryption, according to McAfee as they told Wired. “We never saw encryption on this level. It was rather cleverly done”, according to Dmitri Alperovitch, vice president of threat research. How the Google worker was taken to the malcoded site will be published later. This could have been via e-mail, Instant Messaging or Facebook.

At the end of the day a dozen instances of malware were placed on the system. One of the malicious programs was a backdoor with an encrypted “covert channel”, posing as an SSL connection to prevent detection. The infected machine was then used to attack the rest of the Google company network. Just like Kurtz does, Alperovitch affirms that McAfee is sitting on information it is not allowed yet to disclose.

polonus

Info on the trojan used in the attacks:
http://blog.threatexpert.com/2010/01/trojanhydraq-exposed.html

Damian

hey Polonus,

that’s very interesting info as usual… :wink:

edit: what I’m actually wondering right now is how far is Google ready to push that, are they gonna take down Google.cn or not…there’s a lot of speculation going on.

Hi Logos,

You got your answer here: http://www.theregister.co.uk/2010/01/15/us_google_china/
Google is doing their own form of ad policing at home:
http://www.theregister.co.uk/2010/01/15/google_bans_thirty_thousand_from_adwords/

The browser issue: what is important is to look at the number of unpatched advisories. Internet Explorer always has a large number still open (highly critical ones); those in Firefox do not take that long to get patched:

Source: Secunia

Vulnerability Report: Microsoft Internet Explorer 8.x
Unpatched: 50% (4 of 8 Secunia advisories)
Most critical unpatched: the most severe unpatched Secunia advisory affecting Microsoft Internet Explorer 8.x, with all vendor patches applied, is rated Extremely critical.

Vulnerability Report: Mozilla Firefox 3.5.x
Unpatched: 0% (0 of 6 Secunia advisories)
Most critical unpatched: there are no unpatched Secunia advisories affecting this product, when all vendor patches are applied.

But the hole used in the attacks was for IE6:
Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.

And the Chinese exploited this hole before: http://blog.trendmicro.com/zero-day-ie-flaw-being-actively-exploited/

How long has this hole been there unpatched (independent of using UAC and/or DEP, which came in as additional solutions with Vista and later with W7)? Another conclusion is that users cannot use XP SP3 anymore without additional security measures like a normal user account for using applications on the Internet and/or JavaScript blocking inside browsers (not available in IE so far)… again a lot of corporations did not make the switch from IE6 or XP on a network scale. Will this and other threats be a way to enforce the mitigation a bit? Pure speculation of course on my part, well, what is it then?

polonus

yeah I knew the issue became/is/was very political, and an intervention of the US gvt was indeed expected. A Google rep said today that Google.cn (well, obviously not down yet…) still filters what it used to until now. The next days… or maybe next week will be interesting.
As to IE, running IE6 even patched today sounds so mad… I always have a laugh when I see my Secunia summary showing “no fix” for Internet Explorer 8 ;D

edit: a first reaction may be (on Thursday night already…)

China blocks number-one movie site IMDb
http://www.techradar.com/news/internet/china-blocks-number-one-movie-site-imdb-663458 source: http://www.theregister.co.uk/2010/01/14/china_firewall/

Hi Logos,

Good reporting means to report on both sides of this issue.
Please, read here, hypothesis from the past:
http://pubservant.blogspot.com/2007/10/chinese-cyber-army-myth-or-reality.html

So, is there really an army of PLA hackers that are blatantly attacking western government's computer networks, or is this just paranoia and China bashing?
I mean, could you imagine senior western government officials browsing the net and downloading dodgy software during their working hours on their government computers? Well, maybe you can, but then the problem wouldn't really be the hackers, would it?
That implies that the Google employee was searching the Internet with IE6 (in a Google internet environment where everyone uses Google Chrome, renowned for its virtual tab security, a bit strange as we analyze the fact, or this employee was opening e-mail attachments or was using Twitter, Facebook etc.)
The more important question is then how many hackers does it take to exploit the security hole of a networking software? My answer would be ... just 1 actually.

conclusion:

Therefore, the idea of armies of PLA hackers launching coordinated software exploit attacks on western government networks is not really plausible.

Seems orchestrated like it says here:
(http://www.reuters.com/article/internetNews/idUSL2225757020071022?sp=true):

So what we could have here is a piece of software that scans a network of systems for an existing vulnerability which can be exploited, allowing the host to be compromised WITHOUT REQUIRING ANY ACTION FROM THE USER.
Then we are back at base one and Chinese CyberCrime again exists and it goes against the lone malcreant theory of the author. The truth is out there, but what one? We have seen the future, and it does not belong to you... http://www.theregister.co.uk/2009/12/31/the_out_of_control_decade/

“There’s always free cheese in a mousetrap, baby.”

polonus

The Obama administration is one of the weakest administration that ever existed in American history.

They only talk and complain like small kids.

It is urgent that the free world has a very good CYBER DEFENSE

The Chinese economy only grows through espionage…

It is amazing that only 23% of the corporate world in America uses SSL

yeah Polonus, it’s indeed very difficult to find out how it happened with Google. One million theories are possible, from the attacked user downloading malware without being aware of anything (and it’s not just porn or cracks like the author of the article you mentioned said to prove his point… we all know it could just as well be stuff that sounds legit) to the infiltrated user running IE6 purposely and what else… we’ll never know, and it’s not usual that a company discloses the details of such an attack after an investigation.
I don’t even know if a majority of users are running Chrome in Google offices. That’s a cliché and a journalism… humm… cliché ;D Now if a majority does indeed run Chrome, strange a hacker (from China) did just find the one running IE6… sounds quite improbable… unless as said (by me) the IE6 user is an infiltrated Chinese agent who tried to conceal the attack means by looking like a victim himself. Everything is possible. Secret services didn’t wait for the Internet to happen to use all sorts of means, everything in this area is allowed, we know that, and we also know that we never get to know the truth in most cases, at least not a detailed truth.
I for one would believe and accept for now some sort of very global truth: Google as well as tens of other companies and western gvt networks have been attacked again and again by intelligence services working directly for the Chinese authorities.
Yeah, not saying that “we” (the West) don’t have such practices… don’t tell me that Israel, the US, the UK and the French are not spying, they do it all the time… but at gvt level with enemies, and not commercial allies like China does. This is all theory… I admit I can’t make any factual statement in this area. Too many rumors, and I’m not an insider.
What does interest me to be honest is whether Google yes or no will stick to its word… and we don’t know yet. I have doubts…I can well imagine that in a few months from now Google will be posting on their blog that they’re still having talks with the Chinese and Google.cn will still be up and running and filtering…

maybe a beginning of something happening, see here:

Google.cn is going rogue Jan 16, 2010 17:16
http://asia.cnet.com/blogs/sinobytes/post.htm?id=63016204&scid=hm_bl

http://asia.cnet.com/u//028/226/fe864f7c4b517fe8400x.jpg

as to the details of the cyber attack perpetrated against Google, those guys should know a few things:
http://www.mandiant.com/
they’re in charge of Cyber security for Google
http://www.computerworld.com/s/article/9145279/Chinese_authorities_behind_Google_attack_researcher_claims

Hi Logos,

There are also speculations that because of the weak overall security status of the Chinese networks the hack was performed THROUGH China, a kind of false flag cyber attack. This because of the stories of a vulnerability in IE6, sophisticated encryption being used for the first time for this level of an attack. And who would know more about the Chinese network than Google.cn? Too many unrhymed things here. Can you come up with any links about these speculations? Malcreants from outside China also use China as a home base for their malcode redirects (Gumblar etc.). In the latest attacks there were Chinese and American servers involved…
Again more questions than answers here,

polonus

@ Polonus: interesting, that also is possible; following this path Google itself could be behind everything to justify today’s moves. I’ll try to find out more… the problem with the Internet is when you’re non-objectively looking for something you’ll always find it… so that’s not easy.

I saw that already yesterday…
http://translate.google.com/translate?u=http%3A%2F%2Fwww.lepoint.fr%2Factualites-technologie-internet%2F2010-01-15%2Fcoup-de-bluff-google-va-t-il-vraiment-quitter-la-chine%2F1387%2F0%2F414031&sl=fr&tl=en&hl=&ie=UTF-8

I now really doubt whether cloud is safe

How can you trust Google doc and other places?

Impossible!

Hi Chris Thomas,

But this is what happened just after the hacks, where GMail accounts were involved:
Just hours after Google disclosed it and at least 20 other large companies were the targets of highly sophisticated cyberattacks, the online giant said it would enhance the security of its email service by automatically encrypting entire web sessions.

The change, which Google is in the process of rolling out now, means Gmail sessions will be automatically protected from start to finish with the SSL, or Secure Sockets Layer, protocol, even if a user doesn’t specifically ask for it. Up until now, users had to check a setting in their Gmail options to get always-on encryption.

The change bolsters Google’s already significant lead in protecting web users against so-called man-in-the-middle attacks, which allow miscreants to read and modify web traffic by sitting in between victims and the sites they surf. Yahoo Mail, eBay, MySpace, Facebook, and a wide variety of other sites continue to offer https encryption only when users are logging in, making email and other sensitive pages that are visited later susceptible to so-called sidejacking and similar attacks.

The change, which many security advocates had demanded, was announced a few hours after Google accused China-based hackers of carrying out highly sophisticated attacks designed to ferret out human rights advocates. Exploits targeting Gmail services largely failed, but Google said “dozens” of accounts had been routinely accessed by unauthorized parties through phishing or malware attacks on the users themselves.

Google didn’t elaborate on those attacks, so there’s no way to know if always-on encryption would have prevented those account holders from being compromised. Still, the automatic use of https makes good sense and allows Google to rightfully claim even higher ground relative to its peers. (Twitter is one of the few other popular services to offer start-to-finish https.)

“We initially left the choice of using it up to you because there’s a downside: https can make your mail slower since encrypted data doesn’t travel across the web as quickly as unencrypted data,” Gmail Engineering Director Sam Schillace wrote. “Over the last few months, we’ve been researching the security/latency tradeoff and decided that turning https on for everyone was the right thing to do.”

Those who want to disable the feature may do so by checking a “Don’t always use https” box in Gmail settings. Even then, Gmail login pages will continue to be encrypted.

polonus

P.S. Do not forget we have National Cybersecurity Awareness Month:
http://www.america.gov/cybersecurity.html

D

off topic: whatever, hacking or not hacking, I’ve always believed it was mad to store sensitive data in the cloud. At least Google can access it, or any other site owner on another cloud. Wouldn’t store anything without strong encryption, but then the downside is that the data you stored isn’t as quickly accessible as desired.
Another example would be Mozilla Weave: first they offer that you can use the software to store the data (Firefox data) wherever you want, on your own server if you want, and they say if you choose the Mozilla server it’s encrypted there, and they themselves cannot access it. This is impossible to check of course.
Again, I’d never store anything sensitive/private without encrypting it first. There are enough free and good tools for that.

Btw, I’ve been on HTTPS for Gmail for ages, long before the setting was offered in the interface. It always supported SSL, and that was set for me permanently in the CustomizeGoogle extension, with a very short connection to non-SSL before rerouting to SSL, so not a hundred percent secure at the time. Anyway good to know you can also browse Google Docs in SSL mode. You can also use NoScript options to force https on a few sites, like Twitter or Facebook… (careful with Twitter otherwise, even if started in https, it can switch randomly to http; as to Facebook, some pages won’t display at all in https).
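As an added illustration of the sidejacking point in the quoted Register piece (login-only versus always-on https) and of the short non-SSL hop mentioned just above: example code written for this thread, not Google's or Gmail's own; the hostnames, cookie names and session sequences are constructed.

```python
"""Constructed model of login-only versus always-on HTTPS (sample data, not
Gmail's real headers): which session cookies would a passive sniffer see?"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def parse_set_cookies(header_values):
    """Map cookie name -> Secure/HttpOnly flags from Set-Cookie header values."""
    cookies = {}
    for value in header_values:
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            cookies[name] = {"secure": bool(morsel["secure"]),
                             "httponly": bool(morsel["httponly"])}
    return cookies


def audit_set_cookies(url, header_values):
    """Server-side check: findings for cookies unfit for an always-on HTTPS site."""
    findings = []
    for name, attrs in parse_set_cookies(header_values).items():
        if urlsplit(url).scheme != "https":
            findings.append(f"{name}: set over plain HTTP, already visible on the wire")
        if not attrs["secure"]:
            findings.append(f"{name}: missing Secure, browser will send it over http")
        if not attrs["httponly"]:
            findings.append(f"{name}: missing HttpOnly, readable by page scripts")
    return findings


def cookies_sent_in_clear(session_log):
    """Client-side model. session_log lists (url, set_cookie_values) in visit order.
    Returns cookies the browser transmits over http at any point: the sidejacker's take."""
    jar, exposed = {}, set()
    for url, set_cookie_values in session_log:
        plain_http = urlsplit(url).scheme == "http"
        # Request: stored cookies are attached, but Secure ones are withheld over http
        exposed.update(n for n, a in jar.items() if plain_http and not a["secure"])
        # Response: store whatever this page sets
        jar.update(parse_set_cookies(set_cookie_values))
    return sorted(exposed)


# Login-only HTTPS (constructed): only the login page is encrypted, cookie lacks Secure.
LOGIN_ONLY_HTTPS = [
    ("https://mail.example.test/login", ["SID=abc123; Path=/; HttpOnly"]),
    ("http://mail.example.test/inbox", []),
    ("http://mail.example.test/msg/42", ["PREF=en; Path=/"]),
]
# Always-on HTTPS (constructed): Secure cookie, so the lone http hop that
# redirects to https no longer leaks the session.
ALWAYS_ON_HTTPS = [
    ("https://mail.example.test/login", ["SID=abc123; Path=/; Secure; HttpOnly"]),
    ("http://mail.example.test/", []),  # redirect hop to https
    ("https://mail.example.test/inbox", []),
]
```

Running `cookies_sent_in_clear` over the two constructed sessions returns `['SID']` for the login-only site and `[]` for the always-on one; `audit_set_cookies` flags the missing Secure attribute on the server side before a user ever hits a plain-http page.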

Hi Logos,

If you are aware of what you (have/will) put online and you are not a victim of identity theft or your data haven’t been stolen, using the Google services might be rather convenient. Make sure you flush the (search, DNS, etc.) content, the super cookie content, the cache content, or use a web proxy when needed. We are so accustomed to the Google formula that we do not feel the need of having the panic button ready at hand to Secure Delete Immediately.
But going back on topic, let us take a Google-China poll here:
http://wordpress.3dn.nl/2010/01/14/google-china/
(source: Facebook user)
polonus

Google Users in China Fear Losing Important Tool

BEIJING — At the elite Tsinghua University here, some students were joking Friday that they had better download all the Internet information they wanted now in case Google left the country.

http://www.nytimes.com/2010/01/17/world/asia/17china.html

Now we found one disadvantage of the cloud :slight_smile:
Off topic: hope they won’t attack me ;D
I’m an innocent child with only a firewall ;D