Forgot your password?
typodupeerror
China

South Korea Backtracks On China As Source of Cyberattack 125

Posted by timothy
from the could-have-been-anyone-really dept.
hackingbear writes "The suspected cyberattack that struck South Korean banks and media companies this week didn't originate from a Chinese IP address, South Korean officials said Friday, contradicting their previous claim. The Korea Communications Commission said that after 'detailed analysis,' the IP address used in the attack is the bank's internal IP address — which is, coincidentally identical to a Chinese ISP's address, among the 2^32 address space available."
This discussion has been archived. No new comments can be posted.

South Korea Backtracks On China As Source of Cyberattack

Comments Filter:
  • Hanlon's (Score:5, Insightful)

    by gmuslera (3436) on Sunday March 24, 2013 @09:17PM (#43266681) Homepage Journal

    The bank used public IP addresses (existing, used elsewhere) for their internal network? The one that designed that should be considered a bigger security threat that any current cyberattack.

    BTW, the CNN editorial "Why cyber attacks threaten our freedom [cnn.com]" is another piece of art of more or less the same magnitude. I'd say that is on a par with this one [dailymail.co.uk]

    • by noh8rz10 (2716597)
      I thought all IP addresses are unique?
      • by cigawoot (1242378)

        In an Intranet that isn't the case. However, the bank really failed if it wasn't using subnets allocated for private use...

        • by Anonymous Coward

          Nor really. Probably due to some organisational and political reason they exhausted all available private space... so they assigned some random block for private use. Not saying that it's good, but I can understand that.

          • Re:Hanlon's (Score:5, Informative)

            by icebike (68054) on Sunday March 24, 2013 @10:47PM (#43267101)

            Define Exhausted all private Address space?

            In just the 10 block alone there are 16,777,216. This bank isn't that big.

            • by Luckyo (1726890)

              They may however need wide subnets for some administrative reason. IPs are rarely assigned on single basis inside a large corporate network. Usually they're split in blocks of various sizes which are given to various parts of the corporation.

              In this case, corporation probably grew out of the old system at some point, and instead of having to reconfigure everything they just added a public block as a private one on their own intranet. It's not impossible, but it's definitely not the wisest approach.

              • by wvmarle (1070040)

                That'd still show poor IT management. I can imagine you want to spare some addresses for potential future growth (making your subnets say 3-4 bits wider than necessary), but if you run out of a complete A-class network you're definitely doing something wrong.

                • by Luckyo (1726890)

                  Well, they mapped non-private addresses to intranet machines. So I think we're past the question "were they doing something wrong" here.

                  • by Anonymous Coward

                    Well, they mapped non-private addresses to intranet machines. So I think we're past the question "were they doing something wrong" here.

                    You're assuming that's what they did. I find it more likely that whoever got into the network was spoofing addresses or just flat out tampering with log data, as opposed to them using non RFC1918 space for internal network purposes. Or perhaps that was actually part of the hack.

                    But no, there's nothing fundamentally wrong with using non RFC1918 space on a network which is never supposed to be able to reach the Public Internet. In fact, if you are careful to select address space which is not yours, not only w

                • by rwa2 (4391) *

                  Yes, that, and I thought I saw on Fark a week ago that one of the supposed "cyberattacks" was just some internal machine with an outdated antivirus. But maybe it was just one of those snark-to-be-true headlines that happen to fluke sometimes.

                  But yeah, let's go to war over our own incompetence.

              • Then maybe they should look at using something other than a /24. Usually this is just laziness, where it's easier/more-convenient to assign a /24 to every little unit. There is an advantage in that it's easier to read the addresses, but this comes at the drawback of using up private address-space much quicker.

                Using public address-space for private subnets is just an overall terrible idea. A mis-configured firewall, change-over of gear with default settings, routing issue, or any number of things and you hav

            • by AK Marc (707885)
              10.0.0.0/8 is for servers, 172.0.0.0/8 is for equipment (printers, routers, switches), and 192.0.0.0/8 is for users. Don't laugh, I've seen similar done in multi-billion dollar company.
      • Re:Hanlon's (Score:5, Insightful)

        by icebike (68054) on Sunday March 24, 2013 @09:41PM (#43266833)

        They are supposed to be.
        But read what gmusiera said in his first sentence.

        For your internal address (inside your router, you typically use a Private Network Address [wikipedia.org] from one of the common ranges specifically set aside for this per RFC 1819.

        This bank instead chose a public address range that was not theirs and used that as their private range. You can get away with this in a NAT situation, because only YOUR OWN ROUTER knows about this.

        But it is monumentally dumb to do this.
        I've seen noob admins do this in the past just to avoid an RFC1819 address space internally, usually as a means to avoid a routing error that they didn't understand. Its never justified. And there are security implications and mind bogglingly hard to figure out routing errors if you have to actually deal with the real owner of the address space.

        • Re:Hanlon's (Score:4, Informative)

          by Anonymous Coward on Sunday March 24, 2013 @10:50PM (#43267107)

          its RFC 1918...

          They will grab your geek card on the way out.

        • I've seen noob admins do this in the past just to avoid an RFC1819 address space internally, usually as a means to avoid a routing error that they didn't understand. Its never justified.

          Please explain why it is never justified to use a public IP internally.

          What, exactly, do you suppose we're shooting for with IPv6?

          • Re: (Score:3, Informative)

            by Anonymous Coward

            With IPV6 you would be using your own public address internally, perfectly legitimate and no problem. The problem here is using someone elses public address internally. Among the minor gotchas, it becomes hard for your internal users to reach that external site, should they ever need to.

            Should you inadvertently start to advertise someone elses IP address to your ISP, they will probably and quite correctly shut you down.

            anonymous CCNP!

            • Perhaps I misunderstood parent, but he seemed to be making a blanket statement that the only acceptable internal IPs are RFC1918 addresses (which I assume he meant rather than the actual RFC1819, "Internet stream protocol").

              I was not saying that it is ok to use other people's public IPs (which I have seen, and railed about for the reasons you say), I was simply stating that NAT is not a requirement for security or access to the internet. Incidentally, your ISP wont generally shut you down; if you are NATti

              • by AK Marc (707885)

                Perhaps I misunderstood parent, but he seemed to be making a blanket statement that the only acceptable internal IPs are RFC1918 addresses (which I assume he meant rather than the actual RFC1819, "Internet stream protocol").

                This isn't a technical whitepaper. Read it as if he's right, and I read it as "Don't use someone else's IPs, ever." If you need IP addresses, and don't own your own, then you use private addresses and NAT. Well, and you could probably get away with 169.254.0.0/16, it's not RFC 1918, but it is private. And I've seen a number of private networks running 1.0.0.0, or 192.0.0.0 or 172.0.0.0 improperly.

          • by thegarbz (1787294)

            This thread is confusing a public IP as an IP that is supposed to be addressable to the internet with an IP address that is owned by yourself as a private entity.

            There's no reason why you shouldn't be able to use a publicly addressable IP address internally. Many companies which own big blocks do just this. The problem is when you use in your own network an IP address owned by someone else. This causes obvious problems i.e. if I use 8.8.8.x in my internal network and isolate it at the router I will have pro

        • Re:Hanlon's (Score:5, Interesting)

          by Anonymous Coward on Sunday March 24, 2013 @11:17PM (#43267221)

          I agree that it seems insane that a major bank would do this, however I've seen it in practice. A very major financial firm (who shall remain nameless) that I did some work for actually uses the public IP address range of the US dept. of defense as their internal IP space. It's never caused them any problems - since there's no need for them to connect to the US military, but it definitely left me and several colleagues scratching our heads when we first started looking at the network.

          • by AK Marc (707885)
            DOD? I worked some place that used 192.0.0.0/8, and I remember huachuca.army.mil being one of the collisions, so I'd guess it was someone using the 192.168.0.0 RFC 1918 range with the wrong mask. I saw it done at a multi-billion-dollar company as well. The guy who did it was still there, though I didn't know it when I ran the fuck-up up the pole and pissed of the manager of IT operations (the guy who did it).
        • I recently worked at a very large telco in a developing country almost all of whose internal networks were NOT private RFC1918 addresses.
          There were 3 blocks that they'd 'inherited' from the Korean company that had helped them get set up.
          There were blocks like 10.100.0.0 or 10.200.0.0, there were blocks like 192.169.0.0, there were blocks like 193.168.0.0 so clearly this was being done by people who were GUESSING about network addresses.

          The place was a gigantic retarded mess. And is one of the biggest telcos

          • Not sure you understand rfc1918, as 10/8 is listed right there as private IP space at the top of page 3... I mean the others are wrong unless bainbridge island recently became it's own country, but let's not confuse things more than they need to be!
            • Not sure you understand rfc1918, as 10/8 is listed right there as private IP space at the top of page 3... I mean the others are wrong unless bainbridge island recently became it's own country, but let's not confuse things more than they need to be!

              yes sorry you are right about 10.100

          • by cyfer2000 (548592)
            or maybe a typo.
        • by dissy (172727)

          Before the big IPv4 crunch the start of 2011, there used to be a pretty big number of /8 blocks listed as "reserved" by ARIN, with a last modified date of 1975. Something like 30+ of them.

          Quite a few people used such blocks as their internal addressing without ill effect up until the 2011 "IP crunch" when those blocks were finally allocated.

          I have to admit I did the same for my tiny home network too.
          From the mid 90s up until 2010 I was using the 42.x.x.x/8 space internally, however I did this with full kno

        • by AK Marc (707885)
          Yeah, but then what do you do when you work for a company with 192.168.0.0 merging with another company using the same range? Does it matter if they already both had 10.0.0.0 reserved and in use? It was painful, but NAT/DNS tricks can get you to map 172.16.0.0 for the other company's IPs (if you go to 192.168.1.12, you get your company's 192.168.1.12, if you go to 172.16.1.12, you get the other company's 192.168.1.12). It would have been easier if one of the two improperly used public addresses. As it i
          • by icebike (68054)

            Yeah, but then what do you do when you work for a company with 192.168.0.0 merging with another company using the same range? Does it matter if they already both had 10.0.0.0 reserved and in use?

            You are merging. Its time to do it right, as disruption is expected at this time.

            Back in the day, this was a tough nut to crack, but not anymore. I've actually had to do this a few times in my day job.

            If you have already NATed both sites (the most probable case), you simply look to your DHCP server, and manually fix any reservations that were made for things that need statics (an ever decreasing number of things these days), then simply revise the DHCP server to use a new range in 10.x.x. Do it at midnig

      • yes and no. sometimes on an internal network, they use private IPs, especially, with IPv4 exhaustion, they don't have an IP for every machine on the network, or they don't want most machines to be accessable directly from the outside. You can the use Network Addresss Translation(NAT), which has the router automaticly route incomming traffic to the right local IP.

        example, on your home network, you only get one IP per house, and all computers use it. Locally your hom network uses 192.168.0.something, and some
    • by vagn (2168)

      I inherited a site with the internal network at 192.X.0.0/16 a long time ago (can't remember what X was). It was set up by some vendor's consultants, I believe. It only became a problem when we finally got a network connection to the outside. Re-IPing the whole site was considered risky by TBTB. The only downside was thsat 192.X/16 was closed to them, which didn't matter since there was nothing in that block at the time. So, maybe it's like that. How old is this bank?

      • by PAjamian (679137)

        If it was 192.168.0.0/16 that's fine as it is reserved by RFC1918 for private use.

        • by vagn (2168)

          Point is, we didn't care what network numbers we had internally. Then one day we had to connect to the outside. I'm pretty sure that was happening all over.

          • Re:Hanlon's (Score:4, Interesting)

            by TwineLogic (1679802) on Monday March 25, 2013 @12:42AM (#43267617)
            Point is, PAjamian's comment went way over your head. If X=168, there was nothing wrong with the configuration. If you had trouble with it, that might be explained by this sequence of comments.
            • by AK Marc (707885)
              Yeah, but I've worked more than one place where 192.1.0.0/16 or 192.100.0.0/16 was in use, so I thought he was implying it was x != 168, because if it was 168, it wasn't interesting.
      • Thats nothing like whats describe here; while 192.X may not be assigned to you, traffic from the outside would not be able to directly address you since the ISP wont route that traffic to you.

        You could merrily assign 1.2.3.0 / 24 to your home network and it would work just fine as long as you NAT, and noone would be able to directly route to you.

      • Ours was 192.0.x.y. Took me about 5 years to finally get us swapped over to the 172.16.x.y - 172.31.x.y range. Seems like a lot of companies didn't grasp that only 192.168.x.y was valid for private use. The main reason we finally switched was that the old 254 address space was too small for our growing needs so we upgraded to a 2046 size address space.
    • The bank used public IP addresses (existing, used elsewhere) for their internal network? The one that designed that should be considered a bigger security threat that any current cyberattack.

      You realize that it is possible to firewall without NAT, right?

      You realize that a number of very well secured places use public IPs internally right?

      • by gmuslera (3436)

        There are a lot of things that could go very wrong using public IPs (that are being used actually) for internal networks. You eventually could want to access or send mail to one of those public IPs. Or if you have an internal site, the public IP could be used to deploy a fake site so if you try to connect from outside (i.e. dropped vpn connection) or inside (i.e. proxy to access outside). Or you have a firewall that enables certain internal IPs to access a resource that could be accessed from outside too. T

        • by chihowa (366380)

          For crying out loud. Could a bunch of computer geeks be any worse with consistent terminology??

          gmuslera: When you say "public IP", you're talking about using someone else's assigned IP addresses internally with NAT.

          LordLimecat was talking about not using NAT and using your own assigned IP addresses internally (securing your network with a firewall).

          Reading this discussion, where everyone is using their own definitions for words and nobody is reading anyone else's post for comprehension, is like listening to

        • Because when IPv6 comes out, all of your assumptions about "im safe if im non-routable" will go out the window along with NAT.

          Why spend all these years growing complacent on something thats similar-to-but-isnt security, when you can just deploy security?

          • by welshie (796807)
            er, IPv6 is already out. It's been out for years, and you don't have any of that silly NAT nonsense, and conflicting private address space. You just need to make sure that if you want to block incoming sessions, that you configure up a firewall that blocks incoming sessions by default, you'll get about the same half-baked security that NAT does for IPv4.
        • I just re-read your post; as chihowa pointed out, I was NOT saying "use someone elses public IPs".

          There are a number of organizations who have thousands of public IPs, and use them internally, without NAT. There is nothing inherently wrong with it, and it does not break the internet.

          Obviously you would be correct that it is idiotic to use someone else's public IPs, in all but the most niche circumstances.

          • by gmuslera (3436)
            As someone else already pointed out, the problem started that way, the 1.0.0.0/8 was in used by one of those organizations/reserved, and in 2009 or 2010 was given to APNIC to mitigate the ipv4 exhaustion problem, so it started to be "someone's else public IP". So something that wasn't inherently wrong became wrong, because happened things that were outside your control.
      • by mwvdlee (775178)

        Yes, we're all well aware that the Great Firewall of China is very well secured and uses public IP's internally.
        If, on the other hand, you want to communicate with the outside world, it wouldn't work quite so well.

      • You have no idea the number of technical people that cannot distinguish between NAT and a stateful firewall. They believe that the "obscurity" that NAT provides somehow provides actual security, rather than the fact that a NAT or PAT enabled router is necessarily operating as a stateful firewall and that is what's providing the security benefits of NAT. NAT appears secure and simple because the stateful firewall has a default allow for outgoing connections and default deny for incoming connections. NAT's

        • by AK Marc (707885)

          You have no idea the number of technical people that cannot distinguish between NAT and a stateful firewall.

          I remember when home routers were being sold as "firewalls" because they did NAT. There was no packet inspection, it was a firewall because it wouldn't forward packets in unless they looked like they belonged to a return for an outbound stream.

      • by AK Marc (707885)
        Yeah, but isn't it harder to hack a bank that uses 4.2.2.2 for their internal server address? You'll end up hacking a DNS server instead, right?
    • by lucm (889690)

      Saw the same thing once. I was setting up an intranet web server for a client (big telco in North America) and the IP address I was given was a public one. At first I figured they wanted to setup some kind of DMZ so I asked the network guy if they were planning on doing some kind of NAT but he said: no, it's internal only. Out of curiosity I ran a whois on the address and it belonged to an APNIC public block. I then noticed that my laptop was also getting an IP address in that range via DHCP.
      I was not there

    • Re:Hanlon's (Score:5, Informative)

      by Spazmania (174582) on Sunday March 24, 2013 @11:55PM (#43267407) Homepage

      Until a couple years ago, it was common practice to squat on 1.0.0.0/8 for internal use when 10.0.0.0/8 ran out. Then IANA allocated the space to APNIC which subsequently allocated most of it to China.

      • by gmuslera (3436)
        Ok, that make sense. Is not right, but at least didn't looked as a very bad idea some time ago, as some of those low ranges looked like internal networks for big companies (an actual list [wikipedia.org]). But using the standard, meant for internet networks ranges, is more future proof.
        • Hmm, looking through that list I was struck by this: 47.0.0.0/8 Bell-Northern Research 1991-01 1989-01-06 Bell-Northern Research, now absorbed into Nortel. Since Nortel is no more what happens with this address range? It should go back into the address range available for public use but has that happened?
    • My guess would be that the machine that launched the attack was simply spoofing its IP.

  • ntr (Score:2, Insightful)

    by shentino (1139071)

    Who wants to bet that China instigated some North Korean pressure to back off?

  • by Nanoda (591299) on Sunday March 24, 2013 @09:19PM (#43266695)

    On my home network, I use the private 24-bit block 10.x.x.x, in case I buy more than 16 million devices. Is the article saying that they decided to map public IPs they didn't own to internal devices? Notwithstanding the confusion such cases like the above would cause, this bank could conceivably leak banking data out to that Chinese ISP!

    All the articles I can find are equally uninformative.

    • Re: (Score:3, Insightful)

      by Narcocide (102829)

      Yes, you are right, whoever did this was not qualified to be setting up networks for their own personal use, much less production banking servers. Seems like the type of novice-level engineering mistake pretty typical of the hiring practices of the US IT industry lately, actually.

      Why pay me 150$/hour when there is some teenager who will feel lucky to get the gig for 10$? This is why.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      If I were to guess, the bank had an old assignment and used the addresses internally. Then they gave up the assignment and the addresses were reallocated to somebody in China, but the bank continued to use their assigned addresses internally.

    • by JASegler (2913)

      Unfortunately this isn't a huge shock to me. Back in the 90's I remember trying to hook up a fortune 500 company to the internet. They were using public IPs on their internal network.. They complained when I told them they had to readdress their network.. I even dug up the various RFCs, who owned the public blocks they were using, etc.

      There was actually a discussion along the lines of will we ever need to communicate with those companies? i.e. can we just ignore the problem.. In the end the argument that

      • by whoever57 (658626)
        I have seen this at a remote office of a former employer. I think they were using addresses that were allocated to Sun and I think that the reason they used those addresses was that Sun used them in their training. Somewhere in the 129.x.x.x range, if I am not mistaken.
    • by rwyoder (759998)

      On my home network, I use the private 24-bit block 10.x.x.x, in case I buy more than 16 million devices. Is the article saying that they decided to map public IPs they didn't own to internal devices? Notwithstanding the confusion such cases like the above would cause, this bank could conceivably leak banking data out to that Chinese ISP!

      All the articles I can find are equally uninformative.

      At at previous job we found some idiot had done this. We didn't know this until troubleshooting a complaint of not being able to reach a certain portion of the Internet. It really isn't a security issue, because a corporate network will first route to it's internal networks, and only if the destination is not internal will it fall back to the default route to the Internet. The default route will always have a shorter mask, therefore it will be the last chosen. The biggest problem is that doing this stup

      • It is a very bad security risk (especially for a bank) if for some reason that router starts trying to send that data outside. A simple misconfiguration could do it easily.

        Then all your secret internal bank data is being sent to the Chinese.

      • by chihowa (366380)

        It really isn't a security issue, because a corporate network will first route to it's internal networks, and only if the destination is not internal will it fall back to the default route to the Internet.

        In this day of phones, laptops, and other devices that enter and leave the network, it could be a real security issue, too. Leaving the network with hard-coded IPs for internal bank systems may leave software on the laptop connecting to (or blindly sending data to) the real owners of the IP addresses. Rejoining the network with a screwed up routing table may lead to the same situation from inside the bank network.

    • by linatux (63153)

      "an internal IP address from one of the banks that was infected by the malicious code" - not a lot of detail there, but perhaps the malware changed the address? Perhaps crap firewall rules (or compromised hardware) mean that address was capable of being externally managed?

      • I would no longer communicate with the rest of the network, I think they just used routable IPs internally...
    • by icebike (68054)

      this bank could conceivably leak banking data out to that Chinese ISP!

      This seems unlikely because their own router would prevent that, because it thinks those addresses are internal.
      However, something arriving from the outside from the REAL owner of that range would appear as a martian source, and not all routers handle this properly. Some log it and let it thru, others reject it. Its a mess.

    • If they did not own the IPs, one of two things would have happened.

      If they were NATting, it would function in most cases identically to using a private range. They would simply lose access to those IPs which they "hijacked". As their ISP would not route traffic to them, there would be no security threat and probably minor loss of functionality.

      If they were not NATting, noone would be able to reach them, nor would they be able to reach anyone else. No security threat; their ISP simply would drop incoming

  • Mod SK up! (Score:5, Interesting)

    by AmiMoJo (196126) * <mojo@world3. n e t> on Sunday March 24, 2013 @09:31PM (#43266761) Homepage

    How Mani other countries would admit this instead of just continuing to blame the big bad boogyman?

    • Yeah, but the problem is that every major news media out there has reported that it came from China and the awful ones (most) a) stated as a fact b) won't update the news because it doesn't have as much appeal.

    • "Boogeyman" implies a threat that doesn't exist. China certainly is engaging in hacking and has a long track record of doing so. Are you a denialist?
      • by mwvdlee (775178)

        Do you deny that China was innocent in this particular attack? Are you a denialist?

    • Yeah, this is probably also why the US military keeps complaining about Chinese hackers...
  • So who is the joker that configured that bank's system? They probably have many other issues.
  • You know, someone keeps calling her saying he will kill her? And then the police trace the call to find that it is coming from inside the house?

    "Get out of the house, the calls are coming from upstairs!"

    In this case, they have traced the attacks to be coming from IP address 127.0.0.1

  • What.. are 17.8m raw reserved LAN IP addresses not enough? Hell.. I bet even the PR dept. in the US knows how to subnet. I'll just leave this here.. : http://www.youtube.com/watch?v=EYWZZlVlFb4 [youtube.com]
  • As much as techies would love to believe that some other techie made a monumental error, it is more likely that this is a by-product of the attack. Either politically, to shift the blame or just plain and simple messing with network to make things harder to trace.

To write good code is a worthy challenge, and a source of civilized delight. -- stolen and paraphrased from William Safire

Working...