South Korea Backtracks On China As Source of Cyberattack
hackingbear writes "The suspected cyberattack that struck South Korean banks and media companies this week didn't originate from a Chinese IP address, South Korean officials said Friday, contradicting their previous claim. The Korea Communications Commission said that after 'detailed analysis,' the IP address used in the attack is the bank's internal IP address — which is, coincidentally, identical to a Chinese ISP's address, among the 2^32 address space available."
Hanlon's (Score:5, Insightful)
The bank used public IP addresses (existing, used elsewhere) for their internal network? The one that designed that should be considered a bigger security threat than any current cyberattack.
BTW, the CNN editorial "Why cyber attacks threaten our freedom [cnn.com]" is another piece of art of more or less the same magnitude. I'd say that is on a par with this one [dailymail.co.uk]
Re: (Score:3)
In an Intranet that isn't the case. However, the bank really failed if it wasn't using subnets allocated for private use...
Re: (Score:1)
Not really. Probably due to some organisational and political reason they exhausted all available private space... so they assigned some random block for private use. Not saying that it's good, but I can understand that.
Re:Hanlon's (Score:5, Informative)
Define "exhausted all private address space"?
In just the 10 block alone there are 16,777,216 addresses. This bank isn't that big.
Re: (Score:2)
They may however need wide subnets for some administrative reason. IPs are rarely assigned on single basis inside a large corporate network. Usually they're split in blocks of various sizes which are given to various parts of the corporation.
In this case, corporation probably grew out of the old system at some point, and instead of having to reconfigure everything they just added a public block as a private one on their own intranet. It's not impossible, but it's definitely not the wisest approach.
Re: (Score:2)
That'd still show poor IT management. I can imagine you want to spare some addresses for potential future growth (making your subnets say 3-4 bits wider than necessary), but if you run out of a complete A-class network you're definitely doing something wrong.
Re: (Score:3)
Well, they mapped non-private addresses to intranet machines. So I think we're past the question "were they doing something wrong" here.
Re: (Score:1)
Well, they mapped non-private addresses to intranet machines. So I think we're past the question "were they doing something wrong" here.
You're assuming that's what they did. I find it more likely that whoever got into the network was spoofing addresses or just flat out tampering with log data, as opposed to them using non RFC1918 space for internal network purposes. Or perhaps that was actually part of the hack.
But no, there's nothing fundamentally wrong with using non RFC1918 space on a network which is never supposed to be able to reach the Public Internet. In fact, if you are careful to select address space which is not yours, not only w
Re: (Score:2)
Yes, that, and I thought I saw on Fark a week ago that one of the supposed "cyberattacks" was just some internal machine with an outdated antivirus. But maybe it was just one of those snark-to-be-true headlines that happen to fluke sometimes.
But yeah, let's go to war over our own incompetence.
Wide subnets (Score:1)
Then maybe they should look at using something other than a /24. Usually this is just laziness, where it's easier/more-convenient to assign a /24 to every little unit. There is an advantage in that it's easier to read the addresses, but this comes at the drawback of using up private address-space much quicker.
Using public address-space for private subnets is just an overall terrible idea. A mis-configured firewall, change-over of gear with default settings, routing issue, or any number of things and you hav
Re: (Score:3)
I'm not the one making these decisions. I'm merely trying to figure out WHY someone would do something described in the article.
why (Score:1)
Because they were lazy/incompetent?
Re: (Score:3)
Thank you captain obvious! :D
Re:Hanlon's (Score:5, Insightful)
They are supposed to be.
But read what gmusiera said in his first sentence.
For your internal address (inside your router), you typically use a Private Network Address [wikipedia.org] from one of the common ranges specifically set aside for this per RFC 1819.
This bank instead chose a public address range that was not theirs and used that as their private range. You can get away with this in a NAT situation, because only YOUR OWN ROUTER knows about this.
But it is monumentally dumb to do this.
I've seen noob admins do this in the past just to avoid an RFC1819 address space internally, usually as a means to avoid a routing error that they didn't understand. It's never justified. And there are security implications and mind-bogglingly hard to figure out routing errors if you have to actually deal with the real owner of the address space.
Re:Hanlon's (Score:4, Informative)
It's RFC 1918...
They will grab your geek card on the way out.
Re:Hanlon's (Score:4, Funny)
DOH! Can I get a pass for being lisdexic?
Re: (Score:3)
on
Re: (Score:2)
I've seen noob admins do this in the past just to avoid an RFC1819 address space internally, usually as a means to avoid a routing error that they didn't understand. It's never justified.
Please explain why it is never justified to use a public IP internally.
What, exactly, do you suppose we're shooting for with IPv6?
Re: (Score:3, Informative)
With IPv6 you would be using your own public address internally, perfectly legitimate and no problem. The problem here is using someone else's public address internally. Among the minor gotchas, it becomes hard for your internal users to reach that external site, should they ever need to.
Should you inadvertently start to advertise someone else's IP address to your ISP, they will probably and quite correctly shut you down.
anonymous CCNP!
Re: (Score:2)
Perhaps I misunderstood parent, but he seemed to be making a blanket statement that the only acceptable internal IPs are RFC1918 addresses (which I assume he meant rather than the actual RFC1819, "Internet stream protocol").
I was not saying that it is ok to use other people's public IPs (which I have seen, and railed about for the reasons you say), I was simply stating that NAT is not a requirement for security or access to the internet. Incidentally, your ISP won't generally shut you down; if you are NATti
Re: (Score:2)
Perhaps I misunderstood parent, but he seemed to be making a blanket statement that the only acceptable internal IPs are RFC1918 addresses (which I assume he meant rather than the actual RFC1819, "Internet stream protocol").
This isn't a technical whitepaper. Read it as if he's right, and I read it as "Don't use someone else's IPs, ever." If you need IP addresses, and don't own your own, then you use private addresses and NAT. Well, and you could probably get away with 169.254.0.0/16, it's not RFC 1918, but it is private. And I've seen a number of private networks running 1.0.0.0, or 192.0.0.0 or 172.0.0.0 improperly.
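The ranges thrown around in this thread (169.254.0.0/16, 1.0.0.0, 192.0.0.0, 172.0.0.0, and the 192.169 / 193.168 / 100.10 blocks mentioned further down) are exactly the kind of thing that gets mis-remembered, so here is a small checker. It is an added example, not code from the article or from anyone in the thread; the block list it audits is constructed for illustration and the /8 and /16 masks on the addresses quoted without one are assumed.

```python
import ipaddress

# Space that is legitimately usable on a network that is not routed on the
# public Internet: the three RFC 1918 blocks, plus the 169.254.0.0/16
# link-local range and loopback, which are also never globally routed.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def classify(addr):
    """Label a single IPv4 address or a CIDR block.

    A block is checked as a whole, so 192.0.0.0/8 is reported as public even
    though it contains 192.168.0.0/16: most of it belongs to other people.
    """
    net = ipaddress.ip_network(addr, strict=False)   # "1.2.3.4" -> 1.2.3.4/32
    if net.subnet_of(LOOPBACK):
        return "loopback"
    if net.subnet_of(LINK_LOCAL):
        return "link-local (not RFC 1918, but never routed either)"
    if any(net.subnet_of(p) for p in RFC1918):
        return "RFC 1918 private"
    return "public: somebody else's allocation unless it is yours"


def audit(blocks):
    """Return the entries of `blocks` that are not safe to use as internal space."""
    return [b for b in blocks if classify(b).startswith("public")]


# Constructed list of the blocks people in this thread said they have seen;
# masks are assumed where the post gave none.
SEEN_IN_THREAD = [
    "10.100.0.0/16", "192.169.0.0/16", "193.168.0.0/16", "100.10.0.0/16",
    "1.0.0.0/8", "192.0.0.0/8", "172.0.0.0/8", "169.254.0.0/16",
]

if __name__ == "__main__":
    for block in SEEN_IN_THREAD:
        print(f"{block:18} {classify(block)}")
    print("not safe for internal use:", audit(SEEN_IN_THREAD))
```

Note that 172.0.0.0/8 comes back public: the private block is 172.16.0.0/12 (172.16.0.0 through 172.31.255.255), not all of 172.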
Re: (Score:3)
This thread is confusing a public IP as an IP that is supposed to be addressable to the internet with an IP address that is owned by yourself as a private entity.
There's no reason why you shouldn't be able to use a publicly addressable IP address internally. Many companies which own big blocks do just this. The problem is when you use in your own network an IP address owned by someone else. This causes obvious problems i.e. if I use 8.8.8.x in my internal network and isolate it at the router I will have pro
Re:Hanlon's (Score:5, Interesting)
I agree that it seems insane that a major bank would do this, however I've seen it in practice. A very major financial firm (who shall remain nameless) that I did some work for actually uses the public IP address range of the US dept. of defense as their internal IP space. It's never caused them any problems - since there's no need for them to connect to the US military, but it definitely left me and several colleagues scratching our heads when we first started looking at the network.
Re: (Score:2)
I recently worked at a very large telco in a developing country almost all of whose internal networks were NOT private RFC1918 addresses.
There were 3 blocks that they'd 'inherited' from the Korean company that had helped them get set up.
There were blocks like 10.100.0.0 or 10.200.0.0, there were blocks like 192.169.0.0, there were blocks like 193.168.0.0 so clearly this was being done by people who were GUESSING about network addresses.
The place was a gigantic retarded mess. And is one of the biggest telcos
Re: (Score:2)
Not sure you understand RFC 1918, as 10/8 is listed right there as private IP space at the top of page 3... I mean the others are wrong unless Bainbridge Island recently became its own country, but let's not confuse things more than they need to be!
yes sorry you are right about 10.100
Re: (Score:2)
I went over the report I wrote, it was 100.10.0.0 that they were using as well as 100.20.0.0 etc
Re: (Score:3)
Before the big IPv4 crunch the start of 2011, there used to be a pretty big number of /8 blocks listed as "reserved" by ARIN, with a last modified date of 1975. Something like 30+ of them.
Quite a few people used such blocks as their internal addressing without ill effect up until the 2011 "IP crunch" when those blocks were finally allocated.
I have to admit I did the same for my tiny home network too.
From the mid 90s up until 2010 I was using the 42.x.x.x/8 space internally, however I did this with full kno
Re: (Score:2)
Yeah, but then what do you do when you work for a company with 192.168.0.0 merging with another company using the same range? Does it matter if they already both had 10.0.0.0 reserved and in use?
You are merging. It's time to do it right, as disruption is expected at this time.
Back in the day, this was a tough nut to crack, but not anymore. I've actually had to do this a few times in my day job.
If you have already NATed both sites (the most probable case), you simply look to your DHCP server, and manually fix any reservations that were made for things that need statics (an ever decreasing number of things these days), then simply revise the DHCP server to use a new range in 10.x.x. Do it at midnig
Re: (Score:2)
example, on your home network, you only get one IP per house, and all computers use it. Locally your home network uses 192.168.0.something, and some
Re: (Score:1)
I inherited a site with the internal network at 192.X.0.0/16 a long time ago (can't remember what X was). It was set up by some vendor's consultants, I believe. It only became a problem when we finally got a network connection to the outside. Re-IPing the whole site was considered risky by TBTB. The only downside was that 192.X/16 was closed to them, which didn't matter since there was nothing in that block at the time. So, maybe it's like that. How old is this bank?
Re: (Score:3)
If it was 192.168.0.0/16 that's fine as it is reserved by RFC1918 for private use.
Re: (Score:1)
Point is, we didn't care what network numbers we had internally. Then one day we had to connect to the outside. I'm pretty sure that was happening all over.
Re: (Score:2)
That's nothing like what's described here; while 192.X may not be assigned to you, traffic from the outside would not be able to directly address you since the ISP won't route that traffic to you.
You could merrily assign 1.2.3.0/24 to your home network and it would work just fine as long as you NAT, and no one would be able to directly route to you.
Re: (Score:3)
The bank used public IP addresses (existing, used elsewhere) for their internal network? The one that designed that should be considered a bigger security threat than any current cyberattack.
You realize that it is possible to firewall without NAT, right?
You realize that a number of very well secured places use public IPs internally right?
Re: (Score:3)
There are a lot of things that could go very wrong using public IPs (that are being used actually) for internal networks. You eventually could want to access or send mail to one of those public IPs. Or if you have an internal site, the public IP could be used to deploy a fake site so if you try to connect from outside (i.e. dropped vpn connection) or inside (i.e. proxy to access outside). Or you have a firewall that enables certain internal IPs to access a resource that could be accessed from outside too. T
Re: (Score:2)
For crying out loud. Could a bunch of computer geeks be any worse with consistent terminology??
gmuslera: When you say "public IP", you're talking about using someone else's assigned IP addresses internally with NAT.
LordLimecat was talking about not using NAT and using your own assigned IP addresses internally (securing your network with a firewall).
Reading this discussion, where everyone is using their own definitions for words and nobody is reading anyone else's post for comprehension, is like listening to
Re: (Score:2)
Because when IPv6 comes out, all of your assumptions about "I'm safe if I'm non-routable" will go out the window along with NAT.
Why spend all these years growing complacent on something that's similar-to-but-isn't security, when you can just deploy security?
Re: (Score:2)
I just re-read your post; as chihowa pointed out, I was NOT saying "use someone else's public IPs".
There are a number of organizations who have thousands of public IPs, and use them internally, without NAT. There is nothing inherently wrong with it, and it does not break the internet.
Obviously you would be correct that it is idiotic to use someone else's public IPs, in all but the most niche circumstances.
Re: (Score:2)
Yes, we're all well aware that the Great Firewall of China is very well secured and uses public IPs internally.
If, on the other hand, you want to communicate with the outside world, it wouldn't work quite so well.
Re: (Score:2)
If you're using your own public IPs, it works just fine.
Re: (Score:2)
You have no idea the number of technical people that cannot distinguish between NAT and a stateful firewall. They believe that the "obscurity" that NAT provides somehow provides actual security, rather than the fact that a NAT or PAT enabled router is necessarily operating as a stateful firewall and that is what's providing the security benefits of NAT. NAT appears secure and simple because the stateful firewall has a default allow for outgoing connections and default deny for incoming connections. NAT's
Re: (Score:2)
You have no idea the number of technical people that cannot distinguish between NAT and a stateful firewall.
I remember when home routers were being sold as "firewalls" because they did NAT. There was no packet inspection, it was a firewall because it wouldn't forward packets in unless they looked like they belonged to a return for an outbound stream.
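The distinction the two posts above draw, that the security people attribute to NAT is really the connection tracking of a stateful filter, is easy to show in code. This is an added example, not something from the article or from anyone in the thread: a toy stateful firewall that records outbound flows and admits inbound packets only when they answer one, with no address rewriting at all. The inside prefixes and the packets are constructed; the inside network here is deliberately a public (documentation) range to show that the policy does not care whether the inside is RFC 1918 or not.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Connection-tracking filter at the border.

    Policy: default allow for inside -> outside, default deny for
    outside -> inside unless the packet matches a flow the inside opened.
    No translation happens, so the same rules work with RFC 1918 space or
    with your own public allocation on the inside.
    """

    def __init__(self, inside_networks):
        self.inside = [ipaddress.ip_network(n) for n in inside_networks]
        # Recorded flows: (inside addr, inside port, outside addr, outside port)
        self.flows = set()

    def _is_inside(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.inside)

    def filter(self, pkt):
        """Return 'allow' or 'drop' for one packet and update the flow table."""
        src_in, dst_in = self._is_inside(pkt.src), self._is_inside(pkt.dst)
        if src_in and not dst_in:
            # Outbound: record the flow so the reply can come back.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if dst_in and not src_in:
            # Inbound: only replies to something we already sent out.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return "allow"
            return "drop"
        # Does not cross the border; not this device's decision.
        return "allow"


if __name__ == "__main__":
    # Constructed: a site whose inside is the public documentation range
    # 198.51.100.0/24, talking to a server at 203.0.113.5. No NAT anywhere.
    fw = StatefulFirewall(["198.51.100.0/24"])
    print(fw.filter(Packet("198.51.100.10", 40000, "203.0.113.5", 443)))  # allow (opens flow)
    print(fw.filter(Packet("203.0.113.5", 443, "198.51.100.10", 40000)))  # allow (reply)
    print(fw.filter(Packet("203.0.113.9", 12345, "198.51.100.10", 22)))   # drop (unsolicited)
```

The NAT-only router in the post above behaves the same way for the inbound case, but only as a side effect of having nowhere to deliver an unsolicited packet; the stateful table is what actually makes the decision.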
Re: (Score:2)
Saw the same thing once. I was setting up an intranet web server for a client (big telco in North America) and the IP address I was given was a public one. At first I figured they wanted to set up some kind of DMZ so I asked the network guy if they were planning on doing some kind of NAT but he said: no, it's internal only. Out of curiosity I ran a whois on the address and it belonged to an APNIC public block. I then noticed that my laptop was also getting an IP address in that range via DHCP.
I was not there
Re:Hanlon's (Score:5, Informative)
Until a couple years ago, it was common practice to squat on 1.0.0.0/8 for internal use when 10.0.0.0/8 ran out. Then IANA allocated the space to APNIC which subsequently allocated most of it to China.
Re: (Score:2)
My guess would be that the machine that launched the attack was simply spoofing its IP.
ntr (Score:2, Insightful)
Who wants to bet that China instigated some North Korean pressure to back off?
I... don't understand this at all. (Score:4, Interesting)
On my home network, I use the private 24-bit block 10.x.x.x, in case I buy more than 16 million devices. Is the article saying that they decided to map public IPs they didn't own to internal devices? Notwithstanding the confusion such cases like the above would cause, this bank could conceivably leak banking data out to that Chinese ISP!
All the articles I can find are equally uninformative.
Re: (Score:3, Insightful)
Yes, you are right, whoever did this was not qualified to be setting up networks for their own personal use, much less production banking servers. Seems like the type of novice-level engineering mistake pretty typical of the hiring practices of the US IT industry lately, actually.
Why pay me $150/hour when there is some teenager who will feel lucky to get the gig for $10? This is why.
Re: (Score:2)
When the problem has caused your business to lose work, or some other equally conceivable problem.. then it definitely hasn't cost less than $140.
In the worst case, your teenager might almost start a war with China.
Re: (Score:2, Interesting)
If I were to guess, the bank had an old assignment and used the addresses internally. Then they gave up the assignment and the addresses were reallocated to somebody in China, but the bank continued to use their assigned addresses internally.
Re: (Score:3)
Unfortunately this isn't a huge shock to me. Back in the 90's I remember trying to hook up a fortune 500 company to the internet. They were using public IPs on their internal network.. They complained when I told them they had to readdress their network.. I even dug up the various RFCs, who owned the public blocks they were using, etc.
There was actually a discussion along the lines of will we ever need to communicate with those companies? i.e. can we just ignore the problem.. In the end the argument that
Re: (Score:3)
On my home network, I use the private 24-bit block 10.x.x.x, in case I buy more than 16 million devices. Is the article saying that they decided to map public IPs they didn't own to internal devices? Notwithstanding the confusion such cases like the above would cause, this bank could conceivably leak banking data out to that Chinese ISP!
All the articles I can find are equally uninformative.
At a previous job we found some idiot had done this. We didn't know this until troubleshooting a complaint of not being able to reach a certain portion of the Internet. It really isn't a security issue, because a corporate network will first route to its internal networks, and only if the destination is not internal will it fall back to the default route to the Internet. The default route will always have a shorter mask, therefore it will be the last chosen. The biggest problem is that doing this stup
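The longest-prefix-match behaviour described above is worth seeing in a few lines, including the failure case raised below (the internal route going away and the traffic following the default route out). This is an added example, not code from the article or from anyone in the thread; the squatted block 1.2.0.0/16, the next-hop names and the documentation range used as a DMZ are all constructed.

```python
import ipaddress


class RoutingTable:
    """Minimal IPv4 forwarding table using longest-prefix match."""

    def __init__(self):
        self.routes = []   # list of (network, next_hop)

    def add(self, cidr, next_hop):
        self.routes.append((ipaddress.ip_network(cidr), next_hop))

    def remove(self, cidr):
        net = ipaddress.ip_network(cidr)
        self.routes = [(n, h) for n, h in self.routes if n != net]

    def lookup(self, dst):
        """Return the next hop for `dst`, preferring the most specific route.

        0.0.0.0/0 has prefix length 0, so it loses to any other matching
        entry and is only used when nothing more specific exists.
        """
        addr = ipaddress.ip_address(dst)
        best = None
        for net, hop in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None


def build_bank_router():
    """Constructed table for a site that squats on a public /16 internally."""
    rt = RoutingTable()
    rt.add("10.0.0.0/8", "core-switch")        # proper RFC 1918 space
    rt.add("1.2.0.0/16", "core-switch")        # public block that is not ours (constructed)
    rt.add("203.0.113.0/24", "dmz")            # documentation range standing in for a DMZ
    rt.add("0.0.0.0/0", "isp-uplink")          # default route, shortest mask
    return rt


if __name__ == "__main__":
    rt = build_bank_router()
    print(rt.lookup("1.2.3.4"))     # core-switch: the real owner of 1.2.3.4 is unreachable
    print(rt.lookup("8.8.8.8"))     # isp-uplink
    # The misconfiguration case: someone removes the internal 1.2.0.0/16 route.
    rt.remove("1.2.0.0/16")
    print(rt.lookup("1.2.3.4"))     # isp-uplink: "internal" traffic now heads for the real owner
```

With the internal route present the squatted block simply shadows the real one, which is the reachability complaint in the post. Once that route is gone, any host still configured with a 1.2.x.x address for an internal service is sent towards the legitimate owner of the block.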
Re: (Score:2)
It is a very bad security risk (especially for a bank) if for some reason that router starts trying to send that data outside. A simple misconfiguration could do it easily.
Then all your secret internal bank data is being sent to the Chinese.
Re: (Score:2)
It really isn't a security issue, because a corporate network will first route to its internal networks, and only if the destination is not internal will it fall back to the default route to the Internet.
In this day of phones, laptops, and other devices that enter and leave the network, it could be a real security issue, too. Leaving the network with hard-coded IPs for internal bank systems may leave software on the laptop connecting to (or blindly sending data to) the real owners of the IP addresses. Rejoining the network with a screwed up routing table may lead to the same situation from inside the bank network.
Re: (Score:2)
"an internal IP address from one of the banks that was infected by the malicious code" - not a lot of detail there, but perhaps the malware changed the address? Perhaps crap firewall rules (or compromised hardware) mean that address was capable of being externally managed?
Re: (Score:2)
this bank could conceivably leak banking data out to that Chinese ISP!
This seems unlikely because their own router would prevent that, because it thinks those addresses are internal.
However, something arriving from the outside from the REAL owner of that range would appear as a martian source, and not all routers handle this properly. Some log it and let it thru, others reject it. It's a mess.
Re: (Score:2)
If they did not own the IPs, one of two things would have happened.
If they were NATting, it would function in most cases identically to using a private range. They would simply lose access to those IPs which they "hijacked". As their ISP would not route traffic to them, there would be no security threat and probably minor loss of functionality.
If they were not NATting, no one would be able to reach them, nor would they be able to reach anyone else. No security threat; their ISP simply would drop incoming
Mod SK up! (Score:5, Interesting)
How many other countries would admit this instead of just continuing to blame the big bad boogeyman?
Re: (Score:3)
Yeah, but the problem is that every major news media out there has reported that it came from China and the awful ones (most) a) stated as a fact b) won't update the news because it doesn't have as much appeal.
Re: (Score:2)
Do you deny that China was innocent in this particular attack? Are you a denialist?
Re: (Score:2)
Now we need a superhero who goes and fixes issues like this. We can call him NATman.
Re: (Score:2)
Fighting the evil villain Mister MxyzIPtlk? (http://en.wikipedia.org/wiki/Mister_Mxyzptlk)
Re: (Score:2)
He should be easier to get rid of. Maybe make his Achilles heel a tomato [polarcloud.com] or something. He could also be attracted to Cheetos dust but that might make him too easy. His signature "move" could be altering the keyboard layout to Dvorak or something. Next we'll need an artist. Also a writer 'cause I suck at it.
It's the old babysitter crank call ghost story (Score:2)
You know, someone keeps calling her saying he will kill her? And then the police trace the call to find that it is coming from inside the house?
"Get out of the house, the calls are coming from upstairs!"
In this case, they have traced the attacks to be coming from IP address 127.0.0.1
Re: (Score:2)
Uhh - the article suggests that the attack has been traced to a bank's own IP address. That doesn't seem to suggest the bank's IT department made some stupid mistake. To me, it sounds like that bank's server was compromised, then used to make the attack. Further investigation of that machine may demonstrate that it was an inside job, done by someone with physical access to that machine. Or, that NK or China accessed the machine via the internet. At this point, it's anyone's guess.
Re: (Score:2)
They traced it back to an internal IP that happened to be the same as some public IP.
Surely an IT department has to be rather stupid if they managed to do this
Re: (Score:2)
Err wtf? There is no 2^64 address space and we have been moving to 2^128 for over a decade already.
Re: (Score:2)
My Dear Friend, I have it on good authority that Natalie and her father had EVERYthing to do with your Internets.