
Comment Re:Squirrels spread their attacks conveniently (Score 1) 138

At the nation state level, I don't think it operates the same way. That is, I don't think they rely on a few dumb operators. Looking at what the NSA does, they're able to attack the supply lines and send you pre-compromised hardware. They have advanced exfiltration systems that don't need to touch your network at all. They have malware that cannot be decrypted by any machine other than the target that makes you think there's nothing wrong. It's also custom, just for you, so AV programs aren't going to see it.

Those statements are mostly true, but only to a certain extent.

The APT teams aren't operating at a nation-state level. They are nation-state funded, but they're still operating more like an experiment, mostly due to the lack of available expertise in the field. Think more along the lines of the Manhattan Project. A very small number of people are doing the real work, and a lot of people figuring out how to apply this new weapon strategically.

Yes, the intelligence agencies have lots of fancy tools, and they're shared among the APT teams as needed, but usually the attacks are boring script-kiddy stuff. Most of the time, pass-the-hash and Word macros will get the job done, so there's no reason to risk exposing the elite tools and zero-day vulnerabilities.

I know they labeled the DNC hack as an APT, but it appears to be an ordinary criminal gang. It simply doesn't match the profile of nation state level attacks. They want long-term access without getting caught. Sending an email like the one to Podesta got someone ~2 days of access, as best we can tell. Enough to download a few emails, only to end up locked out. When nation states do spear phishing, they have a custom written piece of malware disguised as a legitimate attachment. It won't be noticed by any AV programs. They will use that to make sure they have long-term access to your systems.

The Podesta hack and the DNC hacks were separate events, by related teams. They used different tactics, but shared some (but not all) infrastructure. Both teams were involved in the DNC hack, but apparently weren't aware of each other's presence, since they'd attack servers that the other team had already penetrated.

In the DNC hack, they did have long-term access. One group had been active on the network for over a year, and the other was sloppier, and was detected after only a month of activity.

The Podesta attack wasn't particularly specialized. It was a wide attack using automated tools. There was no attachment, just a link to a URL that wouldn't be caught by the spam filter. There was nothing downloaded from the phishing site, either. It just decrypted the Base64-encoded parameter in the emailed URL, and displayed that. Again, don't fall into the mental trap that nation-state attacks must be highly-sophisticated next-generation hacks. In hacking, if it's stupid and it works, then it isn't stupid.

They just don't operate the same way because they don't have the same goals. It's not like Russia is the only possible culprit here, either.

Russia isn't the only possible culprit, but they are the only likely culprit. Their same infrastructure ( account, phishing site host, and mail-sending botnet) had previously been used to attack 1800 accounts in 2015. Those accounts were overwhelmingly non-Russian military personnel. There's a great analysis of the hack by pwnallthethings on Twitter. I highly recommend expanding the thread and reading.

As for goals, the goal is simple: Gather any useful access. Hacking Podesta's email was probably a lucky stroke for the attackers, but they were more likely looking for anything useful. If not Podesta, then someone else might have made a good victim. If they got someone's account, but it wasn't particularly useful at the time, they don't care. The automated tool is cheap and easy to run. In fact, the campaign that hit Podesta targeted around 4,000 GMail accounts over the course of eight months.

I wouldn't be surprised if they had hacked such a soft, juicy target like this--no doubt along with many other countries--but it seems like a crazy risk. There was nothing in there that looked like it would sway the election. So why risk all those state sanctions on a long-shot like Trump?

The sanctions are an interesting development, as they're the most severe repercussions we've seen yet for a hack. I expect the same phishing emails went out to hundreds or thousands of government officials, and Podesta happened to be the one that took the bait. No, none of his leaked messages were particularly damaging, but it's probably the best that the attackers got. To use their information to possibly get an ally in the White House is worth a risk, especially if they didn't expect the sanctions. Without the sanctions on the table, if their favored candidate lost the race, it didn't really cost them anything to try.
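The mechanism the comment describes (a phishing link that carries the recipient's address as a Base64-encoded URL parameter, which the landing page decodes and shows back to the visitor) is something an analyst can check for when triaging a suspicious link. The following is an added example, not code from the original post; the URL is constructed for illustration and the parameter name `u` is an assumption.

```python
import base64
import re
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample link (not a real phishing URL): the recipient's address is
# carried as a URL-safe, unpadded Base64 query parameter named "u" (assumed name).
SAMPLE_URL = "https://example.invalid/login?u=" + (
    base64.urlsafe_b64encode(b"j.doe@example.org").decode("ascii").rstrip("=")
)

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_b64_param(value: str) -> Optional[str]:
    """Decode a Base64 value that may use the URL-safe alphabet and may lack
    padding. Returns the decoded text, or None if the value is not Base64 text."""
    padded = value + "=" * (-len(value) % 4)  # restore any stripped '=' padding
    try:
        raw = base64.urlsafe_b64decode(padded)  # also accepts '+' and '/'
        text = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text.isprintable() else None


def find_encoded_identifiers(url: str) -> Dict[str, str]:
    """Return {parameter: decoded value} for every query parameter whose
    Base64 decoding looks like an e-mail address, i.e. a pre-filled victim id."""
    found: Dict[str, str] = {}
    for name, values in parse_qs(urlparse(url).query).items():
        for value in values:
            decoded = decode_b64_param(value)
            if decoded is not None and EMAIL_RE.match(decoded):
                found[name] = decoded
    return found


if __name__ == "__main__":
    print(find_encoded_identifiers(SAMPLE_URL))  # {'u': 'j.doe@example.org'}
```

A link whose query string decodes to the recipient's own address is a strong triage signal that the mail was part of a per-recipient campaign rather than a generic spam run, which is exactly the kind of automated, bulk-sent-but-personalised lure described above.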

Comment Re:I'M OUTRAGED!! Oh wait, no I'm not. (Score 2) 411

This is Slashdot. We light hair on fire every time anybody sneezes in a way we don't like. Of course, you could always read the bill itself.

It actually does look pretty bad for renewable fuel efforts. I don't see any obvious loopholes, and it effectively imposes a tax on renewable energy by 1 cent per kWh, that the utilities can't pass on to customers. Pretty much, the only way to run a renewable energy installation in Wyoming is to pay for a nonrenewable energy facility somewhere outside the state, or make sure all of your energy is going out of the state.

Comment Re:Squirrels spread their attacks conveniently (Score 1) 138

I apologize for the length of these posts... Weekends get boring, and I tend to ramble about these things.

It doesn't really take much. For a nation-state attacker, it takes almost no resources in comparison to a foreign-based physical operation.

First, understand that there are two different kinds of attacks being discussed here. The DNC hack was a general APT penetration, while attacks on SCADA systems (like Stuxnet) are usually more targeted and require more expert knowledge. Since they work hand-in-hand, I'll describe a mix of the two in a major hypothetical attack.

Let's suppose Strong Badia wants to attack Elbonia. Strong Badia first launches a campaign against several technology companies in Lower Slobbovia, with phishing bait emails trying to get internal credentials. They use those credentials to compromise public-facing servers, and use those servers to launch more attacks against Elbonian companies. That second round of attacks looks like it comes from Lower Slobbovia, so it's more difficult to investigate. This multi-stage effort relies on automated tools (available for a few thousand dollars) to exploit common software. Since the phishing mails are sent in bulk and do indeed rely on luck to get hits, they're automated for scale. They can be run by one social engineer working part time, who usually just needs to wait until he gets a few particularly useful credentials.

With credentials in hand, Strong Badia turns to making their presence persistent. A small number of experts (two or three, even) establish more permanent access credentials, and plant malware that they can use to restore access if it's ever disrupted. This effort is targeted to a specific network infrastructure, but again most of the tools are automated. This time, they aren't automated for scale, but rather to hide their presence better. Attack packages can be uploaded and held, hiding their traffic from monitoring systems. Again, this is only a couple of people to decide which servers (and users) are worth attacking and map out the Elbonian network.

In the case of the DNC hack, that was about all that happened. The attackers gained access to the DNC, became persistent, and copied out documents. As I recall, there is evidence (in writing style, level of expertise, and preferred attack patterns) that the DNC hack had up to a dozen operatives. Other attacks get more complicated.

If a target is "special", it might need a more customized approach. For the sake of analogy, this is the point in the heist movie where the crew realizes that the bank's security is something new, and they need to recruit that quirky specialist to get the job done. They'll go out and buy a copy of the bank's vault, posing as a wealthy individual who just has to have the best protection for their widgets. Similarly, in our hypothetical attack, this is where Strong Badia claims they need the latest and greatest in Elbonian technology, and purchases a SCADA system just like what their target has. While the purchase of such equipment does indeed take some effort, I don't count it as part of the attacking force. The purchasers would likely think they're actually purchasing equipment for a legitimate construction project, so it's a little unfair to count them against the trained spies.

With equipment, an expert in that system (our fourth Strong Badian team member) can begin reverse-engineering it to find new zero-day vulnerabilities, and perhaps with the aid of another Strong Badian, he can turn it into a malware package for that target.

That malware can then be handed back to the APT team, who have the understanding of the Elbonian bureaucracy. They can create fake problem reports that require a call to tech support, and the social engineer can assist in making it seem legitimate. To jump an airgap, they might need a participant in Elbonia, but that could be a simple matter of attacking the Elbonian support subcontractor in a similar manner, and such an attack could be executed by the very same five-man band.

What's sarcastically great about APTs is that they can wait. Unlike saboteur employees, they don't have to show up to work every day. While their SCADA expert is working on the malware kit, the social engineer is phishing the technician contractor, and the persistence guys are establishing a presence in another Elbonian company. Meanwhile, the malware in their primary target sits and waits for their next instruction.

The team can repeat this process over and over again. As the Elbonian support tech gets calls from around his country, he installs system updates as they appear in his FTP site. They look legitimate to him, and he's happy to be getting calls from so many different customers.

Eventually, a critical number of systems are infected. At the predetermined time, the logic bomb goes off, and the systems shut down. In a grid system like the electrical supply, other systems would normally take over, but they've all been timed to shut down at once. The remaining systems can't handle the load, and they shut down out of preservation.

It took Strong Badia a few years, but Elbonia goes dark, because of the work of five people. The subsequent investigation stops at the technician, because his computer has been nicely loaded up with documents declaring anti-Elbonian sentiment and expressing a strong desire to move to Lower Slobbovia. Meanwhile, the Strong Badians are celebrating (quietly) a job well done, and they're ready to apply their talents to the next target on the list.

In contrast, consider the cost of this attack being done with a more hands-on approach. First, Strong Badia would have to have some kind of Elbonian presence to recruit Elbonian spies. While recruiting could be done online, the Strong Badian recruiters wouldn't have any way to tell if their conversations were being played right in front of a room full of Elbonian investigators. Having a physical presence also means Elbonia knows exactly who to watch.

If they can escape scrutiny, they can start grooming a spy. Insider threats are extremely capable, since they rarely have to worry about gaining initial access, but they're also risky, partly because decades of James Bond movies have made espionage into a pick-up line. Training a good spy means a lot of one-on-one coaching to sufficiently alter their morality until they want to do the job, and moving slowly enough that they aren't so excited to be a spy that they'll go tell someone. To convince the Elbonian to even do anything against their home country requires several months. To ask them to perform major acts of sabotage like planting a bomb would require more effort.

The Strong Badian brainwashing/indoctrination/radicalization process involves having the handler be available to talk, to convert the Elbonian's loyalty. It needs (roughly) a handler for each spy, and that spy has to go to work. That means that for each targeted site, Strong Badia has to pay a handler and bribe the spy, and hope that the spy's induced disloyalty doesn't get them fired before the planned attack.

For one or two sites, having a physical attack is reasonable, but it quickly becomes more efficient to run an APT attack, instead, since such targets can be controlled and kept waiting for years with basically no upkeep. Weakly-protected targets (no airgaps, unpatched software) can be fully compromised by APTs in a matter of hours, and can be useful for years. Mid-range sites can take a few weeks, but then they're completely compromised. Airgaps make the attacks significantly more expensive, but a proper airgap is exceedingly rare. Physical presences require ongoing support, and take months or years to groom.

Comment Re:Squirrels spread their attacks conveniently (Score 5, Informative) 138

How many spies and saboteurs with well-placed bombs (or high-powered rifles) would it take to disable the power grid? Not many, I would think. There are a lot of threats besides 'the cyber.'

Far more than it takes to set a flag on a C&C server. Those spies and saboteurs also have to be physically present around the time of the coordinated attack, increasing the risk they'll be caught, and the opportunity for them to double-cross the attacker and reveal the plan to the target.

On the other hand, malware can lurk for years undetected from a single entry point. A small team of sub-sub-sub-contracted service technicians can deploy malware to an embedded system, and walk away. Sufficiently advanced threats can hide their traffic inside the normal monitoring operations of the utility, cross through the network, and even add personnel records, effectively making their actions look like legitimate employee operations until they shut everything down.

Targeting infrastructure has been a military strategy for as long as there have been militaries. Modern tactics, however, focus on efficiency. If five malware-assisted spies can take down a target country's utilities with no risk, why spend the budgeted resources to recruit and train (and possibly extract) fifty to do the same job? That budget can then go toward hiring cryptographers to decrypt the target's movement orders, so you spend less budgeted resources trying to find the enemy units. That leaves more budget to use on building better bombs and guidance systems, and so on.

Ultimately, the goal is to win the war. With modern society relying on border-crossing communications, it is no longer really important who can put supplies into what territory, as was important until around 1960. Now, it's important to convince the locals that you're protecting them from the evil oppressive enemy, and doing that means minimizing civilian deaths. Better targeted bombs, better intel, and attacks that don't involve blowing up a power plant full of civilian workers, are all ways to reduce your side's death count.

Security is something for professionals like us to think about always while we're working, but it's not something to panic about. A lot of these news stories like this one are designed to spread panic...

There's very little panic, except for a few uninformed headlines where a laptop with malware became a complete takeover of the US power grid. On the other hand, the DNC hack is a great example of how information-based warfare will be conducted, and the news article you linked explains it well. Unlike Watergate, there was never a Russian physical presence in the DNC. There's nobody in the US that can be arrested for it. After the initial breaches, there was almost no evidence of the digital presence. The reality of the situation once it was discovered was met with skeptics like you, who underestimate how useful such an attack could be.

While that holds true, the attacks won't likely escalate. As soon as an enemy attacks the American power grid, every American company will treat information attacks more seriously, and the low-hanging fruit will disappear.

...and to increase power to those who are spreading panic.

There's nobody really getting more power from this, though, except for a few hucksters who are selling fraudulent security systems. The threats have been real and the attacks have been ongoing for the past few decades, and the people who have been wise enough to care have found that there are solutions available. There are backup generators and UPSes protecting vital systems from outages of the power grid. There are airgaps and mitigations protecting secret information. There are encryption algorithms and opsec protocols protecting identities... Security is cheap, but it is very user-driven. The user has to care for security to be effective. They have to install the generators, they have to work over the airgap, and they have to follow the protocols.

The DNC hack is different in only one way from every other attack since the mid-90s: The attacker chose to make it public, exposing the shadowy world of espionage to the public eye. The people who don't know any better will panic, because it's an attack on American infrastructure. The ones who've been working in it for long enough will sigh, because it's yet another attack on American infrastructure.

Comment Re:Options (Score 1) 502

Let's rephrase this a bit more realistically:

  1. Use Windows 7, and everybody with access to malware techniques from the last decade can get in, or
  2. Use Windows 10, and only the nation-state threats with access to the latest techniques or legal avenues will be able to get in.

Windows 10 integrates a lot of the malware mitigations that were either add-ons or unavailable for Windows 7. The default configuration also requires stronger security, and the system internals are much better hardened against malware compromising system integrity. In effect, whole classes of malware that could affect Windows 7 are ineffective on Windows 10.

I know it's Slashdot's fetish to think that the NSA really cares what websites you're visiting, and to think that you're all protecting the rights of freedom fighters around the globe, but really, using antiquated software just means that the barrier for entry is lowered. The NSA might not be able to pull your telemetry directly from Microsoft, but their regular old RATs and spyware will work just fine, along with the same kit from every hacker group around the world. Not only will the NSA still have access to your data, but so will everyone else.

If you actually want a secure system, opsec is still your best bet. Start with an isolated system for processing, keep it isolated, and use an airgapped (preferably with several walls and rooms between) system for communication. Never transfer electronic data, change service providers occasionally, relocate erratically, and follow all of those other paranoid guidelines that are more effective than "use old software".

Comment Re:Remember kids! (Score 2) 405

$DEITY forbid they should have a marketing department.

The casino doesn't know (and may in fact not be allowed to know) who has a gambling problem. All they know is that a long-time customer has stopped coming, so they fire up the marketing machine and incentivize future business. To use your analogy, the bartender might pass a known regular on the street, say "I haven't seen you in a while", and offer a drink on the house next time the customer comes in.

Yes, some people think they're lucky. Some people are addicted. That doesn't change the legality of the casinos' operations, and doesn't make them liable.

Comment Re:Look to history (Score 1) 296

That's intentional, even necessary. There is no data on antibiotic-resistant infections prior to the discovery of antibiotic-resistant infections. Since my whole point is that historical data is absolutely critical when making comparisons to historical practices, that's the best data we have available.

Comment Re:Look to history (Score 1) 296

"Each year in the United States, at least 2 million people become infected with bacteria that are resistant to antibiotics and at least 23,000 people die each year as a direct result of these infections."

Well, that sucks. Now, how do those numbers compare to historical measurements, accounting for the significant improvement in reporting reliability? The reality is that infectious disease rates were about three to five times worse in the 30s and 40s, because we were still at the beginning of a large-scale improvement process in general sanitation throughout daily life, not just hospitals.

"Antibiotic-resistant infections can happen anywhere. Data show that most happen in the general community; however, most deaths related to antibiotic resistance happen in inpatient healthcare settings, such as hospitals and nursing homes"

Let's say that again, simplified: "most deaths occur in care facilities". That's a great talking point, but what about where most fatal infections were acquired? If you get infected with a resistant bacteria in your kitchen, and go to the hospital for it before dying, it still counts as a hospital death.

Lusting for the good old days is a very dangerous habit. You have to remember that you are only able to recall the stinging pain because you were one of the survivors. The people whose lethal infections weren't cleaned by iodine can't speak up to remind you of their story, except as historical statistics.

The problem is also far more complicated than just "clean things". Over-use of antibiotics contributes to the prevalence of AR strains, but careful management is actually mostly what protects vulnerable patients. That is hindered by the stupid humans in the mix, who don't trust doctors and undermine their practice (for example, by bringing home-cooked desserts into a hospital isolation room). That in turn is a symptom of poor medical knowledge among the public, partly due to the confirmation bias you've shown here.

Comment Re:The Backasswards solution (Score 3, Interesting) 196

Joseph Bramah's lock was considered secure for 67 years, until Alfred Charles Hobbs picked it after a 51-hour effort in 1851. Now, modern tools and techniques can pick such a lock in a matter of minutes.

So let's suppose you had purchased one of Bramah's locks in 1850, with a 65-year history of perfection. If you were robbed in 1853, who bears the liability? Is it Bramah (actually his sons who inherited the business) for making an insecure lock that was sold as being secure? Is it you, for not replacing the lock as soon as a picking technique had been proven? Or is it the thief who actually exploited the vulnerability and broke the law?

Comment Re:Leave. (Score 1) 433

From my own experience, it's an exercise in professionalism, extinguishing the bridges that are burning without your knowledge.

The key (that is apparently missed elsewhere in this discussion) is to maintain absolute professionalism. The letter is not just whining. It is a dissection of the factors that forced you out of the company. It serves as an explanation of your actions to the people who would otherwise be left with questions that would be answered with rumors, often spread by the bully himself.

Until you walk out the door (or otherwise enact termination), you still work for the company. Your job doesn't end when you decide you're leaving. Right up to that last minute, you're still a part of the team, and they're still expecting you to help the company improve. While it can also be cathartic to say "fuck you all" and sit idly waiting for that two-weeks-notice paycheck, that leaves a very bad final impression on your colleagues. While they might end up being your opposition next month, they might also be your reference (or recruiter) next year.

When that time comes that others think back on you, will they recall an embittered man who just gave up and left, or will they remember the guy whose last act was a professional attempt to point out the proverbial elephant in the room? While the managers are ultimately responsible for the decisions (right or wrong), very few are actually all-knowing, even in their own minds. Rather, they have their particular perception, and a sufficiently manipulative employee can control their perspective and prevent them from ever seeing the unethical behavior. While it is not your place to tell management what they're doing wrong, it is your place to ensure that they accurately see the effects of their decisions. They can decide for themselves if it matches their expectations and other employees' descriptions.

It is not enough to "leave with a smile" any more. Now recruiters look at LinkedIn to see if you play well with others, and referrals from past colleagues are the easy way through the HR bureaucrats. Now, the best way to ensure your bridges aren't burning is to try to leave your colleagues with the understanding that you hold no hard feelings toward them, but only the environment you worked under.

Comment Re:The Backasswards solution (Score 3, Insightful) 196

The problem is defining "secure" and "insecure". In the US, the standard is "perfect tender", where the company just has to produce a product that is perfect to the best of their ability, and acceptable to the customer. The product may have been insecure from the start, but nobody knew it, because the vulnerabilities weren't known yet.

Three years ago, we had no idea that the rowhammer effect could corrupt data. Two years ago, we didn't think it had security implications. Now we know better, but my desktop was built four years ago.

There are some vulnerabilities that can be resolved, like default passwords... but those are comparatively rare. For production and installation ease, the devices are usually shipped with a default password and the user is provided instructions to change the password. The problem is that the users don't read the instruction manual for their new lightbulbs. In this case, the product is designed and sold to be secure, but the user's inaction caused the insecurity.

Ultimately, the liability for an attack lies (legally) with the attacker. It's been that way for several thousand years, and is fundamental to the legal framework in this country. Trying to change that will have many unintended consequences.

Comment Re:Leave. (Score 1) 433

On the other hand, with no documented explanation, it's very easy to blame the problems on the guy who is "no longer with the company", blackball him, and move on with no improvement. Saying just a name to HR does nothing, as it doesn't provide any context in which to investigate. In a large company, it may be the first time the interviewer has heard the name, and the guy leaving tomorrow will work with a different interviewer, so it'll never be correlated.

Comment Re:Politically incorrect solution: free/open softw (Score 1) 196

That's why all android devices automatically get updates, right? Even the decade-old ones that can't run new versions?

The OS doesn't matter. What's missing is the infrastructure to support patch development, testing, and delivery. Once the initial vendor goes out of business (or discontinues that product), there's no mechanism to continue development, no way to test the patch, and no way to get the new software into the devices.

An open-source mandate fixes the ability to develop new patches, but it becomes much more difficult to thoroughly test on all versions of affected devices, and there's no easy channel to get the new software to the end users.
