Comments on: New Clues Draw Stronger Chinese Ties to ‘Aurora’ Attacks http://krebsonsecurity.com/2010/01/new-clues-suggest-stronger-chinese-role-in-aurora-attacks/ In-depth security news and investigation Fri, 30 Jul 2010 04:29:12 +0000 hourly 1 http://wordpress.org/?v=3.0 By: Microsoft patches as fraudsters target IE flawhttp://krebsonsecurity.com/2010/01/new-clues-suggest-stronger-chinese-role-in-aurora-attacks/#comment-4212 Microsoft patches as fraudsters target IE flaw Thu, 18 Mar 2010 12:19:08 +0000 http://www.krebsonsecurity.com/?p=632#comment-4212 [...] have also reportedly focused on Chinese users, which account for much of the population of Internet Explorer 6 [...] [...] have also reportedly focused on Chinese users, which account for much of the population of Internet Explorer 6 [...]

Like or Dislike: Thumb up 0 Thumb down 0

]]> By: Privacy Source » Pentagon Searches for ‘Digital DNA’ to Identify Hackershttp://krebsonsecurity.com/2010/01/new-clues-suggest-stronger-chinese-role-in-aurora-attacks/#comment-1533 Privacy Source » Pentagon Searches for ‘Digital DNA’ to Identify Hackers Fri, 05 Feb 2010 07:01:53 +0000 http://www.krebsonsecurity.com/?p=632#comment-1533 [...] how hard it is to pin a network strike on a particular person or group. Engineers are pretty sure the attack came from China, and it sure was sophisticated enough to come from a state military like China’s. But [...] [...] how hard it is to pin a network strike on a particular person or group. Engineers are pretty sure the attack came from China, and it sure was sophisticated enough to come from a state military like China’s. But [...]

Like or Dislike: Thumb up 0 Thumb down 0

]]> By: Chashttp://krebsonsecurity.com/2010/01/new-clues-suggest-stronger-chinese-role-in-aurora-attacks/#comment-1523 Chas Thu, 04 Feb 2010 21:52:53 +0000 http://www.krebsonsecurity.com/?p=632#comment-1523 Here's another issue with this "China code" allegation.Joe Stewart contends, in addition to being an obscure algorithm (not true), it also has an optimization that's uniquely Chinese.However, upon further examination of his Google search on "crc_ta[16]", it appears the code snip passed around in China are mostly an unoptimized veriation that relies on division to obtain top 4 bits:da=((uchar)(crc/256))/16While the 12-bit-shift code optimization fingered as "Chinese code", has been demonstrated to exist as early as 1988, in the Novell Programmer's Guide according to the Register article. Here’s another issue with this “China code” allegation.

Joe Stewart contends, in addition to being an obscure algorithm (not true), it also has an optimization that’s uniquely Chinese.

However, upon further examination of his Google search on “crc_ta[16]“, it appears the code snip passed around in China are mostly an unoptimized veriation that relies on division to obtain top 4 bits:

da=((uchar)(crc/256))/16

While the 12-bit-shift code optimization fingered as “Chinese code”, has been demonstrated to exist as early as 1988, in the Novell Programmer’s Guide according to the Register article.

Like or Dislike: Thumb up 1 Thumb down 0

]]> By: Chashttp://krebsonsecurity.com/2010/01/new-clues-suggest-stronger-chinese-role-in-aurora-attacks/#comment-1517 Chas Thu, 04 Feb 2010 19:12:21 +0000 http://www.krebsonsecurity.com/?p=632#comment-1517 Agree with David that the logic leap Joe Stewart employed in linking a variable name to machine code is insufficient.Especially in light of the fact the nibble CRC algorithm has been widely available in embedded application area for a decade according to the Rigister article.Following clues in above article I was able to find the same nibble CRC code in a 2003 listserv archive:http://osdir.com/ml/systems.archos.rockbox.cvs/2003-08/msg00002.html Agree with David that the logic leap Joe Stewart employed in linking a variable name to machine code is insufficient.

Especially in light of the fact the nibble CRC algorithm has been widely available in embedded application area for a decade according to the Rigister article.

Following clues in above article I was able to find the same nibble CRC code in a 2003 listserv archive:

http://osdir.com/ml/systems.archos.rockbox.cvs/2003-08/msg00002.html

Like or Dislike: Thumb up 1 Thumb down 0

]]> By: Aurora Attack « The Flabbercasthttp://krebsonsecurity.com/2010/01/new-clues-suggest-stronger-chinese-role-in-aurora-attacks/#comment-1313 Aurora Attack « The Flabbercast Mon, 01 Feb 2010 09:59:57 +0000 http://www.krebsonsecurity.com/?p=632#comment-1313 [...] for information on the now famous “Google” attack, which has since been named “Aurora” on account of some file names used. For a lot of people they will understand what went on at [...] [...] for information on the now famous “Google” attack, which has since been named “Aurora” on account of some file names used. For a lot of people they will understand what went on at [...]

Like or Dislike: Thumb up 0 Thumb down 0

]]> By: Digital forensics takes on new life tracking attackers across the matrix | Cybernitionshttp://krebsonsecurity.com/2010/01/new-clues-suggest-stronger-chinese-role-in-aurora-attacks/#comment-1225 Digital forensics takes on new life tracking attackers across the matrix | Cybernitions Fri, 29 Jan 2010 02:23:18 +0000 http://www.krebsonsecurity.com/?p=632#comment-1225 [...] how hard it is to pin a network strike on a particular person or group. Engineers are pretty sure the attack came from China, and it sure was sophisticated enough to come from a state military like China’s. But it’s hard [...] [...] how hard it is to pin a network strike on a particular person or group. Engineers are pretty sure the attack came from China, and it sure was sophisticated enough to come from a state military like China’s. But it’s hard [...]

Like or Dislike: Thumb up 0 Thumb down 0

]]> By: Pentagon Searches for ‘Digital DNA’ to Identify Hackers | Republic Broadcasting Networkhttp://krebsonsecurity.com/2010/01/new-clues-suggest-stronger-chinese-role-in-aurora-attacks/#comment-1203 Pentagon Searches for ‘Digital DNA’ to Identify Hackers | Republic Broadcasting Network Thu, 28 Jan 2010 17:46:31 +0000 http://www.krebsonsecurity.com/?p=632#comment-1203 [...] how hard it is to pin a network strike on a particular person or group. Engineers are pretty sure the attack came from China, and it sure was sophisticated enough to come from a state military like China’s. But it’s hard [...] [...] how hard it is to pin a network strike on a particular person or group. Engineers are pretty sure the attack came from China, and it sure was sophisticated enough to come from a state military like China’s. But it’s hard [...]

Like or Dislike: Thumb up 0 Thumb down 0

]]> By: tristramhttp://krebsonsecurity.com/2010/01/new-clues-suggest-stronger-chinese-role-in-aurora-attacks/#comment-1129 tristram Wed, 27 Jan 2010 01:23:17 +0000 http://www.krebsonsecurity.com/?p=632#comment-1129 I think I agree with you, but to clarify, I would accept it as circumstantial evidence if there was only published source that, using one of a likely set of compilers, produced an exact copy of the binary code used in the Aurora attack. One would assume that an attacker wouldn't bother to change the code but just use it as is. If this particular source was only discussed or referenced in Chinese language sites than it might indicate a Chinese attack. Again, that would only be circumstantial, not proof in itself. An article today in The Register points out that one or more alogorithms using a 16 constant table certainly does exist in the non-chinese world and casts doubts that this particular binary code wasn't likely to have been compiled from non-chinese source code. I would hope that Joe Stewart would take the time to see if the various non-chinese examples of source code will produce the same binary output. I think the Register greatly exaggerates by saying it had been a smoking gun but anyway here is the URL http://www.theregister.,co.uk/2010/01/26/aurora_attack_origins/ I think I agree with you, but to clarify, I would accept it as circumstantial evidence if there was only published source that, using one of a likely set of compilers, produced an exact copy of the binary code used in the Aurora attack. One would assume that an attacker wouldn’t bother to change the code but just use it as is. If this particular source was only discussed or referenced in Chinese language sites than it might indicate a Chinese attack. Again, that would only be circumstantial, not proof in itself. An article today in The Register points out that one or more alogorithms using a 16 constant table certainly does exist in the non-chinese world and casts doubts that this particular binary code wasn’t likely to have been compiled from non-chinese source code. I would hope that Joe Stewart would take the time to see if the various non-chinese examples of source code will produce the same binary output. I think the Register greatly exaggerates by saying it had been a smoking gun but anyway here is the URL
http://www.theregister.,co.uk/2010/01/26/aurora_attack_origins/

Like or Dislike: Thumb up 1 Thumb down 0

]]> By: The Digital DNA Speaks | ... BreakingtheNewsBarrier.com ...http://krebsonsecurity.com/2010/01/new-clues-suggest-stronger-chinese-role-in-aurora-attacks/#comment-1125 The Digital DNA Speaks | ... BreakingtheNewsBarrier.com ... Tue, 26 Jan 2010 22:36:17 +0000 http://www.krebsonsecurity.com/?p=632#comment-1125 [...] how hard it is to pin a network strike on a particular person or group. Engineers are pretty sure the attack came from China, and it sure was sophisticated enough to come from a state military like China’s. But it’s hard [...] [...] how hard it is to pin a network strike on a particular person or group. Engineers are pretty sure the attack came from China, and it sure was sophisticated enough to come from a state military like China’s. But it’s hard [...]

Like or Dislike: Thumb up 0 Thumb down 0

]]> By: ZDE Microsoft : Experts Fail - CNIS maghttp://krebsonsecurity.com/2010/01/new-clues-suggest-stronger-chinese-role-in-aurora-attacks/#comment-967 ZDE Microsoft : Experts Fail - CNIS mag Mon, 25 Jan 2010 21:24:42 +0000 http://www.krebsonsecurity.com/?p=632#comment-967 [...] bec et ongle l’hypothèse de l’origine Chinoise et de l’attaque coordonnée. Propos que Brian Krebs vulgarise avec sont talent habituel. Une thèse que Graham Clueley de Sophos défend du bout des lèvres, en [...] [...] bec et ongle l’hypothèse de l’origine Chinoise et de l’attaque coordonnée. Propos que Brian Krebs vulgarise avec sont talent habituel. Une thèse que Graham Clueley de Sophos défend du bout des lèvres, en [...]

Like or Dislike: Thumb up 0 Thumb down 0

]]>