May 4, 2011

This is the second installment of a multi-part series examining the tools and tactics used by attackers in the RSA breach and other recent network intrusions characterized as “ultra-sophisticated” and “advanced persistent threats.”  If you missed the first piece, please check out Advanced Persistent Tweets: Zero-Day in 140 Characters.

The recent data breach at security industry giant RSA was disconcerting news to the security community: RSA claims to be “the premier provider of security, risk, and compliance solutions for business acceleration” and the “chosen security partner of more than 90 percent of the Fortune 500.”

The hackers who broke into RSA appear to have leveraged some of the very same Web sites, tools and services used in that attack to infiltrate dozens of other companies during the past year, including some of the Fortune 500 companies protected by RSA, new information suggests. What’s more, the assailants moved their operations from those sites very recently, after their locations were revealed in a report published online by the U.S. Computer Emergency Readiness Team (US-CERT), a division of the U.S. Department of Homeland Security.

In RSA’s explanation of the attack, it pointed to three domains that it claimed were used to download malicious software and to siphon sensitive data taken from its internal networks: Good[DOT]mincesur[DOT]com, up82673[DOT]hopto[DOT]org and www[DOT]cz88[DOT]net. But according to interviews with several security experts who keep a close eye on these domains, the Web sites in question weren’t merely one-time attack staging grounds: They had earned a reputation as launch pads for the same kind of attacks over at least a 12 month period prior to the RSA breach disclosure.

What’s more, the same domains were sending and receiving Internet connections from dozens of Fortune 500 companies during that time, according to Atlanta-based Damballa, a company that mines data about malware attacks using a network of sensors deployed at Internet service providers and large enterprises around the world. Damballa monitors the domain name system (DNS) servers at those networks, looking for traffic between known good hosts and known or suspected hostile locations.

Gunter Ollmann, Damballa’s vice president of research, said that for more than a year his company has been monitoring the three malicious sites that RSA said were involved in the theft of its intellectual property, and that many other major companies have had extensive communications with those hostile domains during that time. He added that his company is not in a position to name the other companies impacted by the breach, and that Damballa is helping federal authorities with ongoing investigations.

“There is lots of malware that have relied on those domains for command and control,” Ollmann said. “We know who the victims are, roughly how many devices within those victim organizations were compromised, and are still compromised.  RSA was not the only victim of these attacks.”

RSA said attackers stole information related to its SecurID two-factor authentication products. The company has kept mum on what exactly was taken, and it remains unclear how much sensitive data was swiped from other organizations compromised by the same infrastructure used to attack RSA.

But the methods used in the intrusions — which began with the targeted exploitation of previously undocumented “zero-day” security flaws — bear the signature of those chronicled in a series of recently leaked U.S. State Department cables. Those communiques detail more than a half-decade worth of incessant and sophisticated cyber attacks attributed to Chinese state-sponsored efforts to extract commercial and national security secrets from the U.S. government and private sector.

The apparent compromise of so many organizations at the hands of an adversary that launched one attack after another from the same infrastructure raises the question: If these domains were known to be so bad for so long, how could so many organizations — including those that specialize in providing Internet security services — have failed to simply block all communications to and from those malicious sites?

“In this case, the malware and their associated domains were known about for a very long time,” Ollmann said. “There is no excuse for organizations not blocking [access to] those sites and communications channels.”

Timely information sharing about new, sophisticated cyber threats has been and remains a major weak spot for both the government and the private sector. Part of problem, experts say, is that some victim organizations aren’t aware of systemic compromises on their networks until they are alerted months later by law enforcement officials. By that time, attackers will have had ample time to move laterally through the target’s network and steal intellectual property and other proprietary data. Other victims may merely be afraid that sharing information about such attacks could lead to the requirement for public acknowledgment of a security breach.

“What a lot of people need to understand is that there is a concerted and organized national level strategy being orchestrated against our country and others,” said one security expert who has helped a number of organizations respond to these sophisticated attacks, but who spoke on condition of anonymity because he was not authorized to speak to the press. “Not many security companies out there are highly focused on this threat. We’re at risk of being completely overwhelmed and outmatched [if we don’t] work together in a collective defense.”


46 thoughts on “RSA Among Dozens of Firms Breached by Zero-Day Attacks

  1. Catfish

    “What a lot of people need to understand is that there is a concerted and organized national level strategy being orchestrated against our country and others”

    This statement is, in my personal experience, an absolute fact. Our response is fractured but improving. Sharing of information, like that within Brian’s blog, is esential. We also need a more coordination between our 13 executive branches of govenrment than ever before in history. As a taxpayer I don’t want to pay multiple times to defeat the same threat.

  2. finack

    If Google can maintain a malware block list, why isn’t Cyber Command or State maintaining an advanced threat IP & DNS block list for industry? If you built a factory on the border and were constantly being shot at across it, the USG would do more than helping you pick up the bodies. The scale and breadth of industrial espionage that’s going on has the potential to sap the innovation and competitiveness of an entire generation.

    1. Clive Robinson

      @ finack,

      You raise a valid point that is a subset of a broader issue.

      Is it “cyber-war” or “cyber-crime”?

      The distinction between crime and war is important for a number of reasons.

      On the home side in the tangable ordinary world crime is dealt with at two levels, the private entity and the state law enforcment.

      That is as a citizen you are expected to take certain preventative measures (locks & bolts) and some mitigation measures (insurance) to deter crime. You are also required (via taxation) to make payment to law enforcment.

      Law enforcment are there to remove the nuisance of the criminal and pass them on with the appropriate evidence such that the criminals can be put through the due process and then removed from society for a period of time.

      The same processes of deterant and mitigation applies to “legal entites” such as shops businesses and corporates, only the levels are set commensurately higher based on size, turnover and nature of activity.

      Importantly in the tangible physical world “distance” has real meaning and because of this we have geopolitical areas we call nation states who have jurisdiction in that geopolitical area. Importantly for tangible asset crime, the criminal has to be local to the scene of the crime and this has given rise to some fundemental assumptions in our legal processes. There is little or no law in any juresdiction to deal with the intangable world of information where distance only has meaning in time thus for criminals working in the intangible “information world” everywhere is effectively local whilst not being geopoliticaly local. This gives cyber-criminals huge advantages (as do the zero cost “force multiplier” effects of information tools).

      Thus cyber-crime is working mainly in a legal vacuum and is dependent on other juresdictions cooperation to prosecute these criminals.

      War on the other hand is an activity carried out not between people or legal entities but between nation states. It can be carried out in a number of ways either directly as state-v-state on one of their geopolitical areas, or as happened during the cold war by proxie where the super powers would back small nation states and or terrorists to gain some advantage over the other super power irespective of the long term issues (remember Korea, Vietnam or the Russian invasion of Afghanistan with the CIA training the likes of Osama bin Laden etc).

      The incorrect assumption is that war is the “dispute resolution” process of “last resort” unforttunatly it usually is not.

      A further incorrect assumption is that war is usually “state unto state” and is about teritorial incursion.

      Where as the reality for the past hundred or so years, is it has been State against another states economy not there territory (unless natural resources such as oil and minerals are involved).

      By and large the way we deal with economic warfare is by espionage and all in all it is nearly a zero sum game. Distance often limits the effects unless there is large disparity in manufacturing costs.

      The problem is the boundries have become blurred, some large corporates actuall wage war both against people and economicaly (though in the case of against people this is done by proxy usually by the state or mercenaries / terrorists).

      The two issues of the lack of cross geopolitical boundry legislation and the bluring of the boundries of who can prosecute war has caused a major problem.

      In the tangible physical world distance and the cost of producing weapons has limited who can comit acts of war.

      In the intangible world of information distance is an irelavence and the cost of producing weapons is negligable.

      Thus in the information world you can have an “army of one” attacking the whole world.

      This has unfortunatly allowed the “war hawks” to try to gain a significant “cyber-foothold” by pushing the APT “cyber-war” view, not the more logicaly appropriate “cyber-crime” viewpoint.

      A quick look at the “mission statments” for soldiers and policemen will show why this “cyber-war” view point is so dangerous.

      Unfortunatly some nation states are adding high octane fuel to the fire.

      Although cyber attacks come from both China and Russia the difference is that from Russia it is generaly regarded as “cyber-crime” where as from China it is regarded as “cyber-war” even though it is well known that the Russia state does indead (just like the US and most other nations) carry out cyber attacks.

      Part of the reason is that China has seen “information warfare” as a normal part of both internal (law enforcment) and external (military / espionage) security. They have been known for instance over Taiwan to cut under sea telecommunications cables and perform other acts of state-v-state saber-rattling via information systems since the 1980’s. They simply have a directness about what they do, and apparently do not particularly care if the citizens of other nations know this. Which is unlike nearly all other nations involved with cyber-attacks.

  3. Nick P

    The man talking in the last paragraph is looking at things in the wrong way. We shouldn’t be worrying about nation states attacking our businesses and start collaborating some cyberdefense or whatnot. We should simply practice sound information security principles and buy from vendors that do. Problem largely solved. Note that even the RSA “APT” used a common approach to hack their systems. Companies are calling plenty of things APT these days to avoid embarassment, but the truth is simple: low assurance software, systems and networks = ease of compromise.

    And for the fix, it’s should NOT be in the hands of the government, at least as it is. The government, especially DOD and NSA, are the ones that killed the development of high assurance platforms, directly & indirectly. The best description of this is from Bell, co-inventor of the Bell-Lapadula security model. He sums the entire problem up pretty well.

    Looking back: An addendum 2008
    http://iaarchive.fi/papers/Bell%20addendum.pdf

    Another sounding voice on this is Brian Snow of the NSA in his paper “We Need Assurance,” linked below. He gives a specific process that greatly increases assurance without a huge cost increase.

    We Need Assurance
    http://www.acsac.org/2005/papers/Snow.pdf

    I’ll add Fagan’s Software Inspection Process and Cleanroom methodology to that. Most recent, low-defect middleware was made with Cleanroom. Praxis’s Correct by Construction takes longer but built many low-defect systems, including MULTOS smart card (EAL7 equivalent).

    I like what Bell said in his 2005 paper. He mentioned DARPA isn’t throwing so many huge contracts at computer security research because we already know how to solve the major security problems. We learned that (and built secure systems that did it) in the 70’s, 80’s, and early 90’s. It’s currently an expensive engineering problem. We need “selfless acts of security” whereby companies accept a bit lower bottom line to increase the assurance of their offerings and a government that mandates higher assurance products for their contracts. Otherwise, what you [currently] see is what you [will always] get: a reason to be paranoid.

    1. Infosec Geek

      Nick, paranoia will be required until human nature changes. The real problem is not technical so following whatever best practices are current will never be enough. The real problem is that adversaries will attempt to subvert systems to gain advantage over the system owners. As long as there are big advantages available adversaries will seek to gain them. They’ll look for new abuse cases, the only way to stop that is to take aggressive countermeasures, that requires cooperation and consensus support.

      You’re also off base about not worrying about hostile nation-states attacking. That’s like saying don’t worry about Pearl Harbor.

      Saying RSA “used a common approach” is just wrong, a Flash zero-day embedded in an Excel spreadsheet is novel. Maybe if you mean it used x86 machine code it was common, but you’re trivializing something that was non-trivial in a number of ways.

      The government needs to take a lead role, otherwise the selfish individual interests of the private sector will perpetuate the present problems. You make some good points about problems in the government’s present posture on cybersecurity, but you’re wrong about what that means. Instead of taking the problem out of the government’s hands (which ensures defeat) we must fix the government’s approach (which will lead to success).

      Look at the reluctance of private firms to disclose any breaches, without government involvement it will be worse not better. Things like the Director’s Desk breach would be covered up entirely if the victim firm had it’s preference. So please, re-think your position!

      1. DeborahS

        @Infosec Geek

        “Instead of taking the problem out of the government’s hands (which ensures defeat) we must fix the government’s approach (which will lead to success).”

        I’m sorry, but I simply do NOT have the same confidence you seem to that government has the competence to do much of anything right. Big government limps along, doing a very few things extraordinarily well, some things acceptably well, but it gets most of everything else wrong.

        It’s possible that if we could get our government slimmed down so that it would focus on only doing those things that truly provide for the common good, then we could turn to it for aid and support with this horrendously huge problem. But that would be the government that we need to have, not the government that we actually have – now, or any time in the foreseeable future.

        Government managed internet security would be an issue that would require the scope and scientific precision of an agency like NASA. Maybe then, if the best minds our country can muster were tasked with solving this problem, it could happen. But it won’t happen that way any time soon. What we have now, what we’ve had all along, and what we’re likely to have into the foreseeable future is a bureaucratic approach that basically feeds off of private sector talent and, most sadly, has the power to shut them down.

        No, government management of internet security is a bad idea so long as we have the government we have today.

      2. Nick P

        “As long as there are big advantages available adversaries will seek to gain them. They’ll look for new abuse cases, the only way to stop that is to take aggressive countermeasures, that requires cooperation and consensus support.”

        Certainly. The point is that we have the methods to defeat most vulnerability classes and have for decades. With the “consensus support” you mention, they might actually implement them more than they currently do. Microsoft’s use of SDL is a good example.

        “You’re also off base about not worrying about hostile nation-states attacking. That’s like saying don’t worry about Pearl Harbor.”

        That’s a false comparison and the evidence isn’t in your favor. I’ll make it easy for you by giving my specific stand. The nation-state hackers compromise systems by exploiting the same kinds of vulnerabilities as attackers in general. They’re just better at it. This is why I, as well as most security experts, say the solution is improving computer security and reducing/mitigating attack vectors.

        The alternative is a “cyberwar” command that will implement “cyberdefense” technologies and policies to stop “cyberattacks” by hostile nation states and “cybercriminals”. (Whatever all that is. I swore they were just people with computers hacking and conning companies like everyone else.) They also want to redesign the internet for total traceability and provide backdoors for warrantless monitoring by unaccountable parties. The main groups that promote this nonsense are defense contractors vying for 1+ billion contracts to build and manage these cyberdefenses. There’s also a bunch of authors making millions selling fear-mongering books. Wired’s Threat Level has covered their propaganda very well, including a comment by Krebs debunking them.

        http://www.wired.com/threatlevel/2010/03/cyber-war-hype/

        However, there is no cyberwar, cyberthreat, cyberdefense. That’s a money-making, fear-mongering myth. There’s simply computer vulnerabilities, practices that create them, practices that reduce/remove them, and people that exploit them. The solution to the cyberwar problem is simply to USE SECURE PLATFORMS AND TECHNOLOGIES. We don’t need a military angle or anything.

        Besides, the government is the reason we don’t have many high assurance systems. They demanded high assurance, then bought low assurance & even built competiting low assurance products, putting high assurance vendors out of business. (See Bell’s Looking Back Addendum). They also labeled A1/EAL7 OS’s as munitions, restricting exports and ability of companies to get return on investment. Why spend $25 million development on secure OS platform if you will only have 20 customers in US Govt? (e.g. Honeywell’s SCOMP)

        Bell on Government Killing High Assurance
        http://selfless-security.offthisweek.com/presentations/Bell_LBA.pdf

        A combination of private commitment and government mandates/funding can make this happen. Government will need to lift their restrictions and allow selling secure tech to friendly countries, esp. those that already have Type 1 equivalent crypto technologies. Patent reform will also be a necessity because many legacy & secure tech’s are patent-protected. For instance, Type Enforcement (e.g. SELinux) and ECC crypto are patented. RSA’s has expired, so I’ve suggested using it a plenty. 😉 The Type Enforcement patent might have expired or be nearing expiration.

        “Saying RSA “used a common approach” is just wrong, a Flash zero-day embedded in an Excel spreadsheet is novel. Maybe if you mean it used x86 machine code it was common, but you’re trivializing something that was non-trivial in a number of ways.”

        Ok. I’ll consider that. This attack combined a flaw in Flash with Excel’s overprivileged functions. Flash is a known security risk with a long series of problems. Macro and embedding features on MS Office products are a known security risk with a long history of vulnerabilities and newsworthy uses like Melissa virus. Companies with poor security practices often have both on an internal computer with internet access. What’s novel about exploiting a flaw in two high risk programs with tons of previous flaws? Maybe it is, so let’s compare it to previous developments.

        So, let me look at malware development. Virus authors of the 90’s and early 21st century used boot sectors, BIOS’s, processor flaws, buffer/heap overflows, source level attacks, self-modifying code, attacks on middleware (esp. flash), macro/embedding attacks on MS Office, covert channels in real APT’s, social engineering support, and escalation attacks. Run of the mill malware today often employs several stages of infections, can spot analyst’s VM’s, stealthily blend into the system, and employ sophisticated, decentralized command-and-control systems.

        Compared to all of this, the RSA attack was anything but novel. Hackers routinely try to leverage multiple attack points on a system. If anything, RSA has demonstrated the “Risk Management Instead of Mitigation” and “Features & Legacy Compatibility Over Quality/Security” paradigms can’t provide assurance. They must be modified or abandoned.

        “The government needs to take a lead role, otherwise the selfish individual interests of the private sector will perpetuate the present problems.”

        “Instead of taking the problem out of the government’s hands (which ensures defeat) we must fix the government’s approach (which will lead to success).”

        Sure. I mentioned how they failed us in the past. They are currently failing us now trying to make it a military issue and certain gov.’t people are paid well by defense contractors to do so. The level of corruption and Cold War era thinking in the defense sector makes me unconvinced they can lead this effort. Even when they understand the issues, they have conflicts of interest. But, please do tell me if you’ve found a way to get military-industrial complex to do what the people need them to do rather than what benefits politicians, contractors and militarists. Nobody has accomplished this to date except the Computer Security Initiative and its purchasing policies, but they killed even that (see Bell).

        Anyone saying “government lead” should also look at the government’s security problems. They are currently advocating low assurance solutions like HAP and NetTop when they know these won’t work. They also have shown an inability to keep their own secrets and data protected. The fact that Wikileaks can get millions of cables without the government having a clue who moved all that data is mind-boggling. The guy had to admit to it *and* be turned in by a trusted associate (Lamo).

        Currently, the government is regularly breached by regular hackers, nation states, and espionage by Wikileaks. If they can’t protect their own systems, I don’t want them in control of ours. Many commercial setups are *way* better. A results-oriented mandate with commercial incentives, like the CSI did it in old days, would be a good start. The government can leverage their buying power to force developers to produce products built on secure foundations using low defect development processes. Anything past that needs a lot of thought as to the potential consequences of putting things in their hands.

  4. Abram

    That’s because you have too much money. And now it’s time to share your goodies to people from other side of planet.

    1. DL

      Be patient. Obama is working as fast as he can.

  5. Francis Turner

    The Damballa guys are correct that these domains were known, but it is in fact really really simple – just block the IP addresses the domains resolve to on the firewall and you stop the attack. Alternatively put an IP reputation service in part of the analysis of your SIM/SEM/SEIM and see if you get hits – particularly outbound “calls home”.

    When the details about the RSA attack came out I quickly showed that had RSA used our IP reputation service they would have caught the attack the first time there was a call home. See http://blog.threatstop.com/2011/04/03/the-rsa-spearphish-attack-and-ip-reputation/

    For certain organizations, it is in fact really simple to vastly improve your protection: just block access to/from the IP addresses of certain foreign countries (e.g. Defense contractors should block the PRC as well as Syria, Iran etc.).

    China is about 1500 networks the last time I looked. The others are smaller (much much smaller in the case of, say, N Korea) and almost any modern firewall can block at least 20,000 networks without working up a sweat. In fact they can typically do that far more efficiently and with far less load than they can do signature analysis, DPI etc. etc.

    1. Silemess

      Part of the problem is getting the information out to the rest of us about those domains. While security researchers, or sharp eyed log reviewers, may discover particular IP addresses popping up, the question is where do the rest of us go to find this list of bad addys so that we know whom to add to our filters on our firewalls and block lists on our servers?

    2. JCitizen

      Malwarebytes Anti-malware has a good outbound IP blocking feature in its real-time protection module. When I see it pop up, I note the IP, and run CCleaner to delete the miscreant.

      Seems like an enterprise equivalent like yours could do same.

      As far as the news story; I think many here on KOS predicted more breaches after the first news release.

    3. Jim C

      Blocking IPs is whack-a-mole when you’re dealing with dynamic IPs. You need proxies to block hostnames or blackhole via DNS.

      1. Jim C

        Sorry – Dynamic DNS, not dynamic IPs.

        1. JCitizne

          I wasn’t talking about non-internet addresses – they wouldn’t waste time with those. I use Comodo DNS myself. It blocks plenty of fishy addresses all by itself. If you have an ISP with a bad rep, why not just block the whole ISP or perhaps sub-domains related to bad sources?

          1. Jim C

            Because they’ll just move to another ISP or pwned machine that isn’t blocked. If their binaries have hostnames hard coded then you’ll exhaust more resources blocking IPs (so block the hostnames). If they have IPs hardcoded, then it would make more sense to block by IP.

            1. DeborahS

              @Jim C

              Ideally, I think you’d want a firewall or other tool to be configurable to block by either IP or by hostname, whichever can be identified the fastest.

              1. Jim C

                @DeborahS

                Application aware firewalls can block by IP or hostname as well as most host-based firewalls.

                That being said, if the malware is programmed to use hostnames, there is no need to deal with IPs if you have infrastructure that allows you to block based on hostname.

                If you have malware that is programmed to use hostnames but you don’t have firewalls to block based on hostname, you could always blackhole the hostname using DNS.

                If the malware uses IPs to communicate (sometimes used as an emergency backup) then you would have no choice but to block on those IPs.

                This only covers blocking (or attempting to). You still need to discover the C2 channel in the first place which is a whole other discussion 🙂

                1. DeborahS

                  @Jim C

                  Good stuff to know. I just may be shopping for a new firewall in the near future. I really haven’t had any problems with ZoneAlarm, or felt the need for more, but it does seem like the malware/cyber-attack problem could get a lot worse before it gets better.

                  Any good recommends for a PC firewall? TIA

            2. JCitizen

              I think Comodo does both – IP and domain names. If I remember correctly, I’ve looked at them by IP and occasionally they are not net translatable, so they would have had to have been by host name.(domain)

              I like using their service to avoid DNS poisoning also.

    4. Infosec Geek

      nice discussion, but too bad those are all solved problems as far as the bad guys are concerned it’s easy to defeat all of those countermeasures. The adversaries will adjust to whatever level necessary. As one poster observed, it’s just playing whack a mole to go down this road.

  6. Jim J.

    In light we are in a cyber war of destructive proportions. This being true, U.S. based hackers are as intellectual as those of Countries condoning attacks on U.S. Government and businesses. U.S. hackers should mount an all stops pulled assault on all foreign Governments, banks and mega-businesses in those countries hostile toward the U.S..

    1. Infosec Geek

      The attackers are not disrupting our operations, so what you are suggesting is a major escalation. We would lose if we escalate because we can’t handle what they’re doing now – if we can’t handle what they are doing now how do you think we would do better with their response if we escalate?

      Realistically we have more to lose, there are other parts of the world that are less dependent on computers and networks than we are. So if we attack their cyber infrastructure and it doesn’t hurt them, then they retaliate by attacking our cyber infrastructure and it hurts us, this is a good idea how?

  7. DavidM

    China is one of the nations that is using cyber capabilities for more than just monitoring what their people do on the net.
    The Chinese goverment has long engaged in cyber espionage and for approriating technology and information to use for their own gain, this isn’t new.

    Russia has also been involved to this but not anywhere near the extent that China does…. does that mean they are less a threat… No they aren’t!

    The fact that the U.S. goverment was warned about this by almost 50 of the top professors and industry people in a letter to then President George Bush that basically said that there is a real problem here and we see it and we offer you our help to try and mitigate it…. and several people in and out of goverment said “they didn’t see this as a problem… not right now anyway” .

    I almost fell out of my chair when I hear that snippet! There seem to be a culture of “it isn’t happening to us, so we don’t have to worry about it” complacency with people when it comes to the security end of looking out for cyber threats.

    Software makers need to put better checks and balances into the product they are puting out to market, especially when it’s widely used Adobe is for example… and make sure they have as many of the vulnerabilities out of it before it hits the market.

    Companies as well need to up their vigilance on their own sites and networks, as they have a responsibility to have IT security up to snuff, but there are a lot of companies out there that don’t see pouring money into that as a great way to spen their cash, they seem to have a notion of doing as little as they can do get by, and that is a real problem… How many companies out their have trimmed back their companies IT department budgets on the security end of things? more than people know.

    While the goverment needs to think ahead on their cyber security, they have a vast network to protect they have a lot of people that are complacent in their practice of what should and should not be done on their networks, and they need to educate their people better on what they can do to mitigate the risks.

    The fact that these domains used in the RSA attack and others for over a year screams out to me that ICANN , Up stream providers, Hosts /ASNs/registrars, need to do their job (i.e. enforce their AUP/ToS) and take action against abuse…period!

    The fact their are so many that will not enforce the regulations is a real problem, if they got off their duffs and did what they were supposed to do, it would make life more difficult for the bad guys and make it more difficult for them to operate and hurt them in the wallet.

    Goverment and companies along with the providers who are the so called backbone of the internet need to work together on cyber security and defence.

    As we develop more dependance on technology, we also increase our own vulnerability. The threat is more than possible, it is inevitable.

  8. Michael Rowley

    Brian,

    I could not agree with you more.. This article, as well as the 1st one .

    http://krebsonsecurity.com/2011/05/advanced-persistent-tweets-zero-day-in-140-characters/ are both spot on.

    IMHO Foreign Countries, including those that appear to be our friends are constantly undermining our cyber infrastructure and security.

    Have you heard in your circles if the US Gov has identified those other fortune 500 companies.. approached them… and are working with them on tightening their security?

    Since we are consumers of many of these potential companies, should we not have heard yet about potential data breaches and exposure?

    Thanks again fore your fine work!

    1. Infosec Geek

      You asked “Have you heard in your circles if the US Gov has identified those other fortune 500 companies.. approached them… and are working with them on tightening their security?”

      What kind of political firestorm do you think would ensue if that were to happen and become known to the Tea Baggers?

      1. Infosec Geek

        I should make it clear that I referenced “Tea Baggers” as a generic proxy for all the crazies from all corners.

        Tea Party folks have some good points, so do the folks who will scream about government take-over of the internet, government telling business what to do, government favoritism, unconstitutional expenditures, and Lord knows what else – they all have a few good points, accompanied by lots of hogwash. This would be yet another example, with the media throwing lots of gasoline on the fire to fan the flames, incite controversy and sell lots of advertising.

        Any more questions why the government is not doing such a program?

  9. Maureen

    “how could so many organizations — including those that specialize in providing Internet security services — have failed to simply block all communications to and from those malicious sites?”

    Was this answered? All of you understand the technology side of this better than I, but I would like to know if there are consequences (other than bad PR) for firms, especially security firms, that are negligent. And if they have long known about it, then they were negligent. I hear the word “simply” quite a lot when discussing preventive measures and solutions, so I’m wondering…what is the root cause? Financial bottom line? Not enough resources? It can’t be stupidity.

    As someone else said, we are depending more and more on technology. It’s quite frightening to think that firms thought of as reputable are actually turning a blind eye to the associated risks.

    1. JCitizen

      Many of us in our cooperative group, have had their intellectual property not only stolen, but are being surveilled for more ideas, and harassed no end. It seems only Microsoft may be the only one interested in pursuing criminal leads on these events. Rather ironic considering Redmond was the world’s biggest “borrower” of good ideas!

      Many of our colleagues who were once doing well are now poor from ID theft, electronic sabotage, and fighting big corporations over theft of intellectual property. It is a wonder we have been able to keep our technical standing in the world!

      The sad part is – even if you are gifted and way smart – that doesn’t mean you practice good security – both physical and electronic.

  10. AlphaCentauri

    And what happened to all the information obtained from Fortune 500 companies via this industrial espionage?

    It seems to me people in the US are the ones financing it when we buy cheap knock-offs of tech products developed in the US and Western Europe. It’s easy to make things at a lower price when you don’t have to pay for the R&D.

    We’re not talking about people buying high quality products that have been developed in Asia; we’re talking about people buying products that violate the patents of our own fellow citizens. Too many people are willing to do what is essentially selling out their own country to get the latest electronic toy if it saves them a little money.

    1. JCitizen

      One of the biggest problems is the need to totally overhaul the United States Trademark and Patent Office. Seriously! I don’t even think they have joined the 21st century over there! We can’t expect the US to hold onto our 1st world standing much longer if they don’t wise up and fix that problem.

      They seem to be willing to help Hollywood and the musical artists, but the rest of us get to suck wind!

  11. Pj

    If Damballa knew who the bad-actor IPs were, surely everyone else with a whizzy-cloud-crowdsourced-reputation database knew too. Or are the vendors so balkanized that there isn’t enough information sharing to get the best intelligence to everyone equally?

    Intelligence sharing deficiencies have played out in government over and over, and it looks like we’re in much the same boat in the security industry.

    1. KFritz

      The balkanization of the IT Security Industry begins w/ Microsoft, and tangentially w/ lax enforcement of securities and monopoly law.

      Microsoft used ruthlessly, monopolistic, anti-competitive tactics and strategy to become the dominant operating system. Lax enforcement of commerce law by the Feds enabled Microsloth’s conquest. Then the Feds turned around, accepted the monopoly as fait accompli and installed “The Sloth” on every govt machine.

      It’s monopoly position and (here I rely on experts) its architecture made Micros…t an ideal target for thieves to exploit. Microsloth’s attitude toward security was, “You bought it. Security is YOUR responsibility.” *

      Microsloth’s irresponsible abdication of responsibility created a “competitive market” (read Balkanization) in IT Security. Sort of like having a menu of competing police departments to call if armed thieves show up at your door.

      There would probably have been competition within and balkanization of security in the US, as a function of our inherent tendencies, in any event, but the Microsloth dominated, laissez faire 90’s certainly enabled and cemented the situtation.

      *That attitude only began to change the day Bill Gates found 40 samples of malware in HIS machine.

      1. JCitizen

        I hear you, but I feel with Apple taking a big chunk of the market now, and actually outperforming Microsoft; plus the huge share of mobile devices taking a big bite outta Microsoft’s soft underbelly. MS isn’t the 900 lb gorilla in the room anymore. Complaining about it is pointless, when Apple and Google are major threats to Redmond now.

        Competition is good.

  12. Azrael

    What is needed is a forward leaning potently aggressive cyber national strategy that goes beyond defense, looks our adversaries in the eyes and says. If you do this, you will pay the consequences. Politically, economically, financially, or technically. People need to see this as a wake up call and focus on the Centers of Gravity where this activity takes place. Congress has already come out and said in Testimony that the Chinese Computer Network Exploitation TRBs are behind much of this activity. What more of an answer do you need. The next steps for anyone and everyone who gives a dam is to search for and mine / publish in open source fashion as much technical detail and intelligence on this organizations as possible and make it available to the public so that the next time these attacks occur, which is “tommorrow” everyone can get past the BS FUD and look your enemy in the eye, have his name, email address, telephone number, and GEOLoc so that something might be done about it. The very likely distopian future for the west will see a empowered, hungry, overpopulated, aggressive, technically advanced civilization that has stolen every bit of innovation that we have generated through blood sweat tears and hard work. That innovation will be used to create exact carbon copies of our processes, and facilities and then they will replicate entire industries as their own with a big communist sticker on it (trademarks be damned). Then after that they will simply strong arm, blackmail or forcibly evict our multinational corporations from their country if we dont play by their rules. Then as we react militarily to their aggressive moves with our seemingly advanced best in the world military, they will use assymetric warfare techniques to neuter our strategic differentiators. This stuff will all be done years from now and by that time it will be too late. Sitting, watching, monitoring, blacklisting and blocking does not work. They move like quicksilver. They attack from your backyard. Getting people to improve their products or be more secure doesnt work. You need to force a change in their national strategy and if you cant then you need to make them pay a price for it with the little bit of National Power we have left before we go completely bankrupt. This is a carrion call. Dismiss at your own risk.

    1. Infosec Geek

      If you want to look your enemy in the eye it is easy, find the nearest mirror.

      Big part of the problem is that our free enterprise system rewards encourage selfish behavior. Someone mentioned the US PTO as serving only the interests of Hollywood and large corporate media producers. That’s money talking, innovations by large corporations don’t need the PTO for protection they have in-house legal beagles who will use trade secrets effectively. It’s the small fry, individual inventors, that need protection from the corporations that rip them off, anyone wonder why the PTO does not fill that role?

      As mentioned earlier, we all buy the least expensive even if it means supporting a hostile supply chain. Corporations skimp on protecting their IT because it is expensive and hard, so they value quarterly bottom lines over the long term future of their businesses and our economy.

      Corporations do not disclose breaches or share information because of potential negative effects.

      etc etc.

      We have met the enemy and they is us.

  13. Matt

    A lot of comments are suggesting how very easy it is to comprehensively block known bad netblocks, domains, etc. While that might be true on a small network with no mobile users, it is an entirely different challenge on a global network with various types of mobile users. Very few companies have the same controls being applied to mobile users once they leave the “safety” of the enterprise network. Once compromised and back on the enterprise network, any notion that your controls are going to provide effective containment is pretty naive. Just as one small example, attackers often use dynamic DNS…is your firewall going to block that new IP address automatically?

    1. JCitizen

      No, but Comodo is adding new bad domains almost as fast as the crooks do. Is this perfect? No – but you gotta start somewhere.

  14. DeborahS

    As many of you have pointed out, recognizing and blocking IP addresses issued by dynamic DNS could be extremely difficult. At least I can say with certainty that I wouldn’t know how to do it without considerable study of the problem.

    But there is another point that I think is getting lost here. RSA knows the 3 domain names of their attackers, and evidently these domain names “had earned a reputation as launch pads for the same kind of attacks over at least a 12 month period prior to the RSA breach disclosure.”

    So while you may not know what IP addresses those domains are going by at any given time, it is possible to recognize and block domain names. I don’t know of an existing firewall that does this, but in principle it should be possible, and maybe not that difficult to implement. Unless the dynamic DNS points back to phony domain names, but somehow these domains were identified. If the identification took a lot of research (which Brian’s article didn’t say), then it might not be possible to do it in real time. But it certainly seems that whenever an IP address does point back to one of these domains, that would be enough information to use to block them.

    1. Infosec Geek

      It is not easy to block, or even detect, DNS traffic for such domains – in a large enterprise environment.

      If such capabilities are deployed it is easy to extend the malicious sets to single-use domains (domain.bad becomes domain1.bad, domain2.bad, domain3.bad…).

      Another whack a mole game.

      The adversaries have to love it when they entice us into playing those games, non-productive drain on our assets at little cost to them.

      Keeps us busy solving the wrong problems though.

      1. DeborahS

        @Infosec Geek

        “Keeps us busy solving the wrong problems though.”

        In general, I tend to agree with you, although I do see value in discussing the problems and possible options for solving them that we can see now, even if they won’t work. Brainstorming 101 – most ideas will go on the trash heap, but you increase the likelihood of coming up with some good ones if you put all of them on the table.

        As an Infosec Geek, do you have any insights into what might be truly good countermeasures? (The subject at hand is protecting internet servers from direct external attacks, and the answers there probably won’t be the same as answers for protecting individual computers.)

        1. Infosec Geek

          I just answered another of your posts with comments about not trusting any systems, I’ll now say I think it is possible to get an acceptably trustworthy system, but it is not easy.

          It means taking extreme pains, being very diligent, checking and monitoring and investing lots of time and effort in design, implementation, testing and operations.

          It is hard, and it is expensive.

          Resources are limited. Priorities conflict.

          So what it comes back to is risk based decisions.

          What is the risk if my website is compromised? What does it cost me?

          Surprisingly, it costs me very little, in most cases. If anybody ever notices I clean up the Zeus or whatever botnet code and that’s it. The folks who got exploited by being redirected to my server pay the price, not me as SA. My boss may never know, if he does he probably won’t see it as serious unless our corporate reputation gets trashed (it won’t, we didn’t lose any customer data, if every website that served malcode was shamed there wouldn’t be enough shame to go around).

          I could go on, but it’s late and I don’t need any more discouragement tonight so I’ll wrap for now.

          Last thoughts, there needs to be a paradigm shift in society. The root cause is the incongruency between who creates the problem and who suffers the consequences. It’s like the Love Canal pollution, a company makes money and shareholders love it but the neighbors get sick and die. Think about how the online experience, fancy graphics like Flash that make sites sexy but infect visitors – the software developers and site owners aren’t hurt. New features and new software are like crack, they’re addictive and destructive. The whole paradigm these days is more bigger faster, look at media content, games, the ‘net. We will continue to pay the price until we realize that it’s all just distracting us from principles of fairness and equality. Nobody wants equality, everyone wants to be on top, and this is the result. Repent, sinners! 🙂

          1. DeborahS

            @Infosec Geek

            “Nobody wants equality, everyone wants to be on top, and this is the result. Repent, sinners! :-)”

            Aye, aye, and there you have it. 😉

            (But if we don’t do something to stop them – they’ll eat us for breakfast and come back for 2nds and 3rds!!)

  15. DeborahS

    @Infosec Guy

    “If such capabilities are deployed it is easy to extend the malicious sets to single-use domains (domain.bad becomes domain1.bad, domain2.bad, domain3.bad…).”

    True, and this would be a slight hindrance in coding for protection, but not an insurmountable barrier. It is possible to filter for the root domain name, “bad”, so that all of its subdomains are also blocked. It would take more sophisticated code, so there’d be a performance hit for it, but that’s why we keep inventing faster hardware.

    I can’t think of any instances where you would want to allow any subdomain of a root domain access to your server, so blocking them all seems like a good idea.

    There is the problem of the same bad guys using several root domains, but I think we’ve discussed that earlier.

    1. Infosec Geek

      I can trivially extend the concept to non-predictable series.

      I’ve often said that if I were running the adversary the attacks we are seeing would be orders of magnitude behind what I’d be doing. I assume they have equal talent, so I assume we just aren’t yet detecting their best stuff.

      The current thinking is that no system can be defended so we have to adapt to working within a compromised environment.

      Another way to say that might be that we are always going to have some flawed elements, malicious exploits, evil-doers among us.

      So we have to stop designing and implementing and operating as though anything can be trusted.

      Stop trying to do whatever it takes to be able to trust your system and accept that you cannot trust it.

  16. DeborahS

    “I can’t think of any instances where you would want to allow any subdomain of a root domain access to your server, so blocking them all seems like a good idea.”

    Oops, sorry for the typo – I meant to say “I can’t think of any instances where you would want to allow any subdomain of a *known bad* root domain access to your server”

Comments are closed.