The Internet Should Be a Quiet Place
Time for neighbourhood watch?
The Internet should be a quiet place. It really should. There should be a lot of activity - hopefully - but people shouldn't be constantly distracted by talk of dangers and exploits and rifled accounts and so forth. People should have the opportunity to relax and see for themselves what opportunities are out there.
Up to now they've never had it. Not once. Not a single day.
The original Internet - ARPAnet - was quiet. And it was built to be redundant: the packet switching it ran on was designed so that losing a node does not stop communications (the popular version of the story is that it was meant to survive a nuclear holocaust). Knock out one node and the others route around it. Communications continue.
Today you knock out one miserable PC and the whole thing falls apart. That's not what the Internet's 'forefathers' had in mind. That's not what anyone had in mind.
Banks, airports, vessels, automobiles, hospitals - far too many run with no redundancy at all, and they're regularly crippled.
The Google story is exploding everywhere. Google were hacked to bits over the winter break. An estimated 34 companies in the US were hacked. This wasn't an accident or a loosely organised prank. This was well planned - planned so well in fact that one can suspect the perpetrators had the Hacking Exposed that George Kurtz co-authored on their night tables for months.
There's the footprinting part. After choosing the targets of course. Scan IP ranges, use tools like nmap to suss out what OS is running on each IP, see if you can correlate these IPs to real names by researching other (often paper) documents. Seek out the key targets you need and match these with the dumbest machines you can find. And as always: look for Microsoft Windows.
Just ask Gary McKinnon. It's amazing what you can find if you set your mind to it.
Then there's the timing. Kurtz recommends concentrating on companies in disarray - startups and mergers for example. Lacking that opportunity, see if you can coordinate things, for example, over the December winter break when everyone is halfway out the door and stumbling from all the eggnog.
Play the odds.
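The footprinting step above - scan the ranges, fingerprint the OS, find the softest Windows boxes - is exactly the triage a blue team should be running over its own ranges before someone else does. Here is that triage over nmap's greppable (-oG) output, as an added example that is not from the page or from the nmap project; the scan output is constructed (documentation IP range, made-up hostnames) in nmap's real tab-separated field layout.

```python
"""Triage of nmap greppable (-oG) output: which hosts look like Windows and
expose SMB/RDP.  Added example; SAMPLE_GNMAP is constructed, not a real scan."""
import re

# Constructed -oG output.  Fields are tab-separated; each Ports entry is
# port/state/proto/owner/service/rpcinfo/version/ (nmap's own layout).
SAMPLE_GNMAP = (
    "# Nmap 5.21 scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 (fs01.example)\tPorts: 135/open/tcp//msrpc///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: closed (996)\t"
    "OS: Microsoft Windows XP SP2\tSeq Index: 261\n"
    "Host: 192.0.2.11 (www.example)\tPorts: 22/open/tcp//ssh//OpenSSH 5.1p1/, "
    "80/open/tcp//http//Apache httpd 2.2/\tIgnored State: closed (998)\t"
    "OS: Linux 2.6.X\n"
    "Host: 192.0.2.12 (desk-042.example)\tPorts: 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///\tIgnored State: filtered (998)\t"
    "OS: Microsoft Windows 7\n"
    "Host: 192.0.2.13 (printer.example)\tPorts: 9100/open/tcp//jetdirect///\t"
    "Ignored State: closed (999)\n"
    "# Nmap done (constructed sample)\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")

# Windows-side services that should never face an untrusted network.
EXPOSED = {135: "MSRPC", 139: "NetBIOS", 445: "SMB", 3389: "RDP"}


def parse_gnmap(text):
    """One dict per host: ip, name, OS guess (if -O was used), open TCP ports."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # comment lines and anything odd
        ip, name = m.group(1), m.group(2)
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = hosts.setdefault(ip, {"ip": ip, "name": name, "os": "", "ports": {}})
        if "OS" in fields:
            host["os"] = fields["OS"]
        for entry in fields.get("Ports", "").split(","):
            parts = entry.strip().split("/")
            if len(parts) >= 5 and parts[1] == "open" and parts[2] == "tcp":
                host["ports"][int(parts[0])] = parts[4]   # port -> service name
    return list(hosts.values())


def rank_targets(hosts):
    """Score hosts the way the footprinting step does: Windows first, older
    Windows releases higher, plus a point per exposed Windows service.
    Returns (score, ip, os, exposed services), highest score first."""
    ranked = []
    for h in hosts:
        score = 0
        if "Windows" in h["os"]:
            score += 10
            if any(v in h["os"] for v in ("2000", "XP", "2003")):
                score += 5                # older release, softer target
        exposed = sorted(EXPOSED[p] for p in h["ports"] if p in EXPOSED)
        score += len(exposed)
        ranked.append((score, h["ip"], h["os"], exposed))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


if __name__ == "__main__":
    for score, ip, os_guess, exposed in rank_targets(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{score:3d}  {ip:<12} {os_guess or '?':<28} {' '.join(exposed)}")
```

The scoring is deliberately crude; the point is that the output of `nmap -O -oG` is trivially machine-sortable, so whoever reads your ranges first gets the list of your softest Windows boxes for free.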
Kurtz, formerly of Ernst & Young and later CEO of Foundstone, is today worldwide CTO for McAfee. It's his report on the Google attack which put the first technical details of the intrusion on the record.
In our investigation we discovered one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer.
As with most targeted attacks, the intruders gained access to an organisation by sending a tailored attack to one or a few targeted individuals.
They did their homework.
We suspect these individuals were targeted because they likely had access to valuable intellectual property.
These attacks will look like they come from a trusted source, leading the target to fall for the trap and click a link or file. That's when the exploitation takes place, using the vulnerability in Microsoft's Internet Explorer.
What a shocker. Who could have suspected?
Once the malware is downloaded and installed, it opens a back door that allows the attacker to perform reconnaissance and gain complete control over the compromised system. The attacker can now identify high value targets and start to siphon off valuable data from the company.
The part about the back door and complete control of the box is key. Now get ready for another gut punch.
Our investigation has shown that Internet Explorer is vulnerable on all of Microsoft's most recent operating system releases, including Windows 7.
Now for the discreet retreat.
There very well may be other attack vectors that are not known to us at this time.
Bill will be pleased. Now Kurtz' conclusions.
All I can say is wow. The world has changed. Everyone's threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property, private nonfinancial customer information, and anything else of intangible value.
What's obvious is that the attackers didn't try to hack through crappy Microsoft web software - they footprinted the organisations and attacked through Internet Explorer on Windows PCs. And once they got on the inside, they rifled entire organisations. And, it appears, wiped their tracks on the way out.
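Kurtz's sequence - payload pulled down after the click, back door calling home, data siphoned off - leaves three footprints in an outbound proxy log that can be tied together per user. The correlation below is an added example, not the page's or McAfee's code; the proxy log is constructed (reserved .example domains, made-up users and byte counts), and the thresholds are assumptions to tune per site.

```python
"""Correlate, per user, a payload download, a back door beaconing on a fixed
interval, and a large outbound transfer to the same domain.  Added example;
SAMPLE_PROXY is constructed and the thresholds are assumed, not measured."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: time user dest-host bytes-in bytes-out response-type
SAMPLE_PROXY = """\
2009-12-24T09:01:10 alice intranet.example 4200 512 text/html
2009-12-24T09:03:42 alice news.cdn-mirror.example 9800 800 text/html
2009-12-24T09:03:44 alice news.cdn-mirror.example 96000 300 application/octet-stream
2009-12-24T09:04:00 alice stats.cdn-mirror.example 120 210 text/plain
2009-12-24T09:09:00 alice stats.cdn-mirror.example 120 215 text/plain
2009-12-24T09:14:00 alice stats.cdn-mirror.example 120 212 text/plain
2009-12-24T09:19:01 alice stats.cdn-mirror.example 120 218 text/plain
2009-12-24T09:40:00 alice drop.cdn-mirror.example 200 48000000 text/plain
2009-12-24T09:02:00 bob intranet.example 4200 600 text/html
2009-12-24T09:30:00 bob updates.vendor.example 2048000 400 application/octet-stream
2009-12-24T10:15:00 bob mail.example 5000 1200 text/html
2009-12-24T11:30:00 bob mail.example 5100 1100 text/html
"""


def parse_proxy(text):
    events = []
    for line in text.splitlines():
        t, user, host, b_in, b_out, ctype = line.split()
        events.append({"time": datetime.fromisoformat(t), "user": user, "host": host,
                       "in": int(b_in), "out": int(b_out), "type": ctype})
    return events


def registered_domain(host):
    """Crude: last two labels.  Good enough for the sample, not for real TLDs."""
    return ".".join(host.split(".")[-2:])


def find_beacons(events, min_hits=4, max_jitter=0.1):
    """(user, host) pairs contacted at near-constant intervals.  Returns
    {(user, host): (mean interval in seconds, time of first contact)}."""
    times = defaultdict(list)
    for e in events:
        times[(e["user"], e["host"])].append(e["time"])
    beacons = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:   # low jitter = timer-driven
            beacons[key] = (round(avg), ts[0])
    return beacons


def correlate(events, exfil_bytes=10_000_000):
    """{user: stages} for every user whose executable download from a domain is
    followed by beaconing to that same domain; outbound volume to it is summed."""
    beacons = find_beacons(events)
    report = {}
    for e in events:
        if e["type"] != "application/octet-stream":
            continue                                     # candidate payload download
        dom = registered_domain(e["host"])
        later = [(h, iv) for (u, h), (iv, first) in beacons.items()
                 if u == e["user"] and registered_domain(h) == dom and first >= e["time"]]
        if not later:
            continue
        sent = sum(x["out"] for x in events if x["user"] == e["user"]
                   and x["time"] > e["time"] and registered_domain(x["host"]) == dom
                   and x["out"] >= exfil_bytes)
        report[e["user"]] = {"dropper": e["host"], "beacon": later[0][0],
                             "interval_s": later[0][1], "exfil_bytes": sent}
    return report


if __name__ == "__main__":
    for user, stages in correlate(parse_proxy(SAMPLE_PROXY)).items():
        print(user, stages)
```

Bob's vendor download never produces a hit because nothing beacons afterwards; the chain, not any single event, is the signal. A real deployment would swap the two-label domain heuristic for a public-suffix list and feed the result into whatever the SOC uses for triage.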
Tenzin Seldon was inadvertently one of the ways Google found out what was going on. A student at Stanford, she was in her Gmail account when Google noticed someone else was in there as well.
That's her in the picture on the right. With her Hewlett-Packard laptop with the big Stanford 'S' on the lid.
Tenzin comes from a farming family in Tibet that miraculously found the cash to move to the Frisco bay area, and she's a PC. All the way.
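What tipped Google off was the account being open from two places at once. That check is simple to state and worth having on any service that holds mail: for one user, two different sessions active inside a short window from different networks. Added example, not Google's code; the activity log is constructed (documentation IP ranges, made-up users, sessions and country labels), and the window and severity rules are assumptions.

```python
"""Flag a mailbox open from two places at once.  Added example; the session
log is constructed and the ten-minute window is an assumed default."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed activity log: time user session-id source-ip geo-country
SAMPLE_SESSIONS = """\
2010-01-11T14:00:05 tenzin s-1 198.51.100.23 US
2010-01-11T14:02:17 tenzin s-1 198.51.100.23 US
2010-01-11T14:03:40 tenzin s-2 203.0.113.77 CN
2010-01-11T14:05:01 tenzin s-1 198.51.100.23 US
2010-01-11T14:06:59 tenzin s-2 203.0.113.77 CN
2010-01-11T15:30:00 bob s-3 198.51.100.5 US
2010-01-11T15:31:00 bob s-4 192.0.2.140 US
2010-01-11T20:00:00 carol s-5 198.51.100.5 US
2010-01-12T09:00:00 carol s-6 192.0.2.20 GB
"""

SEVERITY = {"low": 1, "high": 2}


def parse_sessions(text):
    events = []
    for line in text.splitlines():
        t, user, session, ip, country = line.split()
        events.append({"time": datetime.fromisoformat(t), "user": user,
                       "session": session, "ip": ip, "country": country})
    return events


def find_concurrent_sessions(events, window=timedelta(minutes=10)):
    """Two different session ids for one user active within `window` of each
    other.  Different country -> high; same country, different IP -> low
    (a phone next to a laptop looks like that).  Same IP is ignored: a second
    browser on the same machine is not what we are after.  Returns {user: alert}
    keeping the worst severity seen per user."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["time"] - a["time"] > window:
                    break                                 # events are sorted
                if a["session"] == b["session"] or a["ip"] == b["ip"]:
                    continue
                sev = "high" if a["country"] != b["country"] else "low"
                cur = alerts.get(user)
                if cur is None or SEVERITY[sev] > SEVERITY[cur["severity"]]:
                    alerts[user] = {"severity": sev,
                                    "sessions": sorted({a["session"], b["session"]}),
                                    "sources": sorted({a["ip"], b["ip"]}),
                                    "at": b["time"]}
    return alerts


if __name__ == "__main__":
    for user, alert in find_concurrent_sessions(parse_sessions(SAMPLE_SESSIONS)).items():
        print(user, alert["severity"], alert["sessions"], alert["sources"])
```

Carol's two sessions thirteen hours apart from different countries are a different check (impossible travel) and deliberately not this one. The high-severity case is what should trigger an interstitial to the user and a forced re-authentication, not just a line in a log.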
That the long arm of Chinese security could reach all the way to my home here at Stanford is something I never would have suspected.
It's very disturbing when your Gmail account, which is as personal as it gets, can be hacked into and breached.
Yes, very disturbing indeed.
But similar attacks on Gmail have happened in the past and are well documented. Yet Google systematically deny any fault on their side.
The real shocker here is that Tenzin is a regional coordinator of Students for a Free Tibet. That she would - under these circumstances - be running Microsoft software leaves concerned people speechless.
Google knocked on Tenzin's door and asked for her nifty Windows laptop. They congratulated her for choosing Windows and then took it away for forensic testing.
The Googlers held onto Tenzin's box for six days and never found a thing. But an 'industry source' familiar with the case said the malware might have been smart enough to erase itself once the dirty deed was done.
Tenzin herself doesn't remember opening any dodgy mail attachments and insists she doesn't share her Gmail password.
The cringe factor pins the needle.
Sifting Through It All
As always with stories such as this, one has to dig a bit to get to the true essence - the truth. This is necessary because behind the scenes, the major players are already out there trying to spin the story away from themselves.
This is exactly what happened ten years ago when the story of the ILOVEYOU worm started to break. Microsoft representatives around the world brought immense pressure on local media to not reveal Microsoft products were involved in the attack. BBC's online news service got roasted good and proper for giving in to Microsoft's Reading-based 'chief security czar'. The same thing happened in Sweden and other countries. But finally the story came out.
So what do we actually know about the Google attack?
√ At least 34 companies got hit. Googlers are pretty awake, so they traced the whole thing back to its source. And they held an emergency meeting on Xmas eve. It was that serious. Other companies that got hit include Yahoo, Adobe, Juniper Networks. This was no random prank. This was a well organised attack.
√ The hackers went in with a laundry list. They weren't after just one thing - they were after a whole slew of different things. This attack was very well planned.
√ The attack was targeted. This wasn't a worm per se - it was the result of proper systematic textbook (Hacking Exposed) footprinting. The preparations for this attack were not trivial.
√ They hit the classic weakest link - Microsoft software. Microsoft's Internet Explorer is not only a shitty browser - it's also the #2 worst application on the Internet today in terms of security. (Microsoft's Outlook is the #1.)
How Bad Is It?
As Microsoft work overtime on damage control, others will once again have to ask themselves why the planet has to suffer through such nonsense when proper secure technologies are available.
Some will ask themselves why Google's Windows systems weren't properly sandboxed; others will ask about the legendary Gmail hacks that Google refuse to talk about; still others will ask what kind of security is practiced at these companies when the state of security for Microsoft products is well known; still others will ask - again - why Microsoft products are allowed on the Internet at all.
The case against Microsoft is not a close one. What happened to the 34 is going to happen again. It's been happening ever since people got on the World Wide Web. The first ten years of the New Millennium have been a fucking mess with Microsoft hack after Microsoft hack stealing the headlines and distracting people from what they really want to do online.
And it's always so Windows-centric - no one's forcing the idiots to use Windows and most people really don't want to hear about their misery when they get hacked again.
People don't want to be reminded that critical surgical operations have been sabotaged because of Microsoft Windows. They don't want to hear that battleships have been left crippled at sea because of Microsoft Windows. They don't want to hear that pinstripes have been locked in their automobiles because of Microsoft Windows. They don't want to be reminded that almost all SMTP (email) traffic on the Internet today is spam pumped out by botnets of compromised Microsoft Windows machines.
They don't want to hear about Windows at all. And the smartest amongst them just want Windows - and Microsoft and Bill Gates and Steve Ballmer - gone.
Because the situation is very bad indeed. No matter that George Kurtz is totally Windows-centric - when he says 'all I can say is wow', you can know he means it. The Google attack is the 'Hacking Exposed' worst nightmare - it's the book's teachings taken to the field and implemented as never before.
What Should We Do?
Obviously we have to proselytise against the use of Microsoft products online. The only safe way to run Microsoft software is to stay disconnected from the Internet.
Which is coincidentally the only way the security of Microsoft products has ever been formally tested. (Floppies, CDs, and DVDs are excluded as well.)
And whilst we can perhaps convince a few friends and acquaintances to abandon Windows (as the gurus have been recommending for years) there's quite a lot more that has to be done - and not by us. But by the corporations.
√ Mark Shuttleworth. Mark has to get down off his hobbyhorse and stop idolising a furball hermit who boasts of having sex with his potted plants. Mark has to turn over major design decisions to people who know what the fuck they're doing. He has to stop racing to push out updates of his 'buntus' that never really work right.
Mark Shuttleworth has to realise - or be taught - that better icons aren't making his makeshift platforms more popular. That success is instead about usability and market saturation. And that if he wants to succeed, then he's going to have to compete on the same terms as everyone else.
√ GNUstep. GNUstep are the people behind the open source implementation of the OpenStep GUI, a project going since the mid-1990s. And they're still not ready. They keep telling everyone how difficult it is to get their system working properly. Someone has to work with them, take the code they have, and turn it into something that works.
√ Apple. Apple had the ultimate Windows killer a dozen years ago. It ran on everybody's hardware and on everybody's system software too. But what did they do? They pulled the ultimate 'bait and switch': lured NeXT's third party developers into the new project with the express promise that support for Windows would continue - and then silently and in incomparable fashion just dropped the whole thing.
Apple need to get out of this 'whole banana' mindset that's been driving the company and the CEO since the 1970s, since the 'blue box' even. They need to learn to collaborate with the other industry players - the FreeBSD group and the rest - and learn to use those excellent products 'out of the box'.
They need to learn to keep their components up to date. They need to pull in people who understand system security. They need to get rid of the knobs who override security decisions in the name of 'user friendliness'.
Above all, they need to recognise what their strengths are. They need to understand that it's their GUI technology that's the only thing they've ever had.
And they need to get this technology out there and start licensing it.
The state of the Internet in the year 2010 is ridiculous - more ridiculous than it was ten years ago when the mess that is Redmond software started shitting down on everyone. Microsoft have long ago drawn their line in the sand. And the hackers get only better, more sophisticated, more deadly. Hacking Windows today is 'Hacking 101'. You break in through an extended perimeter like a web browser and the whole system - a whole network - goes down.
That's not an operating system. That's a joke. A ridiculous joke.
The operating system war is not over; if it were, the planet would be done for. Windows and Microsoft products have to be abandoned and replaced. And it's up to the other corporations and us netizens to stop being so fucking lame and finally start doing something about it.