China vs. Google

January 15, 2010

On 12 January Google announced an attack originating from China.

[Image: Google Dragon]

According to Google's blog, this is not the first time an attack from China has been detected:

“Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident–albeit a significant one–was something quite different.”

The attacks aimed at accessing the Gmail accounts of human rights activists. Only two accounts were accessed:

“We have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.”

One analysis of the incident recommended by Google is the one by Nart Villeneuve:

“iDefense has stated that they were able to investigate these attacks since some of their customers were also hit:

IDefense was called in to help some of the victim companies that Google had uncovered. According to Jellenc, the hackers sent targeted e-mail messages to victims that contained a malicious attachment containing what’s known as a zero-day attack. These attacks are typically not detected by antivirus vendors because they exploit a previously unknown software bug.

“There is an attack exploiting a zero-day vulnerability in one of the major document types,” Jellenc said. “They infect whichever users they can, and leverage any contact information or any access information on the victim’s computer to misrepresent themselves as that victim.” The goal is to “infect someone with administrative access to the systems that hold the intellectual property that they’re trying to obtain,” he added.

The attack vector is very similar to GhostNet, but, it is a very common form of attack. Mikko Hypponen (who is awesome) told the BBC:

“This wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly,” said Mikko Hypponen, of security firm F-Secure.

“Most companies just never go public,” he added.

“Human-rights activists are the biggest target,” said Mr Hypponen. “Everyone from Freedom for Tibet to Falun Gong supporters and those involved in Liberation of Taiwan are hit.”

I tend to agree. It is not the method of attack that is the story here; it’s the high profile of the victims and the public disclosure by Google, as well as Google’s decision to challenge China’s censorship, that have made it so interesting. Really, we investigate these kinds of attacks (usually on human rights activists) all the time.”

I also found a very good one by Sam and Sydney Liles:

There are a variety of examinations on details within the attack. The path to an attack is fairly simple to discuss and much harder to actually do:

  1. Determine a scope and objective for the attack.
  2. Create an acquisition mechanism.
  3. Determine a delivery and propagation mechanism.
  4. Using a varied path (heterogeneous) select targets of opportunity.
  5. Place the exploit code into the wild with the propagation and acquisition mechanism in place.
  6. Diversity of the delivery mechanism across the largest target population is important.
  7. Exfiltration of information and tuning of the attack after contact with targets increases the risk substantially.
