Hackers who breached the defenses of Google, Adobe Systems and at least 32 other companies used a potent vulnerability in all versions of Internet Explorer to carry out at least some of the attacks, researchers from McAfee said Thursday. The previously unknown flaw in the IE browser was probably just one of the vectors used in …
Flip the switch.
Let's just take China off the Internet.
It's not as if we would be missing any great pr0n or anything.
...I don't get a huge amount of email from China -- or from the rest of Asia, for that matter -- but any email I _have_ gotten from there has _always_ been spam. I long ago reached the point where I've set my filters to automatically shit-can anything from China, Taiwan, Hong Kong or Japan -- or anyplace else with a non-Roman character set, for that matter.
I'm on the editorial board of the Indymedia site in my city (Washington DC), and we've just finished cleaning up the mess from a massive spam flood from China, and for the millionth time, I've suggested to the resident geeks that we just block anything from Asia, or with non-Roman character sets, but the more militant PC types still give me grief about it. It's not "inclusive", they say, or some shit like that, while totally ignoring the fact that every post we've gotten with Asian or other non-Roman character sets has either been dating-site spam (Asian) or been packing a malware payload (Russian, usually in the form of a .pdf file).
Oh the irony of Indymedia trying to censor...
Who's "we"? For the major network operators to "flip the switch" would cause a major shitstorm.
On the other hand, it strikes me as an absolutely fabulous idea for individual users to be able to say to their PC (or ISP) "I don't want to accept any email from outside my own country, I don't want to visit any web-sites from outside my own whitelist of trusted countries, and I don't want to use encrypted links to anywhere outside my own legal jurisdiction.". It's a pity that IP address allocation makes it quite difficult to do that, but perhaps it can be arranged that IPv6 has an address space more closely aligned to political and legal boundaries.
Re Har Irony
Not to mention the unsurprising stupdity of someone conflating the prevention of spam and censorship.
Re Re Har Irony
"I've suggested to the resident geeks that we just block anything from Asia, or with non-Roman character sets,"
Sounds like more than just spam to me, namely anything
Let's just take China off the Internet?
Not that it'd make much difference, have you seen how many chinese s-too-dense are studying computer science in the UK... Biggest income source for some universities, where they teach them coding and hacking skills...
Contrary to reports that this was just a brute force attack where malware was being installed on peoples systems through fairly mundane methods; it was actually a relatively sophisticated attack coming from competent coders who probably have an array of 0day vulns they found themselves and are keeping for a rainy day.
Juicy but probably not all that juicy. Depends whether they were only targeting human rights activists (the mundane) or if they were targeting organisations for the theft of data which could prove valuable to the Chinese Government, which by the tone of this article, they were. mmMmm yummy.
Of course - not something we here in the UK or those there in the USA would ever do, nonono. In the same way that our soldiers are perfect and do not beat up, molest and kill POW's (terrorists?) hah. Pot calling kettle black really. They are all at it. Cheeky beggers. Now, where did I put that 0day? :-D
What, the employees of Google in China were using the Microsoft IE browser instead of their own Google Chrome browser? The horror, the horror!
34 companies use Internet Explorer?
Finally something somewhat Gibsonesque
"There was nothing in the binaries that indicated either way whether the code writers spoke Cantonese or Mandarin or were located in China."
So, why is it a "Chinese cyber assault". Could as well be Israeli.
The C&C IP addresses were only 6 IP's apart from a previous attack and are known to be used by Chinese state or proxies of chinese state.
I think it was the Welsh.
They've been quiet. Too quiet....
Colour me surpised
A Serious Security Breach involving Microsoft Internet Explorer? Tell me it isn't so!
What were the Wee Wille Wonkers doing at the Chocolate Factory? Not eating their own dog-food one must presume.
Eh? IE? At Google? I smell fish...
OK, Yahoo, Northrop Grumman I can understand... but Google?
Why was anyone at Google using IE outside a testing environment? Isn't that why they developed Chrome?
Or was the attack of the "click here for hot chinese babes" style and sent to senior managers only? Assuming of course that senior managers are just as pointy-haired at Google as everywhere else.
Mines the one with the soup stirrer in the pocket....
corporate secrets =/= using IE
Sure, opera/firefox/etc are unlikely to be entirely free of current or future exploitable weaknesses, but even adjusting for market share, they seem far lower risk as far as exploits go.
Seriously folks - any modern company with secrets to manage with a CIO who allows anyone on one of their laptops or on their internal networks to use internet explorer 6, or for that matter, any other version needs a new CIO? This is just getting silly.
Management != Intelligent
Unfortunately the management of most of the companies thinks the Sun shines out of the orifice which is Microsoft. Microsoft can do no wrong and they will release a fix for their problems. There is an attitude "You will not fired for buying Microsoft", it used to be "You will not get fired for buying IBM" in the 1970s and 1980s.
Companies should declare their IT infrastructure platform details as part of the Financial submission in published accounts ie
Server platform breakdown
Windows Server 80%
Solaris server 10%
Linux server 10%
Desktop platform breakdown
Windows desktop 98%
Then you take your money out of business that are more than 40% Microsoft based
If you look up Norton's range of anti-virus, anti-spam, anti-rootkit, we're-so-damn-safe software, you'll see a reference to:
December 2008 Yahoo! Tech: Antivirus recommended: In defense of Norton
So that explains why Symantec and Yahoo are on the list, then.
Can't believe Google got hacked. What, is their _OWN_ browser not good enough for them? Is there something _WE_ should know if Google bods are using MSIE instead of Chrome?
You people are forgetting...
That way back when MS released IE6, they announced that it was the final form of the web browser. Not just the final form of IE, but the very concept of web browser. (Will now pause until the laughter dies down)
Unfortunately, the PHBs in charge of most companies believe what their highly paid consultants tell them (Guess who THEY worked for), plus what they read in the Better Business for Billionaires trade magazines (And guess who THEY listened to).
So the word went down from corporate high, and all internal and external business apps of most big businesses were hard-wired to work only with IE6, and then the coders were let go.
Years later, the businesses are still using those now mission critical apps, and can't drop IE6 without a costly major revamping of the infrastructure. So they stay with IE6, and trust Redmond to keep them safe. (Mixed gasps of horror and gales of derisive laughter)
I still don't believe
anyone who tells me their mission critical intranet apps would never work on anything other than IE6. Later versions of IE even have a compatibility mode, or so I hear, so there is truly no excuse. The least they could do is lock IE6 down to use a proxy that allows nothing but intranet access, and use a real browser for the internet. Trivially easy to do, but don't hold your breath waiting for it to happen.
I just assume the IT bods are too lazy to have even tested it on anything else. After all, why spend an afternoon doing some work when you can play Tetris instead?
You can act offended, but what IT department have you worked for that will actually do something to solve a problem that doesn't effect them. They're all using FireFox anyway, so who cares right?
There speaks someone who hasn't done much web development
It's not about IT bods, it's about what you're permitted to do.
The most probable scenario is that the users, testers, sysadmins and developers are fully aware that the app does not work in later versions of IE or firefox.
This is highlighted to management. Management refuse based on the fact 'it's currently working' and there are other priorities. Developers can't be bothered doing the modifications in their own time, and are not enthused by the lack of vision by management.
Given a choice between something that will not be appreciated or earn you extra money (in fact something that could *lose* you money, next annual review time) and having to confront someone to fix the app, it's understandable why Tetris might be chosen.
IE6 will never die
"""I still don't believe anyone who tells me their mission critical intranet apps would never work on anything other than IE6."""
I used to work at a rather large company, one which fancies itself to have quite the cutting edge IT 'system' or whatever they called it. What that boiled down to was multiple groups of people, separated by time, space, and management, each developing some essential software - asset tracking, training, certification, shipping, document distribution, data centralization, and who knows what else. Anyway they're all coded differently and insanely, and the only thing they have in common is pretty much the use of ActiveX.
Some of those apps did work in IE7 (8 wasn't out before the company and I departed ways,) but for a few it was absolutely necessary to use IE6. Then again there were some web apps that wouldn't even try to load in IE, so I had to have Firefox on my work machine too. And since I don't like using FF or IE if I don't have to, I had Opera as well.
The software that actually generated us revenue, which was run constantly to acquire data was originally coded for Solaris 8, but was ported to run on WinXP in an X server, with all the standard Solaris 8 look and feel that we have come to love.
Also I'd like to offer a further edit to the article:
"""Kurtz has dubbed the attack "Aurora" """ ...because it sounds fucking cool.
IE on the client side, not at google
An unpublished exploit in IE? Say it ain't so, Steve.
Maybe Google should just deprecate IE support - or gradually make it slower. Nah, Google wouldn't pull a low down dirty trick like that.
No title, this is a reply.
Google wouldn't deprecate IE support, it would surely affect their advertising possibilities.
As for making it slower... what, slower than IE already is? Think anybody would notice?
On a diferent note...
The article states that browser level DEP would have worked as a minor deterrent in this case. I'd be interested to know how well the OS/hardware level version would have worked as well. Would the workaround still be possible?
Badgers, cause I don't want any of those little critters scurring around inside my computer either.
For goodness sake, just mandate that senior people (and all "Managers") must use Lynx.
It would at least cut down some of the rubbish out there...
I'm as ready to have a pop at MS as the next person, but at some stage there must have been some muppet, who should have known better, who clicked on a link and started the ball rolling in each of these corps!
When they find these muppets it should be, "You are the weakest link, goodbye!".
Prelude To Termination
Weakest Link (re: Hold on!)
I think these attacks are not of the 'Free pr0n!!!! Click me!!!" types, but rather individually crafted mails that appear genuine.
"Click here to infect your computer"
Funny thing is, I've never seen a link that says "click here to infect your computer".
Does the fact that ANY link could be used to infect your computer means that you should NEVER EVER click on any link?
When you read a page with a headline saying that your competitor have announced that they have released something that will kill your company, you don't click the link to see what the story says? Because websites are never compromised. No-one has ever managed to change the content of a respectable web site, have they?
Add on to that the fact that MS software is just a massive orgy. Every piece of their software uses parts from all the others. I don't know how many MS apps I've got that fire-up parts of IE in the background to do things. I've even got apps from other companies that fire-up IE to open a pdf file inside a window in the app.
So, I admit it, I am a muppet. I click on links (it's how I got here). I use MS software, and other companies software. It makes me a muppet, I should just go back to my abacus.
IT savvy muppets
from a different story in today's Register, a Law firm suffered a similar attack, "Attorneys at ........ began receiving trojan-laced emails made to appear as if they were sent by other members of the firm"
Lynx is not the only way.
Mandate that all eMails are received and sent in text only format.
Just say no to reading/sending HTML messages.
Hold on to what?
I wouldn't be too hard on them, if these were targeted attacks then we're not talking about the typical "Warming! There is a problem of your account. Please clicker here so we can be conferming your information. You account may be terminated!" phishing emails.
If an attacker is willing to put some time into it, I don't think it would be that hard to create an email convincing enough to fool all but the most paranoid. It needn't be a hit-and-run either. They could exchange a few apparently legitimate and relevant messages to build up trust first. I'm only speculating, but from everything we've heard they're much more sophisticated than the average phishing scam.
Definitely no HTML
My mail server bounces email with an HTML section. It's a security risk and even though I run Linux, I'd still prefer to know what's happening.
MS::real world interface fail
technology leaders != techies
Otherwise, what were "senior technology leaders that had access to core pieces of intellectual property, source code" be doing running IE?
Tut tut users should not be allowed to run with admin rights this would of prevented the attack. Not to mention training these 'high' up staff NOT to open any old attachement.
And in a Variation on Publicly Unknown ZerodDay Vulnerability Exploit BetaTesting ....
"In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer," Kurtz wrote. "Our investigation has shown that Internet explorer is vulnerable on all of Microsoft's most recent operating system releases, including Windows 7."
Err, all the best exploits of a vulnerability in any System, are always privately known and carefully discussed with publicity unwelcome for there is always the matter of Danegeld to be paid in order to ensure that the vulnerability does not morph into an attack vector because of non-payment of the insurance premiums, which would be the Danegeld, which would have allowed the exploit policed by those who would have discovered it, able to advise and build defences around it to deflect away anyone else who would also stumble upon/suddenly realise the fundamental flaw which might be, in the holiest grail of holy grails of exploit search and destroy missions, the unpatchable vulnerability which will always require Danegeld Policing ..... as opposed to Random Beautifully Exorbitant Ransom Demands, which if not Regularly Paid to Unscrupulous and/or Rightly Aggrieved Souls, will Lead to Systems Total Collapse rather than Total Systems FailSafeGuard.
For as sure as Eggs are Eggs, anything which can be found once, and is not patched and policed against further discovery with a misleading false trail deflecting interest and attention elsewhere to nowhere vulnerable, will be easily found again and maybe definitely probably certainly more ruthlessly exploited to create Collapse with no possibility of Preventative Measures with Insurance Payments to Assure against the Devastation.
Find those Flaws and Vulnerabilities in a System and you will be in Key and NEUKlearer Trigger Command and Control of the System and those who would presume themselves to be in Control of its Powers ..... Remotely and Virtually. And in a Position to Dictate Terms and Conditions if your New Rights to such a Position are Abused or Doubted rather than Recognised and Rewarded.
It is a Well Known Fact, even in the World of the Unknown, that the Best Gamekeepers are Expert Poachers ...... the Best Cops, Smarter Crooks ...... the Best Spies, Excellent Actors ..... the Greatest Programmers , Cracking Code Hackers?
The bods in Sales and Accounts, and many tech types will consider it onerous to be forced to use desktop tools which differ from the ones on their home computers or laptops. Security will not be a primary concern. I once read that Scott McNealy said all his staff use non M$ software, but I take that with a pinch of NaCl.
I understand how onerous it is, after spending dreary days being forced to write Word documents, usually by using other peoples docs as templates, and overwriting the text. IE infuriated me. It's different! I can't cope!
A major part of 'data processing' is now involved in converting relational datasets into corruptible spreadsheets. A company's accounts is a spreadsheet now, whatever the techies might think. So there will be an awful lot of company secrets on machines with IE.
TBH, it's not the fact that it was IE that shocked, it's that people in Google are using Windows. I really don't see any need for them to be using it at all? They won't be using Exchange and I doubt they have their whole documentation library in Word format with lots of dodgy macros so why wouldn't they all be using something like Ubuntu?
even Google has to test it's offerings with the most used plattform. Nobody would use gmail, earth, picasa whatever if it wouldn't work with Windows.
And just how many of Google's Ubuntu powered machines were compromised?
From my reading, the attack targeted developers
"It was really targeted at senior technology leaders that had access to core pieces of intellectual property, source code, et cetera."
The 'sophistication' of the attack, here, seems to be at a Social Engineering level, rather than a technical one: knowing who to hit. So, yes, the targeted individuals may well have had IE6 on their computers (or, at least, *a* computer, that they had access to, sitting fairly deep inside the corporate network) - maybe as a multiple-IE install, on a virtual box, or via their own internal version of that sort of theme (indeed, the 'undocumented vulnerability' may only exist when you run IE 6 in that context, who knows, at this stage?).
Google developers generally use (or used - back when I knew these things with more certainty than I do, now) Linux laptops - typically high spec Latitudes - and are believed to use Konqueror, quite a lot (Google employees have been known to forward Google links to external recipients, where you can see, from the URL, that Google has, itself, misidentified Konqueror as "Safari" running on 64 bit Linux), but they will have had access to some sort of machine running IE 6: it's their job to do so.
If, as a developer, you got an email that appeared to be from a legitimate source, that explicitly asked you to take a look at something *in* IE 6, you might fire up a test machine or virtual box, load up IE 6 and hit the link. You might notice something was amiss, at this stage, because of the way your hard drive began thrashing like a washing machine, or the fact that your network card lit up like Christmas, but by then the exploit is running - albeit, perhaps, in some sort of memory sandbox.
It really is starting to sound like it was a question of who was hit, and how they were hit, that led to such an unequivocal response from Google.
So appart from a bit of circumstantial evidence (IP Addresses sources?) there is nothing to indicate that these attacks are launched by the Chinese government? The US Government? Russian Hackers? American Hackers?
I don't buy this, but it looks like it's gone the way of swine flu. Keep milking it reg keep milking...
Its not the CEO's at fault
Very few top-level execs either have a laptop older than 18 months, or regular access to real important stuff like code, papers etc. No, this is down to poor IT practices and regular employees like you and me. Oh the humility.
Personally I would vote for Piers Morgan in the top job at Microsoft. That really would be the icing on the cake.
Well, I never ..... Celts and Vikings Tasking Masking Trojans for In Cloud Configuration?
Hmmmm ?! It is quite spooky to watch the excellent FSecure YouTube video, "Targeted Attacks", hosted on El Reg here.... http://www.theregister.co.uk/2010/01/14/google_china_attack_analysis/ .... which advises on the same or a very similar likely targeted attack mindset scenario and progression as was shared in the earlier HyperRadioProActive post here, on this thread ..... "And in a Variation on Publicly Unknown ZerodDay Vulnerability Exploit BetaTesting ....", Posted Friday 15th January 2010 07:37 GMT [although there is, since El Reg changed the message board format , an obfuscating time differential between the time a post is submitted for display publication and the time shown should it appear in the subsequent discussion/threaded response, which suggests a later posting time because of .....??? Server Message Blocks/Snoop Activity/Active Positive Vetting/Nothing Sinister Actually, and with some delays in Moderation as to effectively Neuter some Hot Topics, which is a Shame in Registered AIdDynamically Frenetic Great Global Games?]
Certainly the latter half segments of both presentations are in Virtual Sync. and the almost identical analogous use of hobbyist, criminals and spies in the presentations would be unusually at one with each other?
Chrome has an MSIE version
Remember that you can install Google Chrome as a plugin in Internet Explorer. So developers have that reason to run MSIE, to test it on the web.
Since Chinese people can't say the letter R, I think it's unlikely that they called their hacking project Aurora. It would be like sharing an office with a hundred stammering Jonathan Rosses. After two weeks of getting no work done, they'd surely change the name to Opewation Four Poofs. (Of course, some readers won't know what this has to do with Jonathan Ross, or who he is.)
MS spokesperson said:
"Obviously, it is unfortunate that our product is being used in the pursuit of criminal activity."
NO! It's bloody scary, not unfortunate! Unfortunate is if you trip over something while not paying attention. A piece of software, that is in use by millions, that has years of history, allows the entire O/S to be compromised, that's negligence bordering on criminal.
Oh my,oh my, oh my
Vulnerability that affects all version of Windows inc. 7
I'm sure you're right Dan, I can't be bothered to argue.
Just tell me please, how the fuck am I going to get IE 6 on any of my versions of Win 7, which comes with IE 8 as standard part of the system, or to add to that count, how the fuck am I going to get IE 6, on any of my Vista versions which come with IE 7 as standard and integral part of the OS.
Not that I'm a leading technology officer at any major recently hacked leading Technology company.
So I'd have to go some to intently downgrade my IE to a sub standard version in the first place, but then like I said, I'm not a leading technology officer in a leading recently hacked technology company, or anything.
Better downgrade to IE 5.01
Since this is the only version known to be unaffected, somewhere in the basement must be an old iMac running OS9 and IE 5, might be just right for those who can't live without IE :)
I'd really lol if it was Mckinnon again...
- NASA boffin: RIDDLE of odd BULGE FOUND on MOON is SOLVED
- SOULLESS machine-intelligence ROBOT cars to hit Blighty in 2015
- BuzzGasm! Thirteen Astonishing True Facts You Never Knew About SCREWS
- Worstall on Wednesday YES, iPhones ARE getting slower with each new release of iOS
- Microsoft's Euro cloud darkens: Redmond must let feds into foreign servers