Oil companies hit by 'state' cyber attacks, says report
At least three US oil companies were victims of highly targeted, email-borne attacks designed to siphon valuable data from their corporate networks and send it abroad, according to a published report citing unnamed people and government documents. The attacks against Marathon Oil, ExxonMobil, and ConocoPhillips began with emails …
Clearly in light of this Chinese threat new communications and data laws will have to be passed to monitor and control everyone's online and offline activity.
I really hope lawmakers ignore this issue, as it's really not a public-sector problem at all. Let the private sector bear this cost themselves. If anything, the only government responsibility should be to investigate the intrusions and determine who to go after.
New laws won't prevent this sort of thing. THERE ARE ALREADY LAWS FOR INTRUSION...JUST FUCKING ENFORCE THEM, ASSHOLES!
<Sigh>OK, I feel better now.
Or to any energy company? Or any state? Or any investor or group of investors?
The 3 companies might even have sent the emails to each other for what we know. But if "The Christian Science Monitor" says it's China, then it must be, right?
The cost / pain / hassle of Linux will outweigh the cost of the loss of critical information
Now I like the penguin as much as any other non-sheeple, but I really don't think Linux would have helped in this situation, do you? If the boss was thick enough to 'click the link' then any payload would execute with her/his privileges .. and s/he's got read access to these documents, yes?
Ok, I concur that it needs to be a *nix 'trojan' but they are simple enough to write? Simple script that ftp's the contents of the home folder to the 'bad guys' ....
Regardlass of OS, the PEBKAC acronym still holds true. Linux is good, but fool-proof it 'aint. And we all know that the fools end up floating to the surface.
/2p
Rather puzzled by this comment. If I click on a link ( FF in Linux) I know a binary executable will NOT run - the only option is to download. Anybody then going on and explicitly running a downloaded binary deserves all they get (by which I mean sacking !) . Scripts, of various kinds, may run automatically but ONLY if I've authorized that type previously (which I haven't). Even documents and spreadsheets & pdfs need to be authorized.
Konqueror does offer to open a binary but only into an editor
I agree that the user and their environment constitutes the weakest link
Christian Science Monitor ?!*??!
Bless.. you do know silver bullets only kill werewolves right?
"Now... aint that what'cha call a contrarydiction in terms, pardner!?....
Christian Science as a religion may be questionable (they don't hold with conventional medicine), but the Christian Science Monitor is a respected journal and often quoted by other serious news sources.
So it is OK for the NSA to spy on EU industry but wrong for the Chinese to do the same to the US ?
Mine's the one with tinfoil hat in the back pocket.
Really, it won't do any good unless you actually wear it.
Whitelist email senders. Dissociate business emails from home, pref. with separate accounts. This stops the emails getting in.
Use digital signatures? Ensures it comes from who it claims.
Install a web proxy with whitelisted web access only. Speaks for itself.
Turn of java, javascript & flash (this is getting boring). This closes a major hole. And remove/IE totally if we're talking windows.
Run the accounts as user rather than admin. Blocks things further.
If necessary prescan emails for proper structure & a subset of functionality. Block those that don't conform.
Use a completely internal system for internal work/emails etc. Reject HTML emails.
Store critical data completely isolated from elsewhere. Provide business-only laptops with USB ports etc physically disabled, with encryption etc and no external access except whitelisted. Or don't let them take this work home with them at all - physical theft is a fine means of hacking and one that would be much higher if data management wasn't so inept.
Install anti-virus stuff, maybe.
Provide security training and shoot execs too stupid to learn.
I'm not an expert and some of the above may be misguided but just simple changes should make it orders of magnitude harder for hopeful intruders. How much more of this is going to happen before they 'get it'. I'm not sure they will.
@Matthew 13: I guess security is more to do with admin and good practices than with the OS. I've run windows for a long time and never had virii, malware or anything nasty. That's for the last 2+ years without any security software (norton etc.) at all.
Here are some hypothetical and not so hypothetical phone calls that Exec's may make to the IT department if these security measures are implemented.
"Turn of java, javascript & flash... And remove/IE totally if we're talking windows." Exec phone call: "I can't surf the internet without the 'e'." "Why can't I see my daughter on youtube?"
"Run the accounts as user rather than admin." Exec phone call: "Why can't I install this demo program from xyz company? I know it's safe because I checked it on my home computer."
"Use a completely internal system for internal work/emails etc. Reject HTML emails." Exec phone call: "My wife keeps trying to send me 'important' emails but I'm not getting them."
"Provide business-only laptops with USB ports etc physically disabled, with encryption etc and no external access except whitelisted." Exec phone call: "Why can't I load this usb stick that has confidential data that I downloaded from the office to work on this laptop when I'm traveling?" "Why can't I connect to the hotel website to get access to the internet?"
"Or don't let them take this work home with them at all." Exec phone call: "I downloaded some confidential files onto a USB stick from the office to work on while traveling but I lost it at the airport. Can you send me another one?"
"Provide security training...." Exec phone call: "I know, security training told me not to click on these kinds of links but the email was from my wife and she wouldn't send me anything bad."
...we called him God. Not in jest mind you, he surely was an incarnation of the God of the Old Testament. Lots of wrath and smiting of infidels but as we had our stuff together he mostly used his skills on the rest of the organization (five nines translates into goodwill in financial companies). We loved him dearly and regularly burnt an ox in his honor. And he was smart, one of the most intelligent people ever to make it into management in the history of mankind. No social skills though, but who needs social skills when you've got nukes.
We did a migration from <mainframe mail> to <other mail>. Most users had hardly anything stored on the mainframe so it was decided to forgo the pleasure of having to fight with a conversion tool, which was very expensive to boot. The CFO got himself into a huff and DEMANDED, in a LOUD VOICE, that we convert his 10.000 mails as they were his documentation. And God said: "Bugger off you idiot. You have 3 children. Bring them in next weekend and they can forward your mail to the new account for you. We're not converting anything". I didn't kiss him but it was a close thing.
God understood security well enough to let the security people have it their way. The above mentioned execs would have lasted mere seconds in his sight before spontaneously combusting. Sadly he pensioned himself off when our company was eaten by <even bigger company> many years ago.
All oil companies retain estimates of reserves, which are published for the benefit of investors and government. The location of these reserves is usually no secret, as most prospective geologies on the planet are known of (excepting maybe central Africa and northern Asia). These numbers tend to be conservative, being what they guarantee they can extract.
What *is* closely guarded is the less conservative internal estimates of what they believe is actually down there, which commonly is significantly larger. If I was an investor, these are the numbers I would want to see, but in the past I usually had to get most of the engineers drunk and laid. Cyber-attacks are so much more cost effective.
While foreign governments may well like to know this information, it is easy to envisage other motives for trying to get it. If I had to put money on one of them, I'd bet on the investment sector.
One is that "natural resource" corporates are targeted - this is always to be expected - especially since "he who owns the most resources controls the rest" - as it were. Second is that this is a perfect means by which to not only use China (the New Russian Threat) as the Foe - thereby causing much more irritation towards any Chinese-based interests, but also to impose, world-wide, a means by which to "legally" restrict the internet, or use the internet against the rest of the world - however it is seen fit. This, then, allows countries like the US to further impose on the rest of the world -especially the developing countries - THEIR legal ethics/values/desires (especially in copyright/patent/IP - ask Costa Rica!) - but also to allow companies, say for instance, like Microsoft, a much larger voice against competition (linux especially). Yep. Clear as mud.
... that the CSM is a bastion of computer & networking security reporting.
Oh, wait ... I was thinking about SCM ... nevermind ;-)
Well the conspiracy theorist in me suggests the UEA "ClimateGate" hack was far too convieniently timed, and was infact motivated/encouraged by "big oil", this is "their" response, (whoever "they" are) to show what they industry has been upto.
Basic security isn't as effective against an adversary with near-unlimited funding.
Whitelists won't work when they'll simply find a colleague's e-mail address already in the list. Since the e-mail was already business-oriented (colleague to colleague), the separation of business and personal is already moot. Proper research can produce an e-mail that looks sufficiently like the real colleague e-mail to block even behavioral and heuristic scanners. And even pure-text e-mails can provide a list of human instructions, such as where some important stuff may be stored. Even saying truly important stuff would be telephoned won't suffice; some social engineering tactics use the phone.
Digital signatures may help, but an adversary with vast resources may try to break the hash algorithm in order to create a collision.
Some browser exploits (especially the most novel ones) attack the browser DIRECTLY and wouldn't need a single plug-in or add-on to work. And if the adversary is sophisticated, it'll probably be a true zero-day vulnerability no one else in the world knows about. And since they're novel, no one (not even the AV/anti-malware makers) would be able to defend it; you can't defend what you can't predict.
Restricted user accounts are useless against privilege escalations. Yes, even Linux has these.
I really should not be arguing as I don't have the time and certainly don't have the knowledge, but that's me I guess.
>Basic security isn't as effective against an adversary with near-unlimited funding.
No, I guess, but it's about pushing up the costs to the adversary till it's not worth it. Cost may be more than money, it may be criminal charges, risk to reputation (could destroy a company, severely damage a country financially) etc.
> Whitelists won't work when they'll simply find a colleague's e-mail address already in the list.
Idea is that in combination with digital signatures + a totally separate network (vpn? backed up by large on-time pad?) for business emails makes that much harder. (WTF are they not using encryption here at all. Fuck. They need mincing down into dog food.).
> ...some social engineering tactics ...
okay, there's that but social engineering around major technical blocks is going to be much harder. But point taken anyway.
> Digital signatures [...] create a collision.
That's fine. Crack one layer with great effort others remain. At each point they have to probe which leads to risk of detection.
> Some browser exploits attack the browser DIRECTLY ...
But they have to then 1) know the browser type 2) gain access to it 3) compromise it 4) have it reach out over a whitelist-only proxy. etc. Break one layer, another remains, and they start becoming very noticeable. A true zero-day vuln is one crack in several layers.
Dunno about privilege escalations but I'm sure you can increase the cost so much it's not worth it to them. And there's plenty more basic stuff I could suggest before we get to anything fancy like rewriting stuff in 'safe' languages.
Now's the time to mention you're a security consultant with 30 years experience.
@AC 10:52: point well made but anticipated. look for the phrase 'get it' and the word 'shoot'. The technical is the easy stuff I grant. People are hard.
"Clearly in light of this Chinese threat new communications and data laws will have to be passed to monitor and control everyone's online and offline activity." ..... Anonymous Coward Posted Monday 25th January 2010 22:26 GMT
Which cave have you been holed up in all these past years, AC .... http://en.wikipedia.org/wiki/Stored_Communications_Act
http://en.wikipedia.org/wiki/Pen_register
Privacy and the Right to Privacy disappeared Ages ago to Complement and Support the Demise of Law and Order with the Perversion and Subversion of Freedom and Justice for the Promotion of Capital Slavery and Economic Indebtedness to Crappy Human Terrain Team Players.
Fortunately though, there has been AI Change and Renegades and Rogues/Private Pirates and Swift Buccaneers are Seeding Wild Jokers to Dominate and Overwhelm Captured Fields and Virtual Theatres of Operations.
"If anything, the only government responsibility should be to investigate the intrusions and determine who to go after." .... Captain Save-a-ho Posted Monday 25th January 2010 23:13 GMT
Good luck with that determination, Save-a-ho. Do you know of anyone who has ever caught a Shadow? And do you imagine that anyone really smart goes into governments, whenever in Private Practices, they can run them at their Leisure for their Pleasure
elitist pricks that have their heads and their copies of linux wedged so far up their arses they burp fanboi flavoured farts mainly composed of semi-insulting, meaningless rhetoric about those no it the cult.
Their even worse than the non-IT 'virus proof' cult of jobs you meet in coffee shops.
BenDwire and his sheeple comment for example.
And before anyone asks, I run windows 7 on my desktop and backtrack 4 on my laptop.
to follow !
No f*ckin wonder the world is in such a shit state and the Goovermins dunt no nuffin'.
One of the first things I learnt about ITC is that data connected to the internet can be accessed from the internet.
First thing I learned about business is how to make money by not spending money.
Put the two things together and you have a world wide orchestrated bunch of overpaid, half trained, wrongly aimed, resource syphons - connecting stuff to the internet (or leaving unencrypted discs on trains) that should never be - in the first place.
Cripplingly funny from an anarchists perspective.
Then the thought of adding to this mix, the knee jerkers, re-edutainment and beware of the burkhas and I nearly fell out of my orthopeadic office chair.
More please, more .. where is the guffaw icon ?
Christian Science?
Where have I heard that phrase used before?
Wiki tells me "Christian Scientists believe that sickness is the result of fear, ignorance, or sin, and that when the erroneous belief is corrected, the sickness will disappear."
So obviously these guys are a fantastic source of reliable information.
Its oh so easy to shout from your high horse till someone gets around to taking it down.
Don't you people think about the other costs in moving to this 'free' software?
Training of staff in using Linux
Training of staff in using open office
Training of front-line IT staff to fight off the millions of questions which will be asked by all these confused users.
Time and effort spent converting various infrastructure to work on Linux (eg the payrole may pull out details from a timesheet database that all staff enter their hours into. Those kind of links across software packages dont make themselves)
The big rollout thats going to drag everyone to a halt and lose production by the company.
Not to mention all the packages they use that do not have a Linux equivalent.
Of course, this has nothing to do with the fact that these companies have production licences for big, big oil fields in Nigeria that are currently coming to an end, that Sinopec and CNOOC currently have an interest in?
Not to mention that these companies are also direct competitors with the two Chinese NOCs in a number of other areas.
No, I can't imagine why the Chinese government would want to hack their bid offers, not at all.
"...Although the executive didn't follow a link embedded in the message...".
There are two possibilities here. First, he's hideously overqualified for the job as he's obviously not only read all the warnings and understood them but also understood that they apply to him. Second (and most likely), he was the one who clicked on the "pwn me nows" email link last time their network got the shaft and remembers the subsequent cattle prod to the goolies he got from their BOFH for doing so.
> Although the executive didn't follow a link embedded in the message, other people inside the company did, allowing attackers to install surveillance software across the company's network, according to the report ..
What Operating System did this 'surveillance software' run on. The OS that allows your computer to be compromised by clicking on a web link ?
Sign up, sign up for The Register's weekly IT security newsletter - click here
