Cyber-espionage groups are too numerous to count and are often far less skilled than their reputation suggests, according to threat-trackers. Costin Raiu, director of global research at Kaspersky Lab, estimated that anything between 100 and 200 hacking crews operate in China alone. Despite the hype about zero-day attacks, many …
Successful is as successful does
Saying that successful attacks were not particularly elegant is rather empty. If the attack gets through, it is a powerful and dangerous attack.
Mike Tyson was not the most elegant boxer, but he won a lot of fights.
Our systems are extremely porous all around and it is *by design*. Sure, there are *tons* of bugs and errors in judgment there, but the entire infrastructure is in a shambles. Why? Because people with a great deal of control over the system need to be able to track, force their way into systems and disable systems. Making everything truly secure would secure it against them as well.
Nobody in a position to do anything about security is serious about it, but if they were, DNS would be distributed, we would be on a *successor* to ipv6 already instead of struggling to even get ipv6 adoption, encryption would be the *rule*, not the exception, encryption keys would be measured in Mbits or more instead of Kbits and less, etc.
We do not even have properly consistent universal PKI.
My browser would not rely on a set of root certificates issued by untrustworthy entities that include, it would seem after NSA revelations, attackers.
"Lots of attacks are successful but not advanced,"
Why should that surprise anyone? Where the goal of the intruder is to grab specific files or hijack a twitter feed, then keep it as simple as possible. Hold back the sneaky for when you need it.
Exactly - why unwrap the nukes when you can get the same results with a custard pie?
Seems like poor security...
I don't quite understand how they can equate using the least amount of effort for achieving the same goal as being crap. I don't doubt many tools have made "hacking" less skill based but really I don't know why you'd go through the effort to drop zero days when you can simply type admin:irsmart (yes, taken from experience) at the login window.
I guess it's kind of obvious that with more groups hacking only a select few are going to be real threats to major corporations and governments, but if they are crap hackers by proxy there are a lot of crap security boffins which couldn't "secure" the network against what they are essentially calling script kiddies.
And if they are crap hackers how the hell do they have zero days? If they are capable of producing zero days I'd say there is at least some talent on board. Maybe I'm overthinking this...
Re: Seems like poor security...
Great, now I need to change my password! I haven't had to do that since SpaceBalls told everyone the combination to my luggage.
Channeling the spirit of Donald Rumsfeld: there are unrecognised unsuccessful attacks, recognised unsuccessful attacks, unrecognised successful attacks and recognised successful attacks.
Of course, you only ever have any kind of metrics for  and . whereas it's really  and  you need to concern yourself the most about.
PR for your honey pot?
The only ones that will fall for that are the really dumb ones. Which sort of proves your original point. Like a prof once said, "What we measure, we increase. So, be careful what you measure."
Brewskies 'cause it's always appropriate.
Would I be right in thinking....
...some of the basic ground rules for hacking these days would be -
Don't do it from your own home.
Don't do it on a machine you use for anything but hacking.
Don't use your own credit card...
Don't let them know you've been.
Don't keep going back.
Don't leave sarcastic/nasty comments behind that just make you sound like a vindictive d*ck to a jury.
I just see so many cases on the news that don't appear to have thought through what and how they are doing it.
Best rule is probably not bother in the first place.
There is good news however
A prison cell awaits every hacker.
Re: There is good news however
Or a medal. Depends on which three letter agency you're hacking for, no?
Personally, I had no idea that turning a couple of old heatsinks and a peltier element into a bottle cooler could land me in prison. I hope the Judge and Jury look kindly on me. I was just being curious!
So the ongoing cavalcade of human stupidity that enables most penetrations to succeed (poor patching, executable content, etc) continues unabated.
In fact if sysadmins did their job (or perhaps were allowed to do their job) and all staff were even minimally educated I suspect most of these crews would be history because they'd be blown away. These guys may be prolific but SFW? Do they all have mad skills? I doubt it.
Shock news. Why use a (presumably) undiscovered zero day when Dumbo McStupid will open anything sent to them headed "Dear Colleague?"
Don't just blame businesses. Home users and small businesses are notoriously ignorant on security.
"Don't just blame businesses. Home users and small businesses are notoriously ignorant on security."
But I think the term "cyber-espionage" suggests those are not the people being targeted.
Although better education for them would help as well.
Raiu said "They are opening stolen documents on virtual machines without any internet connection to avoid exposing themselves that way,"
So how does he know that?
"Thacker added that although everyone wanted to know the source of APT attacks assigning attribution was difficult. "Everybody wants information on who’s attacking, but attribution isn’t easy," Thacker said."
That, my dear Mr. Leyden, is called PADDING. It is crude and obvious. You can do better.