Chinese Hackers Spear-Phishing for US Military Secrets

China’s digital onslaught on US systems is not news. The lingering question, though, has always been whether the attacks came from individual hacker groups or were state sponsored. Recent WikiLeaks documents seem to point to the latter.

According to recent secret cables provided to Reuters, the attacks have been traced back to the military:

“Secret U.S. State Department cables, obtained by WikiLeaks and made available to Reuters by a third party, trace systems breaches — colorfully code-named “Byzantine Hades” by U.S. investigators — to the Chinese military. An April 2009 cable even pinpoints the attacks to a specific unit of China’s People’s Liberation Army.”

The majority of the attacks used by China have been via spear-phishing. But what exactly is spear-phishing?

Spear-phishing is a form of social engineering. Hackers send specially crafted, official-looking e-mails to specific targets, hoping that they will open infected attachments or click on links that take the unsuspecting surfer to malware sites. The hackers or cyber criminals scan the web for employees of a specific target company to send the trap e-mail messages to. In this case, Chinese intelligence and hacker groups searched for military personnel or contractors:

“Two former national security officials involved in cyber-investigations told Reuters that Chinese intelligence and military units, and affiliated private hacker groups, actively engage in “target development” for spear-phish attacks by combing the Internet for details about U.S. government and commercial employees’ job descriptions, networks of associates, and even the way they sign their emails — such as U.S. military personnel’s use of “V/R,” which stands for “Very Respectfully” or “Virtual Regards.””

And despite all of the United States’ current attempts to stop or even slow the attacks, China is actually stepping up its efforts. The social engineering attacks from China appear to have started in 2002, and according to Alan Paller, the Director of Research at SANS, “The attacks coming out of China are not only continuing, they are accelerating.”

But what could the Chinese hope to gain?

Military secrets.

Along with the terabytes of data that have been stolen, the Chinese also obtained military login credentials and blueprints for some of America’s high-tech military equipment. According to InformationWeek, this includes “the quiet electric drive used by U.S. submarines to help evade detection.”

It is much faster and cheaper for the Chinese to just steal the latest military technology through low cost hacking attacks than spending the millions it would cost to develop it themselves.

When you look at the Chinese stealth fighter, which reportedly made its second test flight today, you have to wonder how much of the technology was “borrowed” from the United States.

Learn to Analyze Malware – Malware Analyst’s Cookbook Preview

I usually don’t recommend a book before I finish reading it, but once in a great while I run into one that is so good that I feel it is best just to get the word out. Malware Analyst’s Cookbook is such a book.

Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code, written by Michael Ligh, Steven Adair, Blake Hartstein, and Matthew Richard is one of the best security books that I have seen.

Are you a computer programmer and want to learn about malware analysis? A server administrator, network guy or computer tech looking to add to your knowledge or explore a new career field? Then this book is for you.

Though it would help if you have some programming experience, Malware Analyst’s Cookbook is written so even those without programming expertise can follow along. All the programs listed in the book are included in the companion DVD, so you don’t have to type them in. The book does recommend that you have some networking knowledge and understanding of how malware works.

If you want to learn how to surf anonymously, capture malware without getting infected yourself, and analyze it using (mostly) free utilities and websites then this is the book for you.

Some of the topics covered include:

  • Honeypots
  • Malware Classification
  • Sandboxes and Multi-AV Scanners
  • Malware Labs
  • Malware and Memory Forensics
  • De-Obfuscation

This book is a great reference and learning tool, written by authors that perform malware analysis and forensics for a living. I highly recommend this book.

SSL Issues: From Man-in-the-Middle Attacks to Foreign Hackers

There was a very good article yesterday on The Register about the issues with SSL. We have been taught over the years that if the website you are visiting uses HTTPS (instead of the standard HTTP address) and a little lock icon shows up in your browser, then your web frolicking is safe and encrypted.

But that may not necessarily be true.

Security researcher Moxie Marlinspike has shown time and again that SSL can be intercepted and the encryption bypassed. One only has to look at his program SSLstrip to see this in action.

It works as a man-in-the-middle attack: it takes your request for an HTTPS-encrypted site, steps into the middle of the exchange, creates the encrypted link with the target system itself, and communicates with your system completely unencrypted.

I saw a presentation once by Moxie where he talked about running SSLstrip on a Tor exit node (Tor is a program used for surfing anonymously online). He then mentioned all the passwords and credit card numbers that SSLstrip was able to pull from Tor users and save in plain text (you don’t shop using Tor, do you?). He also talked about the inherent weaknesses of SSL, which was also the topic of The Register’s article.

According to the article, hacker attacks aside, there seems to be little verification checking before certificates are handed out. For example, in 2008 Mike Zusman from the security firm Intrepidus Group was able to purchase a certificate for Microsoft’s domain. In the same year a separate researcher was able to purchase a certificate for

But those are just a few that slipped by, right? Not necessarily:

Last week, an analyst from the Electronic Frontier Foundation found that CAs have issued more than 37,000 SSL credentials for so-called unqualified domain names, such as “localhost,” “exchange,” and “exchange01.” These are the prefixes that many organizations append to their domains and use to designate Microsoft exchange servers and other internal resources.

When you add in reports of foreign hackers stealing certificates and creating fake certificates, and of hardware devices that perform SSL man-in-the-middle attacks, it sounds like SSL is really in need of an overhaul.
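The unqualified names in the EFF finding above are something a defender can check for directly. The following audit script is an added example, not from the article or from the EFF: it takes the certificate dict that Python’s `ssl` module returns from `getpeercert()`, collects the commonName and DNS subjectAltName entries, and flags any that are unqualified (no dot, or “localhost”); the sample certificate dict is constructed for the example.

```python
"""Audit X.509 certificate names for unqualified hostnames such as
"localhost" or "exchange01". Works on the dict shape returned by
ssl.SSLSocket.getpeercert(); SAMPLE_CERT below is constructed."""
import socket
import ssl


def cert_names(cert):
    """Collect the commonName and every DNS subjectAltName from a getpeercert() dict."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value)
    return names


def is_unqualified(name):
    """True when the name is not a fully qualified public domain name.
    A leading wildcard is stripped first, so "*.exchange" is still flagged;
    "localhost" is flagged even though it carries no dot ambiguity."""
    host = name.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return "." not in host or host == "localhost"


def unqualified_names(cert):
    """Sorted, de-duplicated list of the certificate's unqualified names."""
    return sorted({n for n in cert_names(cert) if is_unqualified(n)})


def audit_server(hostname, port=443):
    """Fetch a live server's certificate and report its unqualified names (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return unqualified_names(tls.getpeercert())


SAMPLE_CERT = {  # constructed; an internal mail server cert with mixed names
    "subject": ((("commonName", "exchange01"),),),
    "subjectAltName": (("DNS", "exchange01"), ("DNS", "mail.example.com"),
                       ("DNS", "localhost"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    print(unqualified_names(SAMPLE_CERT))  # ['exchange01', 'localhost']
```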

Securing your Desktop with Deep Freeze

Looking for an easy way to harden your Windows desktops? Look no further than Faronics’ Deep Freeze program.

Deep Freeze is very easy to install and configure and is perfect for simply and quickly increasing the security on your desktop or workstation. Once Deep Freeze is installed, it locks your computer down and prevents changes to the system.

So if you’re surfing along and notice strange messages coming from your system, or you run something that you are having second thoughts about, just reboot. All the changes made will be undone and your system will be back to its fully functional state.

Deep Freeze allows you to selectively choose which drives to protect. It also allows for “Thawing,” which means temporarily disabling the protection so you can make necessary changes to the system. It also allows folder redirection, so users can actually save the work they are doing to a “thawed” partition.

Deep Freeze is used by numerous school systems to protect workstations from mischievous young surfers. It is also used by professional malware analysts to protect their systems from getting infected.

Interested in learning more? Want to try out the software? Check out the Faronics website and download the evaluation version of Deep Freeze.