In Through The Out Door

    Diving Through The Information Barrage

    Browsing Posts published in May, 2008


    The cover story of the current issue of National Journal reports in depth on China’s cyber-aggression against US targets in government, the military, and business. We have discussed China’s actions on numerous occasions over the years. The news in this report is the suggestion that Chinese cyber-attackers may have been involved in major power outages in the US. “Computer hackers in China, including those working on behalf of the Chinese government and military, have penetrated deeply into the information systems of US companies and government agencies, stolen proprietary information from American executives in advance of their business meetings in China, and, in a few cases, gained access to electric power plants in the United States, possibly triggering two recent and widespread blackouts in Florida and the Northeast, according to US government officials and computer-security experts…”

    [From China's Cyber-Militia ]

    A CNet story covers a talk by Google’s Jeff Dean spotlighting some of the inner workings of the search giant’s massive data centers. Quoting: “‘Our view is it’s better to have twice as much hardware that’s not as reliable than half as much that’s more reliable,’ Dean said. ‘You have to provide reliability on a software level. If you’re running 10,000 machines, something is going to die every day.’ Bringing a new cluster online shows just how fallible hardware is, Dean said. In each cluster’s first year, it’s typical that 1,000 individual machine failures will occur; thousands of hard drive failures will occur; one power distribution unit will fail, bringing down 500 to 1,000 machines for about 6 hours; 20 racks will fail, each time causing 40 to 80 machines to vanish from the network; 5 racks will “go wonky,” with half their network packets missing in action; and the cluster will have to be rewired once, affecting 5 percent of the machines at any given moment over a 2-day span, Dean said. And there’s about a 50 percent chance that the cluster will overheat, taking down most of the servers in less than 5 minutes and taking 1 to 2 days to recover.”

    [From A Look At the Workings of Google's Data Centers ]


    While rootkits for common operating systems, like Windows, are well known, they haven’t been a security issue for Cisco’s IOS until now.


    [From Cisco IOS Rootkit Demonstrated]


    Get the most from your TomTom, Garmin, Magellan, or other GPS device by learning how to speed satellite lock, send maps from your PC, create POIs, and more from our GPS expert.


    [From Top 10 GPS Tips And Tricks]

    Did China’s Hackers Shut Off the Lights?— Hackers working on behalf of China’s People’s Liberation Army have penetrated networks controlling electric power grids in the United States, computer security experts believe. And that may have precipitated a massive blackout …

    [From Did China's Hackers Shut Off the Lights? (Updated) (Noah Shachtman/Danger Room)]


    Dr. Jim writes “The good folks over at the Gartner Group have revealed the top 10 technologies that they believe will change the world over the next four years. The usual suspects, including multi-core chips, virtualization, and cloud computing, are on the list. Multi-core servers and virtualization will mean that firms will need fewer boxes, and apps can be easily moved from box to box (and right out the door to an outsourced data center). Workplace social networks and cloud computing mean that the need for a centralized IT department will go away. Firms will no longer need to own/maintain the boxes that they use to run their firm’s apps. With no need to touch a box, there will be no need to have the IT staff co-located with the boxes.”

    [From Gartner Reveals Top 10 Technologies For Next Four Years]


    One of the most interesting features in Solaris is its ZFS filesystem. Read on for a quick guide to ZFS administration.


    [From Solving Common Administration Problems with ZFS]


    As the new 802.11n spec, with its increased speed, coverage, and reliability, intersects with a broader selection of vendor offerings, wireless is becoming a viable platform for mission-critical network connectivity.


    [From 802.11n Is Here. Get Ready For A Wire-Free Enterprise]


    I would link to the press release, but it doesn’t exist. New photography this week highlights that the 3rd Yuan class submarine has been launched. The first photo is a comparison of the first two Yuan class submarines launched, with the remaining photos of the 3rd Yuan recently launched.

    The 2008 Annual DoD Report (PDF) for Congress was released early this year,


    [From Observing the 3rd Yuan Class Submarine]

    The Challenge From China

    The standard way to take control of someone else’s computer is by exploiting a vulnerability in a software program on it. This was true in the 1960s when buffer overflows were first exploited to attack computers. It was true in 1988 when the Morris worm exploited a Unix vulnerability to attack computers on the Internet, and it’s still how most modern malware works.

    Vulnerabilities are software mistakes–mistakes in specification and design, but mostly mistakes in programming. Any large software package will have thousands of mistakes. These vulnerabilities lie dormant in our software systems, waiting to be discovered. Once discovered, they can be used to attack systems. This is the point of security patching: eliminating known vulnerabilities. But many systems don’t get patched, so the Internet is filled with known, exploitable vulnerabilities.

    New vulnerabilities are hot commodities. A hacker who discovers one can sell it on the black market, blackmail the vendor with disclosure, or simply publish it without regard to the consequences. Even if he does none of these, the mere fact the vulnerability is known by someone increases the risk to every user of that software. Given that, is it ethical to research new vulnerabilities?

    Unequivocally, yes. Despite the risks, vulnerability research is enormously valuable. Security is a mindset, and looking for vulnerabilities nurtures that mindset. Deny practitioners this vital learning tool, and security suffers accordingly.

    Security engineers see the world differently than other engineers. Instead of focusing on how systems work, they focus on how systems fail, how they can be made to fail, and how to prevent–or protect against–those failures. Most software vulnerabilities don’t ever appear in normal operations, only when an attacker deliberately exploits them. So security engineers need to think like attackers.

    People without the mindset sometimes think they can design security products, but they can’t. And you see the results all over society–in snake-oil cryptography, software, Internet protocols, voting machines, and fare card and other payment systems. Many of these systems had someone in charge of “security” on their teams, but it wasn’t someone who thought like an attacker.

    This mindset is difficult to teach, and may be something you’re born with or not. But in order to train people possessing the mindset, they need to search for and find security vulnerabilities–again and again and again. And this is true regardless of the domain. Good cryptographers discover vulnerabilities in others’ algorithms and protocols. Good software security experts find vulnerabilities in others’ code. Good airport security designers figure out new ways to subvert airport security. And so on.

    This is so important that when someone shows me a security design by someone I don’t know, my first question is, “What has the designer broken?” Anyone can design a security system that he cannot break. So when someone announces, “Here’s my security system, and I can’t break it,” your first reaction should be, “Who are you?” If he’s someone who has broken dozens of similar systems, his system is worth looking at. If he’s never broken anything, the chance is zero that it will be any good.

    Vulnerability research is vital because it trains our next generation of computer security experts. Yes, newly discovered vulnerabilities in software and airports put us at risk, but they also give us more realistic information about how good the security actually is. And yes, there are more and less responsible–and more and less legal–ways to handle a new vulnerability. But the bad guys are constantly searching for new vulnerabilities, and if we have any hope of securing our systems, we need the good guys to be at least as competent. To me, the question isn’t whether it’s ethical to do vulnerability research. If someone has the skill to analyze and provide better insights into the problem, the question is whether it is ethical for him not to do vulnerability research.

    This was originally published in InfoSecurity Magazine, as part of a point-counterpoint with Marcus Ranum. You can read Marcus’s half here.

    [From The Ethics of Vulnerability Research]


    Dr. Andrew S. Erickson is one of the premier sources on Chinese Maritime analysis, and a blog favorite. Previous coverage of his work here and here. Last year Dr. Erickson published New U.S. Maritime Strategy: Initial Chinese Responses, an examination and insightful study of China’s reaction to the new US Maritime Strategy. The following sample is but a taste of this brilliant document, a 22 page


    [From Observing Chinese Reactions to the New Maritime Strategy]


    How dangerous is China? Ask the Russians, who are organizing their lawyers to go after the one place China seems to take seriously: their wallet. There have been some very interesting discussions taking place over in Russia, and it turns out that, while they didn’t really care that the Type 39 Song class submarine was built based on the old Romeo design, they aren’t very happy to learn the Yuan class


    [From Challenges of War and Peace]

    [Image: chinese-sub-base.jpg]

    Has China “secretly built a major underground nuclear submarine base that could threaten Asian countries and challenge American power in the region”? Thomas Harding, writing in the London Daily Telegraph early this month, has declared that it is.

    According to Harding, “Satellite imagery, passed to The Daily Telegraph, shows that a substantial harbour has been built which could house a score of nuclear ballistic missile submarines and a host of aircraft carriers.”

    The threat from Chinese submarines, long touted by “hard liners” in the West, now includes the ballistic missile submarine base and protective tunnels for the craft being constructed at Sanya on the southern tip of Hainan Island in the South China Sea.

    The report comes almost simultaneously with word that a Chinese Type 094 (NATO Jin-class) ballistic missile submarine was sighted at the base in satellite images. Also visible was a newly constructed pier that appears to be a demagnetization facility for submarines. Demagnetization is conducted before a submarine deploys to remove residual magnetic fields to reduce the craft’s vulnerability to magnetic mines.

    The satellite image was taken by the QuickBird commercial satellite on 27 February 2008, and purchased by the Federation of American Scientists from DigitalGlobe.

    China is believed to have completed two Jin-class SSBNs with at least one more unit under construction. (An older SSBN is also in service; see below.) The U.S. Intelligence Community estimates that China would probably build five SSBNs if it wants to have a near-continuous deterrent at sea. Each Jin-class SSBN will carry 12 JL-2 nuclear-armed ballistic missiles. A “score” of such submarines — as reported in some newspaper accounts — seems highly unlikely.

    While some Western defense analysts as well as journalists are touting this new Chinese capability, it should be noted that there have been submarine tunnels in southern Hainan for probably two decades or more and that similar (albeit smaller) tunnels are also found at the Northern Fleet’s Jianggezhuang naval base. Indeed, China has long constructed tunnels for military (and civilian) purposes in the event of a nuclear conflict. This writer visited some of those near the base complex of Dairen, near the Soviet-Russian border.

    Further, while submarines could be “hidden” in the tunnels, they could be observed by U.S. reconnaissance satellites as they enter and leave the tunnels. This possibility, coupled with the likely noise level of the Jin-class SSBNs, would increase their vulnerability to U.S. detection and surveillance methods.

    Also, in wartime, any submarines in the tunnels at the outbreak of hostilities would be vulnerable to the tunnels being easily blocked by U.S. conventional or nuclear weapons.

    Certainly the Chinese Navy is being modernized, although it is significantly smaller than it was during the Cold War era. The slow development pace of China’s SSBN force, the failure of the first Chinese SSBN, the Type 092 (NATO Xia) completed in 1988, to have ever made a deployment, and persistent reports that a ballistic missile for the SSBNs is not yet available, raise major questions about this aspect of the “Chinese threat.”


    [From A Super Secret Sub Base?]

    A Canadian law clinic has asked the country’s Privacy Commissioner to take a closer look at the deep packet inspection being used by Bell Canada and others. While the technology also raises net neutrality concerns, in this case the issue is privacy.


    [From Deep packet inspection under assault over privacy concerns]

    Deep packet inspection gets a major speed bump to 80Gbps of real-time traffic analysis with 96 percent accuracy. Even the largest networks can now throttle P2P with ease… even when it’s encrypted.


    [From Throttle 5 million P2P users with $800K DPI monster]


    U.S. military to build botnet?

    [From Brief: U.S. military to build botnet?]

    [From Proposed Cybersecurity Bill To Pressure DHS ]


    There are new developments in the case of the counterfeit Cisco routers, which we have been discussing for some time. The NYTimes updates the story after an FBI PowerPoint presentation made its way onto the Web. It seems that experts at Cisco have examined some of the counterfeit routers in detail and proclaimed that they contain no back doors. Others don’t believe we can be so sure. “Last month, [DARPA] began distributing chips with hidden Trojan horse circuitry to military contractors who are participating in the agency’s Trusted Integrated Circuits program. The goal is to test forensic techniques for finding hidden electronic trap doors, which can be maddeningly elusive… The threat was demonstrated in April when a team of computer scientists from the University of Illinois presented a paper at a technical conference in San Francisco detailing how they had modified a Sun Microsystems SPARC microprocessor… The researchers were able to create a stealth system that would allow them to automatically log in to a computer and steal passwords.”


    [From FBI Says Military Had Counterfeit Cisco Routers]


    An IBM developerWorks article analyzes how the NSA built SELinux to withstand attacks. The article shows us some of the relevant kernel architecture and compares SELinux to a few other approaches. We’ve discussed SELinux in the past. Quoting: “If you have a program that responds to socket requests but doesn’t need to access the file system, then that program should be able to listen on a given socket but not have access to the file system. That way, if the program is exploited in some way, its access is explicitly minimized. This type of control is called mandatory access control (MAC). Another approach to controlling access is role-based access control (RBAC). In RBAC, permissions are provided based on roles that are granted by the security system. The concept of a role differs from that of a traditional group in that a group represents one or more users. A role can represent multiple users, but it also represents the permissions that a set of users can perform. SELinux adds both MAC and RBAC to the GNU/Linux operating system.”
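    To make the quoted “listen on a socket but not touch the file system” idea concrete, here is a sketch of what that policy looks like in SELinux type-enforcement language. This is an added illustration, not code from the developerWorks article or from the SELinux project; the daemon name `listener`, the types `listener_t`/`listener_exec_t` and the role `listener_r` are assumptions, and the macros used (`policy_module`, `init_daemon_domain`, `corenet_tcp_bind_*`) are reference-policy interfaces.

```selinux
# Hypothetical reference-policy module for a network daemon called "listener".
# Names below are assumptions for illustration only.
policy_module(listener, 1.0.0)

# --- Type enforcement (MAC) ---
# A domain for the running process and a type for the executable that
# transitions into it when started by init.
type listener_t;
type listener_exec_t;
init_daemon_domain(listener_t, listener_exec_t)

# The daemon may create its own TCP sockets, bind a port, and talk to clients.
allow listener_t self:tcp_socket { create bind listen accept read write getattr setattr };
corenet_tcp_bind_generic_node(listener_t)
corenet_tcp_bind_http_port(listener_t)

# Deliberately absent: any rule granting listener_t read/write on file types
# such as etc_t or user_home_t. SELinux denies whatever is not allowed, so a
# compromised listener_t process is confined to the socket access above, and
# each attempt outside it is logged as an AVC denial rather than succeeding.

# --- Role-based access control (RBAC) ---
# A role names the set of domains a user may run in; it is not a list of
# users. Only listener_r may hold processes in the listener_t domain.
role listener_r;
role listener_r types listener_t;
```

    The defender-side check is the audit log: after loading such a module, `ausearch -m avc -c listener` shows every file-system access the daemon attempted and was denied, which is both confirmation the confinement works and a useful signal that the process is doing something it was never meant to do.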



    [From How the NSA Took Linux To the Next Level ]
