An embarrassing public exposure of a unit closely associated with the PLA had led to a temporary decrease in attacks. The Chinese government appears to have calculated that the downside of the publicity surrounding the attacks is outweighed by the benefits they are reaping.
This is likely to be a ongoing feature of the online world.
CIO Magazine estimates the value of a data breach at $184-$330 million. Given the cost to an organization's recommendation, there is a business imperative in placing adequate resources and thought behind protecting the data in our custody.
Organizations may need to take a close look at their patch philosophies, since many organizations would have difficulty testing and deploying an application server patch in such a relatively short time window. This compromise highlights the importance of defense in depth, and the importance of protecting data with the enterprise architecture, not just the capabilities of a particular product.
Exceptions are allowed for information involving privacy, security, or confidentiality. There are obvious concerns that a government agency may not be as careful about privacy-related information as we would like.
A recent Pentagon report showing significant intrusions sponsored by the Chinese government is a key contributor to the renewed interest in this issue. A recent report by Mandiant definitively tracing attacks to the Chinese PLA's doorstep exposed some of the methods used in these attacks. Experts have also noted an increased pace of attacks that may be linked to other actors such as Iran.
One provision of the bill would restrict imports of technology that is identified as having been stolen as a result of these attacks.
While it is always important to bring out the results of cyberattacks, it may be more effective to focus attention on promoting good information security practices. Current regulations and security audits tend to focus more on paperwork than on the actual effectiveness of controls.
Good examples of best practices recommendations include the SANS 20 Critical Controls and the 31 guidelines recently released by US CERT.
When one of the false passwords is entered, it would alert administrators that an attack is underway.
A similar security measure, using bogus accounts (known as "honeypot accounts"), alerts administrators when someone is trying to log into them.
Unfortunately, part of the company's damage control efforts included mis-information about the risk posed by the stolen encrypted passwords. Dictionary-based attacks on encrypted passwords only depend on having enough computing power, especially given the poor quality of most passwords. But in an environment where the Internet is swimming in easily hackable powerful computers, computing power is not much of a barrier to entry.
(Since many people use a single password across platforms, a stolen encrypted password for one account could allow an intruder to access a broad range of accounts, including bank accounts and accounts at a target's workplace.)
Ironically, QinetiQ won a bid to consult with the Department of Defense on cyber-threats.
Denials by the Chinese government have been less than convincing, given the thoroughness of the report released by security firm Mandiant.
State-sponsored cyberattacks have become more common in recent months. These attacks can be particularly difficult for a company to defend against, since the resources of a state sponsor can swamp an individual security department. Even with that, most attacks can be defended against by following basic security principles like the 20 controls recommended by SANS. The US CERT has released 31 guidelines to protect against a broad range of attacks.
In the case of QinetiQ, for example, two-factor authentication would have protected against the most damaging hacks, if it had been implemented.
UPDATE: The Pentagon has directly accused the Chinese government of cyber-spying. The Chinese response:
Although it is common sense that you cannot determine sources of cyber attacks only through IP addresses, some people in the Pentagon still prefer believing they are from China as they always bear a sense of rivalry. It is an allegation based on presupposition.
The malware attempted to install command and control software on the PCs of people who were not patched to correct the vulnerability in the malware.
The site is used by people who are applying for job-related compensation for workers in the energy field.
UPDATE: People using the IE (Internet Explorer) 8 browser are vulnerable to the exploit on the DOL web site. A module exploiting this bug is available for Metasploit. It is not clear whether this will be patched in the next Microsoft patch round, but a patch is not available as of this writing. IE8 users are urged to update to a current, fully patched version of IE.
UPDATE: The May 13 patch round will include a fix for this vulnerability for IE 8. A temporary work-around has been provided by Microsoft as well.
While there are fewer rewards for attacks against a smaller business, attackers view smaller businesses as easier targets.
This system allows ships to share location information in order to help avoid collisions.
