Operation Shady Rat Is The Largest Cyber Attack Ever Uncovered - BioGeek
http://www.vanityfair.com/culture/features/2011/09/chinese-hacking-201109

======
mrb
The most shocking revelation IMO is that "less than 10 percent of [RSA's]
customers have requested replacement tokens". IOW, everybody knows the entire
SecurID system was compromised, yet _90% of its users decided to do nothing
about it_!

~~~
trotsky
I believe that is weaselly at best; I've been given the impression previously
that over 50% of the tokens in active use had been switched out before the
public announcement of the free replacements was made. Perhaps they're doing
something like counting every company that bought a few for an eval and aren't
using them.

------
metachris
A better account of the story at the McAfee Blog:
[http://blogs.mcafee.com/mcafee-labs/revealed-operation-shady...](http://blogs.mcafee.com/mcafee-labs/revealed-operation-shady-rat)

~~~
dhimes
In the comments of this the blogger notes that malware put in place to launch
the exploits were all for Windows machines. It sounds like it mostly works by
getting unwitting users to click on unknown emails. It's been 15 years and
we're _still_ doing that?

~~~
jrwoodruff
Not quite 'unknown' e-mails as I would think of them - these were e-mails that
appeared to be from co-workers and addressed specifically to another
individual, hence _spear_ -phishing, rather than just phishing. For all
intents and purposes, it probably had all the appearances of a legit e-mail.

~~~
dhimes
If I understand it, then, someone opens the initial payload which allows
malware to be downloaded, and this downloaded malware orchestrates the "spear
phishing?"

I haven't seen this as I've been out of an organization for quite a while.
Thanks for clarifying.

------
niyazpk
The sidebar can be slightly NSFW. Here is a version of the same article
without the distractions:
[http://www.vanityfair.com/culture/features/2011/09/chinese-h...](http://www.vanityfair.com/culture/features/2011/09/chinese-hacking-201109?printable=true)

------
com
Fascinating reading - my take-home is that US corporates are going to have to
have disclosure rules whether they want to or not. The question is whether
this will come from Congress or the regulators.

------
est
> As spring gave way to summer, bloggers and computer-security experts found
> evidence that the attack on RSA had come from China

They never say what evidence, which is the most interesting part of the
article. Does anyone have a more detailed description of how they identified
it was China?

~~~
sp_
I worked on the technical side of the RSA attack analysis and not the
attribution/political side but some guy on Twitter
(<https://twitter.com/yuange1975>) who pretends to be Chinese has claimed
responsibility for the RSA 0-day and some other high profile 0-day exploits on
his Twitter feed in a way that makes him the credible original source of those
exploits.

I am sure the people on the attribution side dug deeper than this (for example
they most likely tried to verify that this guy is really Chinese and not just
pretend-Chinese) but I don't know anything about the non-technical side of
things.

~~~
est
That's cool. Much better than the blah article. 袁哥 is actually a very skilled
hacker and reputable in China. IIRC he works for NSFocus; NSFocus used to be
the de facto operator of China's G.F.W., it was replaced by another firm after
a Taiwan spy issue.

edit: [http://jeffreycarr.blogspot.com/2011/06/18-days-from-0day-to...](http://jeffreycarr.blogspot.com/2011/06/18-days-from-0day-to-8k-rsa-attack.html)

------
lobo_tuerto
So much drama, handwaving and name calling in this VF's article...

------
dreww
While I support the opinions with regard to security and disclosure as
presented, the rest of the article is regrettably lacking in detail,
specifics, evidence, or attributable quotes on what has actually occurred.
It's hard to say if this is just the typical style of a piece for general
audiences on this topic, or the tail wagging the dog on attributing these
things to china in the public eye.

Frankly, what's more alarming: the dedicated resources of a single state
actor, or a complex, emergent network of self-interested individuals and
groups pursuing their own aims?

I find the Chinese explanation a little too convenient and a little too
amenable to typical national defense thinking. What this article really says
to me is that if you want to hack an American company, own a Chinese box
first. Nobody will look any further.

~~~
trotsky
The truth is that both are happening. When you talk to people who are
pragmatic and watch the strategic elements they are often saying things like
"or someone operating with Chinese cover". There is definitely evidence that
other actors are using Chinese IPs, working hours and techniques to muddy the
water. But at the same time, a preponderance of evidence suggests strongly
that a majority of these attacks are from Chinese sources. Keep in mind that
military and national security investigators - even private sector
investigators - have access to a lot more intelligence about these matters
than simply what IP launched what. So, yes, while some intrusions from China
are undoubtedly the work of non-Chinese it still makes sense to focus a lot of
your efforts on the dragon in the room.

~~~
dreww
I totally believe that there is more evidence out there, it is just rarely
actually revealed.

So it seems at least possible that there is some collusion, conscious or not,
between journalists and cybersecurity spooks to name an enemy in order to get
traction in the public mind, vs. saying "well, it's from a lot of different
people, lots of stuff from China, and who knows what else."

I even think this might be a good strategy - I guess my point is I'd like to
see more real public evidence before we accuse foreign governments of
attacking us in the press. Not because I don't believe it is happening, but
because I feel those assertions should be backed up if they're going to be
made.

------
NY_Entrepreneur
Let's review Computer Security 101 with a case study in Mainstream Media
Morality Play Nonsense 102:

The article is garbage. Nonsense. Brain-dead. Trying to jerk people around by
the gut.

'Vanity Fair' is for what, overly emotional, determinedly non-technical,
easily scared, fundamentally incompetent and, thus, dependent, young women who
want to gossip about fashion and celebrities?

If the article had anything, then it would have explained something solid;
since nothing solid was explained, it must not have had anything.

So, the article starts with:

"Lying there in the junk-mail folder, in the spammy mess of mortgage offers
and erectile-dysfunction drug ads, an e-mail from an associate with a subject
line that looked legitimate caught the man’s eye. The subject line said '2011
Recruitment Plan.' It was late winter of 2011. The man clicked on the message,
downloaded the attached Excel spreadsheet file, and unwittingly set in motion
a chain of events allowing hackers to raid the computer networks of his
employer, RSA. RSA is the security division of the high-tech company EMC. Its
products protect computer networks at the White House, the Central
Intelligence Agency, the National Security Agency, the Pentagon, the
Department of Homeland Security, most top defense contractors, and a majority
of Fortune 500 corporations."

and in particular:

"The man clicked on the message, downloaded the attached Excel spreadsheet
file, and unwittingly set in motion a chain of events allowing hackers to raid
the computer networks of his employer, RSA."

Garbage. Absolute reeking, fuming, bubbling, flaming, smelly, gooey, sticky,
yucky nonsense.

So, he received an e-mail message. Okay, we're talking likely post office
protocol 3 (POP 3).

Back when I was using OS/2 and had no decent e-mail software, I took out an
afternoon and wrote my own POP 3 client e-mail software. I used it for years.
I'm about to ditch Outlook 2003 and return to what I wrote (in Rexx) on OS/2.

Gotta tell you, no way, not a chance, was there any way to infect my computer
by sending me e-mail. Not in this galaxy. Send me anything you want, pictures,
viruses, root-kits, Flash, infected, 'active' PDF files, EXE files, Active-X
files, spreadsheets, etc., and no way will my computer be 'infected'. Just
impossible.

Why: First, the data that comes via POP 3 is lines of text of just 8 bit
characters. Period.

At the beginning are the 'header lines'. The end of the header lines is
denoted by one blank line.

The rest of the e-mail is just the 'body', and it is just more lines of text
of 8 bit characters.

Harmless. It's just some simple minded data as lines of 8 bit characters. Can
put the data in an ordinary file, edit it with an ordinary editor, view it on
the screen, print it out, etc. All harmlessly.

The body may have a PDF file, a movie, some audio, some Flash, an EXE file, a
spreadsheet, etc., and still it's all just harmless data. Period.

If there is one or more 'attachments', then each of these is delimited by a
line with some text indicated in the header. Each such attachment is just more
lines of text. To permit sending any data at all, these lines of text consist
of just 65 simple-minded, old ASCII printable characters. You can print them
out, and they won't hurt you, steal your bank records, install software on
your computer, etc. They are 100% harmless.

Those 65 characters are part of a scheme called 'base 64 encoding' which is
part of the e-mail 'multi-media internet mail extensions' (MIME).

For such an attachment, can follow the base 64 rules and 'decode' the
attachment back to the original data in the file. The file, then, will be a
sequence of 8 bit bytes. Give the file any name you want and put it in any
directory ('folder') you want. Yes, you do NOT want to put the file where
other software will use that file without your knowledge; but why would you do
that? E.g., don't overwrite some important operating system DLL file.

The file may be in the format of an EXE file, JPG file, GIF file, PNG file,
XLS file, etc. Still it is just a file, just a sequence of bytes. Like any
other sequence of bytes, it's harmless, will not cause blindness, falling
hair, black toenails, or an infected computer. You can copy it, back it up,
send it as an attachment via e-mail, etc. all harmlessly.

The file can be a virus, a root-kit, a Trojan, malicious, malevolent, nasty,
etc., but STILL is just 100% harmless, safe, and innocuous. No rubber gloves
needed.

Now, if the computer is being used by a total dummy, idiot, drooling on the
keyboard, licking the screen, etc., then there might be a threat: The rube
might permit such a file to execute as software on their computer. Dumb.
Stupid. Brain-dead. Don't do that. Never do that.

First rule of computer security:

         Never, ever permit data from an untrusted
         source to execute as software.

Never. Ever. Don't do that.

So, if there was a computer security problem, then it was NOT the e-mail, the
attachment, or the spreadsheet but JUST some total idiot who let such an
attachment execute as software.

Any author of any e-mail program that lets data execute as software without
very explicit approval of a user should be dragged through the streets while
peasants throw garbage, two-week-old dead animals, night soil, upchuck, toxic
witch's brew, effluent from tanning animal skins, etc., racked, excoriated,
eviscerated, drawn, quartered, hung, dried, roasted, and fed to sick animals.

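The comment above walks through the POP3/MIME layout (header lines, one blank line, base64-encoded attachment parts) and the rule that received data stays harmless until something executes it. As an added example, not from the thread or any participant, here is a Python inspector that parses a constructed message, decodes the attachment back to bytes, and reports what those bytes actually are by their leading magic, without ever opening or running them; the addresses, file names and payload bytes are constructed stand-ins.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Magic bytes used to identify what a decoded attachment actually is,
# regardless of its declared file name or MIME type.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc compound file
MZ_MAGIC = b"MZ"                                   # Windows PE executable
ZIP_MAGIC = b"PK\x03\x04"                          # .xlsx/.docx/.jar containers
PDF_MAGIC = b"%PDF"

# Extension -> the container format that extension is expected to carry.
EXPECTED_KIND = {
    ".xls": "ole2-compound", ".doc": "ole2-compound",
    ".xlsx": "zip-container", ".docx": "zip-container",
    ".pdf": "pdf", ".exe": "pe-executable",
}
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta"}


def build_sample_message(payload: bytes, filename: str) -> bytes:
    """Constructed spear-phishing-style message (hypothetical addresses).

    The email library base64-encodes the attachment, producing exactly the
    printable-character lines the comment describes."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "analyst@example.com"
    msg["Subject"] = "2011 Recruitment Plan"
    msg.set_content("Please review the attached plan before Friday.")
    msg.add_attachment(payload, maintype="application",
                       subtype="vnd.ms-excel", filename=filename)
    return msg.as_bytes()


def sniff(data: bytes) -> str:
    """Classify decoded bytes by their leading magic, not by their name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-compound"
    if data.startswith(MZ_MAGIC):
        return "pe-executable"
    if data.startswith(ZIP_MAGIC):
        return "zip-container"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def inspect_attachments(raw: bytes) -> list[dict]:
    """Parse a raw RFC 5322 message and report on each attachment.

    Attachments are only decoded to bytes and examined; nothing is written to
    disk, handed to a viewer, or executed, so the data stays data."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        data = part.get_payload(decode=True) or b""  # base64 -> original bytes
        kind = sniff(data)
        flags = []
        if kind == "pe-executable" or ext in EXECUTABLE_EXT:
            flags.append("executable-content")
        if ext in EXPECTED_KIND and EXPECTED_KIND[ext] != kind:
            flags.append("extension-magic-mismatch")
        if kind == "ole2-compound":
            # Legacy Office containers can carry macros or embedded objects;
            # they deserve a sandbox before anyone "opens" them.
            flags.append("legacy-office-container")
        report.append({"filename": name, "declared_type": part.get_content_type(),
                       "size": len(data), "sniffed": kind, "flags": flags})
    return report


if __name__ == "__main__":
    # Constructed stand-ins: magic bytes plus zero padding, not real files.
    benign = build_sample_message(OLE2_MAGIC + b"\x00" * 24, "2011_Recruitment_Plan.xls")
    disguised = build_sample_message(MZ_MAGIC + b"\x00" * 30, "2011_Recruitment_Plan.xls")
    for label, raw in (("xls by magic", benign), ("exe disguised as xls", disguised)):
        print(label, inspect_attachments(raw))
```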
~~~
jm4
You are sorely mistaken. First, the article clearly states that the user
downloaded and opened the file. It was not some automatic process put into
motion by the mere fact that someone emailed him, as you suggest in your rant.

Second, I suggest you take a moment to reconsider your position that "a virus,
a root-kit, a Trojan, malicious, malevolent, nasty, etc., but STILL is just
100% harmless, safe, and innocuous" unless the computer is being operated by
an idiot. That is, unless you have never, on any occasion, been a victim of
malware yourself. If that is the case, I suppose it is possible that you are
superior, in every way, to the rest of the computing world. Has it occurred to
you that perhaps there is a legitimate reason for the thriving computer
security industry?

It is a fact that there are very competent people behind these attacks. You
don't slip through the security of the likes of major defense contractors and
multi-billion dollar internet companies like Google without some skill. It is
also a fact that even the most competent computer users make mistakes from
time to time. The whole scenario seemed quite plausible to me, without my
having to assume that RSA employs a bunch of idiots.

As for your gripe about the quality of the article, think about the target
audience. You are obviously not a part of it. It was directed at the
mainstream, and it would have been inappropriate to fill it with technical
details that only another hacker would understand. That said, I thought it was
a pretty decent article. It explained in relatively easy to understand terms
how the attack worked and the possible rationale behind it. The tech-savvy
readers can use a little imagination to fill in the technical gaps. You
probably already have a pretty good idea how some parts of it worked. You
don't need to trash the author for not spelling it out for you. It's not
supposed to be a howto guide.

~~~
NY_Entrepreneur
Part I

Please seriously entertain my claim that the article is not to inform computer
users about how to avoid 'malware' but, instead, is just a case of a standard
practice in journalism to distort a real situation to create uninformed fears
to grab people by the gut to get their eyeballs for the ads.

In particular, the article is very far from reality about computer security.

Next, you are just not reading; instead, you wrote:

"You are sorely mistaken. First, the article clearly states that the user
downloaded and opened the file. It was not some automatic process put into
motion by the mere fact that someone emailed him, as you suggest in your
rant."

Totally, flatly, clearly, absolutely wrong. Your "and opened the file" is just
wrong. The article never said any such thing. I just went through the whole
article and looked at every case of the string 'open', and at no point did the
article mention that the file was open or opened. And in the first paragraph
with the start of the story, nothing like 'opened' was described or even
implied.

Instead, the situation in the article was just as I quoted in the key
statement from the first paragraph of the article:

"The man clicked on the message, downloaded the attached Excel spreadsheet
file, and unwittingly set in motion a chain of events allowing hackers to raid
the computer networks of his employer, RSA."

There is nothing here about 'open' in any sense.

Indeed, if this sentence were correct, then with any decent e-mail software
his computer would have been quite safe.

Of course, "downloaded the attached Excel spreadsheet file" has to be wrong:
The e-mail message would have already been received, in total, with the
"attached" file so that the file did not need to be "downloaded". Of course,
if the file was "downloaded" from just a URL in the e-mail message, then the
file was not "attached" to the e-mail message. So, either the spreadsheet file
was attached or downloaded but not both.

With irony, your:

"It was not some automatic process put into motion by the mere fact that
someone emailed him, as you suggest in your rant."

gets at the main bad point in the article: The author is interested in drama,
just drama, to grab readers by the gut, and in the special case of drama as
some threat from some inexplicable, unfathomable, hidden evil forces of
darkness. In particular the article did NOT include your "opened" the file
and, instead, just had its:

"unwittingly set in motion a chain of events allowing hackers to raid ..."

So the threat was not from your "opened" but from its "unwittingly", that is,
synonymous with my "inexplicable, unfathomable, hidden" and, with irony, also
with your "some automatic process ...". The author IS claiming that the
'infection' was from some "automatic process" which, of course, is nonsense.

Again, the main claim early in the article is that any computer user is
vulnerable to a massively destructive infection and security breach MERELY,
"unwittingly", from an "automatic process", of receiving a bad e-mail and then
downloading an attachment. This claim is nonsense, total 100% fuming, flaming,
reeking nonsense. It's wrong, and from an effort to create confusion to scare
people.

For your

"Second, I suggest you take a moment to reconsider your position that 'a
virus, a root-kit, a Trojan, malicious, malevolent, nasty, etc., but STILL is
just 100% harmless, safe, and innocuous' unless the computer is being operated
by an idiot."

No, my statement is correct, a nice contribution, and fully appropriate for
the subject of computer security for users of e-mail and personal computers.

To repeat, the key point for the target audience is not some "unwittingly" but
just what I wrote:

         Never, ever permit data from an untrusted
         source to execute as software.

That's the key rule that everyone using a personal computer today needs to
commit to memory, tattoo on the back of their right hand if necessary, pray to
God each day at bedtime if necessary, and follow in all computer usage without
exception.

The rule is simple and plenty within the ability of nearly any computer user.

And the rule insists that computer users know the difference between data just
sitting in a file and data permitted to execute as software; this difference
is just crucial.

Of course, the article, out of convenient ignorance or deliberate confusion or
both, wanted to avoid mentioning your "opened", to avoid saying that the
problem was not receiving the e-mail with an attachment, was not downloading a
spreadsheet file, but WAS 'opening', and thus executing as software, data from
an untrusted source.

The poor computer user was fine, safe, secure, etc. up to the moment they
'opened' the file. Again, the problem was 'opening' the file and not just
receiving or downloading, unwittingly or not, the file.

"That is, unless you have never, on any occasion, been a victim of malware
yourself."

The usual approach of the losing side of an argument is to attack the other
person, not the other ideas. So, you are now after me, personally. I'm not the
subject here; the article and computer security are the subject.

I've never gotten an infected computer via e-mail. With any decent e-mail
software used in any decent way, it's essentially impossible for anyone to get
an infected computer via e-mail. Again, as I explained, all standard SMTP and
POP 3 e-mail is just some lines of text of 8 bit bytes. This data is super
simple to handle safely. To get an infection from such data, have to work at
it. I made this point clear; it's good news; apparently you missed it.

~~~
NY_Entrepreneur
Part II

Sadly, last year I did have at least three infections, my first ever. All
three were from Web browser usage. I don't know the sources of the first two,
but the third infection was from one use of the Akamai download manager
software to get a PDF file from an Asus Web site. As I since discovered, that
Akamai program is a common source of viruses: There are some obscure
parameters in the program with some bugs, and passing the right string from an
HTML page to the program can infect a computer. So, again, the problem was
that the Web browser and the Akamai software permitted software from an
untrusted source to execute.

My solution:

(1) Except for a few, essential, explicitly trusted Web sites, do Web browsing
only in Windows User mode and not Windows Administrator mode.

(2) Severely restrict what Web browsers can do. For each browser, spend hours
or a few days going over each browser security option in detail and block
everything at all questionable until have a browser that barely works on
common Web sites. When on some Web sites the security options are too severe,
f'get about the sites. For the options, document each click. Of course, must
block Java and Active-X as if they were bytes of Anthrax.

(3) Disable all Web browser plug-ins except Flash. Due to the security threats
of Flash, restrict Web browsing only to 'mainstream' Web sites and hope and
pray.

In particular, never even entertain enabling anything like the Akamai download
manager. If want a PDF file from Asus, then try to get one sent as an e-mail
attachment instead of via a browser plug-in. For now and into the future,
regard essentially all browser plug-ins as never to be used. Period.

(4) For PDF files, let Adobe Acrobat read only files from relatively trusted
sources. Disable the ability of a Web browser to call Adobe Acrobat
automatically. That is, do not let any PDF reading software be an enabled
browser plug-in.

(5) After any software changes, review again what browser plug-ins are enabled
and again disable all but Flash (many software installations install and
enable browser plug-ins without permission or notification). Swat back all
those plug-ins like infected insects.

(6) Once a month download and run the latest Microsoft Malicious Software
Removal tool (MRT).

(7) Keep a copy of the boot partition when all the software on it was freshly
installed and still virus free, and be able to restore that copy of the
partition given any symptom of a virus. With some effort, some careful usage
of options, 'decoding' some really obscure Microsoft documentation, some
experiments, some guessing, some detective work, and a few days of work, maybe
two weeks full time, this saving and restoring are possible via the standard
Windows program NTBACKUP.

(8) Of course, block all automatic software updates and downloads, and
minimize all software updates. When the system is working, essentially FREEZE
it -- if it ain't broke, don't fix it.

(9) Try hard to block any automatic execution of any software on removable
media. Here, Microsoft tries really, really, really hard to keep people from
blocking such automatic execution. Microsoft really, really, REALLY wants such
automatic execution and wants to sweep under the rug the outrageously obvious
security threats. So, have to be very careful about what removable media
insert into a Windows system.

(10) Have Windows Firewall enabled with severe restrictions.

(11) Be very careful about any software source where permit its software to
execute. This means, permit third party software to execute only from
essentially impeccable sources, e.g., with signed software, etc. This also
means, for nearly all third party software, f'get about it.

So far these steps have worked.

For infections as in the article, that is, via e-mail, I am not concerned. In
particular, for some progress on PC computer security, pay attention to my 11
steps above. Also pay close attention to the first rule of computer security.
For the article and its "unwittingly" via e-mail and downloads, f'get about
those. I'm passing out stuff that is from good up to great; the article is
passing out nonsense.

You wrote:

"It is a fact that there are very competent people behind these attacks."

That statement is true but a 'non sequitur' in this discussion and, thus, off
the subject.

The issue from the article is getting infected "unwittingly" via an attachment
via e-mail, and, with anything like a decent e-mail program used in anything
like a decent way, that's nonsense even for "very competent people".

In particular, the article is pointing people in the wrong direction: The
problems were not from e-mail or downloading but, presumably, that is, taking
the minimum from the article, from 'opening' a spreadsheet file. That
distinction is key, crucial. There's nothing "unwittingly" about it. The
problem was that word you claimed was there but was not -- OPEN.

"The whole scenario seemed quite plausible to me, without my having to assume
that RSA employs a bunch of idiots."

It's not "plausible" to me: The problem had to be "open" and not e-mail or
downloading. And "unwittingly" had no role. Again, once again, still again,
over again, once more, the first rule of computer security is:

         Never, ever permit data from an untrusted
         source to execute as software.

The problem in the article was a violation of this rule.

Just what is it about this rule you are having such a really difficult time
understanding? Why are you so determined to believe in "unwittingly" instead
of rationality?

This rule is really good news; why are you being so determined to keep
struggling in the 31 F waters instead of reaching for the lifeboat and warm,
dry blankets of this rule?

"As for your gripe about the quality of the article, think about the target
audience."

I am: The audience needs to f'get about the article and "unwittingly" and pay
close and careful attention to the first rule of computer security. For that
rule, did I mention:

         Never, ever permit data from an untrusted
         source to execute as software.

"That said, I thought it was a pretty decent article. It explained in
relatively easy to understand terms how the attack worked and the possible
rationale behind it."

No: That is definitely what the article, deliberately and/or incompetently,
did NOT do. The article claimed that "how the attack worked" was via its
"unwittingly" and downloading, which are nonsense. Again, once again, to
repeat yet again, still again, the problem was OPEN and, in particular,
violation of:

         Never, ever permit data from an untrusted
         source to execute as software.

That's enough. If I continue to respond to your writing from not having read
what I wrote, I will be just repeating the same, simple, on target points over
a dozen times.

------
hluska
Thanks for posting this - perfect read for right before bed!