Ah. He just decrypted the encrypted versions of his passwords by looking at them. I see.
And he "stumbled upon" a directory during his routine 6:30am check. Really? He's manually inspecting servers every morning at 6:30am?
This entire story is several levels of /headdesk.
You also assume he immediately recognised them. It could well have been someone who later told him what he'd found.
Sloppy of the attackers to leave it in plain sight.
I think this means the hashed passwords. Microsoft have had several vulnerabilities in this area. Just entering a password to browse a server caused Windows (prior to Vista) to store the LM hash. An LM hash can be reversed in a matter of seconds.
I'm saying that - at least the way TFA describes it - the victim doesn't have enough security knowledge to tell if he's been attacked by script kiddies, a nation state, or a roll of toilet paper.
I'm sure the real story is a bit more nuanced, but nothing about the description gives me any confidence that the allegations are even broadly aimed in the right direction.
Is China a major vector of security attacks? Yes. Does that mean it has anything to do with this particular incident? I wouldn't bet serious money either way, and pocket money against.
To give you an idea of how stunningly bad conclusions can be drawn from technobabble inferences, I present this:
Powerful ‘Flame’ cyberweapon tied to popular Angry Birds game
The most sophisticated and powerful cyberweapon uncovered to date was written in the LUA computer language, cyber security experts tell Fox News -- the same one used to make the incredibly popular Angry Birds game.
LUA is favored by game programmers because it’s easy to use and easy to embed. Flame is described as enormously powerful and large, containing some 250,000 lines of code, making it far larger than other such cyberweapons. Yet it was built with gamer code, said Cedric Leighton, a retired Air Force Intelligence officer who now consults in the national security arena.
FOX News claims that Angry Birds is a delivery vehicle for a virus because both of them are programmed in Lua. And who can blame the reporter? Her source is a former intelligence officer in the Air Force who is likely paid way more than every developer on HN to hype up such threats.
I wonder what would happen if Anonymous decided to target China over a matter like this. Sure would be impossible to bring a government like that to their knees. But at least the public would gain some awareness on this matter.
Before you grabbed that little war drum, if you thought of the consequences you really wouldn't want to start such a conflict in the first place.
The quick, unorganized retaliatory response from an anonymous actor is usually such that it puts innocent services and people directly into the crossfire. Not to mention an anonymous moniker allows anyone to act on the behalf of anyone.
I was going to write that at least he got a bunch of free publicity from the article, but on the other hand the takeaway is that product is probably no more secure than his servers.
Seems like a lot of the issues would have been solved by moving to AWS. At least they would have still been making money.
Whether they would waste an AWS 0-day on some random stubborn American is another story.
Once I got to the point in the article where it was obvious that he was under some form of a coordinated attack I almost wanted to send myself back in time to be able to go over to his office and yell "AWS! AWS!" in his ear.
In addition to that, it seems it should have been obvious that bringing a team of experts to help secure the network (or transition it away) and fight the fight would have been the smartest idea. I would think that the quoted losses of some $58K per month would have covered this just fine. And, perhaps what is more important, it is likely that the technology fight wouldn't have lasted three years.
The other thing that struck me --again, don't have perfect data, don't know all the facts-- is the apparent lack of help from the likes of the FBI. You would think that they'd be there in some sustained fashion to help out.
This fellow was out of his league and paid a dear price for it. Hopefully the settlement compensated for some of it. It sounds like he might have ended up with stress-related health issues, which are no laughing matter.
It'll be really sad if the Internet becomes just another weapon of war. That should not be permitted. How? Not sure. Is it too late?
Anything of value can be turned into a weapon of war. Think about what a weapon is - it is a tool to disrupt something delicate. A missile destroys a plane. A knife stops a heart. A virus stops a computer.
It really concerns me that a private US citizen was personally attacked by a sovereign nation. It seems to me that the US has an important duty to protect its people, whether the attack is virtual or physical.
Yes, journalists are poor at providing technical coverage. That's not really their job.
Yes, this guy could have created a more secure network system, but if a government hacking group comes after you, you will likely not do any better.
> Examining the script that controlled the payment processing function in November that year, he noticed that a single character was missing from the string -- an apostrophe. That was enough to cause the page to time out, rather than to complete the credit card transaction. Customers were leaving in frustration
Am I right in thinking that this was all hacked via SQL injection?
The problem is that if cybersecurity continues to be framed in this fashion, then all that shit that HN continually complains about -- security theater (via homeland security) and draconian Internet laws (remember SOPA) -- will continue to be status quo.
"Milburn contacted Matthew Thomlinson, a Microsoft Corp. (MSFT) threat expert for help. Thomlinson found the malware had downloaded software that burrowed into the company’s Microsoft operating system, automatically uploading more tools the hackers could use to control the network remotely."
Sounds like classic Chinese hacking though, this doesn't sound like the work of real pros.
> schooling in commuter science
If this was a government sanctioned job, though, I imagine they could have stepped things up if the script-kiddie stuff didn't work. Why bring out the nuclear weapons if bottle rockets are doing the job just fine?
> high-tech spies and digital combatants seek to gain
> a brass-knuckle advantage in the global economy
Commercial hacker hunters -- who refer to the team as the Comment group, for the hidden program code they use known as “comments” .....
First, some pointers (non-exhaustive).
- Disk encryption
- Password complexity requirements
- Key-based authentication
- Firewall rules on host: explicit ingress/egress
- Run services as non-privileged users in a chroot jail
- Firewall rules for network: explicit ingress/egress
Yes, that's two firewalls for your hosting infrastructure. Attackers would have to escalate privileges from a service user to a root user in order to modify the firewall rules, at which point they'll have access to the other components of your internal network. To get outbound connectivity, they'd have to gain root access to the external firewall as well. Keep in mind they can still upload data if they can execute arbitrary commands as the web service user.
Now, onto more specific items mentioned in the article.
>realizing only later that the e-mail address was a couple of letters off.
You can get certificates here:
You can even get free ones if you're on a budget! (although they do say for personal use, implement at your own risk if you're a business!)
You can do a Google search on how to get these certificates installed in your mail and mobile clients of choice.
>clicked on the attachment
>Microsoft operating system
>automatically uploading more tools the hackers could use to control the network remotely.
1. If the malware was listening for incoming connections, explicit ingress (aka no port forwarding) with a NAT (most residential routers) would have made it more difficult, as another layer must be evaded to connect to the internal machines.
2. If the malware was using a connect-back shell, explicit egress (aka outbound) traffic would make it difficult to get a shell on a compromised machine. As soon as you realize you're under attack, you should go into hardcore lockdown paranoid mode, and only allow network ranges that are absolutely necessary for business operation.
>Then the company’s e-mail servers began shutting down, sometimes two or three times a week, slowing e-mail traffic, the main way the company provides customer service
>Similar problems began plaguing the web servers -- a bigger problem since web sales of CYBERsitter supply more than half of Solid Oak’s revenue.
>Similar problems began plaguing the web servers
>figure out how the hackers might be behind it.
>But the agency shed almost no light on the situation, he says, and he was never told if the material was useful.
>alternating between four different cell phones from three different carriers.
>constantly had to reboot servers
>couldn’t trace the source of the network problems
>to find that his commercial-grade SonicWALL firewall had failed
>He spent a good part of the next day on the phone with the manufacturer, who was stumped.
>He began writing his own software to monitor the connections his computers were making to outside networks, looking for tell-tale signs of the hackers at work.
>obscure Microsoft directory
>all eight passwords
1. Use unique passwords for each service/account.
2. Store them encrypted, in a password manager.
3. Use keys/certificates whenever possible.
4. Use two-factor authentication whenever possible.
>The folder was gone two days later, he says, and in its place were several pieces of software he didn’t recognize.
>Net losses averaged $58,000 a month
>A hacker could certainly edit the script and break it so it wouldn’t work
>That would be a great way to do it without calling attention to the fact that they were in the system.
I'm quite tired and I think I'm rambling at this point. I hope this is clear enough for some people to get something out of. I'll probably come back later and make some edits for clarity/correctness.
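As an added example (not from the thread or from the companies discussed), here is the "explicit egress" idea from the pointers above turned into a small connection checker in Python, in the spirit of the home-grown outbound-connection monitor the article describes: an allowlist of the network ranges and ports the business actually needs, and every observed outbound connection outside it gets flagged. The allowlist format, the connection-log format and all addresses and process names are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist: "<network> <port|*> <proto>"; '#' starts a comment; RFC 5737 ranges.
ALLOWLIST = """
203.0.113.0/24    443  tcp   # payment processor API
198.51.100.53/32   53  udp   # upstream DNS resolver
192.0.2.10/32      25  tcp   # outbound mail relay
"""

# Constructed outbound-connection log: "<proto> <local> <remote> <state> <process>".
CONNECTIONS = """
tcp 10.0.0.12:49152 203.0.113.7:443     ESTABLISHED httpd
udp 10.0.0.12:53012 198.51.100.53:53    -           named
tcp 10.0.0.12:51233 198.51.100.200:4444 ESTABLISHED svchost.exe
tcp 10.0.0.12:51240 203.0.113.7:8080    ESTABLISHED httpd
"""

@dataclass(frozen=True)
class EgressRule:
    network: ipaddress.IPv4Network
    port: Optional[int]          # None allows any destination port
    proto: str

    def allows(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        return (proto == self.proto
                and ipaddress.ip_address(dst_ip) in self.network
                and (self.port is None or self.port == dst_port))

def parse_allowlist(text: str) -> list:
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not fields:
            continue
        net, port, proto = fields
        rules.append(EgressRule(ipaddress.ip_network(net, strict=False),
                                None if port == "*" else int(port), proto.lower()))
    return rules

def find_violations(conn_text: str, rules: list) -> list:
    """Return (proto, dst_ip, dst_port, process) for each connection no rule allows."""
    flagged = []
    for line in filter(str.strip, conn_text.splitlines()):
        proto, _local, remote, _state, process = line.split()
        dst_ip, port = remote.rsplit(":", 1)
        if not any(r.allows(proto.lower(), dst_ip, int(port)) for r in rules):
            flagged.append((proto, dst_ip, int(port), process))
    return flagged
```

Run against the constructed log, the two connections that fall outside the allowlist (an unknown host on port 4444 and an allowed host on a non-allowed port) are the ones reported; the same allowlist is what a default-deny egress firewall would enforce.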
We found evidence that a number of these blacklists have been taken from the American-made filtering program CyberSitter. In particular, we found an encrypted configuration file, wfileu.dat, that references these blacklists with download URLs at CyberSitter's site. We also found a setup file, xstring.s2g, that appears to date these blacklists to 2006. Finally, csnews.dat is an encrypted 2004 news bulletin by CyberSitter. We conjecture that this file was accidentally included because it has the same file extension as the filters.
tldr version of the article: http://tldr.io/tldrs/50b6e4acbb22039977000f5b