So what is the intent of this blog, and my posts? It is a question that some will ask, and I will answer as candidly as possible: "To expose security charlatans who are creating fictitious accounts of state-sponsored cyberattacks, capitalizing on 'cyberfears' and otherwise spreading cyber nonsense." Because of the seriousness of the industry and content (national security related at times), I have chosen to remain anonymous out of fear of being blacklisted by peers who are too afraid to otherwise tell the truth, and out of fear of annoying someone in the beltway so much that any time I board a plane at JFK, Dulles, etc., I will be subjected to special treatment by the TSA. With my explanation again posted, let me move on to yesterday's news: CISPA [CSP]. "Cybersecurity bill is re-born. Crafty verbiage from security charlatans will likely profit handsomely."
Imagine for a moment you sought to buy an automobile. Obviously your choices will boil down to domestic versus import at the very top of the auto food chain. Now imagine what the response would be if you walked into, say, Chevrolet and asked for a comparison of a Toyota Camry and perhaps a Chevy Cruze. You will get a distorted view: how great Chevy is versus how horrible Toyota is. Recalls, buying outside of America is un-American, and so forth. This is merely business. While the dealer's worker may have factual information that outright contradicts their statements, he (or she) will skew information to their own benefit. It is about making a sale, even though the dealer is likely driving a Nissan. No brainer. The same applies with security.
Imagine that you, being the President of the United States, call in the CEO of, say, General Dynamics or Raytheon and you ask them: "Do we need more weapons?" What do you perceive their answer would be? If you said "pie charts splattered with red dots numbering the growing amount of enemies out to attack the United States," then you can summarize what the security technology industry has become in the past decade. The "security wizards" in their glorious "wizardry" hats, with pie charts and spreadsheets, will rattle off the attackers one by one as coming from pre-defined, specific places. You know, China. The information the security wizards are basing their assumptions and summations on is mind boggling.
But do not let the charlatans fool you. The bottom line is that their researchers are NOT relying on pieces of code, but primarily on IP addresses, as the source of an attack. There are no magic beans to make a tree sprout here. Now, if you question the researchers, you will often be ridiculed by them; after all: "who the hell are you to take on John Doe from Super Security Corp Inc.?!" All (emphasis on every last one of these guys) will point you down a round-robin, quantitative, superclusterbomb highway to nowhere, never once coming clean with an answer. They will then turn around and state: "we can't tell you because of client confidentiality, etc."
In the United States, in fact throughout the world, law enforcement sources usually have "wanted" posters of sorts. These are those pictures you see seeking someone who committed a crime. Enough information is given about the "criminal" not only to enable citizens to aid in apprehension, but also as a warning: "If you see this person in the picture, he is wanted for murder. Be cautious!" In the malware world, as opposed to people saying "hey, if you see this IP address, or this type of file, be cautious! It's an attacker," we see: "Warning! Just because we say so!"
Contrary to law enforcement related alerts, the security wizards keep this information (who is attacking) private. It is only available to the highest bidder. Pretty nervy, wouldn't you say? How much better off the world would be if some of these guys posted to a repository visible to all that stated: "THIS type of attack is coming from THIS IP address. Use this information to protect yourself." Attacks would dwindle. But so would profits. Imagine how you would feel if, say, the FBI, local police department or Interpol told you: "Well, you have to pay for the wanted posters to protect yourself from bad actors." Yet here we are sanctioning and promoting this type of behavior coming from security companies. Amazing.
Security rats this week were hard at work capitalizing on the crumbs under the United States government's GAO tables. [MAN] Be assured that every trick in the book, verbiage-wise, has been well written, studied, and rehearsed by these rats. This has been a work in progress (enemy development) for years. From the security wizards and rats, right down to the media. [NYT]
Let's look at the media, and the rats over at Mandiant, first: "The hackers tried to cloak the source of the attacks on The Times by first penetrating computers at United States universities and routing the attacks through them, said computer security experts at Mandiant, the company hired by The Times. This matches the subterfuge used in many other attacks that Mandiant has tracked to China." [NYT]
Interesting concept we read about. Hackers from China compromised University computers, then intruded on the New York Times. Yet at no point does the article detail how Mandiant was able to determine how and when the University machines were compromised. Let's have an ASCII view of what Mandiant and the New York Times say transpired:
(a) Chinese Attackers --> (b) Compromised University Machines --> (c) New York Times
This wording comes from Mandiant and the New York Times [NYT]; in case one would believe that I am making things up, the article is linked. In the above ASCII scenario, Mandiant staff would need to be located at (c), the New York Times premises, to analyze what is occurring. From a network analysis perspective, the attack is originating from (b), a University server. Now unless Mandiant has someone on the network premises at the University (b), how can they make such statements as "first penetrating computers at United States universities"?
At no point in the article does it mention "Mandiant worked with University officials." In fact, most Universities would require subpoenas before giving out logs or access. This is the law as dictated by FERPA. Since this was not a law enforcement matter, they were not likely to get log information. So let's just assume for the moment that Mandiant managed to collaborate with staff at a University. Then what? Could the attackers not have come from, say, Germany, having compromised machines in China:
German Attacker --> Chinese Server --> US University --> NYT
See the dilemma here? Mandiant was content with naming China, never once offering anything beyond "you can trust us." So I refer you now to Ronnie: "trust but verify." The New York Times is no different and just as guilty in this matter. They seemed to allow attackers to run amok inside their network, but don't for a moment believe they would ever allow this to occur to promote a news story. [DAI] No news agency would ever want to promote such a thing. Better to make money some other way. After all that was said, let us not even think about how much of a cesspool University computers are when it comes to malware, virus and worm infections. We are to simply accept what we are told.
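The two chains above make one point: a vantage point's connection logs name only its immediate upstream peer, so the evidenced chain can be walked back exactly one hop per host whose logs the investigator actually holds. The following Python model is an added example, not code from the post or from Mandiant; the hosts and their logs are constructed to match the German-attacker scenario, and the function names are my own.

```python
"""Model how far upstream network evidence alone can carry an attribution.

Constructed sample (not real data): the true chain is
    attacker-de --> server-cn --> university-us --> nyt
Each host's inbound log records only the peer that connected to it.
"""
from typing import Dict, List, Tuple

# Constructed ground-truth inbound logs: host -> list of hosts seen connecting to it.
ALL_LOGS: Dict[str, List[str]] = {
    "nyt": ["university-us"],
    "university-us": ["server-cn"],
    "server-cn": ["attacker-de"],
    "attacker-de": [],  # nothing connected in: earliest hop the evidence reaches
}


def logs_held(*hosts: str) -> Dict[str, List[str]]:
    """Subset of ALL_LOGS an investigator holds (e.g. only the victim's)."""
    return {h: ALL_LOGS[h] for h in hosts}


def attribute(held: Dict[str, List[str]], victim: str) -> Tuple[List[str], str]:
    """Walk upstream from `victim` using only the logs actually held.

    Returns (chain, status). `chain` is origin-first and contains only hosts
    that some held log names. `status` is "evidenced-origin" when the walk
    ends at a host whose own log shows no inbound peer, or "unverified" when
    the last-named source is a host we hold no logs from, so it may just as
    well be a relay as the origin.
    """
    chain = [victim]
    current = victim
    while True:
        if current not in held:
            return chain, "unverified"
        inbound = held[current]
        if not inbound:
            return chain, "evidenced-origin"
        upstream = inbound[0]  # single upstream peer in the constructed sample
        if upstream in chain:  # guard against a looped log set
            return chain, "unverified"
        chain.insert(0, upstream)
        current = upstream


if __name__ == "__main__":
    # Logs from the victim alone: the university is the farthest evidenced hop.
    print(attribute(logs_held("nyt"), "nyt"))
    # Adding the university's logs names server-cn, but does not prove it is the origin.
    print(attribute(logs_held("nyt", "university-us"), "nyt"))
```

With only the victim's and the university's logs the walk stops at server-cn marked "unverified", which is exactly the gap between "the traffic came from a Chinese address" and "the attacker is in China".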
Anyhow, it's not like any security researchers are focused on China. Especially not Mandiant. It is only a coincidence that in the 46 days of the year so far, China/Chinese/Asian has been mentioned 53 times by Mandiant's CSO Richard Bejtlich via Twitter. It's not like security rats are making things up out of the blue. (Honestly, one cannot make this stuff up even if they tried!) Cybergeddontastrophe is real and it is coming your way. Straight Outta Hong Kong. (Wonder if Dre will allow for a remix?)