Schneier on Security
A blog covering security and security technology.
« Do-It-Yourself Laser Spy Microphone |
| NASA Employees Sue over Background Checks »
September 4, 2007
Pentagon Hacked by Chinese Military
The story seems to have started yesterday in the Financial Times, and is now spreading.
Not enough details to know what's really going on, though. From the FT:
The Chinese military hacked into a Pentagon computer network in June in the most successful cyber attack on the US defence department, say American officials.
The Pentagon acknowledged shutting down part of a computer system serving the office of Robert Gates, defence secretary, but declined to say who it believed was behind the attack.
Current and former officials have told the Financial Times an internal investigation has revealed that the incursion came from the People's Liberation Army.
One senior US official said the Pentagon had pinpointed the exact origins of the attack. Another person familiar with the event said there was a "very high level of confidence...trending towards total certainty" that the PLA was responsible. The defence ministry in Beijing declined to comment on Monday.
EDITED TO ADD (9/13): Another good commentary.
Posted on September 4, 2007 at 10:44 AM
• 32 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Wow, for a while there were three, count 'em *THREE* blog posts for the same news item. Corrected, now, it appears.
Maybe we should add one: "Security Blog Hacked by Unknown Military" -- the military is famous for wanting things in triplicate.
Naturally, the Chinese government is denying the claim.
It would be ironic if the affected system was part of the GOP-provided secondary e-mail loop that was brought to light during the attorney dismissal investigation. That is, a computer that should not have been there in the first place turns out to be the one that was identified and hacked.
This is so vague it could cover anything from Gates' administrative assistant getting a worm and having his/her computer join some Chinese soldier's botfarm that supplements his income with spam proceeds up to something actually having a major effect on national security.
Without more details...
I guess we'll know more when spam starts showing up from Bob Gates ...
The more interesting question with stories like this is why we are seeing it in the papers.
Ordinarily if you find a security breach, you don't trumpet it far and wide. You might want to play the honeypot game, see what the intruder is up to, etc. Or you might not want to advertise widely that your security sucks.
However, if your purpose is political (to generate more anti-Chinese hostility, get more funding out of Congress) this story might serve your interest.
I worked at the Pentagon for many years supporting the network. The Chinese we're CONSTANTLY trying to get in, followed by the Israelis, and our old friends, the Russians. Of COURSE the Chinese are going to deny this....what are they going to say, "Yeah, we did it?" It doesn't surprise me that they got it, security measures having been getting lax over the years. It takes an incident such as this to light a fire under those folks over there to take these threats seriously. Always reactive, never proactive.
Wouldn't it be ironic if they are trying to hack into tempest-based hardware (systems that among other things have lead-lined boxes)....
Joe Buck wins the jackpot.
Of course, intelligence organizations from all major nations are hacking at the systems of other nations, vigorously and assiduously. Even where the yield is low, the risk is near zero (compared to running agents, bribery, blackmail, defector operations etc.), and the cost is almost near zero.
Anyone who thinks the NSA isn't constantly trying these sorts of games (and others we may never find out about, if they're competently played) against PRC, Russia, and many others, must also think the Agency is spending 3.6G$/year on paper clips and staples.
So, if there is a constant, humming background of state-based intrusion efforts, the pertinent question is "why is this newsworthy now"? Who gains from this story getting prominent play? Might there possibly be a nascent cyber-warfare operation in the Pentagon that stands to gain from scaring a few Congresspersons by trotting out the "Yellow Peril"? Why, yes. Yes, there is. Fancy that.
I also think that Joe Buck has the right idea.
Recently, a chinese firm indicated its interest in buying Seagate Technology; this raised fears about loss of important technology to China.
Leaking this story about alleged Chinese hacking might help see off attempts by Chinese companies to buy American high technology companies. Personally, I think this news campaign might be quite sensible, from an American perspective. The US economy is an indebted mess right now and America can hardly afford to start selling off all of its best technology.
@joe Buck, Jaded Cynic et al...
...and yet Washington lets Microsloth put some of its main research and develioment labs over there, and then uses the same products on its critical government systems...
...the irony is just too delicious!
Obviously China is involved in ALL levels of espionage...
China has been collecting all they can for years.
Just as they are actively wooing our corporations.
Just as they have stolen nuclear secrets.
Just as they have stolen Aegis secrets.
I can honestly say China doesn't bother me that much.
We should ask them what they want(military secrets, space technology, food, oil), compare it to the list of things we want(freedoms, Korea, Taiwan, some help with the Middle East, non-toxic toys, etc), and then trade away.
To paraphrase Adam:
Obviously every country is involved in ALL levels of espionage (that they can manage to compete in) ...
For as long as there have been states.
The "things we want" is a propaganda list not a real list if by "we" you mean the U.S. government in pkace. "Freedom" is police state surveillance, either Korea would be interested in the fact that "we want them", I wouldn't venture to speculate on quite that means; politically Taiwan exists as a stick to poke China in the eye, and so on ...
BTW, everyone would be better off if the US produced it's own toxic toys, except there would be darn little for Christmas were this the case. (Given parenthood paranoia, it is almost imposible to produce a toy that is non-toxic to everyone's satisfaction.)
I'd like to point out that the pentagon and pretty much all of the DoD is not protected by Safe Access, StrataGuard, VAM or a Cobia based network solution. It's almost like they are having unprotected sex and that's what happens when you have unprotected sex!
If you actually think that any attack executed with any kind of sophistication was executed from the attackers home or base of operations, you obviously know nothing about network attack theory. There is no way in hell that they *KNOW* it came from china, unless they have someone on the inside or did a counter-hack. Either way it's just as likely that it was a US or European based attacker as it was China. The US has been pushing the Chinese cyberwarfare image for years and anyone in network security knows that they it's highly unlikely that all these attacks are actually from a Chinese source.
I for one welcome our new overlords.
Interesting news and interesting comments. ... I wonder how they plan to pin this on Al-Kaida...
Computers or not, these illustrations help:
(from Department of Physics, University of Cambridge)
Yesterday Africa and Latin America, Vietnam, Cuba, Nicaragua, Iraq, Yugoslavia, Serbia,... today Iraq v.2, Afghanistan, Cuba v.45,... tomorrow Iran, Corea, China... Gee, it'll be funny to be around when all these countries start using computers in everyday life and when their new and young hackers start playing hide and seek with US intelligence.
Informing the media and the public of the details of a vulnerability could attract attackers to that vulnerability. Letting it be known that a vulnerability was exploited, however, if not enough information is provided so as to be helpful to further attacks, might raise due concern that the vulnerability must be fixed rather than swept under the rug. Sometimes outside pressure, or even embarrassment, can have a desirable result.
Releasing the limited information may have been an act of duty and conscience by someone.
Wrong website dude.
"Another person familiar with the event said there was a "very high level of confidence...trending towards total certainty" that the PLA was responsible."
Is this the same level of confidence that they had regarding Saddam's WMDs being ready to deploy in 45 minutes and other sundry bullshit?
Yeah, the interesting question is why now?
Any trade talks with China coming up?
@Colossal Squid - The president said so, so it Must be true. No, really, it MUST BE true, them's the rules for this administration.
Engage the reality-distortion fields and make it so...
@ notmyrealname: Oh my god, you're right! Hundreds intel and intrusion analaysts working day and night never thought of that! Thank god for you!
They know this and don't just "whois" the IP used in the communication. For all the rejects, the US has some pretty darn smart folks, spending much more time than you on this analysis. If the conclusion is wrong, it is not due to this kind of shallow research, it is more likely due to what Colossal Squid opined.
Regarding the reason for publication, one of the hardest parts of protecting a network used by thousands is convincing all your users that they need to take security seriously. Users complain about changing passwords, multi-factor authentication, etc. and just don't follow policy unless they realize there exists a threat.
Kanly nailed it.
Also, I love quotes like "very high level of confidence...trending towards total certainty"
Really? Trending towards? How do you measure the rate of drift? Are you taking that measurement with a digital thermometer, or an old analog one? Orally, or...
Honestly, I don't have "total certainty" that I'm not a brain in a vat, and these guys are convinced that the Inscrutable Asians are hacking our idiot SecDef's office.
Alarmists! Next thing you know they will be claiming toys from china are coated with lead paint...
I personally know a person who works for the DoD and he has worked in the Pentagon at one time. His Pittsburgh Sectors Security is beyond what I thought the US Government could do for computer security technology from what he told me. Complexity is Securities big enemy but the security the Pittsburgh office had was complex but yet still was well implemented to use. So just picture the Pentagons security if that's DoD HQ. When all said and done the Chinese Crackers probably cracked declassified networks that didn't hold any real source of info that was critical to steal.
Of course the gov't didnt know about it. Do you really think that the CIA tells media contacts withing the gov't what they are up to? ...like ever? ROTFLMAO
Get ready for more of this....this that has been going on for the last 30 years. ;)
It's a good guess that they have systems that are decoys. Bunch of stuff named top secret and such that's a honeypot. The hackers think they hit it big and got a load of crap. The media reports it as a big deal and China thinks it is. The security people keep quiet and laugh in some sealed room under the Pentagon. China found all the bugs.
"Program testing can be used to show the presence of bugs, but never to show their absence!" How do you prove something never happened?
"When a new system concept or new technology is used, one has to build a system to throw away," Let China hack away at some throw away system. It's getting research done without paying them to do it. A ton of work for no pay and a better system. Save time while these guy work day and night testing your new systems for you. Thanks guys.
Way back when...
Dick Schafer, director of information assurance for the DoD. "No one here has a set of toys as neat as what we've got."
They got new toys since then. Look at the toys we get from China. Junk and recalls.
A good summary of the threats.
It turns out that Russia is better at it than China.
COMPUTER NETWORK THREATS
"The U.S. information infrastructure, which includes telecommunications, computer networks and systems and the data that resides on them, is critical to most aspects of modern life in the United States . Russia and China pose the most experienced, well-resourced and capable computer network operations (CNO) threats to the United States , but they are not the only foreign entities that do. Other nations and non-state terrorist and criminal groups are also developing and refining their abilities to exploit and attack computer networks in support of their peacetime and wartime military, intelligence or criminal goals.
The scope and sophistication of malicious CNO targeting against U.S. networks has steadily increased over the last five years. This is of particular concern because of the pronounced military advantages that the United States has traditionally derived from information networks. Potential adversaries that cannot compete head-on against the United States may view CNO as a preferred asymmetric strategy to exploit our weakness while minimizing or degrading our traditional strengths.
China became the largest exporter of information technology in 2004, surpassing the United States and the European Union. Current trends suggest that China will soon become a major supplier to the United States . O verseas production provides opportunities for hostile actors to access targeted systems by exploiting the supply chain at its origin.
Russia and China have the technical, educational and operational ability to conduct CNO against targeted networks. Russia remains the most capable cyber-threat to the United States . Several high-ranking Russian military officials have promoted CNO's potential against future adversaries. Since 2005 China has been incorporating offensive CNO into their military exercises, primarily in first strikes against enemy networks. Recent hacking activities emanating from China underscore concerns about Beijing 's potential hostile CNO intelligence collection activities."
"Russia has the most highly developed, capable, and well-resourced IO capability among potential foreign adversaries. Russian foreign and military intelligence, as well as the Russian Security Service, have active offensive and defensive CNO programs. Assessed capabilities include insider recruitment, cryptology, viruses, software and hardware attacks, and remote penetration.
China has developed an apparent large scale CNO program, including military exercises to refine and implement concepts. China's robust presence in the global IT hardware and software supply chain enhances its technical expertise and IO capability. China is the number one IT hardware provider for U.S. consumers, accounting for 42 percent of U.S. IT hardware imports in 2005. As such, U.S. dependence on China for certain items critical to the U.S. defense industry and the waning of U.S. global IT dominance are valid concerns that demand vigilance."
"U.S. dependence on China for certain items critical to the U.S. defense industry and the waning of U.S. global IT dominance are valid concerns that demand vigilance." Start making hardware here. The imported IT is a threat like the imported oil is, in that we need people who don't need us or don't care about us. We used to make all this stuff and made it to last.
Cloakware Federal Systems uses proven Cloakware technology to offer anti-tampering and reverse engineering solutions and services to Homeland Security, Intelligence Agencies, DoD organizations and Systems Integrators, enabling them to increasing the security of mission-critical applications and systems. Cloakware's specialized and Commercial-Off-The-Shelf (COTS) solutions enable the U.S. government to protect its most critical information and applications.
Cloakware, an Irdeto company, is the security solutions provider that makes security inseparable from the software it protects.
Irdeto employs over 700 people in 22 offices across the globe, including the dual corporate headquarters in Amsterdam and Beijing.
China has the Pentagon covered.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.