Bureau of Industry and Security Hacked

The BIS is the part of the U.S. Department of Commerce responsible for export control. If you have a dual-use technology that you need special approval in order to export outside the U.S., or to export it to specific countries, BIS is what you submit the paperwork to.

It's been hacked by "hackers working through Chinese servers," and has been shut down. This may very well have been a targeted attack.

Manufacturers of hardware crypto devices -- mass-market software is exempted -- must submit detailed design information to BIS in order to get an export license. There's a lot of detailed information on crypto products in the BIS computers.

Of course, I have no way of knowing if this information was breached or if that's what the hackers were after, but it is interesting. On the other hand, any crypto product that relied on this information being secret doesn't deserve to be on the market anyway.

Posted on October 11, 2006 at 7:16 AM • 22 Comments

Comments

Swiss ConnectionOctober 11, 2006 8:33 AM

More likely that asian corporations want to get at manufacturing secrets or that the CIA wants another movie plot scenario.

XOctober 11, 2006 9:08 AM

I can't believe the amount of fear mongering in the tech media. Just because someone proxy through Chinese servers, doesn't mean that they are Chinese. It just means that they are insecure and have better bandwidth than the rest of the world.

Both botnets have a rather even distribution across countries with good broadband connectivity, US, China, Korea, Taiwan, Western Europe.

Really sounds like the BIS haven't the clue who hacked them and just blaming what appears to be the source. Is the workstation so in secure that they are directed connected to the Internet, or is it already part of a botnet. You seriously wonder just how incompetent BIS tech guys really can be.

Carlo GrazianiOctober 11, 2006 9:12 AM

"Digital Pearl Harbor".

"The Chinese are waging very effectual intellectual warfare.".

'...even reformatting the disk drive and reinstalling software can't guarantee that all malicious code has been removed. "We don't know if the attackers have greater technology than we do"'

'"These reports read like accounts from a battlefield," said Stiennon. And the Chinese, he argued, are winning.'

There is an awful lot of semi-hysterical hyperventilating in this article, but not an awful lot of analysis.

For one thing, does anyone here believe for a second that the NSA isn't attacking Chinese information systems with equal or greater assiduity? Just because the PRC authorites don't issue press releases about intrusion detections doesn't mean it's not happening.

The BIOS threat doesn't strike me as particularly credible either, particularly in conjunction with the Lenovo "threat". Anyone who thinks Chinese intelligence could undetectably secrete malware on mass-produced hardware, or would even want to, is smoking crack. Such an adulteration would certainly be detected within the first few hundred units sold, well before any possible intelligence payoff, and the consequences to trade and diplomacy would be dire.

A lot of this stuff is coming from people who miss having a "main enemy". In my opinion, China is being groomed for the role that the USSR had the deplorable bad taste to abandon.

MichielOctober 11, 2006 9:44 AM

From the article:

"BIS "had identified several successful attempts to attack unattended BIS workstations during the overnight hours." Last month, reported the Post, Foulon wrote: "It has become clear that Internet access in itself is a vulnerability that we cannot mitigate. We have tried incremental steps and they have proven insufficient.""

I don't get it; someone attacks from OUTSIDE, manages to bypass firewalls and attack workstations on the local LAN and they lock down internet access?
I'd probably kick my security/firewall team in the gonads, but lock down internet access?

LarryOctober 11, 2006 10:31 AM

I doubt we are getting any useful information out of the media. Any attack by, allegedly, another government will be classified. Pure and simple.

Pat CahalanOctober 11, 2006 11:29 AM

Just goes to show that security isn't a problem in just the private sector.

> So long as the government retards use Windows, this is what will happen.

This is not a problem with Windows. This is a problem with their network. Why are these machines able to talk to the public Internet in the first place?

Monkey SuitOctober 11, 2006 11:35 AM

For those of you who are sceptical about Chinese being involved in the attacks, I will repeat posting from an earlier blog (http://www.schneier.com/blog/archives/2006/09/industrial_spyi.html)

"Ira Winkler, the author of "Spies Among Us" alleges that France has well organised systems for collecting information useful for economic development. Among other things, Winkler says that France has
- Hotel staff recruited by DGSE to search the rooms of travelling business executives
- Staff placed in US companies who are expected to progress their companies careers to get access to new developments
- Bugged the first-class cabins of some Air France jets

Winkler also alleges that China and India have well organised programs to extract advanced technological information that can be used to develop their economies.

Note that industrial espionage doesn't necessarily involve hi-tech hacking or anything like that. A lot of companies give out information which they really shouldn't. Sometimes a lot of potentially useful information can be acquired by thorough research.

If you are involved in business, especially international business, then it useful to understand that foreign competitors will not think twice about collecting information to help compete with you; that is the way business is done."

Wake up! This is the way global business works.

AzeOctober 11, 2006 12:02 PM

@bruce

"On the other hand, any crypto product that relied on this information being secret"

For once I'm going to disagree with this. Of course you are right, when it comes to security. However, it's very reasonable to rely on secrecy to keep advantages in performance etc. Even if that's just up till the time when you actually deliver the product, it still lets you be first on the market and get the extra publicity that gives.

quincunxOctober 11, 2006 12:09 PM

As usual, I assume no one here will question the legitimacy of the existence of BIS in the first place.

derfOctober 11, 2006 12:37 PM

Making it "Intellectual warfare" sounds like a great way to get homeland security dollars to buy you new computers and consultants to install them.

Davi OttenheimerOctober 11, 2006 1:45 PM

What is it with Stiennon and his attempts to scare everyone about the Chinese?

The Internet has always been a place of opportunism. An open market brings good as well as evil and TCP/IP warfare has been predicted for as long as there has been an Internet. So I don't see how the fact that a Chinese IP was part of the attack is big news.

One of the worst things we can do, in terms of our own security, is to convict the wrong person/country as a pretense to retaliate.

Thus, comments like this one make me think Stiennon needs to recalibrate his risk calculator:

"Replacing systems is pretty draconian, but it really indicates that Commerce is very concerned."

Actually, replacing systems is very common and one of the simplest/least-costly ways to establish a clean/trusted state. You can control the systems that will be rebuilt and when and moreover you can improve your risk profile without any unintended or unjustified escalation that will only serve to weaken your security.

I think it is far more draconian (harsh) to immediately start bashing the Chinese government just because some IP in China was involved in an attack. They say if you look hard and long enough at something, you will see what you were trying to rather than what is there.

Don't get me wrong, this might be Chinese espionage, but jumping to conclusions so early does not seem necessary or wise in this situation.

Comments like the one below seem designed to scapegoat and goad more than generate analysis for a legitimate response:

"'These reports read like accounts from a battlefield,' said Stiennon. And the Chinese, he argued, are winning."

I would like to see how he defines winning/losing, since such absolutism seems completely out of place. Maybe he really just means to say "the Chinese scare me".

MarcinOctober 11, 2006 2:12 PM

I posted on my blog relating to an increased threat of industrial espionage and information warfare from China. http://marcin.thelinuxdiaries.com/?p=55

Three pages I linked to, first being the GCN http://www.gcn.com/print/25_25/41716-1.html about the People's Liberation Army using "any means necessary" to advance their country, including information warfare. Second, was an article in Popular Mechanics, http://www.popularmechanics.com/technology/... about a man who worked for Lockheed Martin and sold a GE F-16 engine to senior officials in the PLA for 4 million dollars and planned to acquire entire jets and other items on a laundry list. And last, was Chinese attempts at blinding our satellites, http://www.defensenews.com/story.php?... at DefenseNews.

The threat is real, and it's not just crypto devices they are after. I've worked for a defense contractor in the private sector, and I've met some very bright and very talented security engineers, who definitely know a lot about what they do. I like to think people working security for our government are not retards... though, I may be wrong :/

Scott GearityOctober 11, 2006 4:40 PM

Keep in mind that BIS does a lot more than regulate the international trade of commercial cryptography. Things like restricting exports of chemical weapons precursors, stuff that's useful if you want to build a nuke, and cattle prods perhaps not intended for bovine use. So let's not throw out the baby with the bath water folks.

As for the hacking incident, more here: http://www.exportcontrolblog.com/blog/2006/10/...

Carlo GrazianiOctober 11, 2006 4:41 PM

The point, in my opinion, is not whether the Chinese government is behind these attacks. They almost certainly are.

The point is that to describe this sort of activity -- government-based espionage -- using the siege-rhetoric terminology adopted by the author of the article is pointless. I am morally certain that we (the US) operate similarly against Chinese information systems, and that this is not out of moral depravity, but simply because nations spy on each other.

So, yes, lock down those networks, put a hammerlock on windows, do all the sensible things to protect sensitive information. But don't lock Lenovo out of government contracts, that's confused protectionism mixed with xenophobia, not security. Pushing the yellow peril button produces no benefit associated with protecting computer networks. There's a totally unrelated agenda associated with that button.

Davi OttenheimerOctober 11, 2006 4:50 PM

@ Carlo

Well, said. I agree and Marcin's reference actually proves your point (see below).

@ Marcin

Thanks for the links. I thought this part of the GCN reference was especially insightful:

"The U.S. military is familiar with China’s approach. In fact, its own strategy in cyberspace is similar to the PLA’s—the countries’ doctrines and strategies almost mirror one another. "

JKBOctober 12, 2006 8:06 AM

Some Chinese techies got sacked from a US job or couldn't get on the cool research project at a US university due to the renewed emphasis on transferring technology, "deemed" export, inside the US. They went back to China all pissed off and lashed out at the agency they blame. It seems logical that such people would end up attached to one of the Chinese hacker groups that have been beating on US networks for years. BIS would be a poor target for actual technology acquisition via computers. BIS is usually only concerned with whether a technology crosses a "required" performance spec to classify it so they are mostly looking at detailed specs of items the exporter wants classified as less capable rather than more. But should the hackers run across something on the servers, I'm sure the Chinese government wouldn't mind using it so why should they stop the traffic?

Nona MaiOctober 12, 2006 11:59 PM

> Manufacturers of hardware crypto devices ...
> must submit detailed design information to
> BIS in order to get an export license.

Actually, the export regulations cover software crypto as well. Most all software implementations get a "license exception", but one still must submit detailed design info. Only open source crypto gets a pass, though it must "freely available on the Internet by anonymous download".

A quibble, but also a reminder that the export control regime that impacted your book/disk exports ten+ years ago is still in place. It was liberalized by Clinton, in his final days in office, but the penalties for non-compliance are still quite severe.

The commenters above who doubt the severity or seriousness of the attack are probably wrong. Whatever happened there had significant operational impacts over an extended period of time.

I can't help but wonder if this would be part of a complex attack vector, perhaps with the crypto details as the target (a step to unlock protected data) or with the goal of impairing the export controls on other items long enough to get something out of the country.

Hopefully, we'll never know.

m0eOctober 13, 2006 9:20 AM

Bruce, I am surprized at some of the comments. I have been dealing directly with security issues in China, including crypto, for a long time. I recently moved back to the US after 5 years in China. I know a few PRC senior MPS (Min Public Security) folks and several of the crypto folks - Govt & Academic. It is no coincident that the BIS was hacked and all patterns suggest China was the origin, not insecure DNS servers used by non-Chinese perps. This was retaliation for changing some of the Export regs on sensitive tech going to China earlier this year.

Second, this threat is very real, I assisted directly in some of the investigations of this activity in country. The hacker community (both white and black hat) is very good and getting better. Some have indirect ties to parts of the Govt. Large scale activity such as this is coordinated and in line with the growing 'nationalism' in China - remember the hacker wars in 2001?. The PRC Govt itself is struggling between reformers and hardliners so knowing which faction(s) may directly or indirectly support/sponsor such activity is the hard part of the analysis.

This is not to say that all are bad, there are also elements of this community that want to participate in an open and secure commercial Internet. There are even senior officials that would like to see published crypto algorithms, but this will not happen for a while.

This attack did indeed cause great harm, one report indicates that the malware was pervasive and that the solution is to build a new network - I strongly agree. BIS had been aware for some time of the lack of security in their network and the inconsistency in updates, patch mgt and I speculate their architecture was flawed from the beginning. We all know there are defense in depth means to reduce the severity of such an attack and to lock down sensitive data, BIS did not take the threat seriously enough. Frankly, my first thought upon reading the new BIS regs while still in China was, 'gee what USG target will be hit because of this and I hope they are ready'.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..