China's APT10

Wired has an excellent article on China's APT10 hacking group. Specifically, on how they hacked managed service providers in order to get to their customers' networks.

I am reminded of the NSA's "I Hunt Sysadmins" presentation, published by the Intercept.

EDITED TO ADD (1/5): Another article on the same subject.

Posted on December 31, 2018 at 5:57 AM • 52 Comments

Comments

Phaete • December 31, 2018 8:04 AM

Very one-sided, politically tainted story.
They present it like China is the only one hacking and forget what cow dung the NSA and other Americans do.
Just what the NSA did with Merkel is far more morally corrupt than anything in this story.

But if you read this article, you only need to fear Chinese, North Korean and Russian hackers....

propaganda/prɒpəˈɡandə/
1. information, especially of a biased or misleading nature, used to promote a political cause or point of view.

With Wired it's like a crapshoot: some articles are good, others are propaganda articles.

TimH • December 31, 2018 8:40 AM

@Phaete - Peacetime attacks are usually couched as preventative measures by the good guys, with one's country being the good guys of course. One rule when we do it, condemnation when they do...

At some level, a gov sponsored attack must reach "act of war" level. Personally, I regard the Israel/US attacks on Iranian centrifuges as passing that line. But governments decline to define a legal meaning of the label "terrorism" because it is difficult to do so without self-inclusion. So I suspect the world will suffer free-for-all network-accessed attacks for a long time.

Judith Miller • December 31, 2018 8:43 AM

As media analysts like Chomsky would observe, there are a number of filtering mechanisms (e.g. corporate ownership, advertisers, source access) that ensure certain kinds of subtle bias and distortion. The outlets provide just enough objectivity to allow them to slip in propaganda every so often. Remember how the New York Times gave credibility to the "smoking gun that comes in the form of a mushroom cloud".

Then you have media amplifiers, like blogs and celebrities, which serve to echo stories without questioning the underlying assumptions.

In terms of dollars spent and scale of operations, American spies are the most prolific hackers on the planet. It's easy when Silicon Valley secretly cooperates while claiming to protect our liberty...

Impossibly Stupid • December 31, 2018 10:55 AM

It's foolish to complain about "propaganda" simply because a single article covers a single subject from a single angle. A bigger problem is media outlets that push out garbage in the name of false balance and covering "both sides" of an issue.

In fact, US companies are the ones who come off looking like idiots for the security issues involved in the article. Even the author's "all seemed very legit" commentary shows just how pathetic the whole affair was/is. In this day and age, companies should not be employing people who open attachments that come in on random emails, especially if those people work for an MSP and have a path to administrator access.

If there's a follow-on story to this, it's not about how the US and other countries try to do the same. It should be about the incompetence of HR departments when it comes to finding quality employees. Heck, it almost makes me think that those are the systems that hackers have secretly been targeting all along. Reducing a company's candidate pool to morons makes outperforming them a cinch. Bonus points if you can slip a seemingly qualified "friendly" candidate of your own in there, allowing you even better access to their internal operations.

Wael • December 31, 2018 11:03 AM

The Word attachments in these spear-phishing attempts were malicious, loaded with customized remote access trojans

Attachments, attachments, attachments! Is that the only tactic they used? I doubt it.

In the case of the MSP intrusions, that malware appears to have mostly made up of customized variants of PlugX, RedLeaves.

RedLeaves → {Russia, China}; Bamboo leaves → China

They’d also delete the stolen files from the compromised computers, all in an effort to avoid detection.

I don't follow the logic there! How does deleting a stolen file help to avoid detection?

In the case of the MSP intrusions, that malware appears to have mostly made up of customized variants

"to have mostly made up of", or "to have mostly been made up of"? Is this a new construct I am not acquainted with?

One reason China persists: It may not see anything wrong with it

True!

Meanwhile, China’s hackers will continue to rob the world blind at every opportunity.

Also true!

Can’t Handle the Truce

Truce, eh? Cute!

Wael • December 31, 2018 12:26 PM

@Phaete,

Yes, a more technical description, as expected from an industry player in the field. Can't expect this level of detail in an article that targets the general population.

So they target Windows machines! I wonder if it'll work on Microsoft Office for Mac (question to FireEye.) Doesn't seem like it from the description.

Macros are evil, both in applications and in programming languages. Never ceases to amaze me the extensive functionality they add to applications! I don't think I use more than 10% of Microsoft Word or Outlook functionality. We need to find better solutions than macros.

TimH • December 31, 2018 1:17 PM

Has anyone come across software that will parse standard office documents (doc, xls, pdf as minimum) and sanitise them... i.e. save a version with macros and external references stripped out?

The concept is similar to the Thunderbird html viewer: text only, simple html, full html

Clive Robinson • December 31, 2018 2:14 PM

@ Wael,

With regard to this clip from the article you selected,

    One reason China persists: It may not see anything wrong with it

There is a flip side to it.

China may well see there is something wrong with it. But also see that others (US et al) see nothing wrong with it and are simply responding in kind.

In fact I would say the Chinese have told the US on several occasions they have overstepped the mark.

Firstly they have passed legislation banning certain known-to-be-suspect --i.e. NSA-riddled-- technology from Chinese IT infrastructure, such as banks. But we know that has only encouraged the NSA et al.

More recently they have passed legislation aimed at those trying to obtain Chinese IP by various means.

But the US et al have carried on.

Which brings us onto the next possibility I've yet to see others consider.

We believe the Chinese have the OPM database, which in all probability includes all the NSA personnel involved with "Hacking China".

We might very soon see the Chinese use this information in some way.

As the US has made it clear they will never hand over such people, and in fact will send in armed forces to recover such personnel if they are taken to a foreign court, then it leaves the Chinese few options.

Now with the US taking political hostages, it raises the stakes.

If I was on that OPM list I would be very frightened that the Chinese might take the Russian option. That is, find them guilty in their absence then send out an execution or similar squad to serve punishment.

The point most people outside the US see is that it is the US acting to raise the stakes at every step, basically acting as "The World's bully" not "The World's policeman".

Take the Obama trade talks: even though they were heavily biased in the US favour, many countries were going to sign up to them, China included. As has been noted before "trade is the way to peace". China has invested a large amount of its earnings from the US back into the US. In other words China has done what it can to ensure peace equitably and at each step certain persons in the US political structure have done what they can to wreck it. Pres Obama said as much over the collapse of the trade deals.

I can not say what the majority of US Citizens think but it probably won't be long before this goes kinetic in some way, and almost certainly it will be in response to US action.

John R. Bolton for instance appears to not just be playing a double handed game to play various sides of the administration off against each other, several non Americans note he appears to be very much driving the administration towards armed conflict against Iran if not either China or Russia.

It will be a New Year in just a few hours; let's hope there is more common sense in the political structure in the US in 2019, because all sides need less repatriated body bags...

Faustus • December 31, 2018 4:12 PM

@ Clive

Great points. If China wanted to ruin the U.S. they wouldn't invest so much capital there. The U.S. is so inequitable in its expectations it is absurd. I guess this is common among empires, but the result has been consistent: collapse.

Humans need to stop thinking of themselves as perfect abstract computers. Our CPUs are faulty yet we are running critical real time applications. What is the equivalent of fault tolerance in human society?

Wael • December 31, 2018 4:48 PM

@Faustus, @Clive Robinson,

Our CPUs are faulty yet we are running critical real time applications.

Eye resolution: that many pixels, processing power of the human brain, and the bus speed of the human system is about 120 meters per second!

What is the equivalent of fault tolerance in human society?

Forgiveness!

Now my question: map the human attack surface!

Faustus • December 31, 2018 5:25 PM

@ Wael

"Q: What is the equivalent of fault tolerance in human society?
A: Forgiveness!"

Your answer is beautiful and brilliant. And perfect. I didn't see it. When I speak of human fallibility perhaps I am mostly speaking about my own.

"Map the human attack surface!"

Oh-oh. Essay question!

Wael • December 31, 2018 5:56 PM

@Faustus,

Your answer is...

Thank you. I knew what you're asking about but I thought this answer was good. There are many possible answers. Had you not mentioned "society" in your question, my answer might have been closer to what you're looking for. It won't be a one-word answer. I imagine it'll be in the neighborhood of three to four paragraphs long.

Oh-oh. Essay question!

Two answers: one objective, the other humorous / sarcastic:

One: Not necessarily. It's in the context of this thread. There's spearphishing, deception, physical harm, ... could be a diagram of an attack tree, or a threat-model table of some kind. A big question; one with currently uncharted class categories.

Two: So you don't like essays. Do you prefer a multiple choice question?

Wael • December 31, 2018 8:12 PM

@Clive Robinson,

it probably won't be long before this goes kinetic

In other words, it has the potential to become kinetic!

Psst: ...

65535 • December 31, 2018 8:52 PM

@ Bruce, Phaete, TimH, Impossibly Stupid, Wael, Clive Robinson and others

@ Bruce S.

“…how they [China] hacked managed service providers in order to get to their customers' networks... I am reminded of the NSA's "I Hunt Sys admins" presentation, published by the Intercept.” –Bruce S.

See the intercept slides on I Hunt Sys Admins:
Ht tps://theintercept.com/document/2014/03/20/hunt-sys-admins/

Yes, it does.

It is interesting and ironic that the Chinese are following the trail blazed by the NSA. Once you start down the aggressive hacking path others will do the same. That is the way wars get started.

I will point out the Chief Financial Officer [CFO] of Huawei, Ms Meng Wanzhou is an accountant or a "controller" of a company. Accountants or Controllers know the accounting side of things but are not experts at code cutting or hacking.

The USA has grabbed a second-rate individual who can provide little precise technological hacking skill. The USA has a tangential small fish and not the big fish.

Politically this could be a mistake. Having pictures of heavily armed FBI men hauling the woman away in chains probably will not get the USA much positive press coverage.

This episode smells of politics. But, at the root of politics is struggle. Let the political struggle begin.

I suppose if you are going to cut down a weed you could start by nipping off the leaves first and then go for the stem. It could send a signal to other hackers in North Korea to stop or it could encourage more hardened hackers to continue the battle. We shall see.

@ Phaete

“They present it like China is the only one hacking and forget what cow dung NSA and other americans do. Just what NSA did with Merkel is far more morally corrupt then anything in this story.” –Phaete

Yes, it looks that way.

@ TimH

“At some level, a gov sponsored attack must reach "act of war" level. Personally, I regard the Israil/US attacks on Iranian centrifuges pass that line. But governments decline to define a legal meaning of the label "terrorism" because it is difficult to do so without self-inclusion…”

Probably correct.

@ Impossibly Stupid

“…US companies are the ones who come off looking like idiots for the security issues… a follow-on story to this it's not about the how US and other countries try to do the same. It should be about the incompetence of HR departments when it comes to finding quality employees…”

True. Or, outsourcing manufacturing to the cheapest country. All in all, not a good thing.

@ Wael

“Attachments, attachments, attachments! Is that the only tactic they used? I doubt it.”-Wael

I agree.

@ Clive R.

“…would say the Chinese have told the US on several occasions they have overstepped the mark… Firstly they have passed legislation banning certain known-to-be-suspect --i.e. NSA-riddled-- technology from Chinese IT infrastructure, such as banks. But we know that has only encouraged the NSA et al. More recently they have passed legislation aimed at those trying to obtain Chinese IP by various means… next possibility… with the US taking political hostages, it raises the stakes… OPM list I would be very frightened that the Chinese might take the Russian option [Novichok nerve agent on the door handle ?]… won't be long before this goes kinetic in some way…”- Clive R.

That is an unpleasant thought. Yes, it could happen. Let’s hope it doesn’t.

@ Wael

“Macros are evil, both in applications and in programming languages. Never ceases to amaze me the extensive functionality they add to applications! I don't think I use more than 10% of Microsoft' Word or outlook functionality. We need to find better solutions than Macros.”- Wael

I have found if you dump the contents of Word into a text editor, say Notepad, it then strips out a lot of things. I am guessing you could write a script to do so in a sandbox. Or, you could just convert a docx [compressed xml of sorts with blobs] to a doc file [uncompressed xml with blobs] then to a text file, which may do the same… I have not tried the last one.

Returning to the big picture, this whole episode is political. I would guess the game is to grab some woman, lay some trumped-up charges on her, then place yourself or your country in a better position from which to negotiate terms of trade. Then attempt to get the best possible terms.

Jimmy • January 1, 2019 6:35 AM

@65535, "I will point out the Chief Financial Officer [CFO] of Huawei, Ms Meng Wanzhou is an accountant or a "controller" of a company. Accountants or Controllers know the accounting side of things but are not experts at code cutting or hacking. "

China is unlike us in political structure but very much similar in terms of oligarchy. Dig a little into Huawei's past and we may find many answers to our questions involving the present ruler and its predecessors. As far as "kidnapping" goes, hackers or those who are "technologically" shrewd may not be very good in terms of strategics. Those characters, I believe, are generally groomed from a military/economy background or ones with a little more "connected" understandings.

SL • January 1, 2019 7:33 AM

@ Wael

> I don't follow the logic there! How does deleting a stolen file help to avoid detection?

Of course piling up GBs of files that don't belong there (on the compromised jump host) or running out of disk space might not be helpful.

CallMeLateForSupper • January 1, 2019 7:38 AM

@Wael
"I don't follow the logic there! How does deleting a stolen file help to avoid detection?"

I stumbled on that wording too. I paused for a moment and concluded that what was deleted was the encrypted files. Leaving those lying around would be a rude message: "You were pwned".

Faustus • January 1, 2019 11:05 AM

@ Wael

I was thinking of the kind of open ended questions in university exams that required multiple exam books and hours of full on scribbling.

"What was the effect of salt on the French revolution? Contrast with pepper and the American revolution. Include paragraph biographies of 10 important salt miners"

Obviously the human attack surface is immense in its chemical, pharmacological, physiological, mental and social aspects.

It makes me draw conclusions similar to the computer in Wargames: the only way to win is not to play.

I think forgiveness is exactly a major human social fault tolerance feature, protecting society from trauma from malfunctioning humans by actively refusing to react to their mistakes.

It has earned a place in my matrix of social alternatives: Coerce, kill, imprison or forgive. Let's fill in more cells!

Wael • January 1, 2019 11:46 AM

@Faustus,

I was thinking of the kind of open ended questions in university exams that required multiple exam books and hours of full on scribbling.

@Clive Robinson is your man, then.

Obviously the human attack surface is immense in its chemical, pharmacological, physiological, mental and social aspects.

Right. Any higher level classifications? Forgiveness is a dependent variable. What you list are independent variables.

It makes me draw conclusions similar to the computer in Wargames: the only way to win is not to play.

Na! That was a teenager in the 80's. And the computer that made the recommendation is a moron by today's standards. Let's re-evaluate (another parameter you may need to add to the list.) I wanna play, dawg!

I think forgiveness is exactly a major human social fault tolerance feature, protecting society from trauma from malfunctioning humans by actively refusing to react to their mistakes.

From a defender's frame of reference. We don't attribute these characteristics to attackers. The model needs to portray attackers in the worst possible picture -- you know, the Fox News model ;)

It has earned a place in my matrix of social alternatives: Coerce, kill, imprison or forgive. Let's fill in more cells!

I am trying to help you improve the AI project you're working on. Alright, Faustus, let's do it! The thing is we run the risk of getting into "metaphysical" discussions. And you being new here (I am guessing,) I have to warn you that the moderator can kick your ankle, and mine too.

Clive Robinson • January 1, 2019 12:04 PM

@ Wael, 65535,

Never ceases to amaze me the extensive functionality they add to applications! I don't think I use more than 10% of Microsoft Word or Outlook functionality.

Amaze is not the word I would first use... As I noted to @Thoth on the Friday Squid the other day, we used to use Apple][ and early 8088 systems quite successfully to do word processing and other office functions (remember spreadsheets first started on the Apple][ with VisiCalc). Why on earth should we need 64bit processors with 16 and above gigabytes of RAM and what appears to be a terabyte or so of storage to do the same job?

I would say that some 99.99% of Microsoft Office is unused by the normal user. Which leaves the question of "What nasties hide in the rest of that wood pile?"

The simple logic of attack surface area does not bode well, nor do various "Turing Complete" scripting / macro languages, oh and a flight simulator just for fun...

I have found if you dump the contents of Word into a text editor, say Notepad, it then strips out a lot of things. I am guessing you could write a script to do so in a sandbox.

The problem is "once word has opened the document" it can be game over. If you think back on the Android platform, malware was hidden away inside graphics files, and the rendering engine got exploited when displaying.

The more complicated the file format the more places malware has to hide and the harder it is to detect it all.

I used to have a policy of "bouncing" "non text format" files and only accepting CSV and RTF format files[0] that would get passed by one or two scripts and stripped back to raw text.

I used to take the view that anyone who gets "cutesy" with the likes of MS Office features, has been doing so at the expense of their employer (which would technically make them guilty of "theft of time" thus morally suspect at the very least).

A viewpoint that in part was down to having to support a "Document indexing and storage" system. In essence any document was stripped back to text and an inverted index of the words built. This then got checked into one database, whilst the actual text got dumped into another database (anyone remember the Source Code Control System), with the original file and postscript print version going into an ordered file system and last but not least a paper copy in a file cabinet. It worked well for what it did and the reasons it did it, but "cutesy" people got my goat as they would just make life very unnecessarily annoying ;-)

Do you remember back in the 1990's when "House/Corporate Style" became a thing to waste vast resources on and make a new form of "PC madness"[1]... Where committees would be formed to discuss exact placement of logo/date/salutation/etc/etc then some poor IT person would have to support the abomination of "style templates" that resulted for every application...

My solution to the problems that they created, they detested because it was beyond them ;-)

I've always used a text editor that has text file output, Wordstar being the one I've used for Oh... I forget but it's a third of a century or so. The thing was its keybindings ended up in all sorts of things like the Borland IDE (which I still use for C and BASIC etc).

It not only did the basic editing, it did simple justification and a few other things if required. This I then pushed into a Desktop Publishing package[2] to do any fancy stuff if required. As the one I used used text files with tags (think pre-HTML) it was fairly simple to write a BASIC or C program to make a basic template up and then fit the text in.

I still do similar, type up in a text editor and then use Office or whatever to do the style things. I also do "barefoot HTML" as well so importing that is no different.

The point is I'm used to doing things what others consider "the hard way" and to me really they are not, they are easier.

I guess it's more a case of "The tools you were brought up on" rather than any particular way being any easier.

At the end of the day, a graphical interface just gives me room for more CLI terminal screens of different sizes. A very poor but very flexible IDE if you wish.

But at the end of the day I find even single line CLI's to do what I need. Thus whilst I can see the need for multi line or screen CLIs, I can only see a very limited number of genuine graphical interfaces, thus I'm happier without the alleged "convenience" of graphical interfaces...

In fact I find the alleged WYSIWYG to be at best a distraction or interference in my thinking process.

[0] If I can not open the file with a text editor and see exactly what is going on then I can not check it for malware myself, I have to use software tools. As we know they are not any good with "unknown knowns" and "unknown unknowns"; at least with the Mark 1 eyeball you can see things that "look hinky" and test your suspicions with "standard CLI tools".

What the "cutesy set" don't realise is "binary file" types can hide all manner of nasties. Like unlimited "undo". I once received from a CEO's Sec a three line memo that was outrageously large as an attachment. So I copied the attachment over to a unix box and went in and gave it the hairy eyeball treatment. Boy oh boy was I ever shocked, it had just about every memo she had ever typed in there via undo and some were really really sensitive. Put simply all she used to do was open her last memo, highlight and delete it, type in the new and increment the memo number when she did a "Save As". When I dropped by and told her she nearly died on the spot. Needless to say I told her how to change what she was doing to stop it happening. She was worried that I was going to tell her boss or others. I told her "to err is human" and we really got on quite well after that. I did tell one other person so we could track down the memo files and clean up the massive file storage issue, but hey they were glad to have the file space back, oh and a friend in an appropriate lowly position to help out / clear up messes etc when needed.

[1] As in "Politically Correct" mentality, where "Every nit got picked by one", and people who should never be allowed to carry scissors suddenly got C-Corridor power...

[2] Who even remembers what a DTP program even was these days. Yes I know some *nix types know what troff and nroff are but "runoff" probably not. Also some science and maths types know about TeX but it's cantankerous to get up and running so it's kind of missed its chance. If anyone knows a FOSS TeX that just "drops in" I guess quite a few might be interested.
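TimH asked earlier for a tool that saves a copy of an Office document with macros and external references stripped out, 65535 suggested treating the docx as compressed XML plus blobs, and the point just made is that the sanitiser must never let Word open the file. The following is an added example, not code from any commenter: it handles the package as a zip of XML parts using only Python's standard library, reports and removes the VBA parts, binary blobs and external relationships, and dumps the remaining plain text. The sample archive, its part names and the external.example link are constructed for the demonstration and are not a complete Word file.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces and content types of the Office Open XML package parts this example touches.
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_CT = "http://schemas.openxmlformats.org/package/2006/content-types"
NS_W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
REL_OD = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
MACRO_PARTS = re.compile(r"(^|/)(vbaProject\.bin|vbaData\.xml)$")  # VBA code and its metadata
BINARY_PARTS = re.compile(r"\.(bin|ole|emf|wmf|exe|dll)$", re.IGNORECASE)  # other blobs, never kept


def build_sample_docm() -> bytes:
    """Construct a minimal macro-enabled package in memory (constructed sample, not a real Word file)."""
    parts = {
        "[Content_Types].xml": (
            f'<Types xmlns="{NS_CT}">'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/>'
            "</Types>"
        ),
        "word/document.xml": (
            f'<w:document xmlns:w="{NS_W}"><w:body><w:p><w:r><w:t>Quarterly invoice attached.</w:t></w:r></w:p>'
            "<w:p><w:r><w:t>Please enable content to view.</w:t></w:r></w:p></w:body></w:document>"
        ),
        "word/_rels/document.xml.rels": (
            f'<Relationships xmlns="{NS_REL}">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            f'<Relationship Id="rId2" Type="{REL_OD}hyperlink" Target="http://external.example/link" TargetMode="External"/>'
            f'<Relationship Id="rId3" Type="{REL_OD}styles" Target="styles.xml"/>'
            "</Relationships>"
        ),
        "word/styles.xml": f'<w:styles xmlns:w="{NS_W}"/>',
        "word/vbaProject.bin": b"\x00constructed placeholder for a VBA project blob\x00",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def inspect_package(data: bytes) -> dict:
    """Report macro parts, external link targets and binary blobs without opening the file in Office."""
    found = {"parts": [], "macro_parts": [], "external_targets": [], "binary_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            found["parts"].append(name)
            if MACRO_PARTS.search(name):
                found["macro_parts"].append(name)
            elif BINARY_PARTS.search(name):
                found["binary_parts"].append(name)
            if name.endswith(".rels"):
                for rel in ET.fromstring(zf.read(name)).iter(f"{{{NS_REL}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        found["external_targets"].append(rel.get("Target"))
    return found


def sanitize_package(data: bytes) -> bytes:
    """Write a copy of the package with macro parts, binary blobs and external links removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if MACRO_PARTS.search(name) or BINARY_PARTS.search(name):
                continue  # the part itself is not copied
            blob = src.read(name)
            if name.endswith(".rels"):
                # Drop relationships that point outside the package or at parts that were not copied.
                root = ET.fromstring(blob)
                for rel in list(root):
                    target = rel.get("Target", "")
                    if rel.get("TargetMode") == "External" or MACRO_PARTS.search(target) or BINARY_PARTS.search(target):
                        root.remove(rel)
                ET.register_namespace("", NS_REL)  # keep the part's default namespace unprefixed
                blob = ET.tostring(root, encoding="utf-8")
            elif name == "[Content_Types].xml":
                # Downgrade the main part to the plain content type and forget the VBA content types.
                root = ET.fromstring(blob)
                for entry in list(root):
                    ctype = entry.get("ContentType", "")
                    if "vba" in ctype.lower():
                        root.remove(entry)
                    elif ctype == MACRO_MAIN:
                        entry.set("ContentType", PLAIN_MAIN)
                ET.register_namespace("", NS_CT)
                blob = ET.tostring(root, encoding="utf-8")
            dst.writestr(name, blob)
    return out.getvalue()


def read_part(data: bytes, name: str) -> str:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name).decode("utf-8")


def extract_text(data: bytes) -> str:
    root = ET.fromstring(read_part(data, "word/document.xml"))
    return "\n".join("".join(t.text or "" for t in p.iter(f"{{{NS_W}}}t")) for p in root.iter(f"{{{NS_W}}}p"))
```

Run `inspect_package` on the sanitised output to confirm the report is empty before the copy is handed on; anything the regexes do not know about (a new blob type, a relationship without TargetMode) still has to be added to the lists.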

Faustus • January 1, 2019 2:35 PM

@ Wael

I've been around schneier.com for many years. I change my handle every once in a while, last time because my ironic handle seemed to claim an achievement that I did not earn. But Faustus fits nicely. It may stay for a while.

I think that "attack surface" assumes certain things that I am trying to go beyond in my social policy matrix. Predators and prey are concerned with attack surfaces. I am wondering if our genetic predispositions unnecessarily cause us to stay in the predator-prey dichotomy. I think forgiveness is a perfect example of an option outside that dichotomy.

Is this metaphysics? To me it is an examination of how to find more options for security than our defend and/or attack model which is pretty clearly failing. I am intending eventually to make a general social model with a "happiness" function (not a utility function in the limited way that is understood) and let my AI try to optimize happiness (and all the precursors to happiness: health, safety, peace, freedom, etc.) by discovering novel options and unconsidered trade offs.

I may apply the AI itself to identify the abstract variables (like "health" but not as familiar) from more concrete social data rather than building in conventional categories. We'll see. It is a long term question.

I can't think of a more security related question than finding abstractions and models that provide alternatives to our current failing models. Every time somebody says "we should regulate" or "we should punish" they are in the same conceptual space as I am exploring, just not recognizing that their conceptualization is not the only option.

But if @Bruce thinks I am smuggling religion, or bootlegging metaphysics, or simply exploring something he is not interested in seeing here, I am totally open to hearing that and I'll stop anything in this direction on the blog. I am already inspired and I think it is fertile ground.

Sitting on my butt meditating for days on end, and doing Jungian analysis of my dreams as well as collaborating with my AI and various human artisans to create things and solve problems may have left me in an alien mind space. I do not wish to offend. I am talking about social policy and security, not god or the Tao. I think I am conforming to Bruce's guidelines.

If I am wrong I invite correction and I won't do it again.

Clive Robinson • January 1, 2019 2:52 PM

@ Wael,

In other words, it has the potential to become kinetic!

Hmm, sometimes the energy you put in your jokes to come up with such joules makes me suspect you burn lots of candela through the night. Your luminous intensity spread over such an area is of great luminance to us all, and once would have been marked differently ...

P.S. Like slugs, you can not get much work out of them ;-)

Clive Robinson • January 1, 2019 2:59 PM

@ Faustus,

If I am wrong I invite correction

And I thought only @Wael and I had "Harsh Mistresses" ;-)

Congratulations, you have now officially become part of a long running gentle leg pull.

Faustus • January 1, 2019 3:17 PM

@ Clive, Wael

Talking about security these days is like BDSM without a safe word!

Self parody: What brilliant thoughts we could have if we sat in a circle of large high chairs in diapers attended by your harsh mistress!

Clive Robinson • January 1, 2019 3:57 PM

@ Faustus,

Back to things more serious,

I am intending eventually to make a general social model with a "happiness" function

I would suggest a "wellbeing function" rather than "happiness" because it removes a measure of indeterminacy within the host.

That is, you can put measurands on the various aspects of "wellbeing" at the input to the host. However the measure of "happiness" is in effect an output function of the host.

At the simplest level the host can in effect be designed as a series of linear first order functions similar to the MAD function in DSP which then get summed together and suitably scaled to produce the "happiness" output from the host.

In effect it acts like a simple neuron network.

However as we know with human hosts there is a Z function that requires an implicit storage (Z^-1) and feedback function, that may not be linear.

That is, for a given level of any "wellbeing" input there are both implicit "rise" and "fall" times, that may or may not be equal. Not only is the type of rise/fall time not known, there may also be a "hardening" or "resistance" function that affects them (think as in "drug resistance").

There may also be more than "dot products" Ż of "wellbeing" input vectors.

Which is where things start getting oh so slightly messy.

bttb • January 1, 2019 4:08 PM

@Jimmy

"China is unlike us in political structure but very much similar in terms of oligrachy...Those characters, I believe are generally groomed from a military/economy background or ones with a little more "connected" understandings."

From https://www.newyorker.com/magazine/2015/04/06/born-red (2015)
"Born Red
How Xi Jinping, an unremarkable provincial administrator, became China’s most authoritarian leader since Mao."

Wael • January 1, 2019 5:50 PM

@Faustus, @Clive Robinson,

Johnny Ringo is my soul brother!!

I play for blood!

Faustus fits nicely. It may stay for a while.

Good name. The Dr. who apparently gave Mephistopheles the short end of the stick (old post.)

@Bruce thinks I am smuggling religion, or bootlegging metaphysics

I was referring to myself. Security often leads to discussions about psychology, language, literature, history and religion (not the preaching sort of discussion, but the one that explains why people do what they do.) One of my regrets is I didn't invest enough time to study literature in my youth.

burn lots of candela through the night.

I've been averaging 2 - 3 hours of sleep a day for the past few weeks. I spend more time formatting the output than searching for a link or dumping the relevant piece of info from the skull. And I have to watch all videos I recommend if I haven't done so in the past.

Clive Robinson • January 1, 2019 8:00 PM

@ Wael,

I've been averaging 2 - 3 hours of sleep a day for the past few weeks.

A harsh mistress indeed. I don't want to worry you, but you are getting less sleep than those subjected to sleep deprivation as a form of torture.

But more seriously, you might want to have a chat with a professional about your lack of sleep.

I did when I was down to less than thirty hours a week, and I was seen by someone who helps with such things. They went through a long list of medical and psychological side effects of extended poor sleep.

On the long term medical side it can be as damaging as being morbidly obese, with a sixty cigarette, twenty units of alcohol and illegal substance life style. (it's certainly helped destroy my health, but then so have sport and wearing the green).

Then there is what it does to your mental abilities: basic cognitive function goes right out the window (twenty IQ points at least). Your chances of having a road accident are considerably worse than if you were over the drink drive limit.

So if you've not already done so look up "sleep hygiene".

They found my issues were due in part to my full fracture of the lower jaw. I had developed a form of sleep apnea and PTSD. The sleep apnea issue has been partially solved with a CPAP device; the PTSD I appear stuck with (just like four out of ten people do).

The stupid thing is I've been to all sorts of "hot spots" in the world whilst things have been kicking off, and apart from picking up one or two bacterial/viral illnesses I've not had a scratch outside of England and Northern Ireland. In fact nearly all the harm I've ever suffered has been well within walking distance of my front door (and twice behind it with burglars stabbing me in the head).

Maybe I should move to Mount Etna or some such; at least the weather would be warmer and the sunsets oh so much better.

WaelJanuary 1, 2019 9:00 PM

@Clive Robinson,

I don't want to worry you but you are getting less sleep than those subjected to sleep deprivation as a form of torture.

Oh, I sleep one hour in the tub with a wet towel on my face. Just practicing ;)

65535January 1, 2019 11:09 PM

@ Jimmy

“China is unlike us in political structure but very much similar in terms of oligarchy. Dig a little into Huawei's past and we may find many answers to our questions involving the present ruler and its predecessors…”-Jimmy

I mostly agree with your post.

I am confused by your “Huawei’s past [history]…questions involving the ruler…”-Jimmy

Are you referring to Huawei's Chief Financial Officer's [CEO] history?

Or, the Chinese history of communist China and Chairman Mao’s complete takeover in the 1970’s to the corporations run by his commie cronies?

Note: The first was covered in a Krebs on Security discussion where just naming a nation like Israel which has compulsory military involvement doesn’t necessarily make the entire population of people or 'corporations’ “corrupt.” The same with the PRC which has mostly compulsory military involvement [they have a test where if you get a certain score you can skip the military and move on to college or special training].

As to Huawei the corporation I have very pragmatic reasons for disliking it.

I will say that two of us formed a partnership with investors. We needed growth stocks. During my research into mobile handsets and their makers I found a small up-and-coming mobile handset maker in China [As you know China got a jump on us by setting up proven GSM and CDMA networks in cities avoiding a lot of old telephone wires on poles strung throughout that aged country – China became quickly communication connected with less expensive cell phone towers and handsets].

Unfortunately, I found this particular cell phone handset maker’s stock was only listed on the Shanghai Stock Exchange in Shanghai China [or the Peoples Republic of China or PRC].

Thus, I had to travel to China [PRC] and find an honest Chinese representative to buy the stock for our partnership – a hard learning experience. My relatives know people in China and suggested it would make a wonderful and cultural trip. It did not turn out to be wonderful.

I had to buy airfare, get a visa, and fly a bizarre route. The route in those days was first to the West coast USA, then to Hong Kong [Run by the British], then a small airline to China and land at a dumpy military base with Russian aircraft. As each leg of the flight progressed I had to pay various taxes, and sign papers and so on [basically a shakedown].

When in China to my surprise there were no semi-Caucasian people, zero, zip, nada, none. I stuck out like a sore thumb. You couldn’t rent a car so I rented a bicycle.

The country was full of Japanese tourists and Korean tourists and Chinese nationals. The only way to get around was by train, bus or bicycle. The air is more polluted than LA’s worst smog. What a hassle. Because my Mandarin is not good just getting meals and a hotel was cumbersome – did use “Ching-english” and gestures successfully.

I hired a Chinese Tour Guide with a fair track record, got the tour guide to buy me a SIM card and put it in my cell phone which was “tri-band” because of the different bands used throughout China. I went to the Bank of China to convert my US dollars into RMB [or Yuan]. The RMB was for foreigners and a different color than regular Chinese money.

This proved to be not much of a hurdle because once I broke a 100 Yuan note at a restaurant it became regular color Yuan. Then I hired an intermediary to go to the Shanghai stock market to buy said cell phone handset maker’s stock as a legitimate Chinese person. At that time 1 USD was equal to ~9 RMB.

We went to a Shanghai broker which had a room full of Chinese speculators watching large LCD screens with stock movements. The speculators were apparently trading mostly in Hong Kong stocks of Chinese nationality because the stock dividends were then disbursed in Hong Kong dollars or US equivalent dollars [the Yuan was pegged to the HK dollar which was then pegged to the USD so it was a three way conversion – and a favorable conversion at that – essentially causing Chinese people to buy US dollars via Hong Kong dollars].

Unluckily, there was a minimum amount of 2000 Yuan for a brokerage account and a broker who asked a lot of questions. Although not fluent in Mandarin I could understand parts of the conversation: “Are you a short term investor? Are you a long term investor? Do you prefer growth over dividends… are you buying these stocks for yourself or the Měiguó rén or American?” That’s where the intermediary [who was not licensed] started to talk fast.

I took the guy out of the office and basically told him to say no or give the broker some grease to do the deal. The broker was hungry for money so the intermediary did buy the stock and some other stocks and we left.

The tour guide pulled out the Mao book; showed me the passage that says basically always listen to rich foreigners and then strip them of their cash, to paraphrase it.

The cell phone handset maker’s stock just floated like kelp for a time. Then the stock jumped in price. I thought great. We will make some money after all.

But, the jump was due to a Huawei corporation buyout offer. The nasty part was Huawei knew the real value of the handset maker’s net worth and gave investors 10 cents on the dollar. In short, Huawei gave the shaft to the investors! That includes me and my partners. That is why I hate Huawei.

We did make money from investments in China Telecom and China Unicom. The China deal was not a total bust.

As for actual Chinese history, it is a mass of confusion and back stabbing warlords. Genghis Khan was a vicious tyrant. I have seen the Great Wall and it is long and tiresome. The Forbidden City and the Concubine’s Bathhouse with Statue of Lady Yang – big deal. I don’t believe the Chinese invented the oldest profession in the world. I will attest to the neat geothermal natural hot water and its nice warm feeling.

I have talked to pilots who flew the Hump which was challenging. General Stilwell tried to make a “Chinese army” to repel the Japanese in WW2 without much success. I have read about Frank Merrill and Merrill’s Marauders, Chiang Kai-shek and Madame Chiang. I have heard about Chennault, "Pappy" Boyington and the famous Flying Tigers. I will note that during the final transportation and assembly of their Flying Tigers aircraft the Japanese must have caught wind of it - Pearl Harbor was bombarded.

That history is all well and good. But, who cares? That was yesterday and we have trade problems today. It really doesn’t solve the Huawei dust up or the current trade deals.

@ Clive Robinson

“I would say that some 99.99% of Microsoft Office is unused by the normal user. Which leaves the question of "What nasties hide in the rest of that wood pile?" The simple logic of attack surface area does not bode well, nor does various "Turing Complete" scripting / macro languages, oh and a flight simulator just for fun...”

I cannot disagree. I was going to see if NickP could provide an answer to this scripting-macro dot net problem.

I see a lot of programs that can act as pre-compilers, translators and so on. That would seem to be a big attack surface.

“[preprocessor program]..its input data to produce output that is used as input to another program. The output is said to be a preprocessed form of the input data, which is often used by some subsequent programs like compilers. The amount and kind of processing done depends on the nature of the preprocessor; some preprocessors are only capable of performing relatively simple textual substitutions and macro expansions, while others have the power of full-fledged programming languages. A common example from computer programming is the processing performed on source code before the next step of compilation. In some computer languages (e.g., C and PL/I) there is a phase of translation known as preprocessing. It can also include macro processing, file inclusion and language extensions…

"Lexical preprocessors are the lowest-level of preprocessors as they only require lexical analysis, that is, they operate on the source text, prior to any parsing, by performing simple substitution of tokenized character sequences for other tokenized character sequences… Syntactic preprocessors were introduced with the Lisp family of languages. Their role is to transform syntax trees according to a number of user-defined rules. For some programming languages, the rules are written in the same language as the program (compile-time reflection). This is the case with Lisp and OCaml. Some other languages rely on a fully external language to define the transformations, such as the XSLT preprocessor for XML, or its statically typed counterpart CDuce…Syntactic preprocessors are typically used to customize the syntax of a language, extend a language by adding new primitives, or embed a domain-specific programming language (DSL) inside a general purpose language…”-Wikipedia

https://en.wikipedia.org/wiki/Preprocessor

A huge attack surface? That is above my pay grade to decide.

This leads back to Clive Robinson's post,

“The more complicated the file format the more places malware has to hide and the harder it is to detect it all.” –Clive R

Clive you have covered all the angles. That is where things get sticky. Sure, Rich Text has some problems but how to discern the bad stuff in docx which has fiddly bits and blobs is another thing. It is useful but dangerous.

Next item:

“The problem is "once word has opened the document" it can be game over. If you think back on the Android platform, malware was hidden away inside graphics files, and the rendering engine got exploited when displaying.”- Clive R

Very true.

You have to VM the thing or put it in a sandbox to be safe - still Word in both docx and doc forms is used extensively including some legal court filings. That would seem to be very problematic.

Correct me if I am wrong, but in forensic cases should not one first make a copy of the document file or multiple copies and then go about sandboxing them and disassembling them?

I still see the blobs as a sneaky or Hinky thing which could do things to hide evidence or cause damage.

Exactly, how dangerous is this “preprocessed” junk in dot net and java? It is so deeply hidden that the average Jane/Joe should not even be using Word?

I wonder.

[Excuse all the mistakes I had to bash this out]

Rach ElJanuary 2, 2019 12:16 AM

Faustus

CC: Wael

last handle... seemed to claim an achievement that I did not earn.

Wael will summarily retrieve that gauntlet from the ground. And sooner perish than before successful fulfilment. Dawg!


WaelJanuary 2, 2019 1:10 AM

@Rach El, all,

And sooner perish than before successful fulfilment.

I've got to disappear for a few days. Have a ton of stuff to finish, and the blog needs a break from me.

Puff pieceJanuary 2, 2019 5:15 AM

@Phaete

Spot on.

This part was particularly laughable, which I have edited for accuracy:

“No country poses a broader, more severe long-term threat to everyone's national economy and cyber infrastructure than America. America’s goal, simply put, is to cement its place as the world’s leading superpower, whilst using illegal methods to stay there,” FBI director Christopher Wray said at Thursday’s press conference. “While we publicly promote fair competition, we will not hesitate to privately use illegal hacking, stealing, or cheating.”

Clive RobinsonJanuary 2, 2019 9:04 AM

@ 65535,

Exactly, how dangerous is this “preprocessed” junk in dot net and java?

As dangerous as any inventive mind with time on its hands and an itch to create...

Whilst a VM approach is a start in making a "snake pit" we know that the walls are made of irregular stone so gaps exist.

And that's the problem we only know the snakes are out when someone gets bitten or by chance sees one.

My advice in the past was run up word on an isolated machine with no hard drive using a version of MS Windows running in RAM from a DVD[1] much as people do with Linux. Or use one of the Word "viewers" that let you print to PostScript, which ps2txt, ghostscript etc. could convert to a text format.

If you can setup a Linux box that boots into RAM and runs a VM which you can then pull in a stripped down MS Win and word/viewer and dump the resulting ASCII to a serial port, then you can build a Data Diode and instrumented choke point to your isolated machine.

But unless you have real need to be this cautious[2] then it's both expensive and potentially overkill, whilst also a significant impediment due to not having "High Usability"[3].

It's this last point that is always the "security killer": people think short term and will take a dollar at the end of the week rather than ten at the end of the month. Worse they rarely understand ICT attack risk[4]. The result is anything that affects short term gain will get nixed no matter what the longterm risk is.

Those selling ICT Security solutions know that is what the customer market base wants so that is what they sell... So you have an uphill battle unless you have clients that understand longterm risk.

But there is a new problem which is the "Who gives a 5h1t" issue. Back last century it was assumed that a major ICT Security breach would be the equivalent of a major fire. That is the organisation was beyond recovery and would be out of business within a year.

Well there are so many security breaches with loss of user details in the millions that a little PR and find somebody else to blame, causes little or no damage to the organisation so why bother with anything like "best practice" as long as the work flow continues.

The problem is this sort of thinking is the wrong one when you are talking about IP. As we have seen with China, US companies will give the Chinese their IP willingly in return for a fast buck of cheap labour and cheap raw materials. The result: a couple of quarters of good figures then a competitor moves into the market and not only do the figures start to drop you find it harder to get cheap labour and raw materials... Some suspect that their IP is being used against them, but cannot either prove it or do anything about it, except go bust or learn a lesson.

Oh and the Chinese are not the first nation to do this and they almost certainly will not be the last. The US did it for fifty to a hundred years or so around a hundred and fifty years ago. Japan has done it, Taiwan has done it, India has done it, France has done it. The list goes on, whichever way the compass swings, you will find a nation that has done it or will do it in some way if you let them or one that has suffered from it. Modern communications just shortens the time they can do it in.

But it's also corporations doing it. Have a look into Amazon's shady little tricks with small companies with popular or premium products... It's got to the point where it's no longer Taiwan causing the title "China Knock off" to be used. No we now have "Amazon Knock Off" or "Bezos Knock Off" entering the lexicon.

[1] This was back in the XP and before days, I'm really not sure if you can still do it with MS Win these days. TomsBoot was the way to do it. Once the DVD was made it was easy for any user to use. VM's are not quite as easy in this respect.

[2] Lots of businesses with a professional "duty of care" should be this cautious, but they are nowhere close. In effect knowingly or not they rely on the old "best practice" ruse. I've yet to come across any "best practice" that actually is any more than "lucky guesswork". Thus it's likely the industry is keeping best practice dumbed down to a "price point" where there is profit and more importantly "high usability"[3].

[3] The problem with many security systems is they "get in the way of business" as our host @Bruce has pointed out on a number of occasions people will do what they need to do to make their numbers at the end of the month. Thus "ease of use" or better still "invisibility of use" are what users demand of security solutions unless their terms of employment are different to most.

[4] Most risk models are based on those used to assess "fire or theft" risk not "army of one" risk. Put it this way: a real world burglar can only hit a couple of houses a day tops. An information stealing cyber-burglar can hit thousands of machines a second. Worse a good cyber-burglar knows to go in quietly and bide their time copying things selectively and quietly (ie APT style). Likewise the cyber-vandal can use a Distributed Denial of Service attack from hundreds of thousands to millions of zombies simultaneously. Such behaviours don't have risk models yet because they are not limited in the way real world events are by an attacker's locality and energy.

parabarbarianJanuary 2, 2019 10:49 AM

@Clive Robinson

"If anyone knows a FOSS TeX that just "drops in" I guess quite a few might be interested."

I used LyX for years. Even wrote several term papers using it before the Powers that Be demanded everything be submitted electronically in Word format. It is really just an interface to LaTeX (mostly) but CentOS still includes LaTeX. LyX is packaged on EPEL.

Libreoffice includes some LaTeX tools, too.

FaustusJanuary 2, 2019 11:07 AM

@ Puff

We shouldn't feed the fake news machine with made up quotes, even if you hedge obscurely in a different paragraph. It is totally made up and shouldn't be attributed to Director Wray.

NadaJanuary 2, 2019 11:56 AM

The best definition of "propaganda" I know of is this one:
"Fighting brainwashing with another brainwashing". ;-)

65535January 3, 2019 9:42 PM

@ Clive Robinson

You have covered most angles and I can agree with most of it.

Start of post:

“how dangerous is this “preprocessed” junk in dot net and java?”-65535

“As dangerous as any inventive mind with time… to create...”-Clive R.

Yes.

That is the problem and, a big problem is macros in Word and blobs in PDFs with flash. It is very significant and widespread.

[Disassembly in VMs or live Linux cd’s]

”…VM approach is a start… walls are made of irregular stone so gaps exist… My advice in the past was run up word on an isolated machine with no hard drive using a version of MS Windows running in RAM from a DVD[1] much as people do with Linux. use one of the Word "viewers" that let you print to postscript that ps2txt, ghostscript etc could convert to a text format... [1] This was back in the XP and before days, I'm really not sure if you can still do it with MS Win these days. TomsBoot was the way to do it. Once the DVD was made it was easy for any user to use. VM's are not quite as easy in this respect.”-Clive R

That is a good solution.

Sometimes VMs will consume huge amounts of memory and can be leaky if not Bare Metal installed. As for live CDs and DVDs they can be done with Linux images in a less expensive lab. But, there is a limit to size when using CDs. A live thumb could work.

[Data Diodes]

“…then pull in a stripped down MS Win and word/viewer and dump the resulting ASCII to a serial port, then you can build a Data Diode and instrumented choke point to your isolated machine. But unless you have real need to be this cautious[2] then it's both expensive and potentially overkill, whilst also a significant impediment due to not having "High Usability"[3]…”-Clive R

Yep.

I started to work on mine but Marcus Ortella [Sp] took his data diode project blog off line. No go after that.

Also, this leaves the average Jane/Joe office worker with limited time and resources insecure. It’s good where one person is an ICT security specialist with a lab and the equipment to do so. But, the IT security expert probably is already hired by cloud providers - who may only use him in very large breaches. It is hard to find an IT security expert to help the average Jane/Joe at a reasonable cost. The same goes for small business, small doctors offices and small law offices.

[Economic facts of ICT life – the real problem]

“The result is anything that affects short term gain will get nixed no matter what the longterm risk is… the "Who gives a 5h1t" issue… Well there are so many security breaches with loss of user details in the millions that a little PR and find somebody else to blame, causes little or no damage to the organisation so why bother with anything like "best practice" as long as the work flow continues… also corporations doing it. Have a look into Amazon's shady little tricks with small companies with popular or premium products... It's got to the point where it's no longer Taiwan causing the title "China Knock off" to be used. No we now have "Amazon Knock Off" or "Bezos Knock Off" entering the lexicon…”-Clive R

Exactly Right.

It is not only lax security due to economics; it is getting to be actual lucrative confidence game[s] played out by semi-legal big data provider platforms via complex Terms of Service Agreements. Amazon is an example.

This steps up to international state players who spy not only for “National Security” but scam Intellectual Property from other countries. Sure, the USA TLA’s are doing it but also Russia, China, India and so on. This game then gets into international trade and makes a mockery of justice from various players' perspectives. It is a downward spiral to the bottom.

I am beginning to wonder if most “Smart” things and IoT bling are confidence games wrapped in a shiny package to cheat consumers or steal their personal information. I would guess that most people should become educated in IT games and con-games to prevent the scams.

This would include many powerful Politicians, Judges, and lawyers of older vintage who lived in “innocent ARPA Net” days. They have to be better educated in their powerful positions. A blithering US Supreme Court Justice sitting at his desk typing in his Windows 10 Word program with multiple blobs of code in it that are then sent off to Microsoft’s Mothership is not of much help to us - maybe to Microsoft but not the average Jane/Joe.

It is very distressing to see somebody sitting in front of his Smart TV and IoT device giving away his personal data and probably his kids' data without knowing the risks of doing so. But it happens.

There is a lot to be done on the actual ICT front [removing back doors], the consumer education front, and the legal front.

Sure, the EU General Data Protection Regulation [GDPR] is good but it will take much more.

There has to be consumer education and laws in the USA to protect us from being fleeced by the Bling Sellers and dossier’d by LE for fishing expeditions and intellectual enslavement. You could call it the “War On Spying” for lack of a better term. It has to happen or we are going to be flushed down the drain.

FileDetonationJanuary 4, 2019 1:10 PM

Regarding secure detonation of untrusted files, I haven’t heard anyone here mention SELinux as a mitigation.

It seems like you could set up a restrictive SELinux policy (i.e. disallow everything, run your program with a trusted input, then build a policy to only allow the system interactions required by the trusted input) on top of a Docker image with the requisite execution environment and get reasonable protection.

This would also allow you to profile what happens (via the SELinux audit log) so you could see any outliers in attempted access or the order of operations when opening the file (vs opening trusted files of the same format).

I realize that Docker by itself is horribly insufficient for this, but if you were only using Docker as a container for your execution environment and relying on SELinux to prevent non-standard access, it should work.
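The profiling step in the comment above, as an added example that is not part of the thread or of any SELinux tool: parse the AVC records from the audit log of a trusted-input run into an access profile, render that profile as the kind of allow rules audit2allow would emit for the baseline policy, and then diff a run on an untrusted file against the baseline to surface the outliers. The domain `docviewer_t`, the binary `docviewer`, the types `docviewer_input_t` and `fonts_t`, and all log lines are constructed for the example; the record layout follows the standard `type=AVC` format.

```python
import re
from collections import defaultdict

# Fields of an SELinux AVC record that matter for profiling. The "{ perms }"
# group may list several permissions separated by spaces.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, frozenset(perms)) for one AVC
    record, or None for any other audit record (SYSCALL, CWD, PATH, ...)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the type is what policy rules key on.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return (stype, ttype, m.group('tclass'), frozenset(m.group('perms').split()))

def access_profile(lines):
    """Collapse one run's AVC records into {(stype, ttype, tclass): set(perms)}."""
    profile = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        stype, ttype, tclass, perms = rec
        profile[(stype, ttype, tclass)] |= perms
    return dict(profile)

def allow_rules(profile):
    """Render a profile as policy allow rules, as audit2allow would for the
    baseline run in a permissive domain."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(profile.items())
    ]

def outliers(baseline, candidate):
    """Accesses attempted in the candidate run that the trusted baseline never
    needed. In enforcing mode these are the denials worth an analyst's time."""
    extra = {}
    for key, perms in candidate.items():
        new = perms - baseline.get(key, set())
        if new:
            extra[key] = new
    return extra

# Constructed sample: a trusted document opened in a permissive domain.
TRUSTED_RUN = [
    'type=AVC msg=audit(1546603200.101:301): avc:  denied  { read open } for  pid=4101 comm="docviewer" path="/usr/share/fonts/dejavu/DejaVuSans.ttf" dev="sda1" ino=1200 scontext=system_u:system_r:docviewer_t:s0 tcontext=system_u:object_r:fonts_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1546603200.102:302): avc:  denied  { read } for  pid=4101 comm="docviewer" path="/input/trusted.docx" dev="sda1" ino=7001 scontext=system_u:system_r:docviewer_t:s0 tcontext=system_u:object_r:docviewer_input_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1546603200.105:303): avc:  denied  { write create } for  pid=4101 comm="docviewer" name="lu4101.tmp" scontext=system_u:system_r:docviewer_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1',
    'type=SYSCALL msg=audit(1546603200.105:303): arch=c000003e syscall=2 success=yes exit=5 comm="docviewer"',
]

# Constructed sample: an untrusted document in the same domain, now enforcing.
UNTRUSTED_RUN = TRUSTED_RUN[:3] + [
    'type=AVC msg=audit(1546603300.201:401): avc:  denied  { write create unlink } for  pid=4177 comm="docviewer" name="lu4177.tmp" scontext=system_u:system_r:docviewer_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1546603300.204:402): avc:  denied  { name_connect } for  pid=4177 comm="docviewer" dest=80 scontext=system_u:system_r:docviewer_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1546603300.205:403): avc:  denied  { write } for  pid=4177 comm="docviewer" name=".bashrc" scontext=system_u:system_r:docviewer_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
]

if __name__ == "__main__":
    base = access_profile(TRUSTED_RUN)
    print("\n".join(allow_rules(base)))
    for key, perms in outliers(base, access_profile(UNTRUSTED_RUN)).items():
        print("OUTLIER", key, sorted(perms))
```

The baseline has to be collected over enough trusted inputs of the same format that legitimate variation (different fonts, embedded images) does not show up as noise; a single trusted run, as in the sample, will over-report. The rules printed for the baseline are the starting point for the restrictive policy the comment describes, and anything `outliers()` reports for an untrusted file is a denial the policy blocked plus an indicator that the file tried something a benign document never does.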

Impossibly StupidJanuary 5, 2019 11:31 AM

@65535

I am beginning to wonder if most “Smart” things and IoT bling are confidence games wrapped in a shiny package to cheat consumers or steal their personal information.

Why would you only be beginning to question that? It was the case decades ago that "dumb" terminals were the hot thing, which were devices that were essentially useless unless they were connected to a network so that they could move all your data back and forth to a corporate server. The current crop of IoT devices function the same way and yet, with no sense of irony, are somehow considered "smart".

I would guess that most people should become educated in IT games and con-games to prevent the scams.

Social engineering usually is the easiest vulnerability to exploit. But these kinds of "clicked an attachment" phishing attacks are old news. Nobody should be in need of an education or awareness campaign on just how bad an idea it is to still be doing those things. Like I said earlier, we have a derivatives problem: the people who are in control of the people who are incompetent need to be shown the door, because they're demonstrating their own incompetence on these now common matters.

This would include many powerful Politicians, Judges, and lawyers of older vintage who lived in “innocent ARPA Net” days.

The problem isn't their old-school "innocence", it's the corruption of power. Even mere corporate middle managers often take the position that the rules (security and otherwise) shouldn't apply to them because they're So Damn Important™. The only real solution is to remove those kinds of people from positions of power.

65535January 5, 2019 8:23 PM

@ Impossibly Stupid

“Why would you only be beginning to question that?... The current crop of IoT devices function the same way [as a dumb terminal] and yet, with no sense of irony, are somehow considered "smart"”-Impossibly Stupid

That is a good way of describing the problem. It seems accurate. But, the young users probably have never encountered a dumb terminal. They have been taught to believe IoT devices and cell phones are computers in their current form – just smaller.

I would say those devices are very “server-side” dependent and most buyers don’t control the device - as in being able to act as root or Administrator. Further, the buyers don’t control the servers which leaves them in a position to be manipulated or spied upon.

Take a look at Android and Apple sales of all types [IoT to cell phones]. They are still very high. The problem still is growing. Take a look at Krebs site with the current iPhone scam involving “contact list" subverted by fake caller ID hackers. I don’t see either iPhone sales dropping or Apple users taking control of their devices.

The only action I can think of is to try to convince those buyers not to trust the device - or even not buy them. That can be called IT education.

“The problem isn't their old-school "innocence", it's the corruption of power. Even mere corporate middle managers often take the position that the rules (security and otherwise) shouldn't apply to them because they're So Damn Important™. The only real solution is to remove those kinds of people from positions of power.”- Impossibly Stupid

True.

That is the hard line and probably should be taken.

Have the admins of the OPM been fired? I am doubtful. That same power just keeps them in power. These people are so deeply entrenched in the “System” it is going to take mountain blasting techniques to dislodge them. I just don’t see that happening anytime soon.

WaelJanuary 9, 2019 3:52 PM

@bttb,

the grugq is wrong. I'm giving lessons in world-class eloquent speech. A lesson or two won't hurt him ;)

"Give a man an 0day and he'll have access for a day, teach a man to phish and he'll have access for life."

Give humans a 0day, and they'll mock up things for a couple of years[1]; Teach them how to phish, and the scumbags will give you a lifetime of job security.

[1] Zero-days remain unpatched for long periods ranging from a few months to never.

bttbJanuary 9, 2019 7:29 PM

@Wael
"Give a man an 0day..."
When I posted I noticed the extra n (a vs. an) and wondered if some people pronounce 0day (zero-day) Oday (oh-day). Regardless
a zero-day
an oh-day
Not scientific, but it does seem that phishing attacks have been in the news a lot regarding high profile, consequential, attacks.

"Give humans a 0day, and they'll mock up things for a couple of years1; Teach them how to phish, and the scumbags will give you a lifetime of job security."

Did you mean muck not mock?
Synonyms of mock from https://www.merriam-webster.com/thesaurus/mock :
"artificial, bogus, dummy, ersatz, factitious, fake, false, faux, imitation, imitative, man-made, mimic, pretend, sham, simulated, substitute, synthetic"

I don't know the costs (USDs, elections, IP theft, and so on) of 0day vs. phishing attacks. I assume that many sophisticated spear-phishing attacks also use 0day(s) at some point.

"Teach them how to phish, and the scumbags will give you a lifetime of job security."

It does seem hard, expensive, and time consuming to try to get people not to click on links or open things, enticing or not.

WaelJanuary 9, 2019 7:58 PM

@bttb,

Did you mean muck not mock?

I guess. Or perhaps it's a word play on a dirtier word with a Russian accent.

regarding high profile, consequential, attacks.

Likely spear phishing in this case.

It does seem hard, expensive, and time consuming to try to get people not to click on links or open things, enticing or not.

There are a few solutions out there with varying degrees of effectiveness. I click on links by mistake on my mobile device when I mean to scroll the page, so it happens even when the user is aware of the risks. A better solution needs to be developed.

I assume that many sophisticated spear-phishing attacks also use 0day(s) at some point.

Yes. A few were covered here. There was this journalist who got an SMS link on his iPhone, then he sent his phone to Citizen Lab for analysis - can't find the link now.

I assume that many sophisticated spear-phishing attacks also use 0day(s) at some point.

Sounds right.

bttbJanuary 12, 2019 5:37 PM

@Wael

Regarding things like opening things, potentially bad links or Phishing or SpearPhishing attacks, you wrote:

"I click on links by mistake on my mobile device when I mean to scroll the page, so it happens even when the user is aware of the risks."

Not scientific, but that sort of thing may happen to me more often when I have JavaScript enabled.

"There was this journalist who got an [or a] SMS link on his iPhone, then he sent his phone to citizen labs for analysis..."

iirc that may have led to the burning of a million dollar 0day


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.