Just after lunch I read an article published by Discovery[1] where Bruce Schneier talks about "The truth about Chinese hackers"[2]. While reading it I didn't have the impression that it gave a clear answer about the truth. I guess you only know the truth if you have ever had contact with them, and that is exactly what never happens. As far as I am concerned he is right on the point that Chinese hackers are good. Actually, that even seems an understatement to me, because I know that China has very brilliant hackers, but they don't necessarily show themselves, precisely because of their professionalism. One problem I have with Schneier's assertions in the Chinese hackers article is that he basically says:
There certainly is a lot of hacking coming out of China, and any company that does security monitoring sees it all the time.
False flags.
To me there are two problems with this idea:
- It is a wrong assumption to say that when an attack originates from a certain country, the attacker is located there. Think about it for a moment. Let's say you want to hack a U.S. Government server from your own backyard. Guess what happens. I don't need to tell you that smart attackers or botnet operators don't work like this. It isn't going to happen. The U.S. Military knows this very well and has used many false flag operations (planes, for instance) to trigger a military reaction from a country. Blaming someone else is the first tactic you should consider.
- If companies can detect an attack, you can basically assume it isn't interesting enough to even consider analyzing, because a really bright attacker knows how to stay stealthy, even if you have an intrusion detection system running for you. How else do servers that run Snort get rooted? I can't go into many details about this, but it's true.
Stealth.
What is the opposite of a stealthy attack, in the case of an intrusion detection system? The answer is very simple: still stealthy! When attacking a system that is running proper intrusion detection, like Schneier's BT does, what do you do? You trigger false flags all over the place. This means generating millions of fake attacks from spoofed origins in order to overwhelm the intrusion detection; think "Sneeze" here[3]. The more triggers, the stealthier your real attack becomes. The idea is plain and simple: when you attack a system that has millions of visitors each day with a vector that an IDS can detect, you will stand out from all the other normal requests. The more noise, the harder it is to extract the real signal from the fake signals. So the opposite in fact makes you stealthier than you would otherwise be. Note that this only applies to systems that are hard to attack and properly secured. Nonetheless, it's doable and it has been done for many years.
Logging.
I don't think I ever mentioned it here, but I don't believe in logging a server. It's also my second biggest argument against any intrusion detection system. When you get hit by a massive attack that triggers enormous amounts of false flags, and you grep through 100 million lines of logs, by the time you have found the genuine attacker (which is definitely tough with false flags, and almost impossible), he has already rooted your box and removed all your logs. To me, it's pointless and even dangerous, because you spend all your time and effort analyzing logs, whereas you should have temporarily locked the system down from all access upon suspicion. Personally, I stopped logging and moved over to an intrusion prevention system that also doesn't log attacks. It saves me disk space, and it gives me peace of mind. If some attacker wants to hack me, he will do it while I sleep or when I'm not paying attention. If he wants to get in, I can do nothing but hope I secured it well.
[1] http://dsc.discovery.com/technology/my-take/computer-hackers-china.html
[2] http://www.schneier.com/blog/archives/2008/07/chinese_cyber_a.html
[3] http://www.phrack.nl/phrack62/p62-0x0d.txt
Want to discuss this topic? Then visit:
http://www.thedarkvisitor.com/2008/07/bruce-schneier-the-truth-about-chinese-hackers/