Saturday, January 30, 2010

Hackers target friends of Google workers

Personal friends of employees at Google, Adobe and other companies were targeted by hackers in a string of recently disclosed cyberattacks, raising privacy concerns and pointing to a highly sophisticated operation, security experts said.
Cybersecurity experts analysing the attacks said the hackers spied on individuals and used other sophisticated techniques, making them extremely difficult to stop. The disclosures come amid renewed alarm over cybersecurity after Google said it had been the target of a series of cyberattacks from China.

The most significant discovery is that the attackers had selected employees at the companies with access to proprietary data, then learnt who their friends were. The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent.

“We’re seeing a lot more up-front reconnaissance, understanding who the players are at the company and how to reach them,” said George Kurtz, chief technology officer at security firm McAfee.
“Someone went to the trouble to backtrack: ‘Let me look at their friends, who I can target as a secondary person’.”
McAfee discovered that a previously unknown flaw in Microsoft’s Internet Explorer had been used in the attacks. Mr Kurtz said the attackers also used one of the most popular instant messaging programs to induce victims to click on a link that installed spy software.
Another element of the attack code used a formula only published on Chinese language websites, said Joe Stewart, a researcher for security firm SecureWorks. Mr Stewart also found that some of the code had been assembled in 2006, suggesting that the campaign had been not only well organised but enduring.
The evidence pointed to a government-sponsored effort that only large spy agencies or perhaps some of the most advanced big companies could have withstood, experts said. China on Monday described accusations it was behind cyberattacks as “groundless”.
Sam Curry, vice-president of security firm RSA, said: “This is a loud message for the commercial world, which is: wake up, this isn’t all happiness and goodness and new business.
“Doing business on the internet is as risky as sending ships through the Panama Canal.”

1 comment:

  1. Mr. Stewart's "China code" claim seems to have some problems:

    1) A follow-up published by The Register on 1/26 contradicted the claim that the CRC algorithm was not known outside China. The 4-bit CRC code has been around for over a decade in the device application arena. Once this fact became public, several code samples outside China were located by bloggers discussing this issue.

    2) Mr. Stewart seems to have neglected the fact that variable names are stripped out during code compilation when he alluded to a variable name in the Aurora machine code. There is absolutely no link between the "crc_ta[16]" variable he identified as Chinese and the machine code in Aurora.

    Googling "crc_table[16]" turns up code examples outside China; what does that prove?

    3) Upon closer examination of Mr. Stewart's citations, the alleged Chinese white paper containing the algorithm and the code snippet found by Googling the identified variable name both turned up different code than what's in Aurora.

    Specifically, the Aurora code contains a 12-bit shift optimization (found as early as 1988 according to The Register article):

    crc16 >> 12

    however the code passed around on Chinese sites is unoptimized code using two divisions:
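As an added illustration of the kind of routine the commenter is describing (this is neither the commenter's missing snippet nor the Aurora code): a 4-bit table CRC-16 written once with the 12-bit shift and once with integer division, plus a bit-serial reference, showing that the optimised and unoptimised forms compute the same value. The polynomial 0x1021 and the 16-entry table derived from it are assumptions for this example.

```python
# Nibble-driven (4-bit table) CRC-16, the kind of routine the comment
# discusses. The polynomial 0x1021 (CRC-16/CCITT) and the 16-entry table
# derived from it are assumed for illustration; they are not claimed to be
# the Aurora table or the table in the cited Chinese white paper.
POLY = 0x1021

def build_crc_table_16() -> list:
    """One 16-bit remainder per 4-bit nibble: a 16-entry table."""
    table = []
    for nibble in range(16):
        crc = nibble << 12          # nibble at the top of the 16-bit register
        for _ in range(4):          # clock out the nibble's 4 bits
            crc = ((crc << 1) ^ POLY) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
        table.append(crc)
    return table

CRC_TA = build_crc_table_16()  # 16 entries, so each byte costs two lookups

def crc16_shift(data: bytes, init: int = 0) -> int:
    """Optimised form: 'crc16 >> 12' selects the register's top nibble."""
    crc16 = init
    for byte in data:
        for nibble in (byte >> 4, byte & 0x0F):
            crc16 = ((crc16 << 4) ^ CRC_TA[(crc16 >> 12) ^ nibble]) & 0xFFFF
    return crc16

def crc16_divide(data: bytes, init: int = 0) -> int:
    """Unoptimised form: integer division by 4096 and by 16 instead of shifts."""
    crc16 = init
    for byte in data:
        hi, lo = byte // 16, byte % 16                    # instead of '>> 4' and '& 0x0F'
        crc16 = ((crc16 * 16) ^ CRC_TA[(crc16 // 4096) ^ hi]) & 0xFFFF  # '// 4096' is '>> 12'
        crc16 = ((crc16 * 16) ^ CRC_TA[(crc16 // 4096) ^ lo]) & 0xFFFF
    return crc16

def crc16_bitwise(data: bytes, init: int = 0) -> int:
    """Plain bit-at-a-time CRC-16 with the same polynomial; checks the table code."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ POLY) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def forms_agree(data: bytes) -> bool:
    """True when the shift form, the division form and the bit-serial reference match."""
    return crc16_shift(data) == crc16_divide(data) == crc16_bitwise(data)
```

With init 0 this is the CRC-16/XMODEM parameterisation, whose standard check value for the ASCII string "123456789" is 0x31C3.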