Monday, March 30, 2009

China Engaging in Cyber Spying? Really?

This should be filed under "duh".

Media outlets are agog over reports that China is involved with "GhostNet", a computer espionage network.

According to Canadian security officials, compromised computers that make up GhostNet have been completely taken over, and those behind this evil network can browse and download files, and make use of "covertly installed" microphones and web cameras.

Smile, you're on Canton Camera.

Some are quick to point the finger at the Chinese government as being a central player in this espionage, but official spokes-peoples-Republic-of-China denies involvement, stating that cybercrime is expressly forbidden. Like pirating software and designer fashions is verboten, no doubt.

GhostNet has seemingly infiltrated business, education, government, and industry networks, which sounds remarkably like a systematic, well-planned mission to reconnoiter with breadth and depth. There's obviously an end-game here. What remains to be seen is the extent of the reach and the identity of the players.

As an infosec professional, I'd be interested in a detailed analysis of the infected systems and networks to identify common components. Without having any inside information, I'd guess Microsoft products might figure prominently in this, due to the long history of Asia-centric malware that targets the Windows and Office product sets. I just don't see a Mac or Linux / Unix footprint to this, given the disparity in targets and low saturation of these platforms.

Over the past year, there have been a staggering number of breaches and compromises resulting from silly, insecure infrastructures: P2P software on government computers, missing and/or stolen devices from which authorization and authentication credentials could be harvested, poor email practices, crappy Internet browsing policies coupled with insecure browsers and configs...the list goes on and on.

Consider something as simple as the security tests conducted in certain cities, where scores of USB drives containing harmless malware were scattered in and around corporate parks, company headquarters, and government installations to determine how many would be taken inside nearby premises and plugged into a desktop or laptop. The answer? Way, way too many. The testers know this because the flash drives called home to a command & control point to report that they had been inserted into a computer. You can't cure stupid.
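The drop test above only works because nobody on the receiving end notices a strange storage device being mounted. The defender-side check a practitioner would want is an inventory of removable-storage insertions pulled from the hosts' own logs, compared against the devices the organisation actually issued. The following is an added example, not code from this post or from any of the reports it discusses: it correlates Linux kernel "New USB device found" messages with the later "USB Mass Storage device detected" message for the same host and bus path, and flags any mass-storage device whose vendor/product ID is not on an assumed allowlist. The log lines, hostnames and IDs are constructed sample data, and `ALLOWED_DEVICES` is a hypothetical list of issued drives.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample syslog lines in the style of the Linux kernel's USB
# messages. Hosts, timestamps and vendor/product IDs are made-up test data.
SAMPLE_LOG = """\
Mar 30 09:14:02 ws-17 kernel: usb 1-1.3: new high-speed USB device number 5 using xhci_hcd
Mar 30 09:14:02 ws-17 kernel: usb 1-1.3: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Mar 30 09:14:02 ws-17 kernel: usb 1-1.3: Product: Issued Drive
Mar 30 09:14:02 ws-17 kernel: usb-storage 1-1.3:1.0: USB Mass Storage device detected
Mar 30 09:20:41 ws-17 kernel: usb 1-1.4: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.01
Mar 30 09:20:41 ws-17 kernel: usb 1-1.4: Product: USB Receiver
Mar 30 11:02:13 ws-22 kernel: usb 2-1: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
Mar 30 11:02:13 ws-22 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
Mar 30 11:05:50 ws-22 kernel: usb 2-2: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Mar 30 11:05:50 ws-22 kernel: usb-storage 2-2:1.0: USB Mass Storage device detected
Mar 30 12:00:00 ws-31 kernel: usb-storage 3-1:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of (vendor ID, product ID) pairs the organisation issued.
ALLOWED_DEVICES: Set[Tuple[str, str]] = {("0781", "5567")}

_SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
# Enumeration line: carries the bus path and the vendor/product IDs.
NEW_DEVICE_RE = re.compile(
    _SYSLOG_PREFIX
    + r"usb (?P<dev>[\d.-]+): New USB device found, "
    + r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
# Binding line: the usb-storage driver claimed interface <dev>:<config>.<iface>.
STORAGE_RE = re.compile(
    _SYSLOG_PREFIX + r"usb-storage (?P<dev>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


@dataclass(frozen=True)
class StorageInsertion:
    timestamp: str
    host: str
    device: str                # kernel bus path, e.g. "1-1.3"
    vendor_id: Optional[str]   # None if no enumeration line was seen for this path
    product_id: Optional[str]


def parse_storage_insertions(lines: Iterable[str]) -> List[StorageInsertion]:
    """Report one event per device that actually bound usb-storage.

    Enumeration lines are remembered per (host, bus path); the later
    usb-storage line consumes that record. Devices that never bind
    usb-storage (mice, receivers) produce no event.
    """
    enumerated: Dict[Tuple[str, str], Tuple[str, str]] = {}
    insertions: List[StorageInsertion] = []
    for line in lines:
        m = NEW_DEVICE_RE.match(line)
        if m:
            enumerated[(m["host"], m["dev"])] = (m["vid"], m["pid"])
            continue
        m = STORAGE_RE.match(line)
        if m:
            # Missing enumeration (log rotated, truncated capture) yields None IDs.
            vid, pid = enumerated.pop((m["host"], m["dev"]), (None, None))
            insertions.append(StorageInsertion(m["ts"], m["host"], m["dev"], vid, pid))
    return insertions


def find_unapproved(insertions: Iterable[StorageInsertion],
                    allowed: Set[Tuple[str, str]]) -> List[StorageInsertion]:
    """Everything not on the issued list is unapproved, including devices whose
    IDs could not be recovered from the log (fail closed rather than open)."""
    return [i for i in insertions if (i.vendor_id, i.product_id) not in allowed]


def insertions_per_host(insertions: Iterable[StorageInsertion]) -> Dict[str, int]:
    """Count storage insertions per host, a cheap signal for which desks to visit."""
    counts: Dict[str, int] = {}
    for i in insertions:
        counts[i.host] = counts.get(i.host, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_storage_insertions(SAMPLE_LOG.splitlines())
    for event in find_unapproved(found, ALLOWED_DEVICES):
        print(f"{event.timestamp} {event.host} usb {event.device}: unapproved storage "
              f"{event.vendor_id or '????'}:{event.product_id or '????'}")
    print(insertions_per_host(found))
```

Matching on the `usb-storage` binding rather than on every USB enumeration keeps keyboards and receivers out of the report, and a storage line with no preceding enumeration is still flagged, since an unknown device is exactly the case the drop test exploits.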

No one should be surprised by this reporting. I'd be concerned about why it took so long to identify the issue, and if there was a gap between having this data and making it public. This shows that relying on security "controls" to prevent data leakage and compromise is only part of the equation.

Defense in depth as a strategy is beginning to show that there are always cracks, even tiny ones, and the other side only needs a small opening in order to accomplish their goals. It's very difficult to protect your network from everything, every day, from everyone.
