Friday, November 07, 2008

Current and Future White House v China

To continue my "v China" series of blog posts, I note the following:

Chinese hack into White House network:

Chinese hackers have penetrated the White House computer network on multiple occasions, and obtained e-mails between government officials, a senior US official told the Financial Times.

On each occasion, the cyber attackers accessed the White House computer system for brief periods, allowing them enough time to steal information before US computer experts patched the system.

US government cyber intelligence experts suspect the attacks were sponsored by the Chinese government because of their targeted nature. But they concede that it is extremely difficult to trace the exact source of an attack beyond a server in a particular country.

“We are getting very targeted Chinese attacks so it stretches credulity that these are not directed by government-related organisations,” said the official.

The official said the Chinese cyber attacks had the hallmarks of the “grain of sands” approach taken by Chinese intelligence, which involves obtaining and poring through lots of - often low-level - information to find a few nuggets.

Some US defence companies have privately warned about attacks on their systems, which they believe are attempts to learn about future weapons systems.

The National Cyber Investigative Joint Task Force [apparently an FBI-led group], a new unit established in 2007 to tackle cyber security, detected the attacks on the White House. But the official stressed that the hackers had only accessed the unclassified computer network, not the more secure classified network.


So that's the current administration. On to the next:

Obama, McCain campaigns' computers hacked for policy data:

Computers at the headquarters of the Barack Obama and John McCain campaigns were hacked during the campaign by a foreign entity looking for future policy information, a source with knowledge of the incidents confirms to CNN.

Sources say McCain campaign computers were hacked around the same time as those of Obama's campaign.

Workers at Barack Obama's headquarters first thought there was a computer virus.

The source said the computers were hacked mid-summer by either a foreign government or organization.

Another source, a law enforcement official familiar with the investigation, says federal investigators approached both campaigns with information the U.S. government had about the hacking, and the campaigns then hired private companies to mitigate the problem.

U.S. authorities, according to one of the sources, believe they know who the foreign entity responsible for the hacking is, but refused to identify it in any way, including what country.

The source, confirming the attacks that were first reported by Newsweek, said the sophisticated intrusions appeared aimed at gaining information about the evolution of policy positions in order to gain leverage in future dealings with whomever was elected.

The FBI is investigating, one of the sources confirmed to CNN.


This is the Golden Age for incident detection and response. Where are all the prevention advocates? How about the inside threat fans? Sorry, it's all about detecting and responding to external threats.

14 comments:

Anonymous said...

"Sorry, it's all about detecting and responding to external threats"

Tell that to Societe Generale

Gunnar said...

" Where are all the prevention advocates? "

It's never been properly explained to me how not putting access control on your resources and then whining when those resources are broken into is an effective strategy.

Is it possible we need prevention, detection *and* response? Or am I supposed to believe that improved response will just deal with everything we need whilst the resources are "protected" by Swiss cheese?

Last time I checked we don't have a silver bullet in *any* of the prevention, detection, and response domains and we need to improve all three. Maybe that's why the Pentagon has Army, Navy, Air Force and Marines. Oh yeah and Coast Guard.

Richard Bejtlich said...

Response 1: Jerome Kerviel committed fraud.

Response 2: Of course we should try to stop what we can, but the fact is prevention eventually fails. Anyone who thinks differently hasn't been around long enough, or isn't looking where and how they need to look, to find evidence of intrusion.

Gunnar said...

wrt Kerviel: So? The assets were compromised. Societe Generale is out billions. My job is to protect the asset. If the assets are compromised I could care less about which threat did it.

Think about car design, air bags, brakes, ABS and so on. These are safety mechanisms used to protect assets. The threats could be a bad driver, bad conditions, or the person at the wheel could even be the bad driver but the safety mechanisms protect the asset, they are threat agnostic.

wrt fail: prevention, detection, and response are all failure prone. I was responding to the comment "it's all about detecting and responding to external threats." If you are not gonna improve prevention you're not gonna have a system to monitor. You could easily make the case that part of improving security is that you need to consider the failure modes of your prevention mechanisms such that when they fail you notify your detection and response mechanisms.

Richard Bejtlich said...

Gunnar, billions have been lost at banks all over the place. Is it our job to protect those assets? Those traders took risks too. JK didn't steal anything -- he was trading, and may have been encouraged to do so. He was making money for his company until his bets went bad. The only security angle (and a weak one) is that JK figured out how to mask his activities.

I agree with your statements on prevention in your comment. However, the absolute number one problem we have right now are outsiders. 2008 is the year of the outsider, if we need to call it such.

Rob Lewis said...

@gunnar,

"If you are not gonna improve prevention you're not gonna have a system to monitor."

Right. It is akin to REACTING FASTER to a bullet in the head.

Well the security industry has spent billions since its start to combat the external threat. Let's take a look at how it's doing? Hummm. More doom and gloom reports that the bad guys are winning.

Of course, if one was able to successfully close the doors to external sources of attack, then the attack plane would shift to internal attacks, which is MUCH harder to protect against.

Richard Bejtlich said...

Better bullet-proof vests aren't the answer. Putting the shooter in jail is.

Rob Lewis said...

Well that does not offer much in prevention for the first victim does it?

Davi Ottenheimer said...

You think Chinese hackers are bad news? American fundies completely penetrated the White House, took full control of accounts, and look at all the damage to the country they did.

Anonymous said...

"Better bullet-proof vests aren't the answer. Putting the shooter in jail is."

I'm sure with current forensics the ability to put criminals in jail is a lot better than in the past, yet it doesn't seem to deter criminals. Hasn't the crime rate gone up despite being more likely to go to jail than in the past?

Rob Lewis said...

Hypothetically, if one could develop a "silver bullet" in one of the areas that Gunnar mentioned, one would choose prevention as that would eliminate the need for detection and response.

I know you will respond with "prevention eventually fails", but we are talking about the silver bullet case.

Richard Bejtlich said...

Silver bullets don't exist.

Jonathan said...

As much as I would like to believe that "putting the criminal in jail" would be a solution, and it would for this individual, there is always gonna be another in line to take their place. Especially since we are talking about a "nation vs nation" case right now, not just some kid having his hacking thrill. Diplomacy and politics are implied in those kinds of cases.

Of course, prevention is always the first thing to consider, I totally agree with you on this, but that is not enough. I strongly believe the weakest link in any system is the human part, but humans are what they are...lazy and slow to learn. That's why computers exist after all. The only problem is that they are not programming themselves...so for now, there will always be a "weak spot", whether it's the users or the protection. As for this case, the classified material network was not connected to an external network, and that's the best solution for those kinds of threats.

As for internal vs external threats, I guess the American government has a lot more interest in publicizing external threats posed by China and Russia. That's the reason we don't hear much about internal threats. I believe that most managers don't consider internal threats as they put too much confidence in the personnel selection, especially in high-security areas, since the checks are much more strict. That's only an opinion though, not a fact. And humans, lazy as we are, don't bother thinking about this eventual problem; that's the problem of the Human Resources I guess...

zoom said...

Having a "secure" net and public net are fine, but employees have to be constantly reminded to practice comsec.

And I agree with Rich...toss them all in jail.