Operation Shady Rat

tpatt100

Interesting read, I know the US is really lacking when it comes to protecting the infrastructure.

Exclusive: Operation Shady RAT—Unprecedented Cyber-espionage Campaign and Intellectual-Property Bonanza | Culture | Vanity Fair

For at least five years, a high-level hacking campaign—dubbed Operation Shady rat—has infiltrated the computer systems of national governments, global corporations, nonprofits, and other organizations, with more than 70 victims in 14 countries. Lifted from these highly secure servers, among other sensitive property: countless government secrets, e-mail archives, legal contracts, and design schematics. Here, Vanity Fair’s Michael Joseph Gross breaks the news of Operation Shady rat’s existence—and speaks to the McAfee cyber-security expert who discovered it.

The list of victims, which ranges from national governments to global corporations to tiny nonprofits, demonstrates with unprecedented clarity the universal scope of cyber-espionage and the vulnerability of organizations in almost every category imaginable. In Washington, where policymakers are struggling to chart a strategy for combating cyber-espionage, Operation Shady rat is already drawing attention at high levels.

Last week, Alperovitch provided confidential briefings on Shady rat to senior White House officials, executive-branch agencies, and congressional-committee staff. Senator Dianne Feinstein (D-CA), chairman of the Senate Select Committee on Intelligence, reviewed the McAfee report on Shady rat and wrote in an e-mail to Vanity Fair: “This is further evidence that we need a strong cyber-defense system in this country, and that we need to start applying pressure to other countries to make sure they do more to stop cyber hacking emanating from their borders.” McAfee says that victims include government agencies in the United States, Taiwan, South Korea, Vietnam, and Canada, the Olympic committees in three countries, and the International Olympic Committee.

Rounding out the list of countries where Shady rat hacked into computer networks: Japan, Switzerland, the United Kingdom, Indonesia, Denmark, Singapore, Hong Kong, Germany, and India. The vast majority of victims—49—were U.S.-based companies, government agencies, and nonprofits. The category most heavily targeted was defense contractors—13 in all.

wastedtime

This was a pretty good article. Reason stuff like this can happen and persist for a long time like this is due to no one looking for this type of stuff. Then as was pointed out in the article response is usually slow to non-existent.

Forsaken_GA

Someone should point out to the Anon/Lulz folks that going after China instead of defacing the CIA's website might be kind of fun.

Bl8ckr0uter

Ok I am sorry but, you mean to tell me that out of all the blackhat/ceh/gpens/cissps in America, we can't keep out stuff secure? I mean come on? I thought with places like CMU and MIT aren't producing any infosec pros? I mean it makes you wonder if security is even working in this country at all....

tpatt100

Bl8ckr0uter wrote: »

Ok I am sorry but, you mean to tell me that out of all the blackhat/ceh/gpens/cissps in America, we can't keep out stuff secure? I mean come on? I thought with places like CMU and MIT aren't producing any infosec pros? I mean it makes you wonder if security is even working in this country at all....

From my experience it seems companies are really slow to take security serious because like what has been said before, security is noticed when things get jacked up. You can justify sys admins and help desk because they produce results and or work required. I am getting more interested in the compliance side of security now because I have gotten a lot of calls for jobs doing C&A work. I think companies are trying to get on the compliance train because they cannot prove they took security seriously.

Bl8ckr0uter

tpatt100 wrote: »

From my experience it seems companies are really slow to take security serious because like what has been said before, security is noticed when things get jacked up. You can justify sys admins and help desk because they produce results and or work required. I am getting more interested in the compliance side of security now because I have gotten a lot of calls for jobs doing C&A work. I think companies are trying to get on the compliance train because they cannot prove they took security seriously.

But is compliance enough? Regulations such as pci and hipaa have been around around forever, is security getting "better" or worse because of it?

Forsaken_GA

Bl8ckr0uter wrote: »

But is compliance enough? Regulations such as pci and hipaa have been around around forever, is security getting "better" or worse because of it?

The entire problem is that IT is not seen as an asset. The operations budget is a straight up liability for most companies. And since we don't make them money, if we want funds, we have to show a return on investment. In some cases, companies do the risk analysis and decide that the risk of an intrusion will cost less than implementing a proper security solution.

Until they have a reason to spend the money, they won't. And when the stealthy ninja hackers are compromising your stuff without tripping any alarms, they won't have a reason.

it's kind of like taking your health seriously. Most americans don't do it until the doctor gives them some bad news. Then all of a sudden, they've got religion where nutrition and exercise are concerned.

ehnde

Bl8ckr0uter wrote: »

Ok I am sorry but, you mean to tell me that out of all the blackhat/ceh/gpens/cissps in America, we can't keep out stuff secure? I mean come on? I thought with places like CMU and MIT aren't producing any infosec pros? I mean it makes you wonder if security is even working in this country at all....

It's easier to attack than it is to defend.

tpatt100

Bl8ckr0uter wrote: »

But is compliance enough? Regulations such as pci and hipaa have been around around forever, is security getting "better" or worse because of it?

Compliance just ensures things are in place, its still a failure in security if "how" you make yourself compliant fails plus I think a lot of it is failure to actually follow through once you are compliant. When I was doing audits at my last job they did what needed to be done to get authorization to operate but once they got the ATO? two and a half years later when they were getting ready to get renewed they gave me:

1. Scans that were a year old

2. Network diagrams and asset lists that were not updated as changes occurred. They had systems in the diagram list and asset list that did not match what the scans produced when I told them I needed new scans. Part of their network was not documented, they even had systems that were stinking replaced with new servers, new names and new operating systems lol.

3. Emergency contact lists that had names of people who had no clue they were even on the contingency plan.....I called the numbers and got a "I am the what???"

Sys admins have enough work on their plates so they do what has to be done to get certified for approval to operate and then it gets kicked to the curb until the three year renewal window opens up.

A lot of it is manpower imo. So they wait until it blows up and all hell breaks loose to spend money.

wastedtime

Forsaken_GA wrote: »

The entire problem is that IT is not seen as an asset. The operations budget is a straight up liability for most companies. And since we don't make them money, if we want funds, we have to show a return on investment. In some cases, companies do the risk analysis and decide that the risk of an intrusion will cost less than implementing a proper security solution.

Until they have a reason to spend the money, they won't. And when the stealthy ninja hackers are compromising your stuff without tripping any alarms, they won't have a reason.

it's kind of like taking your health seriously. Most americans don't do it until the doctor gives them some bad news. Then all of a sudden, they've got religion where nutrition and exercise are concerned.

I always liked the Fight Club version of this.

A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.

RobertKaucher

Forsaken_GA wrote: »

The entire problem is that IT is not seen as an asset. The operations budget is a straight up liability for most companies. And since we don't make them money, if we want funds, we have to show a return on investment. In some cases, companies do the risk analysis and decide that the risk of an intrusion will cost less than implementing a proper security solution.

Until they have a reason to spend the money, they won't. And when the stealthy ninja hackers are compromising your stuff without tripping any alarms, they won't have a reason.

it's kind of like taking your health seriously. Most americans don't do it until the doctor gives them some bad news. Then all of a sudden, they've got religion where nutrition and exercise are concerned.

I agree with this 100% but I also have to say that attackers have it easier. Defense has to plug every thing, the attackers only need to find 1 hole over time.

I especially enjoy the last analogy there, though. Because that is very true with men and it is mostly men who are running the IT infrastructure. How often do I see skinny-fat guys in the gym trying t lift wieght far over what they should be? Guys tend to have an exaggerated mental image of their own fitness (physical and otherwise).

Forsaken_GA

RobertKaucher wrote: »

I agree with this 100% but I also have to say that attackers have it easier. Defense has to plug every thing, the attackers only need to find 1 hole over time.

I especially enjoy the last analogy there, though. Because that is very true with men and it is mostly men who are running the IT infrastructure. How often do I see skinny-fat guys in the gym trying t lift wieght far over what they should be? Guys tend to have an exaggerated mental image of their own fitness (physical and otherwise).

Yup, we're not so much fighting a war in the cyberz-landz as we are trying to stop the war on drugs. Defending the country from a full on invasion is easy, keeping the nose candy down south is a different story.

Security is difficult, but not impossible. Unfortunately, it is expensive, as you basically need guys and gals as smart as the attackers (and maybe with just a little bit of guts to try and counter-attack, though we surely don't like to talk about that in public). Hiring and retaining that kind of talent isn't easy, however, especially in a highly corporate atmosphere (there's just a tad bit of culture clash...), or one that's crippled with conforming to government regulations.

As for my analogy, well, let's just say it's not a generalization, and was typed with a rueful smile on my face.

RobertKaucher

Forsaken_GA wrote: »

As for my analogy, well, let's just say it's not a generalization, and was typed with a rueful smile on my face.

I understand. It took me watching my grandparents die and my parents and aunts and uncles starting down the path. So I am an example of the rule, not the exception.