Tickerguy Is Right Again - This Time It's Bad in forum [Market-Ticker]
|
Mtdm
Posts: 215
Incept: 2009-07-23
|
Holy hell. Apparently I've not been paying attention. I mean, none of what you say about China's activities surprises me. And as you say, the "meh..." responses from everyone over here are cause for concern, but it doesn't surprise me that the government is just not paying attention. But I am utterly flabbergasted to learn that my root certificate store now doesn't just include Thawte and Verisign, but CNNIC, HK Post, Turktrust, Taiwan, Deutsche Telekom, etc.
I mean honest to god, what bright spark thought it would be a good idea to include them? I'll tell you one thing: I'd almost prefer cross-border controls enforced on the ISPs to this level of insanity where your most hostile foreign powers can sign stuff and advertise for your networks and nobody cares or notices. And if I'm saying that, and I'm a staunch small-government libertarian, then it seems fair to extrapolate that the average Joe wouldn't need much persuasion to give Obama his big red button to "turn off" the Internet.
A final thought: SMTP/SSL has been viable for years and years now, as have other suitable solutions to encrypt at least the transport or even the message itself. Yet hardly any corporates or consumers turn it on, or petition their email providers to do so. Hotmail/Gmail/Yahoo/etc., as well as the businesses you deal with and email, need some consumer demand shown to them to get transport security improved.
And someone needs to start red-teaming the backbone providers to give them more incentive to pay attention to their route security. They may not care collectively if China chooses to transport packets for them, but they sure as **** would care if one of them were singled out to have their routes get hosed while their competitors survived...
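An added example (not from the post or the forum) of the inventory Mtdm is describing: list what the local trust store actually contains, grouped by the country in each root's subject, and pull out the ones outside an operator-chosen allow list. It uses only Python's ssl module; the sample roots are constructed, with illustrative subject strings rather than copies of the real certificates, and the allow list is the example's own parameter.

```python
import ssl
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple


def _attr(name: str, rdn_sequence) -> str:
    """Pull one attribute out of a subject in get_ca_certs() shape: a tuple of
    RDNs, each RDN a tuple of (attribute, value) pairs."""
    for rdn in rdn_sequence:
        for key, value in rdn:
            if key == name:
                return value
    return ""


def _subject(**attrs):
    """Build a subject in that same shape (constructed helper for the sample data)."""
    return tuple(((key, value),) for key, value in attrs.items())


# Constructed sample roots with illustrative subject strings, not copies of
# the real certificates. The last one has no country at all.
SAMPLE_ROOTS = [
    {"subject": _subject(countryName="US", organizationName="VeriSign, Inc.",
                         commonName="VeriSign Class 3 Public Primary CA")},
    {"subject": _subject(countryName="CN", organizationName="CNNIC",
                         commonName="CNNIC ROOT")},
    {"subject": _subject(countryName="HK", organizationName="Hongkong Post",
                         commonName="Hongkong Post Root CA 1")},
    {"subject": _subject(countryName="TR", organizationName="TURKTRUST",
                         commonName="TURKTRUST Root CA")},
    {"subject": _subject(countryName="TW",
                         organizationName="Government Root Certification Authority")},
    {"subject": _subject(countryName="DE", organizationName="Deutsche Telekom AG",
                         commonName="Deutsche Telekom Root CA 2")},
    {"subject": _subject(commonName="Unlabelled Root")},
]


def root_identity(cert: dict) -> Tuple[str, str]:
    """(country, organisation-or-CN) for one root; '??' when the subject has no country."""
    subject = cert.get("subject", ())
    country = _attr("countryName", subject) or "??"
    org = (_attr("organizationName", subject)
           or _attr("commonName", subject) or "<unnamed>")
    return country, org


def summarize_roots(certs: Iterable[dict]) -> Dict[str, List[str]]:
    """Group the store by subject country: {'US': ['VeriSign, Inc.', ...], ...}."""
    by_country: Dict[str, List[str]] = defaultdict(list)
    for cert in certs:
        country, org = root_identity(cert)
        by_country[country].append(org)
    return dict(by_country)


def roots_outside(certs: Iterable[dict], allowed: Set[str]) -> List[Tuple[str, str]]:
    """Roots whose subject country is not in the allow list, in store order.
    A missing country is reported too: it should not pass by accident."""
    return [root_identity(c) for c in certs if root_identity(c)[0] not in allowed]


def load_system_roots() -> List[dict]:
    """The roots Python's default context trusts on this machine (the OS/OpenSSL
    store, not Firefox's own NSS store)."""
    return ssl.create_default_context().get_ca_certs()


if __name__ == "__main__":
    roots = load_system_roots()
    for country, orgs in sorted(summarize_roots(roots).items()):
        print(f"{country}: {len(orgs)} root(s)")
    for country, org in roots_outside(roots, {"US"}):   # allow list is a parameter
        print(f"review: {country:2} {org}")
```

Run as a script it prints the same summary for the OS store Python sees; Firefox keeps its own NSS store, so that one has to be audited separately. A subject's country says where the CA is incorporated, not who can compel it, so treat the list as the starting point for a per-root decision: every root left in the store can issue a certificate for any name.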
|
Floyd
Posts: 120
Incept: 2009-07-23
NC
|
Swan, Yesterday I went thru the scanner. I thought about raising hell about it, but was too tired and in a hurry. Makes me chuckle that some dumbass had to inspect my junk via a computer monitor :).
If there had been a hot TSA agent there to actually do sex to me, then I may have been more willing to protest the scanner tho. :)
|
Blackswan
Posts: 5589
Incept: 2007-11-06
Just outside of Philly
|
I blame Al Gore. He invented this thing. Seriously.. wtf.. government asleep at the switch again.
Floyd - unfortunately it does not work that way... that was an SNL skit years ago.. agents make the hot chick remove clothes.
----------
“It’s checkmate. Everywhere it’s checkmate.” Hugh Hendry
|
Tz
Posts: 785
Incept: 2007-09-18
varies
Banned
|
I have disabled EVERY CA on Firefox. On Windows, Mac, and Linux. And I use the "Perspectives" extension, which uses a set of notaries that verifies google.com is the same cert 10,000 others are getting and not signed by China, the Turkish government, or by a cert the FBI has subpoenaed from Verisign and has in a local appliance.
This is just the sort of thing Firesheep, and the more complex versions (DNS hijack or ARP cache poisoning), can do at your local Starbucks - even if they have wifi encryption on.
----------
"I am become debt, destroyer of worlds"
|
Duski
Posts: 87
Incept: 2010-02-22
Banned
|
Quote:So now tell me again why we allow US firms to include trusted keys issued by The Chinese ****ing government when they have more than a decade-long history of stealing intellectual property along with various acts of military and state-secret espionage?
That would be because we have a government that has the collective mental firepower of a mosquito, especially when it comes to these matters. I'd guess they are just bribed. Bankers did it too. And, well, pretty much everyone with enough money.
|
Mtdm
Posts: 215
Incept: 2009-07-23
|
@Tz: "This is just the sort of things which firesheep and the more complex versions (dns hijack or arp cache poisoning) of what can be done at your local starbucks - even if they have wifi encryption on."
Ermmm, yeah.
Except for the fact that many people who operate in such environments do so in the full knowledge that just such things may be occurring. And so will take precautions, such as using encryption back to a known trusted server.
When it comes to hijacking server-to-server traffic, and those servers are operating in places very much unlike a tea-room, you have to bear in mind that even though people should know better, and have had many opportunities to improve, the simple fact is that there's a hell of a lot of insecure transmissions flowing between data centers, in clear, over just the sorts of backbones whose traffic was hijacked.
It's one thing to be in a coffee shop and worry about the script kiddy next door, or the organized crime ring next country over; it's quite another to find that traffic from one data center in the US to another data center in the US might be flowing through a Chinese listening post; and it's quite another still to find out that our government's reaction to this is that "they were not alarmed". Even if our government were well aware that this kind of thing goes on every day, a little bit of feigned "alarm" in their reaction might at least give the impression that they have half a clue and are addressing the situation.
P.S. Of course, there are plenty of companies who have multinational presence who do nothing about securing their internal networks in one country from those in another, and who may already have networking devices shipping information from the boardrooms and executive floors to hostile services overseas, without even traversing the internet...
|
Rbarreira
Posts: 2826
Incept: 2009-05-27
Portugal -> Sweden
|
Traffic can be routed through anywhere on the Internet. You can't trust it to take the shortest path.
So yeah, people are stupid if they're not encrypting their sensitive content, and if they are encrypting it, the new Chinese supercomputer is not enough to break 128-bit private-key encryption or RSA with keys of a few thousand bits (in fact you would need a computer about the size of the whole universe to crack that).
----------
In Soviet Russia, the government regulates the banks.
|
Tarmoney
Posts: 339
Incept: 2008-01-23
LI, NY
|
Let's hope there are no real breakthroughs in quantum computing...
----------
"Then have a recession. It's a financial enema for a sick animal." - Rick Santelli I really can't wait to see all these guys twist on the rope... -me  
|
Uwe
Posts: 6575
Incept: 2009-01-03
19446
|
If you're worried that a site that's in the US has been re-directed to China, Ping it. There's one thing which is physically impossible for the Chinese to fake, and that's a reasonable latency.  -Uwe-
----------
“Whenever the legislators endeavor to take away and destroy the property of the people, or to reduce them to slavery under arbitrary power, they put themselves into a state of war with the people, who are thereupon absolved from any further obedience.” - John Locke
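Uwe's test rests on physics: a detour adds propagation delay that no amount of capacity can remove, so an RTT that is too small for a given detour rules that detour out. The block below is an added example, not from the post, that turns this into a bound: it sums great-circle distances along a hypothetical path, converts at the speed of light in fibre (about 200 km per millisecond, the one physical assumption), and compares the result against an RTT measured with ping. The coordinates are constructed approximations for Washington, Los Angeles and Beijing.

```python
import math
from typing import Sequence, Tuple

Point = Tuple[float, float]            # (latitude, longitude) in degrees

EARTH_RADIUS_KM = 6371.0
FIBRE_KM_PER_MS = 200.0                # roughly 2/3 c: the only physical assumption here

# Constructed approximate coordinates for the worked case.
WASHINGTON: Point = (38.91, -77.04)
LOS_ANGELES: Point = (34.05, -118.24)
BEIJING: Point = (39.90, 116.41)


def great_circle_km(a: Point, b: Point) -> float:
    """Haversine great-circle distance: the shortest surface path between two points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def min_rtt_ms(waypoints: Sequence[Point]) -> float:
    """Lower bound on round-trip time for a packet that visits the waypoints in
    order and returns the same way. Real fibre is never laid as a great circle
    and routers add queuing, so real RTTs are always higher than this."""
    one_way_km = sum(great_circle_km(waypoints[i], waypoints[i + 1])
                     for i in range(len(waypoints) - 1))
    return 2 * one_way_km / FIBRE_KM_PER_MS


def detour_ruled_out(observed_rtt_ms: float, src: Point, dst: Point, via: Point) -> bool:
    """True when the measured RTT is physically too small for src -> via -> dst,
    i.e. the traffic cannot be passing through 'via'. False means only that the
    detour cannot be excluded on timing alone."""
    return observed_rtt_ms < min_rtt_ms([src, via, dst])


if __name__ == "__main__":
    direct = min_rtt_ms([WASHINGTON, LOS_ANGELES])
    via_cn = min_rtt_ms([WASHINGTON, BEIJING, LOS_ANGELES])
    print(f"floor direct: {direct:.0f} ms, floor via Beijing: {via_cn:.0f} ms")
    for rtt in (70.0, 230.0):          # constructed ping results, in milliseconds
        if detour_ruled_out(rtt, WASHINGTON, LOS_ANGELES, BEIJING):
            print(f"observed {rtt:.0f} ms: cannot be going via Beijing")
        else:
            print(f"observed {rtt:.0f} ms: detour not excluded by timing")
```

The bound only works in one direction. An RTT below the minimum for a detour proves the packets did not take it; an RTT above it proves nothing, since queuing, a slow last hop or an indirect fibre route all add delay too. Compare against a baseline recorded when the route was known-good, and remember that ping measures the echo's path, which the return path of a hijacked prefix need not share.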
|
Genesis
Posts: 131437
Incept: 2007-06-26
|
Uwe: Yep.
----------
I don't care if it makes sense -- only if it makes money. -- Me Bank (n): See scam, fraud and theft. Eat a bankster -- they're low-carb. What part of "shall not be infringed" was unclear?
|
Particenens
Posts: 9669
Incept: 2008-01-16
Peak Bund
|
127001 Quote: I also attest to seeing this every day non-stop for the past several years. Oil and gas and electrical generation industries.
Another thought about "trust" and keys. Stuxnet, the virus attempting to infect power generation controllers and embedded systems around the globe, has multiple attack vectors (not just the USB one originally seen).
Another vector is to inject some malicious code directly into the kernel via a driver. How is that possible? The kernel requires code signed with a certificate. You cannot just write a driver and have it loadable, right?
http://www.f-secure.com/weblog/archives/....
Quote:
Q: How can it install its own driver? Shouldn't drivers be signed for them to work in Windows? A: Stuxnet driver was signed with a certificate stolen from Realtek Semiconductor Corp.
Q: Has the stolen certificate been revoked? A: Yes. Verisign revoked it on 16th of July. A modified variant signed with a certificate stolen from JMicron Technology Corporation was found on 17th of July.
Q: What's the relation between Realtek and Jmicron? A: Nothing. But these companies have their HQs in the same office park in Taiwan. Which is weird.
weird my ass.
http://www.wired.com/threatlevel/2010/11....
Clues Suggest Stuxnet Virus Was Built for Subtle Nuclear Sabotage
By Kim Zetter, November 15, 2010
New and important evidence found in the sophisticated “Stuxnet” malware targeting industrial control systems provides strong hints that the code was designed to sabotage nuclear plants, and that it employs a subtle sabotage strategy that involves briefly speeding up and slowing down physical machinery at a plant over a span of weeks.
“It indicates that [Stuxnet's creators] wanted to get on the system and not be discovered and stay there for a long time and change the process subtly, but not break it,” says Liam O Murchu, researcher with Symantec Security Response, which published the new information in an updated paper on Friday.
The Stuxnet worm was discovered in June in Iran, and has infected more than 100,000 computer systems worldwide. At first blush, it appeared to be a standard, if unusually sophisticated, Windows virus designed to steal data, but experts quickly determined it contained targeted code designed to attack Siemens Simatic WinCC SCADA systems. SCADA systems, short for “supervisory control and data acquisition,” are control systems that manage pipelines, nuclear plants and various utility and manufacturing equipment.
Researchers determined that Stuxnet was designed to intercept commands sent from the SCADA system to control a certain function at a facility, but until Symantec’s latest research, it was not known what function was being targeted for sabotage.
Symantec still has not determined what specific facility or type of facility Stuxnet targeted, but the new information lends weight to speculation that Stuxnet was targeting the Bushehr or Natanz nuclear facilities in Iran as a means to sabotage Iran’s nascent nuclear program.
According to Symantec, Stuxnet targets specific frequency-converter drives — power supplies used to control the speed of a device, such as a motor. The malware intercepts commands sent to the drives from the Siemens SCADA software, and replaces them with malicious commands to control the speed of a device, varying it wildly, but intermittently.
The malware, however, doesn’t sabotage just any frequency converter. It inventories a plant’s network and only springs to life if the plant has at least 33 frequency converter drives made by Fararo Paya in Teheran, Iran, or by the Finland-based Vacon.
Even more specifically, Stuxnet targets only frequency drives from these two companies that are running at high speeds — between 807 Hz and 1210 Hz. Such high speeds are used only for select applications. Symantec is careful not to say definitively that Stuxnet was targeting a nuclear facility, but notes that “frequency converter drives that output over 600 Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment.”
“There’s only a limited number of circumstances where you would want something to spin that quickly – such as in uranium enrichment,” said O Murchu. “I imagine there are not too many countries outside of Iran that are using an Iranian device. I can’t imagine any facility in the U.S. using an Iranian device,” he added.
The malware appears to have begun infecting systems in January 2009. In July of that year, the secret-spilling site WikiLeaks posted an announcement saying that an anonymous source had disclosed that a “serious” nuclear incident had recently occurred at Natanz. Information published by the Federation of American Scientists in the United States indicates that something may indeed have occurred to Iran’s nuclear program.
Statistics from 2009 show that the number of enriched centrifuges operational in Iran mysteriously declined from about 4,700 to about 3,900 around the time the nuclear incident WikiLeaks mentioned would have occurred.
Researchers who have spent months reverse-engineering the Stuxnet code say its level of sophistication suggests that a well-resourced nation-state is behind the attack. It was initially speculated that Stuxnet could cause a real-world explosion at a plant, but Symantec’s latest report makes it appear that the code was designed for subtle sabotage. Additionally, the worm’s pinpoint targeting indicates the malware writers had a specific facility or facilities in mind for their attack, and have extensive knowledge of the system they were targeting.
The worm was publicly exposed after VirusBlokAda, an obscure Belarusian security company, found it on computers belonging to a customer in Iran — the country where the majority of the infections occurred. German researcher Ralph Langner was the first to suggest that the Bushehr nuclear power plant in Iran was the Stuxnet target. Frank Rieger, chief technology officer at Berlin security firm GSMK, believes it’s more likely that the target in Iran was a nuclear facility in Natanz. The Bushehr reactor is designed to develop non-weapons-grade atomic energy, while the Natanz facility, a centrifuge plant, is designed to enrich uranium and presents a greater risk for producing nuclear weapons. The new information released by Symantec last week supports this speculation.
As Symantec points out in its paper, frequency-converter drives are used to control the speed of another device – for example, a motor at a manufacturing facility or power plant. Increase the frequency, and the motor increases in speed.
In the case of Stuxnet, the malware is searching for a process module made by Profibus and Profinet International that is communicating with at least 33 frequency-converter drives made by either the Iranian firm or the Finnish firm. Stuxnet is very specific about what it does once it finds its target facility. If the number of drives from the Iranian firm exceeds the number from the Finnish firm, Stuxnet unleashes one sequence of events. If the Finnish drives outnumber the Iranian ones, a different sequence is initiated.
Once Stuxnet determines it has infected the targeted system or systems, it begins intercepting commands to the frequency drives, altering their operation. “Stuxnet changes the output frequency for short periods of time to 1410Hz and then to 2Hz and then to 1064Hz,” writes Symantec’s Eric Chien on the company’s blog. “Modification of the output frequency essentially sabotages the automation system from operating properly. Other parameter changes may also cause unexpected effects.”
“That’s another indicator that the amount of applications where this would be applicable are very limited,” O Murchu says. “You would need a process running continuously for more than a month for this code to be able to get the desired effect. Using nuclear enrichment as an example, the centrifuges need to spin at a precise speed for long periods of time in order to extract the pure uranium. If those centrifuges stop to spin at that high speed, then it can disrupt the process of isolating the heavier isotopes in those centrifuges … and the final grade of uranium you would get out would be a lower quality.”
O Murchu said that there is a long wait time between different stages of malicious processes initiated by the code — in some cases more than three weeks — indicating that the attackers were interested in sticking around undetected on the target system, rather than blowing something up in a manner that would attract notice.
“It wanted to lie there and wait and continuously change how a process worked over a long period of time to change the end results,” O Murchu said. Stuxnet was designed to hide itself from detection so that even if administrators at a targeted facility noticed that something in the facility’s process had changed, they wouldn’t be able to see Stuxnet on their system intercepting and altering commands. Or at least they wouldn’t have seen this, if information about Stuxnet hadn’t been released last July.
----------
A banker is a fellow who lends you his umbrella when the sun is shining, but wants it back the minute it begins to rain
|
Particenens
Posts: 9669
Incept: 2008-01-16
Peak Bund
|
China Telecom denies hijacking U.S. Web traffic
HONG KONG | Wed Nov 17, 2010 5:21am EST
HONG KONG (Reuters) - China Telecom denied on Wednesday that it had "hijacked" U.S. Internet traffic in April, after a U.S. congressional advisory group said the company had sent incorrect routing information.
The incident resulted in Internet traffic to major corporate websites and U.S. military and government sites being sent through China for 18 minutes, according to the report, a draft copy of which was obtained by Reuters.
"The spokesman of China Telecom Corporation Limited denied any hijack of internet traffic," the state-controlled company said in a brief statement emailed to Reuters.
A report from the U.S.-China Economic and Security Review Commission said the Web traffic, much of which originated in the United States and was directed toward U.S. corporate and government websites, should have travelled by the shortest available route, and not through China.
The incident was one of several discussed by the U.S.-China Economic and Security Review Commission. Some of the traffic was headed to sites owned by the U.S. Senate, the office of the Secretary of Defense, NASA and the Commerce Department, the draft said.
The commission said it was unclear whether the hijacking was intentional or whether any data was collected or stopped, or if the massive amount of data affected concealed a targeted attack.
The body which wrote the report was set up in 2000 to advise the U.S. Congress on the economic and national security implications of the U.S.-China relationship.
(Reporting by Doug Young; Editing by Daniel Magnowski)
http://tickerforum.org/cgi-ticker/akcs-w....
----------
A banker is a fellow who lends you his umbrella when the sun is shining, but wants it back the minute it begins to rain
|
Crossthread
Posts: 4619
Incept: 2007-09-04
Wilmington, NC
|
Red Tape (credit: MSNBC)
China Web hijacking shows Net at risk
The cyber cold war between China and the U.S. just got a little chillier. Twice this year, China demonstrated its ability to "substantially manipulate" the Internet, a congressional commission said in a report issued on Tuesday. In one incident, traffic headed to 15 percent of the world's websites was redirected through Chinese servers for about 20 minutes.
The high-level hijacking included bits and bytes headed for the U.S. Senate, the Army, the Navy, the Marine Corps, the Air Force, the secretary of defense, NASA, and other government offices, along with commercial entities like Dell, Yahoo, Microsoft, and IBM, the report said.
Chinese officials disputed the findings. But several technology firms said they charted the hijacking in April.
In a prior incident in March, the Chinese censorship firewall was temporarily extended to block some U.S. users from visiting websites like Twitter and YouTube, the report said.
"Computer security researchers observed both incidents but were not able to say conclusively whether the actions were intentional," concluded the report, by the U.S.-China Economic And Security Review Commission. "Nonetheless, each incident demonstrates a capability that could possibly be used for malicious purposes."
The Internet, we are frequently reminded, is a shockingly fragile creation. These incidents, both of which took advantage of well-known vulnerabilities, are a wake-up call for U.S. authorities, who need to insist on security upgrades to protect U.S. interests, said Dmitri Alperovitch, a security researcher with McAfee. His firm supplied the U.S. government with a list of 53,000 websites that were hijacked for 18 minutes on April 8.
"This is a troubling development. It could be innocuous, and China is claiming it's an accident, but this has a pretty wide-ranging set of implications," he said. "That traffic could be eavesdropped upon." The report comes near the end of a tumultuous year for China and the Internet. Beijing had a very public spat with Google early in the year, and the nation was ultimately accused of spying on Google employees. It was also accused of a sophisticated plot to use the Internet to spy on the Dalai Lama and other detractors.
The March incident involved a flaw in the way the Internet converts friendly website addresses -- like msnbc.com -- into their reference IP addresses – such as 128.206.11.1. The conversions occur through a system of networked computers called Domain Name Servers. A key tool in China's internal "Great Firewall" censorship tool is the rerouting of Web page requests through Domain Name Servers away from potentially subversive Web sites. Requests for some Web sites are simply dropped; others are redirected to China-friendly sites.
But domain name conversion tables, when handled incorrectly, can spread themselves upstream on the Internet. In March, some domain servers around the world were "poisoned" with China's censored list, causing some users in Chile and the United States to be blocked from social networking sites for about a day. The problem was readily fixed, and some researchers believe the cause might have been an honest mistake.
Bad 'route announcements'
But the April incident is far more mysterious, and consequently makes some security experts more nervous. It involved what are called "route announcements," which are made by telecom providers to the wider Internet. Servers can advertise that they offer the best route for Internet traffic headed to specific destinations, and like obedient bits and bytes, the traffic automatically follows -- even if the advertisements are incorrect. That means an e-mail sent from Congress to the White House could be tricked into traveling through China, if a server were configured that way.
That's what happened in April, according to the report. A massive amount of Web traffic worked its way around the world through Chinese-controlled computers. According to McAfee’s Alperovitch, only workers at China Telecom know why. But the most disturbing thing about the April incident, he said, is that almost no one noticed. China Telecom absorbed the traffic and redistributed it to its destinations without so much as an Internet blip.
While it's possible an honest mistake was to blame, it's easy to conjure up other possibilities.
"That they are able to take in that much traffic without breaking a sweat, I find that almost unimaginable," Alperovitch said. "The capacity built into their networks must be astonishing. ... Things worked miraculously." The report speculated that the mammoth data slurp might have been committed to obfuscate a more targeted Web attack. And an entity in possession of that much data might eventually be able to decrypt encrypted Web traffic -- in addition to the fishing expedition that a government agency could enjoy by simply searching all that data for valuable secrets.
"The spokesman of China Telecom Corp. Ltd. denied any hijack of Internet traffic," Chinese officials said in statement e-mailed Tuesday to the Reuters news service.
This is not the first time route announcements led to World Wide Web trouble. In 2008, Pakistani censorship efforts of YouTube went awry, leading to a temporary blackout of the video service. In 2004, Turkish servers accidentally told the world that all Web traffic should travel through its borders; widespread outages followed.
But this the first time such a large traffic rerouting was conducted without noticeable impact on Web traffic.
"The methods used during these activities are generally more sophisticated than techniques used in previous exploitations," the report concluded.
The Cold War was full of menacing military exercises and accidental airspace violations. A cyber cold war will naturally produce similar incidents. If there is a grey area between honest mistakes and outright cyber attack, these incidents probably fall right in the middle – if not a pre-planned testing of the waters, then certainly a happy accident with valuable results to be studied by would-be cyber-attackers. Don't expect a cyber cold war thawing any time soon.
----------
“Cognitive Co-Dependency” is when a normal rational person, internalizes irrational illogical presentations, and somehow reconciles them to fit their scripted indoctrination of logical analysis.Quote:Samuel L. Clemens:There is NO Native Criminal Class; EXCEPT for CONgress
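The "route announcements" the article describes are BGP prefix announcements, and the check that flags an AS originating address space it does not hold is route origin validation against a table of authorisations (the ROAs of RPKI, with the Valid, Invalid and NotFound outcomes RFC 6811 defines). The block below is an added example implementing that check over a constructed ROA table and constructed update lines; it is not from the article, the commission report or any router vendor. The "PREFIX ... PATH ..." line format is the example's own, and the AS numbers are all from the private range.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed ROA table: (prefix, maxLength, authorised origin AS). Not real RPKI data.
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),   # holder may announce down to /24, not beyond
    ("2001:db8::/32", 48, 64502),
]


def validate_origin(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811 route origin validation.
    valid:    some covering ROA names this origin and the prefix is within maxLength
    invalid:  ROAs cover the prefix but none authorise this (origin, length)
    notfound: no ROA covers the prefix at all"""
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"


def parse_update(line: str) -> Tuple[str, List[int]]:
    """Parse one constructed 'PREFIX <p> PATH <as> ... <as>' line into (prefix, as_path)."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "PREFIX" or fields[2] != "PATH":
        raise ValueError(f"unparseable update: {line!r}")
    return fields[1], [int(asn) for asn in fields[3:]]


def audit(lines: Iterable[str], roas=ROAS) -> List[Tuple[str, int, str]]:
    """Classify each announcement; the origin is the rightmost AS in the path."""
    results = []
    for line in lines:
        prefix, path = parse_update(line)
        origin = path[-1]
        results.append((prefix, origin, validate_origin(prefix, origin, roas)))
    return results


def suspects(results: List[Tuple[str, int, str]]) -> List[Tuple[str, int]]:
    """The (prefix, origin) pairs an operator should drop or at least deprefer."""
    return [(prefix, origin) for prefix, origin, state in results if state == "invalid"]


# Constructed announcements covering the cases that matter.
SAMPLE_UPDATES = [
    "PREFIX 192.0.2.0/24 PATH 64510 64520 64500",   # legitimate origin
    "PREFIX 192.0.2.0/24 PATH 64510 64599",         # origin hijack: 64599 holds nothing here
    "PREFIX 198.51.100.0/24 PATH 64510 64501",      # more specific within maxLength
    "PREFIX 198.51.100.0/25 PATH 64510 64501",      # /25 exceeds maxLength: invalid even from 64501
    "PREFIX 203.0.113.0/24 PATH 64510 64599",       # nothing covers it: notfound
    "PREFIX 2001:db8:1::/48 PATH 64510 64502",      # IPv6, within maxLength
]

if __name__ == "__main__":
    for prefix, origin, state in audit(SAMPLE_UPDATES):
        print(f"{state:8} {prefix:20} origin AS{origin}")
```

The /25 case shows why the table carries a maxLength: a more specific announcement wins in the routing table regardless of who originates it, so a ROA that only named the origin would still let a forged more specific through. Origin validation does not catch an attacker who appends the legitimate origin AS to a forged path, and accepting a route says nothing about where the packets physically travel afterwards; it is the floor of route security, not the ceiling.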
|
3250fps
Posts: 32
Incept: 2009-09-16
|
Quote: 3250: I find it amusing that you're asking if I'm going to expend 5x or more the CPU cycles I now expend to run the forum (which is about what SSL support would cost) when you have not donated anything to the system.
Short answer: No.
Things have changed. Quote: http://www.imperialviolet.org/2010/06/25....
If there's one point that we want to communicate to the world, it's that SSL/TLS is not computationally expensive any more. Ten years ago it might have been true, but it's just not the case any more. You too can afford to enable HTTPS for your users.
In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.
If you stop reading now you only need to remember one thing: SSL/TLS is not computationally expensive any more.
Here's a donation: SSL Certs are free at startssl.com. That ought to save you a few bucks a year.
|