Even Einstein Can’t Track Google’s “Script Kiddie” Hackers

Tuesday, March 09, 2010

Cross-Posted from: http://www.theaeonsolution.com/security/?p=290

If you choose to believe the writings of Mandiant[1], you’re under the impression that “Chinese hackers are hellbent on taking over every large corporation in the United States.” If you choose to follow the writings of McAfee[2], you’re under the impression that “Chinese hackers only wanted Google’s secret sauce” – their source code. If you choose to follow Damballa’s writings[3], the attackers who penetrated Google are amateur script kiddies. Take your pick; there is no lack of speculation.

News surrounding the attacks at Google and other companies is a dime a dozen and, while we have not seen any evidence publicly disclosed, we too can speculate along with everyone else. My first thoughts on the news of the attack led me to believe that the compromise may have been an inside job. The notion that Google was compromised via “spearphishing” [4] makes little sense. The theory that IE6 [5] was the attack vector makes even less sense. What we do know is that this entire Google fiasco is a learning experience that many will learn little from.

I have touched on “defending the castle” before [6], and I have received a few emails expressing gripes about corporations *NOT* being able to defend against these attacks. Whenever I receive emails or read articles explaining the difficulties, even impossibilities, of “defending” the castle, I anticipate another news article about another high-level compromise. As a security professional, my initial reaction is: “if I managed that security group, they’d all be on unemployment.” At least I can sleep better nowadays: after all, I do have Big Brother [7], and I have just found out that Big Brother has Einstein 3.


Yes, my fellow readers, Einstein 3 will solve the country’s security woes in one fell swoop. Both the National Security Agency and the Department of Homeland Security will now monitor my network for me and “halt the hackers.” They will halt the hackers by “attempting to thwart in-progress cyberattacks by sharing information with the National Security Agency.” By sharing the information during an ongoing attack, the NSA will be able to analyze millions of attacks and respond in seconds!

Sometimes I wonder who in government comes up with some of these plans. For starters, government (and especially the NSA!) has been *accused* [8] of economic espionage via use of the ECHELON network, so I would be really skeptical about allowing them “unfettered” access to my data. Since 2001, our European counterparts don’t even trust the United States’ capabilities[9], so I would be really cautious, especially if I had business with a competitor of an NSA contractor. Aside from the economic concerns, there are also privacy concerns[10]. Now imagine the politics involved if the United States launches Einstein 3.

What I wonder from the 50,000-foot view is: what does the NSA, or even the DHS, propose to do in the event they DO see a “real life hack” taking place? The biggest problem they will face is cross-jurisdiction issues. The Global Justice XML Data Model[11] (GJXDM) might work on an interstate level, but I’m willing to bet that countries like Russia, China, North Korea and countless others couldn’t care less about “real time hacker tracking.” For starters, it would be an endless money loser for American taxpayers.

Let’s have a realistic look at just a normal attack (forget about a more structured, high-level attack). In most attacks, hackers compromise one system in order to compromise another, in order to compromise yet another. Imagine that there is a hacker sitting in one of the hundreds of thousands of Internet cafes somewhere in China. Determined to compromise a company in the United States, he begins his attack on Monday March 08th 2010, 09:00 in China. He compromises a machine in South Korea to perform the recon, another in Germany to store the gathered information, and yet another in Russia to analyze the data. Altogether, his program takes a day to piece together bits and pieces of data. Let’s say that he took 72 hours to perform the recon, and that he obtained what he needed. He then visits another Internet cafe, where he compromises three other machines using the information he obtained, and he successfully infiltrates his target.

While a compromise rarely plays out this neatly unless there is a Hollywood director involved, even at the onset of the attack what could the NSA realistically do? Contact their Russian, German and Chinese counterparts? How do they propose to cross-analyze all that data in such a short amount of time? Analyze the data, then have countries agree to issue warrants AND thwart an attacker? What happens if the attacker is using encrypted tunnels? How does the NSA propose to realistically view the data? We can move to the conspiratorial point of view that “the NSA has backdoored crypto,” but that would be absurd in the sense that the overhead of “tapping the entire Internet” AND “decrypting everything that has been tapped” would mean that the NSA would likely have to use the entire state of Alaska as a data center. There would be too much information involved. Too much information and, by the time they could realistically act on it, the Chinese hacker would have left the Internet cafe already. What would the NSA have accomplished? And at what cost? Surely going through the process of tracking or even trying to thwart one hacker could cost hundreds of thousands, and just as surely our deficit would triple with this braindead plan (Einstein 3).

Aside from this little money-draining caveat, how would the NSA or the DHS propose to understand the structure of data across ALL businesses in order to determine what is a valid attack and what isn’t? I can imagine the emails I would receive from fellow pentesters who were performing legitimate red team exercises!

[1] http://www.wired.com/threatlevel/2010/02/apt-hacks/
[2] http://www.reuters.com/article/idUSN0325873820100303?type=marketsNews
[3] http://www.itbusinessedge.com/cm/community/news/sec/blog/damballa-google-attacks-perpetrated-by-amateurs/?cs=39800
[4] http://www.michaelsinsight.com/2010/01/hackers-used-spearphishing-in-google-attack.html
[5] http://blog.seattlepi.com/microsoft/archives/195378.asp
[6] http://www.theaeonsolution.com/security/?p=278
[7] http://news.cnet.com/8301-13578_3-10463665-38.html?tag=rtcol
[8] http://en.wikipedia.org/wiki/Echelon_%28signals_intelligence%29#Controversy
[9] http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A5-2001-0264+0+DOC+PDF+V0//EN&language=EN
[10] http://abcnews.go.com/Blotter/story?id=5987804&page=1
[11] http://it.ojp.gov/jxdm/

Ted LeRoy: Well-structured article. Thanks for including your references.

"I would be really skeptical about allowing them 'unfettered' access to my data."

My bet is the NSA already has such access, at least to any data that crosses national boundaries. Who knows the extent of DHS' powers?

Steven Wolford: Working in an environment that includes Einstein 1 and 2, all I can say is that we really shouldn't feel any safer.

Einstein is a pretty good netflow collector, but as any infosec / IA practitioner knows, network security is only a sub-domain of the overall IA world.

Roman Zeltser: Since every microprocessor has thousands of open ports that need to be plugged and multiple applications that have more security holes than a sieve (to draw water with a sieve), expect hackers to be on top. Only revolutionary new hardware and applications can make a difference; until then...

Mister Reiner: Great article.

It's unfortunate that lawmakers don't know enough about computer security to ask these types of questions. They'll learn the truth soon enough.