Defensive Security Podcast Episode 4

Happy New Year!

In this week’s podcast, I cover a Business Week article about the alleged Chinese hacking of Solid Oak, which followed a lawsuit over China’s improper use of Solid Oak’s software, CYBERsitter.

First, a bit of news.  Unless you’re still recovering from an egg-nog hangover, you’ve probably heard about the Internet Explorer zero day exploit. Note that it doesn’t impact the latest versions of IE, only 6, 7 and 8.

This is interesting because it shows a great example of a “watering hole” attack.  The Council on Foreign Relations website was compromised and an exploit of the vulnerability was added.  This basically enables an attacker to attack a certain profile of person or entity.  Not everyone visits the CFR website – one can imagine the types of people that do, however.  And the CFR was not the only one.  A turbine manufacturer’s site was also compromised.  Again, it should seem obvious why someone would want to target visitors to that site.

Last word on this – Microsoft issued a “FixIt” to address the weakness, but then attackers demonstrated that even the fixed version is still vulnerable.  A Metasploit module to take advantage of the vulnerability has been out for a few days now, so we can expect to hear many more horror stories in the coming days.

What’s the lesson to be learned here?

Even if you are not surfing sites of ill repute, even if you are running AV, the Internet is a dangerous place.  Update your browsers, kids.

Also take a long, hard look at EMET.


The second bit of news is about the Turkish certificate authority Turktrust issuing an improper certificate which allowed phishers to spoof Google. There’s nothing magical about this situation, but I like to take every opportunity I can to highlight how utterly broken the concept of trust is with respect to certificate authorities.  This issue surfaced because Google has a somewhat unique ability to detect fraudulent certificates using its install base of Chrome browsers – almost any other organization would be unaware that someone was spoofing them with a legitimate-appearing certificate.

This reminds me of the great CA debacle a few years back – “how do we determine how trustworthy our certificate authority is” was the question I heard.  But it’s the wrong question to ask.  Unless you’re Google, “trust” in certificates is only as strong as the weakest link in the chain of certificate authority trust – a network that spans many organizations across the globe, some of whom get hacked or issue the wrong kinds of certificates by mistake.
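To make the Chrome point concrete, here is a small added example (mine, not from the episode or from Google’s code) of what a pinning check looks like: after the normal chain validation has passed, the client also requires the presented certificate to match one of a small set of fingerprints it already knows for that host, and reports any chain-valid certificate that doesn’t. The certificate bytes and host names below are constructed placeholders; the pins hash the whole DER certificate for simplicity, whereas real deployments usually hash the public key so the cert can be re-issued without breaking the pin.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded leaf certificates (not real certificates).
# A real client gets these bytes from ssl.SSLSocket.getpeercert(binary_form=True)
# after the usual chain validation has already succeeded.
GENUINE_CERT_DER = b"constructed: leaf cert issued by the site's own CA"
BACKUP_CERT_DER = b"constructed: pre-generated backup leaf cert"
MISISSUED_CERT_DER = b"constructed: leaf cert for the same name, issued by an unrelated CA"


def fingerprint(der):
    """Pin value: base64(SHA-256(DER certificate))."""
    return base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


# Pin store keyed by hostname (hypothetical host). Two pins, current plus backup,
# so a planned key rotation does not lock clients out.
PINS = {
    "www.example.com": {fingerprint(GENUINE_CERT_DER), fingerprint(BACKUP_CERT_DER)},
}


class PinMismatch(Exception):
    """A chain-valid certificate that matches none of the configured pins."""


def verify_pin(host, der, pins=PINS, report=None):
    """Return 'unpinned' when the host has no pins (chain validation alone decides),
    'ok' when the presented certificate matches a pin; otherwise hand the evidence
    to report() and raise PinMismatch so the connection is refused."""
    expected = pins.get(host)
    if expected is None:
        return "unpinned"
    seen = fingerprint(der)
    if seen in expected:
        return "ok"
    if report is not None:
        # This is the telemetry that lets the site owner learn about a mis-issued cert.
        report({"host": host, "fingerprint": seen, "reason": "chain valid but not pinned"})
    raise PinMismatch(f"{host}: certificate {seen[:12]}... is not among the pinned certificates")


if __name__ == "__main__":
    alerts = []
    print(verify_pin("www.example.com", GENUINE_CERT_DER, report=alerts.append))
    try:
        verify_pin("www.example.com", MISISSUED_CERT_DER, report=alerts.append)
    except PinMismatch as exc:
        print("blocked:", exc)
    print("alerts collected:", alerts)
```

The interesting part is the `report` callback: a pin mismatch is exactly the signal Google sees from its Chrome users, and it is a signal an ordinary organization without its own client base simply never receives.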

Back to the main story – Solid Oak.

Solid Oak is the maker of CYBERsitter, which was apparently gratuitously copied by a Chinese company and distributed in China.

This seems to be another example of “We’re utterly defenseless against the great Chinese APT!”

Assuming details in the article are accurate, what happened?

  • Solid Oak employees phished with malware.
  • Attackers took control of workstations and apparently activated webcams
  • Attackers were copying lists of passwords/key and uploading malware
  • Attackers toyed with web servers, email servers and firewalls
  • Attackers impacted the order-taking ability of Solid Oak’s web site, its primary source of revenue
  • Attackers were stealing documents and listening in on conversations, causing paranoia
  • The attacker likely used common tactics to steal domain credentials once the initial trojan was planted on the workstation, enabling attacks on the mail and web servers and the planting of malware on other workstations on the network.  No indication is given that Active Directory was in use, but I make that inference.
  • Key loggers were likely used to capture user IDs and passwords as Mr. Milburn logged into the firewall’s administrative interface, which enabled the attacker to cause damage which “stumped” the manufacturer.

Key quote in the article:

From a hacker’s point of view, everything Milburn experienced is technically “pretty elementary,” says Nicholas Percoco.

What can we learn?

  • This entire attack likely all transpired due to the initial malware intrusion
    • People are the weakest link – the poor performance of AV on previously unseen malware samples is well known.
    • Attackers, particularly those intent on targeting a victim, are going to ensure that their malware sample is not detectable prior to the attack – otherwise they will tinker with it until it is.
    • We rely on people to recognize and avoid phishing attacks, but that is becoming increasingly difficult and is not a reliable control.
  • Do not use email/web browsers on systems that are used to perform administrative functions on key systems and applications.
    • Using compromised workstations to gain access to secured systems is becoming a common tactic among attackers – RSA, South Carolina, etc.
    • There is no magic technology bullet that makes this safe.
  • Do not allow the use of administrative IDs for normal work
  • Don’t continue to use systems that are suspected of being compromised
  • When a system has been compromised, the only reliable recourse is a system rebuild
  • Suspect systems need to be isolated from the network
  • When an Active Directory managed network becomes compromised, recovery can be very complicated
  • Take this stuff seriously
    • Advanced attackers don’t have magic pixie dust that nothing can be done to defend against
    • Look holistically at the situation and take appropriate steps – i.e.:
      • I’ve pissed off some unscrupulous foreign entities
      • My employees are getting strange phishing emails
      • My workstation web cams are being turned on/my people are being monitored
      • My email server keeps being shut off
      • My web app to accept orders is only working 1% of the time
  • It’s a bad time to start learning about information security while an active attack is happening.
    • Bring in some professional help to mitigate the damage, particularly when you are losing money due to the attack.

What are some practical defenses that might have helped stop this attack?

  1. Segregate “administrative” functions and “normal business” functions onto different workstations
    a. Do not permit administrators to operate with administrative rights (in an Active Directory setting) while performing normal activities
    b. Restrict domain admin and server administrator functions to certain workstations, which are only used for administrative purposes
      1. Do not permit web browsing/email use on these systems
    c. A & B can be accomplished using workstation virtualization using a tool like VirtualBox, or with a multi-boot partition configuration
  2. Use application whitelisting on workstations and servers
  3. Properly isolate servers from workstations, even on small networks
  4. Implement strict egress network filtering
  5. Proxy workstation connections (i.e., do not allow open connections to the Internet)
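Defenses 1, 4 and 5 above are also easy to audit after the fact. Here is an added example (mine, not from the episode) that runs two of those policies over constructed logon and connection events: an administrative ID being used from anything other than a designated admin workstation, and a desktop talking to the Internet directly instead of through the proxy. The account names, host names, addresses and the simple key=value event format are all made up for the example; a real deployment would feed it from Windows security logs and firewall or flow logs.

```python
import ipaddress

# Policy (constructed values for this example, not Solid Oak's environment).
ADMIN_ACCOUNTS = {"CORP\\fwadmin", "CORP\\svc-backup"}        # hypothetical privileged IDs
ADMIN_WORKSTATIONS = {"ADMIN-WS01"}                          # the only hosts allowed to use them
WORKSTATION_NET = ipaddress.ip_network("10.0.1.0/24")       # where ordinary desktops live
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")           # everything inside the perimeter
PROXY = ipaddress.ip_address("10.0.0.5")                     # the only sanctioned path out

# Constructed sample events, one per line, in a simplified "key=value" format.
SAMPLE_EVENTS = [
    "type=logon user=CORP\\jsmith src=WS-SALES03 dst=WS-SALES03 logon_type=2",   # normal user, fine
    "type=logon user=CORP\\fwadmin src=ADMIN-WS01 dst=FW01 logon_type=10",       # admin ID from admin box, fine
    "type=logon user=CORP\\fwadmin src=WS-SALES03 dst=MAIL01 logon_type=3",      # admin ID from a desktop: finding
    "type=conn src=10.0.1.23 dst=10.0.0.5 dport=3128",                           # desktop -> proxy, fine
    "type=conn src=10.0.1.23 dst=203.0.113.9 dport=443",                         # desktop -> Internet direct: finding
    "type=conn src=10.0.0.20 dst=198.51.100.7 dport=25",                         # a server, not covered by this rule
]


def parse(line):
    """Turn 'key=value key=value ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def check_logon(ev):
    """Defense 1: privileged IDs may only be used from dedicated admin workstations."""
    if ev["user"] in ADMIN_ACCOUNTS and ev["src"] not in ADMIN_WORKSTATIONS:
        return {"rule": "admin-id-outside-admin-ws", "user": ev["user"],
                "src": ev["src"], "dst": ev["dst"]}
    return None


def check_conn(ev):
    """Defenses 4 and 5: desktops reach the Internet only via the proxy, never directly."""
    src = ipaddress.ip_address(ev["src"])
    dst = ipaddress.ip_address(ev["dst"])
    if src in WORKSTATION_NET and dst not in INTERNAL_NET and dst != PROXY:
        return {"rule": "direct-egress", "src": ev["src"], "dst": ev["dst"], "dport": ev["dport"]}
    return None


CHECKS = {"logon": check_logon, "conn": check_conn}


def audit(lines):
    """Return the list of policy findings for a batch of event lines."""
    findings = []
    for line in lines:
        ev = parse(line)
        check = CHECKS.get(ev.get("type"))
        if check is None:
            continue
        finding = check(ev)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(f)
```

Note what the third logon line represents: the admin credential showing up on an ordinary desktop is precisely the step in the Solid Oak story where a phished workstation turns into control of the mail server and firewall, so it is the event worth alerting on rather than merely logging.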

I have the benefit of hindsight and experience with handling lots of security incidents as I write this.  I’m not throwing rocks at Solid Oak, or Mr. Milburn.  This is a learning experience for everyone.
