Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
China Businesses Government Security United States

Despite Promises, China Still Targeting US Firms (crowdstrike.com) 125

itwbennett writes: Three weeks after the U.S. and China reached their first ever cybercrime and cyberespionage agreement, a new report from CrowdStrike details intrusions from hackers affiliated with the Chinese government, indicating they almost immediately broke their word. In a blog post, CrowdStrike's Dmitri Alperovich said the first observed intrusion was detected on September 26 – one day after President Obama hosted President Xi Jinping of China for a state visit.
This discussion has been archived. No new comments can be posted.

Despite Promises, China Still Targeting US Firms

Comments Filter:
  • While I don't view my personal website as being valuable to anyone, my server does get hit by a lot of script kiddie type attacks that are coming from Chinese IP addresses. It seems that these "hackers" (who always fail as the overwhelming majority of them do tens of thousands of attempts to ssh in as root) are just hitting my server by IP address without concern for its function (beyond running ssh [yeah, I know there are things I can do to prevent or slow down their attempts but I don't want to]). It wo
    • by gstoddart ( 321705 ) on Monday October 19, 2015 @12:24PM (#50759623) Homepage

      I think the more likely answer it pretty much anything facing the internet should probably expect to be under fairly constant attack, from lots of different sources, none of which knows what you are.

      Years ago it was true that if you took a brand new Windows machine, put it on the internet, it would probably be hacked within 30 minutes. I very much doubt that has changed for the better.

      I suspect a lot of this stuff is just purely automated at this point.

      The internet isn't really a safe place. You should pretty much assume that someone on the internet is actively trying to hack into machines. In fact, you should probably assume a lot of someones are.

      I suspect they don't know or care the function of your machine. It's just a blanket "attack everything and see what happens".

      • I suspect they don't know or care the function of your machine. It's just a blanket "attack everything and see what happens".

        I whole-heartedly agree - and apparently did not express that adequately. I don't expect that they give a shit what my server is doing, they just know that ssh is open so they try to get in. Frankly I think of the hackers as being like The Joker's line from The Dark Knight:

        if they caught a car, they wouldn't know what to do with it!

        So really what I'm wondering is, given a list of X different Chinese IP addresses that tried (and failed) to get in to my web server, can I tell if any of them are from the Chinese government? Obviously a WHOIS will give me some info

        • by thoromyr ( 673646 ) on Monday October 19, 2015 @01:59PM (#50760421)

          The short answer is no.

          The longer answer is that an IP address alone tells you almost nothing. For example, any competent agent for the NSA is going to use a compromised system in the EU, Russia or China when attacking Chinese targets. Equally, any competent state-sponsored actor in China is going to use a compromised system in the EU, Russia or the US when attacking US targets.

          And the remote IP is not necessarily even compromised. Maybe not so much for Chinese IP addresses, but what the bad guys like for the US IP address space are university virtual private networks. Get the password for an account at an EDU then (bounced through a compromised system) connect to that, *then* attack. Some of them will bounce through multiple EDU VPNs.

          Another example is the javascript malware that you get to a browser via: injection from privileged position on the network (e.g., NSA), compromised server, advertising, or any other method. The javascript runs in the browser and does its thing. The user's system is effectively compromised and part of a botnet, but closing the brower "cleans" it. There's no requirement to have anything on the file system making antivirus as helpful as some hand sanitizer.

          If you have a remote IP address all that you can really say is that packets were routed to you with that as the identified source (in some attacks they don't even have to come from that IP address at all). Who was at the computer? Who was responsible for the packets? That takes a lot more than an IP address to determine.

          • You make a valid point with

            If you have a remote IP address all that you can really say is that packets were routed to you with that as the identified source (in some attacks they don't even have to come from that IP address at all). Who was at the computer? Who was responsible for the packets? That takes a lot more than an IP address to determine.

            As indeed the IP address that the attack is coming from could be in any of a variety of different states of use or misuse.

            I will say though that much of the rest of what you said is assuming a certain degree of competence. I will argue that the behaviors I am seeing in my logs - thousands of failed ssh attempts as root in a 24 hour period from one address - negate any claims of competence. One would expect that "government" hackers would be more competent, but then again t

        • I have done a couple of traces on hacked systems, so I have some experience with this.

          One system, they got in through a monitoring application that someone had installed with a default password, they then loaded up a copy of their intrusion software and used the company's high speed connection to search for other exploitable systems.

          Another system I worked on, they exploited a FTP server, and started loading the server up with movies that I suppose they were sharing out. They overdid it and crashed the ser

      • Years ago it was true that if you took a brand new Windows machine, put it on the internet, it would probably be hacked within 30 minutes. I very much doubt that has changed for the better.

        It's generally less than 10 minutes [sans.edu].

        • by KGIII ( 973947 )

          Those appear to be probes, not entirely successful. While an interesting number and nice to have, I'm not sure how well it can be extrapolated to mean infection/invasion. Another surprise was how the Unix attacks looked very similar. I'm assuming they're counting Linux in with Unix. I'd have expected the probes to be even sooner than Windows because, honestly, Unix systems are where the good stuff usually is - considering their prevalence in data centers.

          If I were evil and wanting to 'hack' a system then I'

          • Anyhow, I hate to give Windows any credit but they're much harder to exploit - even unpatched and new installs online, without the user doing something stupid, than they used to be.

            Yes. Remember the days of Nimda and Code Red? Windows was an open door, inviting the world to enter.
            Now if you want that kind of welcome mat, you need to look at the IoT.

          • I'd want stuff in data centers and in business servers.

            Sometimes the best way in to a server is by hijacking one of the desktop clients that are probably left turned on all night.

      • I suspect they don't know or care the function of your machine. It's just a blanket "attack everything and see what happens".

        That's what it looks like in my logs, too. When I was running an open http port I would see not targeted attacks, but what looked like scripts looking for an insecure/misconfigured server.

        I found it amusing that since switching to https with self-signed certificates, the number of attacks dropped to zero. Even hackers won't accept my certificate :/

    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday October 19, 2015 @01:07PM (#50759975)

      Quick advice: move the port to some random (RANDOM!!!) port above 1024.

      It won't help your security but it will stop you log from filling up with notifications.

      I see "attacks" from addresses in almost every nation. It isn't that I'm under constant attack. It isn't that I'm particularly valuable.

      It's that it is easily scripted.

      • I don't believe my system to be valuable. I wholeheartedly agree that my system is being attacked just because some script kiddie is pointing his script at a large range of IP addresses, and mine happens to be in there.

        FWIW, just this morning I was attacked by address 117.27.152.55 which belongs to the ISP "Chinanet" (according to WHOIS). According to wikipedia, Chinanet is state-owned, so if we were to get conspiracy-ish I could postulate that this could be government-connected and not just some rand
        • by khasim ( 1285 )

          Check you logs. Were you "attacked" by any IP's in the USofA? Or Europe?

          Just because an "attack" is coming from an ISP owned by someone does not mean that that someone is connected to the attack.

          Any minimally competent attacker would have bounced the attack through at least 2 other cracked systems outside of his/her home or government or whatever.

          Or, to clarify that, a competent Chinese attacker would connect to a machine in France that would connect to a machine in California that would run the script that

          • When speaking of China why does everyone go down this rabbit hole? Does anyone remember the Great firewall of china? Do you really think they block blogs etc but let all potential hacking attempts right on through?

            If they do let all attempts through then they are approving it. That would make it at least state acknowledged if not state sponsored.

            • by khasim ( 1285 )

              Do you really think they block blogs etc but let all potential hacking attempts right on through?

              Yes. Because to block everything else would be unmanageable.

              Blocking certain sites is feasible AND won't ruin their attempts at international commerce.

              Blocking ALL sites (except for approved sites) is feasible BUT it would ruin their attempts at international commerce. And require an army of sysadmins. And fail anyway.

              If they do let all attempts through then they are approving it. That would make it at least sta

    • by waspleg ( 316038 )

      I have a CentOS server that I use for nothing but sshd (on a non-standard port, not for security but because it's one that isn't filtered at work) and squid for unfiltered web browsing at work and I have multiple attacks every day, currently:

      Oct 18 20:17:41 echo sshd[22226]: Bad protocol version identification '\026\003\001' from 74.82.47.3
      Oct 19 03:12:05 echo sshd[23298]: Bad protocol version identification '\026\003\001' from 54.149.243.130
      Oct 19 06:33:30 echo sshd[26619]: Bad protocol version identificat

    • Years ago(10+) when I was running my site from home I would check the logs daily and see similar to what you describe.
      Sure, there were loads of crap ssh attacks from all over the world, but the vast majority were from Chinese and Eastern European ip block ranges.

      I blocked whole ranges of ip's(Chinese and Eastern European).

      I think the moral of the story, which I can't believe still isn't the reality we live in, is that everything will have only whitelists.
      However, have fun whitelisting Office 365 [office.com]
      • Whitelisting... It's the reason I still use Hotmail. Nobody else offers it. And Office 2007 still works, even in Win10, no connection needed at all.

  • Ahh baby, (Score:4, Funny)

    by burtosis ( 1124179 ) on Monday October 19, 2015 @12:17PM (#50759559)
    That's just what we call pillow talk.
  • by Jawnn ( 445279 ) on Monday October 19, 2015 @12:20PM (#50759585)
    Is anyone surprised by this? Even a little bit? I don't know what it is about the Chinese, but they seem to think that if one repeats one's denials enough, the plainly observable truth will just go away. How else would you explain their straight-faced, utterly disingenuous denials?
    • by imgod2u ( 812837 ) on Monday October 19, 2015 @12:24PM (#50759615) Homepage

      If you've ever read Mao's Little Red Book, that's one of the key devices used in it. The thing basically repeats the same philosophy over and over. It's funny because when you read the sentiments on page 1, it sounds fairly ridiculous. By the time you reach page 30, however, it starts to sound more plausible.

      Human psychology is interesting that way.

      • Did he develop it independently from Islam?

    • Re: (Score:3, Insightful)

      How else would you explain their straight-faced, utterly disingenuous denials?

      The same way you explain the straight-faced denials by America, until the Snowden leaks exposed them as utterly disingenuous.

      • by harvey the nerd ( 582806 ) on Monday October 19, 2015 @01:54PM (#50760387)
        Mainland China takes obnoxious, cheating and invasive nonsense to a whole new level, whatever the sins of the US. Just like the island building in the So China sea, grabbing coastal waters from nations a 1000 miles away.
        • As opposed to building infrastructure and making deals with other countries to intercept internet traffic?

          China may be stealing land from it's neighbours, the USA on the other hand is stealing the privacy of people and via treaties the laws that protect people all over the world. Team America the world police are every bit the authority-overreaching bullies that their local department equivalents are.

          Fuck China, AND Fuck the USA.

      • too bad I've already posted or I'd've modded you up

    • Is anyone surprised by this? Even a little bit? I don't know what it is about the Chinese, but they seem to think that if one repeats one's denials enough, the plainly observable truth will just go away. How else would you explain their straight-faced, utterly disingenuous denials?

      Based on comments by a few in the original discussion of this topic, the answer seems to be...yes.

      http://news.slashdot.org/story... [slashdot.org]

    • by dfn5 ( 524972 )

      I don't know what it is about the Chinese, but they seem to think that if one repeats one's denials enough...

      Yes, because the US government clearly does not do this.

      • by Jawnn ( 445279 )

        I don't know what it is about the Chinese, but they seem to think that if one repeats one's denials enough...

        Yes, because the US government clearly does not do this.

        No, not like that. Even when presented with clear, incontrovertible evidence, the Chinese will still insist that water is not wet. That's the part I don't get; how they expect anyone to take them the least bit seriously.

    • by AmiMoJo ( 196126 )

      Do you really think that the US ever stopped either? Of course not, spying went on interrupted from both sides.

      • by tnk1 ( 899206 )

        Fair enough, but I don't think the piece was written to inform about the balance or blame of the hacking. Instead, it was to inform the unaware that the agreement wasn't worth the paper it was written on.

        An actual Chinese crackdown on hackers (which they could easily do) would have a real effect. So people will want to know if China was serious for reasons other than just trying to prove that they are nefarious or better/worse than the US.

        • Fair enough, but I don't think the piece was written to inform about the balance or blame of the hacking. Instead, it was to inform the unaware that the agreement wasn't worth the paper it was written on.

          Many international agreements are that way, as are many high-profile acts of congress in the US.

          This particular one was a "Joint Statement" that they intend to be nicer in the future. These are usually called resolutions, much like your resolution to lose ten or twenty pounds that you make every year at your new year's party. Politicians resolve that the nations will place nice together but there are no specifics and they have no consequences if the resolutions are broken. The politicians create and sign t

    • There's no way Chinese government could control all script kiddies on their territory and make them stop. I don't see any lie on part of Chinese here, US just made a really dumb and nonsensical request to them and they agreed because it's dangerous to argue with a madman.
  • The only way they will stop is if you publicly humiliate them inside China or at a major event.

    Everything else won't work.

  • Well, if they promised, then it should have stopped by now, right?

    I mean, after all, they promised, and everybody knows that's binding.

    Or, alternatively, the shit nations tell one another is pretty much meaningless lip service, and China doesn't give a crap what anybody else things.

  • It's not hard to imagine that there are disagreements and rogue elements within China, even within China's government. There certainly are contradicting practices and policies within the United States! Out of one side of our mouth, we say "torture is horrible and should be banned," while out of the other, we refuse to agree to the Geneva conventions on torture. Why wouldn't we expect China to have similar in-fighting and disagreements? To what extent is this hacking endorsed by their government?

  • Obama is negotiating with North Korea. Any guesses on how that will work out?
  • One of the reasons of some may attacks "from China" is that they have of the largest network of "pirate", not maintained, old XPs...the rest is just political talk. Look, a flying commie that eats baby just went by!
  • Water is wet.

  • by Anonymous Coward

    Quick show of hands. How may people are using a VPN from a different country so they can access Netflix over seas? Uh huh.

    If Netflix can't determine the country of origin of a bunch of brainless media consumers, why is everyone so ready to believe that professional hackers can't hide their point of origin an pin it on China? Seams like that would be a no brainer for anyone wanting to cover their tracks.

    Or maybe it's just a bunch of Chinese script kiddies having fun with no government involvement at all.

  • Shame them (Score:5, Interesting)

    by ThatsNotPudding ( 1045640 ) on Monday October 19, 2015 @12:51PM (#50759867)
    Daily State Department press briefings with verifiable evidence of the actions, with the same basic script every time: "Given that our Chinese friends have pledged not be engaging in nor benefitting from such actions, one can only conclude they have lost control of their internal domestic networks."

    The Chinese government would hate nothing more than being publicly accused of not having iron control, to the point of possibly even shutting the hacking down for real.
  • there are only two kinds of organizations in the world: those that know they've been hacked, and those that don't know it yet.
  • by Anonymous Coward
    FUCK CHINA!
  • by Anonymous Coward

    The government can't protect us or itself from security threats from China by agreement. Only a bunch of incompetent 'security experts' would even suggest it. These people are playing games trying to be important when they know little to nothing about real security. The only way we can even begin to secure out systems is by reducing the bloat to something manageable for which we can actually audit (and I don't mean the type of audit that was done on Truecrypt- but a real audit) and designing better KISS har

  • Insert free advert for CrowdStrike Falcon

    How is this CrowdStrike Falcon immune from hack attacks?

    Why aren't these 'Chinese' hackers bouncing their attacks of servers in another country?

    This 'Chinese' hacker bogeyman is becoming tedious.

    Most people here don't get their tech info from watching CSI: Cyber.
  • Perhaps all countries do this like they do with spies. As written in Mad Magazine decades ago, "When we want to know more about another countries activities, we employ intelligence agents. When another country does the same to us, we accuse them of using spies."
  • by TaleSpinner ( 96034 ) on Monday October 19, 2015 @06:54PM (#50762431)

    Obama is a hopeless wimp and a god-awful "negotiator," and we've no more reason to suppose China will live up to bargains with him than Russia or Iran will. They are laughing their asses off at this putz. Spare us the bewildered tone of surprise, this is exactly what we all wanted when we elected this idiot.

  • I'm sure our president will take prompt, strong, effective action based on his long string of foreign-policy successes.

Fast, cheap, good: pick two.

Working...