Opinion by Ira Winkler
OCTOBER 20, 2005
At the moment, there's a dirty little secret that only a few people in
the information security world seem to be privileged to know about, or
at least take seriously. Computers around the world are systematically
being victimized by rampant hacking. This hacking is not only
widespread, but is being executed so flawlessly that the attackers
compromise a system, steal everything of value and completely erase
their tracks within 20 minutes.
When you read this, it almost sounds like the plot of a cheesy science
fiction novel, where some evil uberhacker is seeking world domination,
while a good uberhacker applies all his super brain power to save the
world. Sadly, this isn't science fiction, and we don't typically have
uberhackers on our side.
Talk of these hacks is going on within the intelligence and defense
communities in the U.S. and around the world. The attacks were even
given a code name, Titan Rain, within the U.S. government. The
attackers appear to be targeting systems with military and secret
information of any type. They are also targeting the related
But I'm not just talking about government systems. There are a variety
of industries that support the government. For example, automobile
companies make tanks and other military equipment. Food service
companies supply military rations. Oil companies provide fuel to the
government. Companies with personal information on federal employees
can be exploited to identify undercover operatives.
That also brings up other potential targets, as the attackers are
necessarily limiting their sites on apparent military systems. Oil
companies know where potentially valuable oil reserves might be.
Telecommunications companies have details about satellite
communications and new technologies for improving communications
reliability and bandwidth. Any organization with intellectual property
worth protecting is a potential victim of these attackers.
I only present the above facts to demonstrate that most companies can
expect to fall victim to the attackers. Way too many companies believe
that they have nothing to fear or nothing of value that sophisticated
attackers would want. The fact of the matter is that these attackers
are extremely indiscriminate in whom they compromise.
The critical issue is the identity of the attackers. The source of the
attacks will tell you how much you have to be worried about.
Initially, the attacks were traced to China, which told investigators
very little. There are so many poorly secured computers in China that
many hackers use China-based systems as relay points for their
attacks. So despite the fact that all attacks went through China,
there was little evidence to conclude that China was responsible. That
was until Shawn Carpenter, a security analyst at Sandia National
Laboratories, decided to pursue the attacks after being told to drop
them by his superiors.
Using computer forensics techniques and hacking into the offending
systems, Carpenter was able to use the compromised systems against
themselves and find the actual origin of the attacks. Doing things
that official government agents could not, he determined that the root
of the attacks was China. He set up the attack systems to report back
to him what the attackers were doing and also performed analysis of
the attacks. Based on the volume of the attacks, he determined that
there were anywhere from six to 10 people hacking around the clock.
Given the skill and the size of the operation, there could be only two
sources of the attack: the Chinese intelligence agencies or the
Chinese triads (a.k.a., the Chinese Mafia). As I describe in my book,
Spies Among Us (Wiley, 2005), China as a government vacuums up
whatever information it can for potential value. Chinese triads
examine whatever they can get for profit potential, whether it's to
extort money or to sell to the highest bidder. Even worse for
non-Chinese entities, the Chinese government cooperates and exchanges
information with the triads.
The information is used against its victims in a variety of ways. Many
companies, both high- and low-tech, find themselves competing against
Chinese companies that somehow seemed to invent the exact same
products or technologies, but that don't seem to care about recovering
research and development costs. Companies operating in Southeast Asia
seem to be one step behind the Chinese triads and end up paying a
great deal more for their operations than they would have expected.
Companies that aren't directly involved are still enablers for the
attacks, allowing the Chinese hackers to compromise other
organizations and national security.
Despite the level of sophistication of the attacks, most of them are
completely preventable. That includes the attacks on the government
and contractor systems. They are exploiting some vulnerabilities that
are unknown to the general security community. However, they only
resort to those when all else fails, and that isn't very frequently.
Generally, though, even the "unpreventable" attacks could be prevented
in some ways. For example, unnecessary services on a computer can't be
exploited if they aren't running. Firewalls don't have to let
unnecessary traffic through. There are many things organizations can
do to protect themselves by adding defense in depth.
Given the current diplomatic situation between the U.S. and China,
Titan Rain attacks will continue to proliferate in the foreseeable
future. It's essentially a vacuum of cyberspace by the Chinese.
Unfortunately, we are relying on uberhackers, like Shawn Carpenter,
who are few and far between, to protect us.
It's up to CIOs and other IT managers to ensure that their companies
practice good systems-hardening procedures, along with applying
defense in depth throughout their entire organization. While people
may think of Titan Rain as just applying to organizations with
high-tech or national security interests, the fact is that since every
organization faces the same wide threat landscape, you can't ignore
basic security practices.
The sad fact is that if you're hit by the Titan Rain hackers, you'll
likely never know about it. Even worse, though, is that you are more
likely to be hit by other attackers who will cause blatant damage to
your systems and business. The good news is these attackers are less
talented and can more easily be stopped by basic security measures.
Ira Winkler is president of the Internet Security Advisors Group. He
is a former National Security Agency analyst and the author of Spies
Among Us (Wiley, 2005).
InfoSec News v2.0 - Coming Soon!