I think it is very important to understand that the timing of this report is likely no coincidence. With Xi set to have discussions today with Obama, this is effectively a slap across the face to Xi right before an important visit that he can't back out of, and effectively puts China on a lower footing by showing them to be lying directly to the US about their intentions.
Edit: this isn't to say publication/announcement was done at the administration's request, simply that the timing is extremely suspect. Other interests also want to see Xi brought down a few pegs. Politics :-/
It's possible this was coördinated, but more likely it's one of those current-trends things. Like on HN: an article on X comes up, and shortly after an article on a tangent of X comes up, riding the coattails of X.
Mr Xi is in town, what else related to Xi can give us more eyeballs now that all things Xi/China are in the news, what do we have? Oh, yes, of course, spying!
Ironically, MSFT and FB are fawning over Xi's visit, giving him the royal tours. China treats these two companies very poorly. Nearly all MSFT software in China is pirated. China bans FB partly for censorship and partly to protect internal social networking products.
MS technically has the ability to shut off and cripple any pirated Windows over the wire if it wants to. But in this case, it has chosen not to for a lot of Asian countries. The reason? Market share.
It wants users to get used to how Windows works, versus to other alternatives like Linux, Mac, etc.
MSFT and FB want to maintain and increase access to the 1.35 Billion people of China. Not ironic at all, those companies need to be in China even if treated poorly.
Facebook is completely blocked in China, as far as I'm aware. In fact, it's not just blocked: a DNS lookup of facebook.com returns a bogus IP address. I can't see why Facebook would think that they have any hope of getting unblocked, unless they are willing to let China's censors do their thing with Facebook posts.
I have no doubt there is significant espionage going on.
What the last several years have done, however, is to make me rather distrusting of both sides.
I may be in the minority. But a democracy is in significant trouble when its own population no longer trusts and believes it, in the large. The leadership either turns increasingly autocratic, or it loses its power.
The t-word wins again. The lies told ostensibly because t-word, are proving to be far worse than the original risk of t-word.
And instead of effective oversight to harden our own systems, we have blindness, lack of accountability, and scapegoating.
It's not just the data collection that makes me distrust the Feds. It's its gross mis-management, abuse, and the insistence that I can't know what is going on.
So, pump out your stories about the Chinese. Many of you politicians sold us down the river, in that regard, years ago.
Sorry to tangent the tangent, but will we ever see adblockers hunted down the way torrenters were? The net effect is the same, but the scope (news articles) is much smaller.
"Grassroots" hacking isn't a good strategy for a state that wants to cover up its tracks. So I'm suspicious of these claims.
Perhaps the government makes it worth the hackers' while to hack the USG instead of it. Just sad that so many intelligent people would rather be powerful/wealthy than free (not that the USG is a shining example of that sentiment).
I'm not sure I understand your point. What does material possession and power (I assume over others) have to do with freedom?
These hackers have power (their ability to obtain government data and subvert its power) and the Chinese government is perhaps wisely channeling it to its foreign adversaries.
Without having read the full PDF report [0], the summarized version [1] makes the allegations seem quite weak. It comes down, seemingly, to the fact that a PLA domain name appears in the malware. Maybe I'm missing something.
Looks like PLA domain shares name with probable PLA employee social media handle. And the social media accounts were deleted immediately after the WSJ called the guy.
It seems pretty likely there is some PLA connection, though not necessarily to this particular guy - no way of knowing that a buddy didn't steal his handle for use elsewhere (seriously, not sharing the same hacking handle and the same personal username should be Tradecraft 101)
Why do companies, security companies even, do something like this...
"Below are the document checksums for Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf"
... when you are then providing both the PDF, and the list of its supposed hashes, over an unencrypted connection! It renders it meaningless. I can't trust those hashes or that document. And creating megabyte-long PDFs with colliding MD5 hashes is not even a difficult challenge anymore.
The irony here is this page says "hey, open this document, it's safe, trust us" when the document is all about APT attack methods, which often involve compromising people's computers by opening untrustworthy documents! I doubt that's what's happening here, but still kind of silly when you think about it.
Please, all the companies out there. Stop adding a list of hashes to appear more legitimate when you clearly don't know what you are doing.
Well, not meaningless. You can monitor the original values of the hashes, and verify they haven't been changed. The PDFs will be copied around and around.
Also - There is no known method to (within the lifetime of this universe) create a different document with the same MD5 and SHA1 and SHA256. Adding the MD5 doesn't weaken things, and might improve them.
Are you saying that some random ISP(s), some third party or even their hosting provider can't modify the PDFs and the sums on the fly to inject malware? Do you really think most people check the sums?
The person who posts PDFs on websites with MD5/SHA1/SHA256 hashes adds a watchdog to verify that those hashes aren't changing. Once you get the framework together, adding a new page with hashes to the watchdog takes just a few seconds. That way, if the random ISP(s) or third parties are modifying those sums on the fly, it will trigger the watchdog.
As to whether most people check the sum - I have no idea, but at least anybody who wants to take 90 seconds to authenticate the document can just go:
x=Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf; md5 "$x"; shasum -a 1 "$x"; shasum -a 256 "$x"   # md5(1) is the macOS name; on Linux use md5sum
Keep in mind - I totally agree with you that this isn't a great mechanism, but I would argue it's better than nothing at all. (as long as someone has a watchdog to confirm the hashes aren't being modified in flight - they could probably help their case a little by at least serving those pages with HTTPS).
A much better mechanism would be to use OpenBSD's signify (http://www.openbsd.org/papers/bsdcan-signify.html), which solves this whole problem of trying to sign documents with something simple that doesn't involve byzantine chains of trust, in a very elegant way.
They could just create a key pair:
signify -G -p threatpub -s sec
And make their public key, which is short, and easy to copy/distribute everywhere - looks like this:
untrusted comment: signify public key
RWQw2u3UPjm6spK9OYJxylK2jSKz2agskG2EKPsxwFN4IjHVw66dYPhT
And then, with each document they create, they just sign the PDF:
Which provides a signature file, signed with their private key:
untrusted comment: signature from signify secret key
RWQw2u3UPjm6svkWhs4fgy1Qi0P72hp+uDuTxX8bDSvd/qr/7vc55v+PndgDdWOWj0JiLco/CCfOzw6Alau9RTi5gBiHSzuRHAs=
Now, those two documents, the PDF and the Signature file - can be distributed everywhere - and are not subject to a malware attack because everyone has ThreatConnect's public key, which they can use to verify any threatconnect file and signature, with the simple command:
I'm presuming that's the better mechanism you have in mind for this sort of thing? I think I'll forward our thread over to the threatconnect team, see if they are willing to upgrade their procedures.
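As an added example, not code from the thread, from OpenBSD or from ThreatConnect: the two commands elided in the post above are, in signify's own CLI, `signify -S -s sec -m Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf` (which writes the `.sig` file) and `signify -V -p threatpub -m Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf`. The Python below reimplements what those two commands do so the mechanism can be run without signify installed: a pure-Python Ed25519 (ported from the reference ed25519.py, far too slow for real use), the signify file format (an "untrusted comment" line followed by base64 of the algorithm tag "Ed", an 8-byte key number and the key or signature bytes), and signify's rule that a signature is only checked against a public key whose key number matches. The demo signs a constructed stand-in for the PDF with a throwaway key and shows verification failing once a byte is appended in transit, which is the property a served hash list cannot give, since whoever rewrites the PDF can rewrite the hashes beside it. The key and signature the commenter posted are decoded too, but only structurally, because the PDF they cover is not on this page. The secret-key file format (passphrase KDF and checksum) is not reproduced; signing here takes a raw 32-byte seed.

```python
import base64
import hashlib
q = 2**255 - 19  # Ed25519 field prime; what follows is a pure-Python port of the reference ed25519.py (slow, illustrative)
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point

def inv(x):
    return pow(x, q - 2, q)

d, I = -121665 * inv(121666) % q, pow(2, (q - 1) // 4, q)

def xrecover(y):
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (q + 3) // 8, q)
    x = x if (x * x - xx) % q == 0 else x * I % q
    return x if x % 2 == 0 else q - x

B = (xrecover(4 * inv(5) % q), 4 * inv(5) % q)  # base point

def edwards(P, Q):
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % q, (y1 * y2 + x1 * x2) * inv(1 - t) % q)

def scalarmult(P, e):
    Q = (0, 1)  # neutral element; double-and-add, most significant bit first
    for bit in bin(e)[2:]:
        Q = edwards(Q, Q)
        if bit == "1":
            Q = edwards(Q, P)
    return Q

def encodepoint(P):
    return (P[1] | (P[0] & 1) << 255).to_bytes(32, "little")

def decodepoint(s):
    v = int.from_bytes(s, "little")
    y = v & (1 << 255) - 1
    x = xrecover(y)
    x = x if x & 1 == v >> 255 else q - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q != 0:
        raise ValueError("point not on curve")
    return (x, y)

def hint(m):
    return int.from_bytes(hashlib.sha512(m).digest(), "little")

def secret_scalar(seed):
    h = hashlib.sha512(seed).digest()
    return (int.from_bytes(h[:32], "little") & (1 << 254) - 8) | 1 << 254, h[32:]  # clamped scalar, prefix

def ed25519_publickey(seed):
    return encodepoint(scalarmult(B, secret_scalar(seed)[0]))

def ed25519_sign(m, seed):
    a, prefix = secret_scalar(seed)
    pk = encodepoint(scalarmult(B, a))
    r = hint(prefix + m) % L
    R = encodepoint(scalarmult(B, r))
    return R + ((r + hint(R + pk + m) * a) % L).to_bytes(32, "little")

def ed25519_verify(sig, m, pk):
    S = int.from_bytes(sig[32:], "little")
    if len(sig) != 64 or len(pk) != 32 or S >= L:
        return False
    try:
        R, A = decodepoint(sig[:32]), decodepoint(pk)
    except ValueError:
        return False
    return scalarmult(B, S) == edwards(R, scalarmult(A, hint(sig[:32] + pk + m)))

# signify file: "untrusted comment: <text>\n" + base64("Ed" + 8-byte key number + key or signature) + "\n"
def signify_encode(comment, keynum, body):
    return "untrusted comment: %s\n%s\n" % (comment, base64.b64encode(b"Ed" + keynum + body).decode())

def signify_decode(text, body_len):
    lines = text.splitlines()
    raw = base64.b64decode(lines[1]) if len(lines) > 1 and lines[0].startswith("untrusted comment: ") else b""
    if raw[:2] != b"Ed" or len(raw) != 10 + body_len:
        raise ValueError("malformed signify file, unsupported algorithm or bad length")
    return raw[2:10], raw[10:]  # key number, key or signature bytes

def signify_verify(pubkey_text, sig_text, msg):
    keynum_pk, pk = signify_decode(pubkey_text, 32)
    keynum_sig, sig = signify_decode(sig_text, 64)
    if keynum_pk != keynum_sig:  # signify itself aborts here with "verification failed: checked against wrong key"
        raise ValueError("checked against wrong key")
    return ed25519_verify(sig, msg, pk)

# The key and signature exactly as posted in the thread (page data, not constructed); the PDF they cover is not on this page
POSTED_PUBKEY = "untrusted comment: signify public key\nRWQw2u3UPjm6spK9OYJxylK2jSKz2agskG2EKPsxwFN4IjHVw66dYPhT\n"
POSTED_SIG = "untrusted comment: signature from signify secret key\nRWQw2u3UPjm6svkWhs4fgy1Qi0P72hp+uDuTxX8bDSvd/qr/7vc55v+PndgDdWOWj0JiLco/CCfOzw6Alau9RTi5gBiHSzuRHAs=\n"

def demo():
    # Constructed stand-ins: throwaway seed and key number and fake report bytes, not ThreatConnect's key or PDF
    seed = hashlib.sha256(b"constructed demo seed").digest()
    keynum = bytes(range(8))  # signify -G draws these 8 bytes at random
    pubkey_file = signify_encode("signify public key", keynum, ed25519_publickey(seed))
    pdf = b"%PDF-1.4 constructed stand-in for the report"
    sig_file = signify_encode("signature from signify secret key", keynum, ed25519_sign(pdf, seed))
    return signify_verify(pubkey_file, sig_file, pdf), signify_verify(pubkey_file, sig_file, pdf + b"<injected>")
```

`demo()` returns `(True, False)`: the genuine stand-in verifies and the tampered copy does not, and nothing a man in the middle can do to the `.sig` file helps without the secret key. Decoding the posted public key and signature with `signify_decode` shows their key numbers match, which is the first thing signify -V checks before it even looks at the Ed25519 signature.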
Ahhh. Was mixing pre-image attacks with collision attacks in MD5. So ignore that.
If it's not over HTTPS, it doesn't matter that there are 3 hashes. I change the doc. I generate the 3 hashes for my changed doc. I can serve those new hash values.
Ugh, not these guys. Hopefully the WSJ article had a better source. ThreatConnect will take any random connection and a big brand name / country and crap out a report.
Having read many of these reports over the years, this one seems more manifesto than security report. It is full of carefully controlled language meant to appease a very specific audience: politicians and members of various agencies.
A huge amount of space is dedicated to tenuous ties between physical military activities and espionage, on the assumption that all Chinese agencies are coordinating with each other, that the Chinese are just better at conspiracy than any US operation. No actual intelligence officer would ever describe China in that way. It's a patchwork of poorly-connected operations all trying to put on a good show for the bosses, much the same as US intelligence agencies.
Certain key phrases suggest political motive. As an example, the phrase "China’s ... military grade signals intelligence Unit" caught my ear. "Military grade" doesn't mean much in infosec. It does mean something to lifelong service members who labour under the assumption that military structures just do things better than civilian organizations. In some fields "military grade" is actually a bad thing, a reference to products built to conform to rarely-updated procurement standards. It's like still selling floppy disks because the computers on the stealth bombers haven't been updated in 20 years. The phrase appears right at the start of the takeaways section, right where most senior officials will probably start reading.
The drilling down upon a few people, to the point of tracking a man's movements and finding the bike he offered for sale, certainly plays into current US national security desires. Targeted killings based on poor intel are a big chip on the military shoulder these days. They aren't happy about it. So peppering a document with a few grains of seemingly accurate and specific intel about individuals is a good trick to win people over. The excessive reliance on Google Maps is just eye candy. This gives the false impression of validity, a false suggestion that the rest of the report is based on equally detailed and reliable intel. If this were such intel, it wouldn't be released publicly.
A scapegoat would be innocent. I doubt even the Chinese would argue they haven't done anything. That's much of the problem generally and with this document specifically. If you latch onto things and investigate them to death you will in time run across actual wrongdoing. The danger is then that you cherry-pick these truths and spread them to each and every situation, giving the appearance of overwhelming wrongdoing. I think the people behind this document have done this knowingly.
>I mean isn't it already widely accepted that China has one of the world's largest and most active cyber warfare forces?
Do they? I thought the largest "cyber warfare force" (gotta love these buzzwords) was the NSA, and the US govt itself. The US practically controls the internet...
Well yes, I imagine the US force dwarfs most others, however that doesn't change my being worried about China's activities.
The whole world needs to start making protection of user data (private sphere) and citizen data (public sphere) a priority. Until that happens, there will continue to be massive hacks of sensitive data that end up hurting very large numbers of people.
It's well past time that the world as a whole started taking the issue of cyber security seriously.
One of the most difficult aspects of cyber security is attribution. There's really no way to know for certain who did what. Also, it's easy and convenient (right now) for other nations to blame China as cover for their own cyber intrusions. Compromise a few systems in China, launch attacks from them then sit back and watch while others place blame.