# Something Wicked This Way Comes...



## rebroome (Jan 16, 2014)

On February 19, 2013, this headline appeared on the front page of the New York Times.

*"China's Army Seen as Tied to Hacking Against U.S., Report Traces Attacks to Military Office's Doorstep - Power Grid is the Target."*
How would you like to wake up some morning and find the power is off? No heat. No lights. No home appliances working. No electricity to operate the pump at the service station to gas your car. No cash register working at the store you normally frequent to pick up some milk and bread.

And… not because some snow laden tree limb fell on a power line, but because of an intentional, malevolent attack by a hostile nation. Your power company can't estimate when your power is going to be restored, because it is not just some tree limb that's busted a line, it was a purposeful, well thought out cyberattack that has really fouled up the computer systems that operate our national power grids. It will require an intense effort to unravel. Will the power be restored in days? Weeks? Months? Ever? Who knows?

The New York Times article identifies a People's Liberation Army unit on the outskirts of Shanghai as the source of "…an overwhelming percentage of the attacks on American corporations, organizations and government agencies..." The article further reports these attacks are widespread and happening daily to probe our systems, our data and gather information about us.

Here is a headline from within the last two weeks.

*New York Times: "Report Calls for Better Backstops to Protect Power Grid From Cyberattacks, March 2nd, 2014."*

Here is a headline from today.

Small-scale power grid attack could cause nationwide blackout, study says | Fox News

So, as I sit at my desk on this beautiful Montana morning and write this, I have to wonder, what will it take to get our collective attention? The actual attack?


----------



## Notsoyoung (Dec 2, 2013)

No water, no food distribution, hospitals closing down as their generators run out of power and medical supplies dry up. No communications. Sounds like a good reason to start prepping.


----------



## rebroome (Jan 16, 2014)

Notsoyoung said:


> No water, no food distribution, hospitals closing down as their generators run out of power and medical supplies dry up. No communications. Sounds like a good reason to start prepping.


Yeah. Good thing this is a prepper site isn't it? :-D


----------



## James m (Mar 11, 2014)

Oh, it's going to be something worse than resetting a computer. That only takes a few hours at most. I heard that with the power generation sites that use jet engines to create power they are looking to spin them out of control. If they run too fast they destroy themselves. Then you have to find power elsewhere.
Hack into a nuclear plant.


----------



## rebroome (Jan 16, 2014)

James m said:


> Oh, it's going to be something worse than resetting a computer. That only takes a few hours at most. I heard that with the power generation sites that use jet engines to create power they are looking to spin them out of control. If they run too fast they destroy themselves. Then you have to find power elsewhere.
> Hack into a nuclear plant.


What if the code has malware that has been installed in it that corrupts everything else? That generates bad transactions, incorrect readings? You don't just reboot your way out of that. You have to find and fix this. There are millions of lines of code to go through. This could take a very long time.


----------



## James m (Mar 11, 2014)

Stuxnet
I remember being told that there were copy machines made in China that were being used in a top secret program. It sent the info it copied back to China.
Anyway, I was thinking of a complete reinstall. Or a backup. But nobody knew Stuxnet was there till it was all over.
Hacking isn't that hard actually. It's more like social engineering: getting someone to give information without knowing any better.


----------



## rebroome (Jan 16, 2014)

James m said:


> Stuxnet
> I remember being told that there were copy machines made in China that were being used in a top secret program. It sent the info it copied back to China.
> Anyway, I was thinking of a complete reinstall. Or a backup. But nobody knew Stuxnet was there till it was all over.
> Hacking isn't that hard actually. It's more like social engineering: getting someone to give information without knowing any better.


My worry is a phenomenon called "Advanced Persistent Threat." What if some sort of malware was placed in the code when it was originally probed by a hacker, and is a cyber time bomb waiting to go off?


----------



## nephilim (Jan 20, 2014)

Now that Stuxnet is out there, it is being re-engineered, and because the US used it already on another nation, they have essentially said it's fine to do, bring it on.


----------



## AquaHull (Jun 10, 2012)

The call to battle will sound, but won't be answered.


----------



## Silverback (Jan 20, 2014)

```apache
# Apache 2.2 mod_authz_host syntax (on 2.4 the equivalent is "Require not ip",
# or load mod_access_compat to keep these directives working).
order allow,deny
allow from all
# Get up-to-date list from Okean - The Goods or (in .htaccess format) Block Chinese and Korean IP Addresses From Apache Based Servers with .htaccess Blocklist
# China IP Address Blocks
deny from 58.14.0.0/15 58.16.0.0/13 58.24.0.0/15 58.30.0.0/15 58.32.0.0/11 58.66.0.0/15 58.68.128.0/17 58.82.0.0/15 58.87.64.0/18 58.99.128.0/17 58.100.0.0/15 58.116.0.0/14 58.128.0.0/13 58.144.0.0/16 58.154.0.0/15 58.192.0.0/11 58.240.0.0/12
deny from 59.32.0.0/11 59.64.0.0/13 59.72.0.0/15 59.77.0.0/16 59.78.0.0/15 59.80.0.0/14 59.107.0.0/16 59.108.0.0/14 59.151.0.0/17 59.155.0.0/16 59.172.0.0/14 59.191.0.0/16 59.192.0.0/10
deny from 60.0.0.0/11 60.55.0.0/16 60.63.0.0/16 60.160.0.0/11 60.194.0.0/15 60.200.0.0/13 60.208.0.0/12 60.232.0.0/15 60.235.0.0/16 60.245.128.0/17 60.247.0.0/16 60.252.0.0/16 60.253.128.0/17 60.255.0.0/16
deny from 61.4.80.0/20 61.4.176.0/20 61.8.160.0/20 61.28.0.0/17 61.29.128.0/17 61.45.128.0/18 61.47.128.0/18 61.48.0.0/13 61.87.192.0/18 61.128.0.0/10 61.232.0.0/14 61.236.0.0/15 61.240.0.0/14
deny from 116.1.0.0/16 116.2.0.0/15 116.4.0.0/14 116.8.0.0/14 116.13.0.0/16 116.16.0.0/12 116.52.0.0/14 116.56.0.0/15 116.58.128.0/20 116.58.208.0/20 116.60.0.0/14 116.66.0.0/17 116.69.0.0/16 116.70.0.0/17 116.76.0.0/14 116.89.144.0/20 116.90.184.0/21 116.95.0.0/16 116.112.0.0/14 116.116.0.0/15 116.128.0.0/10 116.192.0.0/16 116.193.16.0/20 116.193.32.0/19 116.194.0.0/15 116.196.0.0/16
deny from 116.198.0.0/16 116.199.0.0/17 116.199.128.0/19 116.204.0.0/15 116.207.0.0/16 116.208.0.0/14 116.212.160.0/20 116.213.64.0/18 116.213.128.0/17 116.214.32.0/19 116.214.64.0/20 116.214.128.0/17 116.215.0.0/16 116.216.0.0/14 116.224.0.0/12 116.242.0.0/15 116.244.0.0/14 116.248.0.0/15 116.252.0.0/15 116.254.128.0/17 116.255.128.0/17
deny from 117.8.0.0/13 117.21.0.0/16 117.22.0.0/15 117.24.0.0/13 117.32.0.0/13 117.40.0.0/14 117.44.0.0/15 117.48.0.0/14 117.53.176.0/20 117.57.0.0/16 117.58.0.0/17 117.59.0.0/16 117.60.0.0/14 117.64.0.0/13 117.72.0.0/15 117.74.64.0/20 117.74.128.0/17 117.75.0.0/16 117.76.0.0/14 117.80.0.0/12 117.100.0.0/15 117.103.16.0/20 117.103.128.0/20 117.106.0.0/15 117.112.0.0/13 117.120.64.0/18 117.120.128.0/17 117.121.0.0/17 117.121.128.0/18 117.121.192.0/21 117.122.128.0/17 117.124.0.0/14 117.128.0.0/10
deny from 118.24.0.0/13 118.64.0.0/15 118.66.0.0/16 118.67.112.0/20 118.72.0.0/13 118.80.0.0/15 118.84.0.0/15 118.88.32.0/19 118.88.64.0/18 118.88.128.0/17 118.89.0.0/16 118.91.240.0/20 118.102.16.0/20 118.112.0.0/13 118.120.0.0/14 118.124.0.0/15 118.126.0.0/16 118.132.0.0/14 118.144.0.0/14 118.178.0.0/16 118.180.0.0/14 118.184.0.0/13 118.192.0.0/12 118.212.0.0/15 118.224.0.0/14 118.228.0.0/15 118.230.0.0/16 118.239.0.0/16 118.242.0.0/16 118.244.0.0/14 118.248.0.0/13
deny from 119.0.0.0/15
deny from 121.0.16.0/20 121.4.0.0/15 121.8.0.0/13 121.16.0.0/12 121.32.0.0/13 121.40.0.0/14 121.46.0.0/15 121.48.0.0/15 121.51.0.0/16 121.52.160.0/19 121.52.208.0/20 121.52.224.0/19 121.55.0.0/18 121.56.0.0/15 121.58.0.0/17 121.58.144.0/20 121.59.0.0/16 121.60.0.0/14 121.68.0.0/14 121.76.0.0/15 121.79.128.0/18 121.89.0.0/16 121.100.128.0/17 121.192.0.0/13 121.201.0.0/16 121.204.0.0/14 121.224.0.0/12 121.248.0.0/14 121.255.0.0/16
deny from 122.0.64.0/18 122.0.128.0/17 122.4.0.0/14 122.8.0.0/13 122.48.0.0/16 122.49.0.0/18 122.51.0.0/16 122.64.0.0/11 122.96.0.0/15 122.102.0.0/20 122.102.64.0/19 122.112.0.0/14 122.119.0.0/16 122.136.0.0/13 122.144.128.0/17 122.156.0.0/14 122.192.0.0/14 122.198.0.0/16 122.200.64.0/18 122.204.0.0/14 122.224.0.0/12 122.240.0.0/13 122.248.48.0/20
deny from 123.0.128.0/18 123.4.0.0/14 123.8.0.0/13 123.49.128.0/17 123.52.0.0/14 123.56.0.0/13 123.64.0.0/11 123.96.0.0/15 123.98.0.0/17 123.99.128.0/17 123.100.0.0/19 123.101.0.0/16 123.103.0.0/17 123.108.128.0/20 123.108.208.0/20 123.112.0.0/12 123.128.0.0/13 123.136.80.0/20 123.137.0.0/16 123.138.0.0/15 123.144.0.0/12 123.160.0.0/12 123.176.80.0/20 123.177.0.0/16 123.178.0.0/15 123.180.0.0/14 123.184.0.0/13 123.196.0.0/15 123.199.128.0/17 123.232.0.0/14 123.244.0.0/14 123.249.0.0/16 123.253.0.0/16
deny from 124.6.64.0/18 124.14.0.0/15 124.16.0.0/15 124.20.0.0/14 124.28.192.0/18 124.29.0.0/17 124.31.0.0/16 124.40.112.0/20 124.40.128.0/18 124.42.0.0/16 124.47.0.0/18 124.64.0.0/15 124.66.0.0/17 124.67.0.0/16 124.68.0.0/14 124.72.0.0/13 124.88.0.0/13 124.108.8.0/21 124.108.40.0/21 124.112.0.0/13 124.126.0.0/15 124.128.0.0/13 124.147.128.0/17 124.156.0.0/16 124.160.0.0/13 124.172.0.0/14 124.192.0.0/15 124.196.0.0/16 124.200.0.0/13 124.220.0.0/14 124.224.0.0/12 124.240.0.0/17 124.242.0.0/16 124.243.192.0/18 124.248.0.0/17 124.249.0.0/16 124.250.0.0/15 124.254.0.0/18
deny from 125.31.192.0/18 125.32.0.0/12 125.58.128.0/17 125.61.128.0/17 125.62.0.0/18 125.64.0.0/11 125.96.0.0/15 125.98.0.0/16 125.104.0.0/13 125.112.0.0/12 125.169.0.0/16 125.171.0.0/16 125.208.0.0/18 125.210.0.0/15 125.213.0.0/17 125.214.96.0/19 125.215.0.0/18 125.216.0.0/13 125.254.128.0/17
deny from 134.196.0.0/16
deny from 159.226.0.0/16
deny from 161.207.0.0/16
deny from 162.105.0.0/16
deny from 166.111.0.0/16
deny from 167.139.0.0/16
deny from 168.160.0.0/16
deny from 192.83.122.0/24 192.124.154.0/24 192.188.170.0/24
deny from 198.17.7.0/24 198.97.132.0/24
deny from 202.0.110.0/24 202.0.160.0/20 202.0.176.0/22 202.4.128.0/19 202.4.252.0/22 202.8.128.0/19 202.10.64.0/20 202.14.88.0/24 202.14.235.0/24 202.14.236.0/23 202.14.238.0/24 202.20.120.0/24 202.22.248.0/21 202.38.0.0/20 202.38.64.0/18 202.38.128.0/21 202.38.136.0/23 202.38.138.0/24 202.38.140.0/22 202.38.144.0/22 202.38.149.0/24 202.38.150.0/23 202.38.152.0/22 202.38.156.0/24 202.38.158.0/23 202.38.160.0/23 202.38.164.0/22 202.38.168.0/21 202.38.176.0/23 202.38.184.0/21 202.38.192.0/18 202.41.152.0/21 202.41.240.0/20 202.46.32.0/19 202.46.224.0/20
deny from 202.60.112.0/20 202.69.4.0/22 202.69.16.0/20 202.70.0.0/19 202.74.8.0/21 202.75.208.0/20 202.85.208.0/20 202.90.0.0/22 202.90.224.0/20 202.90.252.0/22 202.91.0.0/22 202.91.128.0/22 202.91.176.0/20 202.91.224.0/19 202.92.0.0/22 202.92.252.0/22 202.93.0.0/22 202.93.252.0/22 202.94.0.0/19 202.95.0.0/19 202.95.252.0/22 202.96.0.0/12
deny from 202.112.0.0/13 202.120.0.0/15 202.122.0.0/19 202.122.32.0/21 202.122.64.0/19 202.122.112.0/21 202.122.128.0/24 202.123.96.0/20 202.124.24.0/21 202.125.176.0/20 202.127.0.0/18 202.127.112.0/20 202.127.128.0/19 202.127.160.0/21 202.127.192.0/18 202.130.0.0/19 202.130.224.0/19 202.131.16.0/21 202.131.48.0/20 202.131.208.0/20 202.136.48.0/20 202.136.208.0/20 202.136.224.0/20 202.141.160.0/19 202.142.16.0/20 202.143.16.0/20 202.148.96.0/19 202.149.160.0/20 202.149.224.0/19
deny from 202.150.16.0/20 202.152.176.0/20 202.153.48.0/20 202.158.160.0/19 202.160.176.0/20 202.164.0.0/20 202.164.25.0/24 202.165.96.0/21 202.165.176.0/20 202.165.208.0/20 202.168.160.0/19 202.170.128.0/19 202.170.216.0/21 202.173.8.0/21 202.173.224.0/19 202.179.240.0/20 202.180.128.0/19 202.181.112.0/20 202.189.80.0/20 202.192.0.0/12
deny from 203.18.50.0/24 203.79.0.0/20 203.80.144.0/20 203.81.16.0/20 203.83.56.0/21 203.86.0.0/18 203.86.64.0/19 203.88.0.0/22 203.88.32.0/19 203.88.192.0/19 203.89.0.0/22 203.90.0.0/22 203.90.128.0/18 203.90.192.0/19 203.91.32.0/19 203.91.96.0/20 203.91.120.0/21 203.92.0.0/22 203.92.160.0/19 203.93.0.0/16 203.94.0.0/18 203.95.0.0/21 203.95.96.0/19 203.99.16.0/20 203.99.80.0/20
deny from 203.100.32.0/20 203.100.80.0/20 203.100.96.0/19 203.100.192.0/20 203.110.160.0/19 203.118.192.0/19 203.119.24.0/21 203.119.32.0/22 203.128.32.0/19 203.128.96.0/19 203.128.128.0/19 203.130.32.0/19 203.132.32.0/19 203.134.240.0/21 203.135.96.0/19 203.135.160.0/20 203.148.0.0/18 203.152.64.0/19 203.156.192.0/18 203.158.16.0/21 203.161.192.0/19 203.166.160.0/19 203.171.224.0/20 203.174.7.0/24 203.174.96.0/19 203.175.128.0/19 203.175.192.0/18 203.176.168.0/21 203.184.80.0/20 203.187.160.0/19 203.190.96.0/20 203.191.16.0/20 203.191.64.0/18 203.191.144.0/20 203.192.0.0/19 203.196.0.0/22
deny from 203.207.64.0/18 203.207.128.0/17 203.208.0.0/20 203.208.16.0/22 203.208.32.0/19 203.209.224.0/19 203.212.0.0/20 203.212.80.0/20 203.222.192.0/20 203.223.0.0/20
deny from 210.2.0.0/19 210.5.0.0/19 210.5.32.0/20 210.5.144.0/20 210.12.0.0/15 210.14.64.0/19 210.14.112.0/20 210.14.128.0/17 210.15.0.0/17 210.15.128.0/18 210.16.128.0/18 210.21.0.0/16 210.22.0.0/16 210.23.32.0/19 210.25.0.0/16 210.26.0.0/15 210.28.0.0/14 210.32.0.0/12 210.51.0.0/16 210.52.0.0/15 210.56.192.0/19 210.72.0.0/14 210.76.0.0/15 210.78.0.0/16 210.79.64.0/18 210.79.224.0/19 210.82.0.0/15 210.87.128.0/18 210.185.192.0/18 210.192.96.0/19
deny from 211.64.0.0/13 211.80.0.0/12 211.96.0.0/13 211.136.0.0/13 211.144.0.0/12 211.160.0.0/13
deny from 218.0.0.0/11 218.56.0.0/13 218.64.0.0/11 218.96.0.0/14 218.104.0.0/14 218.108.0.0/15 218.192.0.0/12 218.240.0.0/13 218.249.0.0/16
deny from 219.72.0.0/16 219.82.0.0/16 219.128.0.0/11 219.216.0.0/13 219.224.0.0/12 219.242.0.0/15 219.244.0.0/14
deny from 220.101.192.0/18 220.112.0.0/14 220.152.128.0/17 220.154.0.0/15 220.160.0.0/11 220.192.0.0/12 220.231.0.0/18 220.231.128.0/17 220.232.64.0/18 220.234.0.0/16 220.242.0.0/15 220.248.0.0/14
deny from 221.0.0.0/13 221.8.0.0/14 221.12.0.0/17 221.12.128.0/18 221.13.0.0/16 221.14.0.0/15 221.122.0.0/15 221.129.0.0/16 221.130.0.0/15 221.133.224.0/19 221.136.0.0/15 221.172.0.0/14 221.176.0.0/13 221.192.0.0/14 221.196.0.0/15 221.198.0.0/16 221.199.0.0/17 221.199.128.0/18 221.199.192.0/20 221.199.224.0/19 221.200.0.0/13 221.208.0.0/12 221.224.0.0/12
deny from 222.16.0.0/12 222.32.0.0/11 222.64.0.0/11 222.125.0.0/16 222.126.128.0/17 222.128.0.0/12 222.160.0.0/14 222.168.0.0/13 222.176.0.0/12 222.192.0.0/11 222.240.0.0/13 222.248.0.0/16 222.249.0.0/17 222.249.128.0/18 222.249.192.0/19 222.249.224.0/20 222.249.240.0/21 222.249.248.0/23
# Korea IP addresses follow:
deny from 58.72.0.0/13 58.239.0.0/16 58.140.0.0/14 59.0.0.0/11 59.186.0.0/15 61.248.0.0/13 121.128.0.0/10 122.99.128.0/17 124.50.87.161 125.128.0.0/11 125.176.0.0/12 143.248.0.0/16 211.41.224.0/19 211.104.0.0/13 211.112.0.0/13 211.211.36.0/23 218.144.138.0/26 219.240.0.0/15 219.248.0.0/13 221.128.0.0/12 221.144.0.0/12 221.160.0.0/13 221.168.0.0/16 221.163.46.0/24
# Malaysia
deny from 60.48.0.0/13 202.71.102.0/24 203.223.128.0/19
# Thailand
deny from 58.137.13.0/24 203.113.13.0/24 203.144.144.0/24 203.149.0.0/18 203.155.0.0/16
# Vietnam
deny from 58.187.112.0/20 125.234.0.0/15 203.113.128.0/18
```


----------



## Silverback (Jan 20, 2014)

Yea rebroome, I remember that, I personally had to add the above to 5-600 devices. THANK GOD for global management systems. The above is all the subnets assigned to the region in and around China; adding these block lists makes your router/firewall drop ALL packets, which means they get nowhere when attacking your equipment.

I do fear the admins that are not proactive from threats foreign or domestic. There is a war out there that is not only fought with boots but with keyboards as well.
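An added example, not code from Silverback's post or from the blocklist's source: a small Python script that parses `deny from` lines in the .htaccess format above, tests observed source addresses against the ranges, and renders the same ranges as an nftables set so the drop can happen on the router or firewall rather than in the web server. The excerpt of the list, the source addresses and the set name `asia_block` are all constructed for the example; 198.51.100.23 stands in for a domestic VPN exit, which is exactly the kind of source a geographic list never sees.

```python
"""Added example (not part of the forum post): parse an Apache ``deny from``
blocklist, match source addresses against it, and emit an nftables set."""
import ipaddress
from typing import Iterable, Optional

# Constructed excerpt of the posted list (a handful of the ranges).
BLOCKLIST_TEXT = """\
order allow,deny
allow from all
# China IP Address Blocks
deny from 58.14.0.0/15 58.16.0.0/13 202.96.0.0/12
deny from 218.0.0.0/11 222.16.0.0/12
# Korea IP addresses follow:
deny from 58.72.0.0/13 124.50.87.161
"""


def parse_deny_networks(text: str) -> list[ipaddress.IPv4Network]:
    """Collect every operand of a ``deny from`` directive as a network.

    A bare host such as 124.50.87.161 becomes a /32; ranges that form a
    valid supernet are merged so the match loop and the set stay small."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.split()
        if len(parts) < 3 or parts[0].lower() != "deny" or parts[1].lower() != "from":
            continue
        for token in parts[2:]:
            if token.lower() == "all":
                continue                              # "deny from all" is not a range
            nets.append(ipaddress.ip_network(token, strict=False))
    return list(ipaddress.collapse_addresses(nets))


def matching_network(ip: str, nets: Iterable[ipaddress.IPv4Network]) -> Optional[str]:
    """Return the blocked range containing ``ip``, or None if it is allowed."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return str(net)
    return None


def split_sources(ips: Iterable[str], nets) -> tuple[list[str], list[str]]:
    """Partition observed source addresses into (blocked, allowed)."""
    blocked, allowed = [], []
    for ip in ips:
        (blocked if matching_network(ip, nets) else allowed).append(ip)
    return blocked, allowed


def to_nft_set(nets, set_name: str = "asia_block") -> str:
    """Render the ranges as an nftables ruleset (set name is an assumption)."""
    elements = ", ".join(str(n) for n in nets)
    return (
        "table inet filter {\n"
        f"    set {set_name} {{\n"
        "        type ipv4_addr\n"
        "        flags interval\n"
        f"        elements = {{ {elements} }}\n"
        "    }\n"
        "    chain input {\n"
        "        type filter hook input priority 0; policy accept;\n"
        f"        ip saddr @{set_name} drop\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    nets = parse_deny_networks(BLOCKLIST_TEXT)
    # Constructed connection attempts; the last one models a domestic VPN exit.
    sources = ["58.15.200.7", "202.100.1.1", "124.50.87.161",
               "124.50.87.162", "198.51.100.23"]
    blocked, allowed = split_sources(sources, nets)
    print("blocked:", blocked)
    print("allowed:", allowed)
    print(to_nft_set(nets))
```

The `allowed` list is the practical caveat: an attacker who relays through an address outside the listed regions passes straight through, so a list like this trims noise at the perimeter but is not a control against a determined party. Run the generated ruleset with `nft -f` on the firewall instead of matching in Apache when the device count matters.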


----------



## Silverback (Jan 20, 2014)

One of the services I manage is a Windows service running in the background, much like Stuxnet. It checks into a regional server every 5 minutes for orders. Those orders can be anything I want, from fixing an SQL DB, to downloading and installing a program, to, hell, a DoS attack if I wanted.

It is the very definition of a botnet and it is simple to maintain and control. When I apply a new update to our networks I watch it check in with 3-400 clients at once, download and run the updates I ask it to. Imagine if I wanted to propagate it to more clients. The sheer bandwidth and CPU power I could have available to do DoS or shit... mine bitcoin (I may or may not have done that). I.... feel my peripheral vision blurring..... My driving skills diminish... a sudden hunger for PHO... or hell I am becoming evil.... Chinese even.... ARRRGGHHSGSHHGGEHESSSS..... 這他媽的狗屎 ("this fucking shit")
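An added example, not code from Silverback's post: the check-in behaviour he describes (a client asking a regional server for orders every 5 minutes) is what detection engineers call beaconing, and it is visible in proxy or firewall logs as a host talking to one destination at near-constant intervals. The script below parses constructed log lines, groups connections by source/destination pair and flags pairs whose inter-arrival gaps are regular. The log lines, the hosts and the name `regional-c2.example` are all made up for the example.

```python
"""Added example (not part of the forum post): find hosts that phone home
on a fixed interval from proxy-style log lines."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed log: <timestamp> <source host> <destination host:port>
LOG_LINES = """\
2014-03-11T08:00:02 10.0.0.5 regional-c2.example:443
2014-03-11T08:00:10 10.0.0.9 www.example.net:443
2014-03-11T08:00:12 10.0.0.9 www.example.net:443
2014-03-11T08:00:13 10.0.0.9 www.example.net:443
2014-03-11T08:03:40 10.0.0.9 www.example.net:443
2014-03-11T08:05:01 10.0.0.5 regional-c2.example:443
2014-03-11T08:10:04 10.0.0.5 regional-c2.example:443
2014-03-11T08:11:05 10.0.0.9 www.example.net:443
2014-03-11T08:11:06 10.0.0.9 www.example.net:443
2014-03-11T08:14:59 10.0.0.5 regional-c2.example:443
2014-03-11T08:20:03 10.0.0.5 regional-c2.example:443
2014-03-11T08:22:30 10.0.0.7 regional-c2.example:443
2014-03-11T08:25:00 10.0.0.5 regional-c2.example:443
2014-03-11T08:29:58 10.0.0.5 regional-c2.example:443
2014-03-11T08:30:00 10.0.0.9 www.example.net:443
2014-03-11T08:35:02 10.0.0.5 regional-c2.example:443
2014-03-11T08:40:15 10.0.0.7 regional-c2.example:443
"""


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Turn the constructed three-column log into (timestamp, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return events


def find_beacons(events, min_hits: int = 6, max_jitter: float = 0.10) -> dict:
    """Return {(src, dst): period_seconds} for pairs that beacon.

    A pair qualifies when it has at least ``min_hits`` connections and the
    coefficient of variation of its inter-arrival gaps (population stddev
    divided by mean) is no larger than ``max_jitter``: a human browsing
    produces bursts and long pauses, a timer produces near-equal gaps."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[pair] = round(mean)
    return beacons


if __name__ == "__main__":
    for (src, dst), period in find_beacons(parse_log(LOG_LINES)).items():
        print(f"{src} -> {dst}: check-in every ~{period}s")
```

Two caveats a practitioner would add. First, a legitimate management agent like the one in the post beacons in exactly this way, so the output is a list of candidates to reconcile against known agents, not a verdict. Second, an attacker who adds random sleep between check-ins raises the jitter; loosen `max_jitter` and look at the distribution of gaps rather than a single threshold when hunting for that.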


----------



## rebroome (Jan 16, 2014)

Silverback said:


> Yea rebroome, I remember that, I personally had to add the above to 5-600 devices. THANK GOD for global management systems. The above is all the subnets assigned to the region in and around China; adding these block lists makes your router/firewall drop ALL packets, which means they get nowhere when attacking your equipment.
> 
> I do fear the admins that are not proactive from threats foreign or domestic. There is a war out there that is not only fought with boots but with keyboards as well.


IMHO -- The next war will be a cyber war that starts with a cyber Pearl Harbor. Quite possibly with all the probing of our systems, this has already been put into place. It is just a matter now of when they decide to launch.


----------



## Silverback (Jan 20, 2014)

If I had to guess at a time of attack, refer to this page.

Windows Xp End Of Support Countdown Clock | CountingDownTo.com

If they have been working this long to probe and prepare an attack infrastructure, I would assume they would lose quite a bit of power in their attack when these machines begin to come offline.


----------



## Inor (Mar 22, 2013)

One thought that has kept reoccurring to me the last few years is what is to stop China (or Vietnam) from inserting malicious code into the firmware of devices manufactured there? Virtually every piece of hardware now has at least some components that come from either China or Vietnam. It would not take much to insert a backdoor into the firmware of a device, especially now that a lot of firmware is written in languages like Java or .NET which can easily be decompiled, modifications made, and recompiled. Firewalls and other operating system safeguards would be largely ineffective against something inserted at that low level.


----------



## rebroome (Jan 16, 2014)

Inor said:


> One thought that has kept reoccurring to me the last few years is what is to stop China (or Vietnam) from inserting malicious code into the firmware of devices manufactured there? Virtually every piece of hardware now has at least some components that come from either China or Vietnam. It would not take much to insert a backdoor into the firmware of a device, especially now that a lot of firmware is written in languages like Java or .NET which can easily be decompiled, modifications made, and recompiled. Firewalls and other operating system safeguards would be largely ineffective against something inserted at that low level.


If you just sit and think for a moment, what controls and safeguards do we have that are a true capability to screen off-shore development like this? I am not comfortable that we are doing much at all to effectively screen. I am sure the government will say they do, but are they technologically competent enough? I'm skeptical.


----------



## Piratesailor (Nov 9, 2012)

To Silverback's comments... The highest vulnerability is from the inside, either malicious or stupidity.


----------



## rebroome (Jan 16, 2014)

Piratesailor said:


> To Silverback's comments... The highest vulnerability is from the inside, either malicious or stupidity.


Indeed. No question about it. It is the insider threat. But... there are many malevolent bad actors out there who want to try their hand at penetrating and doing damage.


----------



## Silverback (Jan 20, 2014)

Inor said:


> One thought that has kept reoccurring to me the last few years is what is to stop China (or Vietnam) from inserting malicious code into the firmware of devices manufactured there? Virtually every piece of hardware now has at least some components that come from either China or Vietnam. It would not take much to insert a backdoor into the firmware of a device, especially now that a lot of firmware is written in languages like Java or .NET which can easily be decompiled, modifications made, and recompiled. Firewalls and other operating system safeguards would be largely ineffective against something inserted at that low level.


I'll just leave this here on a non-cyber scale.

Chinese counterfeit parts found in U.S. weapons - The Washington Post


----------



## Inor (Mar 22, 2013)

rebroome said:


> If you just sit and think for a moment, what controls and safeguards do we have that is a true capability to screen off-shore development like this? I am not comfortable that we are doing much at all to effectively screen. I am sure the government will say they do, but are they technologically competent enough? I'm skeptical.


I am not sure much, if anything, _could_ be done. Even if all of the software/firmware development is happening in very secure facilities within the U.S., the compiled output of that development is still burned onto the chips in their remote manufacturing facilities in China and Vietnam. Although it would be tedious as hell, that compiled byte code can be disassembled and modified before it gets set on the chip and nobody would know.

I KNOW for a fact this is possible because about 4 years ago I found a low-level bug in IBM's WebSphere server. The IBM CAC was useless in helping us fix the issue (no surprise there). So, I spent about a week of quality time with an open source tool called JAD disassembling the IBM code, locating the problem and figuring out a work-around.


----------



## Silverback (Jan 20, 2014)

Piratesailor said:


> To Silverback's comments... The highest vulnerability is from the inside, either malicious or stupidity.


Very true, just look at Snowden or Feinstein. I actually like Snowden and think he is a patriot, but he did unveil much to us. My response to this thread is one-dimensional as it was talking about an attack from China out of Beijing.

I did not get into logless VPNs in the homeland as a bounce attack or anything you can do to prevent that, I felt jumping into too much detail would diminish a simple point of protection against attacks originating from Asia.


----------



## rebroome (Jan 16, 2014)

Silverback said:


> Very true, just look at Snowden or Feinstein. I actually like Snowden and think he is a patriot, but he did unveil much to us. My response to this thread is one-dimensional as it was talking about an attack from China out of Beijing.
> 
> I did not get into logless VPNs in the homeland as a bounce attack or anything you can do to prevent that, I felt jumping into too much detail would diminish a simple point of protection against attacks originating from Asia.


On the other hand.....go for it. China was just an example I wanted to use, but there is Iran, Syria, North Korea, Russia....and as you all know, I could keep going on, adding to the list. To me it is the issue of preparedness, in general, against something like this and it does merit a wider discussion than in my original post. All of this is an interesting discussion.


----------



## James m (Mar 11, 2014)

A malicious Windows update for a botnet


----------



## Silverback (Jan 20, 2014)

It's a hard topic to jump into blindly, but if I wanted to keep with this theme, let's talk about Smart Meters.

SmartMeter Network: How It Works

Here is what is used in my area, these feature remote shutoff. How are they connected? It's called an RF Mesh meaning they piggyback the connection and information to all their in reach peers until they reach a local access point (Receiver) that is then uploaded to PGE. How hard would it be to layout an RF Spoof in a neighborhood to poison this RF Mesh and turn off all the local smartmeters? Or just take over the IP based RF Access point and turn off the city block.. meaning... no power and PGE shrugging shoulders.

If you want thoughts on a direct topic just let me know which.


----------



## bad (Feb 22, 2014)

Silverback (or others)
A bit OT
I have been using ubuntu linux, how does that compare on security to other computer systems.


----------



## James m (Mar 11, 2014)

Linux takes getting used to. But I found a video online on YouTube where Linus Torvalds' father talks about a forced NSA or government back door.


----------



## oldmurph58 (Feb 8, 2014)

I used Ubuntu for a few years on my last computer and never had a virus that I knew of. Windows, Norton is always telling me I just had an attack and they blocked it.


----------



## Silverback (Jan 20, 2014)

Ubuntu is just a shell for Linux, much like Red Hat or any other. I use Linux on a virtual machine farm and really like how stable it is.

Security wise, however, that is in the eyes of the beholder.

Since Windows 8 there is no need for a 3rd party antivirus or firewall, but people still use them. What really matters is a layered security model.

Layer 1: Physical (Think wiring to and from the router and network cards)
Layer 2: Data Link (Non-routable connection detection, think ARP (translates IP to Media Access Codes))
Layer 3: Network (IP network delivery, this is routable using RIP, IGRP and other routing protocols)
Layer 4: Transport (This is the base protocol used to transport data, for IP it is typically TCP (connection oriented with data correction) or UDP (quick, connectionless))
Layer 5: Session (You begin to jump into securing a line here by use of Virtual Private Networks or Secure Socket Layers)
Layer 6: Presentation (This is the framework you build on to show your data, think ASP or .NET or HTML5)
Layer 7: Application (This is the programmed interface a user runs on)

When you talk operating systems like Ubuntu you are actually talking layers 5-7, which skips security on layers 1-4; those are handled by hardware firewalls, packet scanners, intrusion detection systems, network-layer antivirus, all of which need to be handled by your ISP or network admin for a bigger business. MOST if not ALL attacks should end HERE in layers 1-4. They are only prevented in layers 3-5 and if they get to layers 6-7 you have already lost. The operating system you choose after that is up to you.

Someone mentioned Norton, that actually operates on layer 6 and 7 of this model.... It, along with McAfee, are jokes among people deeper in the business. The warnings you see are more for show than actual attacks, and if you are getting too many of them then you may already have spyware or installed an app to do that to you. Just download Malwarebytes from ninite.com, update it and scan. Reboot and it will be good as new. Windows 8's included Defender and Firewall package starts early in the OS load, much earlier than Norton does, which enables it to protect and stop viruses that attack on system load when the system is most vulnerable.

In short, what I am trying to say is Linux-based operating systems are nice; since they do not have a big user base they are attacked less. However, an OS is the end of security, not the beginning; hopefully this model and explanation help clarify.


----------



## Piratesailor (Nov 9, 2012)

Silverback said:


> Its a hard topic to jump into blindly, but if I wanted to keep with this theme lets talk about Smart Meters.
> 
> SmartMeter Network: How It Works
> 
> ...


I recently retired from a global consulting firm. My specialty was energy - oil and gas and utilities. In my group we had top notch security people. If the public only knew.

Just an aside, years ago I had a crackerjack white hat working for me... And I'm glad he did. He was 12 for 12 with bank pen tests. I won't even begin to tell you about an airline. The good thing was that after every test, the businesses learned and shored up their vulnerabilities. And they run constant tests which also help.


----------



## Silverback (Jan 20, 2014)

We constantly have to run penetration testing at my main hubs. While we constantly pass in layers 1-5, my programmers occasionally screw up in 6-7. Luckily we have a 14 day revolving schedule and any hole is found and closed rather fast. At least I hope they are, no one can be completely sure now days.


----------



## James m (Mar 11, 2014)

It would be interesting to hear if anyone knows anything about government back doors.
I'm taking I.T. right now. I took desktop support twice and have a certification, then I took three server classes and a Linux class. It's test-out and in-person classes. They were recruiting for a type of security club where you have a section and try your hand at cracking. People said they give you all of the tools you need and give you an ethical hacking handbook or speech. I need a security class but they are hard to get into because there's also a computer forensics track too, so a lot of people are competing for spots. I take Cisco in August. I also applied to be an NSA summer intern and got a response. I sent a resume and they wanted a transcript so I sent that and that was the last I heard. They are probably watching us right now.


----------



## Silverback (Jan 20, 2014)

Start learning about Secure Shell, then work your way up to social hacking. When Piratesailor was saying the biggest threat was from within, I believe he was implying PEBKAC issues or... easier to understand, incompetent users. Sometimes they do not realize what they are doing or, worse, who they are talking to. When I need direct access to a server it is not uncommon for me to call and get access from an unwitting employee who knows me from Adam. While I have a legal right to get a connection, you could call that same person and they would give you access without asking questions. Social hacking is a primary tool in a "white hat's" arsenal.

When you get into worries about firmware, routers or gaining access on the network level you are normally talking SSH attacks, ARP or route cache poisoning on switches; then you move up to layer 6-7 authentications like Kerberos spoofs for tokens or dumping SAM files to get credentials. As far as government vs private sector back doors, they really are the same thing and are only differentiated as to IP location. Nowadays most business requires some level of remote access. Use social hacking to find out what those access points are (RDC? Website? Custom app?), what layer 5 systems are used to secure it (VPN? SSL?) and if you can get credentials or access on a machine that has privileges that can gain them.

A proper admin not only monitors his perimeter but also secures the interior by allowing users to have the least amount of access to systems needed to get the job they need to do done. This reduces or mitigates the effects of social hacking. It also allows the tracking of attacks that have happened and the damages to be easier to follow.


----------



## James m (Mar 11, 2014)

http://splashdata.com/press/worstpasswords2013.htm

It's just dumb.
Oph with rainbow tables. Don't know if I should have shared that.
We had a guest speaker from Egypt during the spring. He said they used Google Maps and tweeted coordinates to NATO. Lol.
The guy from Egypt said about shutting down DNS but not everything. Then there's the Tor Project browser.
Remote assistance. It's in everything, mostly Windows.
Live CDs and DVDs. USB stick with an O.S. like Linux or Windows, bootable. Ultimate Boot CDs for fixing stuff.
Tell init 6
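An added example, not code from James m's post: it ties the two things he mentions together, the "worst passwords" list and cracking with rainbow tables (the technique behind Ophcrack). A rainbow table is a precomputed map from hash to password, so it recovers any unsalted hash of a list-topping password instantly; a per-user salt forces the attacker to redo the work for every victim, and a slow KDF makes each guess expensive. The word list below is a constructed subset of such a list, and plain SHA-256 stands in for the unsalted hash types rainbow tables are built for.

```python
"""Added example (not part of the forum post): precomputed-table lookup
against unsalted hashes versus a salted, iterated hash."""
import hashlib
import os
from typing import Iterable, Optional

# Constructed subset of a "worst passwords" list.
WORST_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123"]


def unsalted_hash(password: str) -> str:
    """Fast, unsalted digest: the same password always hashes the same way."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(words: Iterable[str]) -> dict[str, str]:
    """Precompute digest -> password once; the table is reused against
    every stolen database that used the same unsalted scheme."""
    return {unsalted_hash(w): w for w in words}


def lookup(digest: str, table: dict[str, str]) -> Optional[str]:
    """Constant-time-ish recovery: no hashing at attack time at all."""
    return table.get(digest)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256. The salt makes the digest unique per user, so no
    precomputed table applies; the iteration count prices each guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def guess_salted(digest: str, salt: bytes, words: Iterable[str],
                 iterations: int = 100_000) -> Optional[str]:
    """Dictionary attack that has to be repeated for every salt. It still
    succeeds when the password is on the list: salting defeats the table,
    not the weak password."""
    for w in words:
        if salted_hash(w, salt, iterations) == digest:
            return w
    return None


if __name__ == "__main__":
    table = build_table(WORST_PASSWORDS)

    stolen = unsalted_hash("123456")              # unsalted store
    print("unsalted lookup:", lookup(stolen, table))

    salt = os.urandom(16)                          # per-user random salt
    stolen_salted = salted_hash("123456", salt)
    print("table lookup on salted hash:", lookup(stolen_salted, table))
    print("per-salt dictionary attack:", guess_salted(stolen_salted, salt, WORST_PASSWORDS))
```

The three printed results show the point in order: the table recovers the unsalted hash with zero work, the same table is useless against the salted one, and a per-salt dictionary run still recovers "123456" because the weakness moved from the storage scheme to the password itself.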


----------



## Inor (Mar 22, 2013)

Silverback - 

Just to throw this out as food for thought... Your layered description is a very good description of how security is currently implemented. But, I believe there is one glaring hole in how we are presently implementing security. In the layered description, every layer depends on the layers below it being secure. For example, when I develop a web application, I do not even consider whether HTTPS has been compromised. Admittedly, with our present toolset there is not a whole lot I can do to determine that, let alone do anything about it. 

For protecting against an average attacker, that philosophy works fine, since 99.9% of the attacks are criminals trying to steal identity information or proprietary company information to sell for money. In other words, after a successful exploit the attacker will usually use the exploit fairly quickly to get whatever they are after - usually within a year or two.

But, what about the case where a foreign government successfully penetrates a network at a very low level? I am talking about an exploit within the firmware of a device, such as a printer or a card reader. An exploit like that may go undetected for years and no matter how much security is implemented in the layers above it, the hole would remain open.

Obviously, an attack like that would be FAR too expensive and take too long for a criminal enterprise to profit from. But a foreign government?

Network admins generally do a pretty decent job of protecting our networks from human beings sitting at a keyboard or a tablet and trying to illegally access network resources. But what if the attack is initiated by the firmware in that old HP LaserJet sitting in the corner of the Accounting department?


----------



## Silverback (Jan 20, 2014)

James m said:


> "Password" unseated by "123456" on SplashData's annual "Worst Passwords" list
> The guy from Egypt said about shutting down dns but not everything.


Shutting down DNS can get pretty scary. All records have a TTL (time to live) which can be anywhere from 5 minutes to 48 hours, depending on how stable the domain-to-IP mapping is and whether they want to get stormed or not on highly used domain names. I run a few nameservers (shit, when I start to think about it I do nearly everything....). These name servers went down once and hosted the records for 500-ish domains. The fallout: loss of connection to not only websites but mail service, SMS, anything that relied on a service record in the name server associated with the domain name went down. A proper attack on a name server could shut down everything, as most everything, and I do mean EVERYTHING, relies on a domain name for service.
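As an added illustration of the TTL point above (example code written for this thread, not Silverback's own name servers): a toy caching resolver in front of an authoritative server that can be taken offline. The record, the name `mail.example.test.` and the address are constructed; the 5-minute and 48-hour TTLs are the two ends of the range mentioned in the post.

```python
"""Toy DNS cache showing how a record's TTL decides how long clients keep
resolving a name after the authoritative name server goes down.
Added example; the server, names and addresses are constructed."""


class AuthoritativeServer:
    """Stand-in for the name server that hosts the zone (constructed data)."""

    def __init__(self, records):
        self.records = records      # name -> (address, ttl_seconds)
        self.online = True

    def query(self, name):
        if not self.online:
            raise ConnectionError("authoritative server unreachable")
        if name not in self.records:
            raise LookupError("NXDOMAIN " + name)
        return self.records[name]


class CachingResolver:
    """Recursive resolver that answers from cache until the TTL runs out."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}             # name -> (address, expires_at)

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]           # cache hit: the authoritative server is not contacted
        address, ttl = self.upstream.query(name)   # raises while the server is down
        self.cache[name] = (address, now + ttl)
        return address


def resolves_during_outage(ttl_seconds, probe_time):
    """Cache one record at t=0, take the authoritative server offline at t=1,
    and report whether a client behind the cache still resolves the name at
    probe_time (seconds after the cache was warmed)."""
    auth = AuthoritativeServer({"mail.example.test.": ("192.0.2.10", ttl_seconds)})
    resolver = CachingResolver(auth)
    resolver.resolve("mail.example.test.", now=0)   # warms the cache
    auth.online = False
    try:
        resolver.resolve("mail.example.test.", now=probe_time)
        return True
    except ConnectionError:
        return False


FIVE_MINUTES = 300
TWO_DAYS = 48 * 3600

if __name__ == "__main__":
    for ttl in (FIVE_MINUTES, TWO_DAYS):
        for t in (200, 400, TWO_DAYS + 1):
            print(f"TTL={ttl:6d}s  t={t:6d}s  resolves={resolves_during_outage(ttl, t)}")
```

The short TTL fails a few minutes into the outage, the long one keeps serving for two days, which is the trade-off the post describes between being able to move a domain quickly and surviving a name server loss. Note that the cache only helps clients that already looked the name up; a client with a cold cache fails at the first query regardless of TTL, which is why mail and SMS gateways that resolve a fresh name per message notice an outage immediately.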


----------



## Silverback (Jan 20, 2014)

Inor said:


> Silverback -
> 
> Just to throw this out as food for thought... Your layered description is a very good description of how security is currently implemented. But, I believe there is one glaring hole in how we are presently implementing security. In the layered description, every layer depends on the layers below it being secure. For example, when I develop a web application, I do not even consider whether HTTPS has been compromised. Admittedly, with our present toolset there is not a whole lot I can do to determine that, let alone do anything about it.
> 
> ...


Thanks Inor!

As a web developer you should be relying on your web admin for layer 5. In all web servers you set up bindings to the IP and port to listen to; this binding includes any SSL cert applied to an HTTPS connection. If a site should only be accessible over SSL there should be no HTTP binding in place. If done correctly you would never have to worry about layers 1-5 in your programming, BUT you have to have a respectable tech in charge of that. Your charge is purely in layers 6-7. Since you are working on a web app, as you know your concentration is tightening your app against DB injection techniques and the ways they would use unsecured forms to gain access to tables and information through typical POST requests in the app.

For a further explanation, let's say I wanted to have this board, which is layer 7. I would first test the posts to see if I can gain information on table structure... this takes a bit of post/delete to get the table name and columns, but an attack post would look like this...

```asp
Set RecUsers = Server.CreateObject("ADODB.Recordset")
RecUsers = 'Select * from Users'
Do Until RecUsers.EOF
<%=Username%><%=Password%><%=SecurityLevel%>
RecUsers.Movenext
loop
```

This would search the DB for a Users table and try to guess column names like Username and Password, then dump them in the post after posting. This is a lot of guesswork and can be easier if you look at the page source for unhidden code for clues, but once you figure out the columns you can add something like...

```asp
Set RecUser = Server.CreateObject("ADODB.Recordset")
RecUser.Open "SELECT * FROM Users", Connect
RecUser.addnew                          ' This adds a new user with the right name you figured out
RecUser("Username") = Silverback
RecUser("Password") = 123456            ' haha
RecUser("SercurityLevel") = Admin
RecUser.update
```

And congratulations, you now have an admin-level user on this board with which you can do whatever you want in the Admin Control Panel. This is just an example of a layer 7 attack, and it takes time. Social hacking is much, much easier. Get the clues you can, then hack. This is just an example of how it can happen.... Do not read into it.

As far as firmware exploits, why do you think the US does not want Chinese parts in our planes? It is a threat on the level of Secure Shell and up. Layer 2-3 switches help in securing that type of threat, but hey, your switch may end up being the threat.

Edit: to make this type of hack easier, I noted at the bottom of the forum it's "Powered by vBulletin® Version 4.2.0". Install this on your own server to find the DB structure and DB connection command strings to find out the details, then come back to the board you want to hack armed with more knowledge of it.
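The injection discussion in this post is about the layer 6-7 work a web developer owns. As an added example (not code from the thread or from vBulletin; Python's built-in `sqlite3` stands in for the board's database, and the table and accounts are constructed), here is the same user lookup written the injectable way and the parameterized way, plus the least-privilege check mentioned earlier in the thread applied to the database connection, so a read-only code path cannot be turned into the "add an admin" step above even if the query itself is subverted:

```python
"""Added example (not code from the thread): the same user lookup written
the injectable way and the parameterized way, plus the least-privilege
check that keeps a read path from ever creating an admin account.
The table and accounts are constructed; sqlite3 stands in for the board's
database."""
import sqlite3


def build_db():
    """Constructed sample schema modelled on the Users table discussed above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, security_level TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "Admin"), ("bob", "hash-b", "User")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable form: the form field is pasted into the SQL text, so quote
    characters in the input become part of the query grammar."""
    sql = "SELECT username, security_level FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened form: the value travels as a bound parameter and can only ever
    be compared as data, whatever characters it contains."""
    sql = "SELECT username, security_level FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def open_read_only(conn):
    """Defense in depth for the read path: SQLite's query_only pragma makes
    every write on this connection fail, so even a successful injection
    cannot insert or promote an account through it."""
    conn.execute("PRAGMA query_only = 1")
    return conn


def can_write(conn):
    """Probe whether the connection may modify the users table."""
    try:
        conn.execute("INSERT INTO users VALUES ('mallory', 'x', 'Admin')")
        conn.commit()
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"   # the textbook test input every scanner tries first
    print("unsafe:", lookup_unsafe(db, probe))   # every row comes back
    print("safe:  ", lookup_safe(db, probe))     # nothing is named that literally
    print("writable after query_only:", can_write(open_read_only(db)))
```

The textbook probe returns the whole table from the concatenated query and nothing from the parameterized one, because the bound value is compared as a string rather than parsed as SQL. The `query_only` pragma is SQLite-specific; on a server database the equivalent is a separate account for the read path with only SELECT granted on the tables it needs, which is the "least amount of access to get the job done" rule from earlier in the thread applied to the application's own credentials.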


----------



## Inor (Mar 22, 2013)

Silverback said:


> Thanks Inor!
> 
> As a web developer you should be relying on your Web Admin for layer 5. In all Web Servers you setup Bindings to IP and port to listen too, this Binding includes any SSL Cert applied to an HTTPS connection. If a site should only be accessible to SSL protected sites there should be no http binding in place. If done correctly you would never have to worry about layers 1-5 in your programming BUT you have to have a respectable tech in charge of that. Your charge is purely in layers 6-7. Since you are working on a web app as you know your concentration is tightening you app against DB Injections techniques and the not they would use unsecured forms to gain access to Tables and Informations thru typical post protocols in the App.
> 
> ...


I understand completely what you are saying and you are absolutely correct in defending against the most common types of attacks (usually criminals looking to steal information, etc.). What I am getting at is a more "out of the box" attack that could be undertaken by a very well financed organization such as a government.

The MacBook that I am typing this response on was likely assembled in China. I am guessing most of the EPROM code for the video and the BIOS was probably written in California, but it was likely burned onto the chips wherever the chips were grown (likely Intel's facility in India or China). If that BIOS code was tampered with between the time it was created by the developer and the time it was put in the chips, there is basically nothing that could be done with an operating system or an application to secure that device. Has something like that happened yet? There is really no way to know.

I know it is kind of tin foil hat stuff. But if I were a foreign government looking to seriously disrupt networks within the U.S., that is the type of attack I would plan and execute. It would take years to get it in place, but once done, there is basically nothing that could be done to prevent it from being successful.


----------



## Silverback (Jan 20, 2014)

You're right, I strayed into a higher-level attack, and the one you describe is the worst-case fear, like the refusal and inspections to see if we are using Chinese chips in our aircraft.

When I mentioned "Level 2-3 Switches help in securing that type of threat but hey, your switch may end up being the threat." I was actually implying the type of attack you are mentioning. Although I can add all the blacklists, whitelists, VLAN groupings, whatever I want, what if a single chip had code put into it that can circumvent that? For instance, when looking at a user login table for a switch you get a lookup like

```text
1 User Security
2 User2 Security
3 User Security
```

That lookup just grabs that which is available. Now when you talk about firmware that is updateable, you can usually read the firmware before applying it to see an attack that would include a user table that looks like

```text
-1 HiddenUser2 Security
0 HiddenUser Security
1 User Security
2 User2 Security
3 User Security
```

Since the user lookup does a count from 1 and above, the others are hidden. Anyway, that's dumb stuff; the problem is when a chip's instruction set is burnt into its ROM there is no way to verify after the fact what is there. You can only run queries against the instruction sets you expect it to have.

What you are worried about is "Red Button" instruction sets that are not detectable and burnt in while at the factory in China.

To do this type of attack they would have to 1. have the chips made with the hack instruction set and 2. have a delivery system, like, hell, the iPhone. Who's to say China can't turn off my kid's iPhone at any time due to a chip like this? All they would need is patience and a slow introduction of the new PlayStation until every household has a "Red Button" chip.

.... Who's to say that switch made in Taiwan they use in the nuclear silos can't be flipped when they want? (That's ridiculous tin hat stuff though... or is it? The thinking is the same.)
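The hidden-account table above is the part of this post a defender can actually check, as long as the firmware is readable before it is flashed. As an added example (my own code, not Silverback's or any vendor's), here is that audit: a constructed text dump stands in for the user table read out of a firmware image, `device_listing` mimics the device's own "show users" view that counts up from id 1, and `audit_hidden_accounts` walks every record in the raw table and reports the ids the listing never reaches. The file format and the role names are made up for the example.

```python
"""Added example (not from the thread): the hidden-account problem shown
above, as a defender's audit. A constructed text dump stands in for the
user table read out of a firmware image; the device's own listing walks
ids 1..n, the audit walks every record in the raw table and reports the
difference."""

# Constructed sample: one record per line, "<id><TAB><name><TAB><role>".
FIRMWARE_USER_TABLE = """\
-1\tHiddenUser2\tSecurity
0\tHiddenUser\tSecurity
1\tUser\tSecurity
2\tUser2\tSecurity
3\tUser\tSecurity
"""


def parse_user_table(raw):
    """Parse the raw dump into {id: (name, role)}, keeping every record,
    including the ones at id 0 and below that the device never shows."""
    entries = {}
    for line_no, line in enumerate(raw.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 3:
            raise ValueError(f"line {line_no}: expected 3 fields, got {len(fields)}")
        idx, name, role = fields
        entries[int(idx)] = (name, role)
    return entries


def device_listing(entries):
    """Mimic the device's 'show users' view: count up from 1 until the first
    missing id. Anything stored at id <= 0 never appears here."""
    listed = []
    i = 1
    while i in entries:
        listed.append((i,) + entries[i])
        i += 1
    return listed


def audit_hidden_accounts(raw):
    """Compare what the device would show with what the table holds and
    return the ids the listing never reaches, sorted."""
    entries = parse_user_table(raw)
    shown = {i for i, _name, _role in device_listing(entries)}
    return sorted(i for i in entries if i not in shown)


if __name__ == "__main__":
    for row in device_listing(parse_user_table(FIRMWARE_USER_TABLE)):
        print("device shows:", row)
    print("hidden ids:", audit_hidden_accounts(FIRMWARE_USER_TABLE))
```

The general rule the example shows is to never trust the device's own view of its account table when checking an image: diff the raw table against what the management interface lists, and treat any record the interface cannot reach as a finding. As the post says, this only works on updateable firmware you can read; for code burnt into mask ROM there is nothing to read back, which is exactly Inor's worry.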


----------



## James m (Mar 11, 2014)

I was told by two professors in my program that this has already happened. Copy machines made in China were used in a top secret program and data was lost, but I'm unable to find any links on this. I was also told about flash drives in the Pentagon's parking lot. A supposedly lost flash drive was found and plugged in. Then software was automatically loaded or something.


----------



## Smitty901 (Nov 16, 2012)

It would only make sense. In China there is no divide between the government and the military. It is called the People's Army.
They would be a big part of any government spying or data collection system.


----------



## rebroome (Jan 16, 2014)

As the one who started this thread, I find this discussion, albeit a little technical for some of the readers, is really, really excellent. I have the education and technical background to follow it. I do appreciate the clear effort by so many of you to bring some solid and deep thinking to this discussion.

But....here is a new development for you.

U.S. to relinquish remaining control over the Internet - The Washington Post

Good news or bad news?


----------



## Silverback (Jan 20, 2014)

rebroome said:


> As the one who started this thread, I find this discussion, albeit a little technical for some of the readers, is really, really excellent. I have the education and technical background to follow it. I do appreciate the clear effort by so many of you to bring some solid and deep thinking to this discussion.
> 
> But....here is a new development for you.
> 
> ...


Oh man.... We discussed DNS attacks earlier. This paves the way for that. ICANN (Internet Corporation for Assigned Names and Numbers) is the authority for all domain names. EVERYONE you buy a domain name from remotes to them. An FQDN (fully qualified domain name) looks like google.com. Notice the "." behind the com? That's the ROOT ICANN runs; they then attach .ORG, .COM, .NET and any prior root domain to their root, and domains are sold to the public off those. ICANN keeps track of who holds what; they control the security for name server pointing. EVERYTHING DNS is watched, secured and controlled by them.

So if you want to give a foreign power a way to hack the DNS... simple... give them root access, or in this case ".".

My vote is: bad idea.

Edit line...

I mentioned the ICANN address was root ".", so look at this as well.

```text
military.us.gov.
whitehouse.gov.
```

Notice what is the first to control those domain names? ICANN's root ".". So to turn them off, just kill the initial lookup at root for anything .gov. Military, White House, all go down and can only be accessed by direct IP, and since most web servers require host headers (IPv4 has limited IPs, so multiple websites are run on the same IP but the domain name is compared to deliver the appropriate content) the direct IP would not work since it has no domain name lookup attached.
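To make the two mechanisms in this post concrete, here is an added example (my own code, not the thread's and not how any real resolver or ICANN system is implemented): an iterative walk from the root "." down a constructed delegation tree, a function that removes one delegation at the root to model the ".gov lookup killed at root" scenario, and a tiny name-based virtual host lookup showing why a bare IP is no fallback when two sites share one address. All zones, name server names and addresses are made up; the `.test` TLD and `192.0.2.x` addresses are reserved for documentation.

```python
"""Added example (not from the thread): an iterative walk from the root '.'
down a constructed delegation tree, and a name-based virtual host lookup,
to show the two points above: cutting the root's delegation for a TLD takes
every name under it offline, and a bare IP is no fallback when the server
picks its site from the Host header. All zones, servers and addresses are
made up."""
import copy

# Constructed delegation tree: zone -> {child label: name server for it}.
ZONES = {
    ".": {"gov": "ns.gov-servers.test.", "com": "ns.com-servers.test."},
    "gov.": {"whitehouse": "ns.whitehouse.gov.", "us": "ns.us.gov."},
    "us.gov.": {"military": "ns.military.us.gov."},
    "com.": {"example": "ns.example.com."},
}

# Constructed authoritative answers for the leaf names.
ADDRESSES = {
    "whitehouse.gov.": "192.0.2.1",
    "military.us.gov.": "192.0.2.1",   # same IP as whitehouse.gov.: shared host
    "example.com.": "192.0.2.2",
}


def to_fqdn(name):
    """Normalize to the fully qualified form with the trailing root dot."""
    return name if name.endswith(".") else name + "."


def resolve(name, zones=ZONES, addresses=ADDRESSES):
    """Walk the delegation chain label by label starting at the root and
    return (address, trace). Raises LookupError where a zone has no
    delegation for the next label, which is where a cut at the root lands."""
    fqdn = to_fqdn(name)
    zone = "."
    trace = []
    for label in reversed(fqdn.rstrip(".").split(".")):
        delegations = zones.get(zone)
        if delegations is None or label not in delegations:
            raise LookupError(f"{zone} has no delegation for '{label}'")
        trace.append((zone, label, delegations[label]))
        zone = label + "." + ("" if zone == "." else zone)
    if zone not in addresses:
        raise LookupError(f"no address record for {zone}")
    return addresses[zone], trace


def resolves(name, zones=ZONES, addresses=ADDRESSES):
    """True if the walk completes, False if any delegation is missing."""
    try:
        resolve(name, zones, addresses)
        return True
    except LookupError:
        return False


def without_delegation(zones, parent, label):
    """Return a copy of the tree with one delegation removed, i.e. the
    'kill the initial lookup at root for anything .gov' scenario."""
    pruned = copy.deepcopy(zones)
    pruned[parent].pop(label, None)
    return pruned


# Name-based virtual hosting: two sites share 192.0.2.1 and are told apart
# only by the Host header the client sends (constructed).
VHOSTS = {"whitehouse.gov": "whitehouse site", "military.us.gov": "military site"}


def serve(host_header):
    """Return (status, body) for a request; a request by bare IP carries no
    site name, so the server cannot pick a site for it."""
    if host_header is None or host_header not in VHOSTS:
        return 404, "no site bound to this Host"
    return 200, VHOSTS[host_header]


if __name__ == "__main__":
    print(resolve("military.us.gov"))
    cut = without_delegation(ZONES, ".", "gov")
    print("whitehouse.gov. after the cut:", resolves("whitehouse.gov.", cut))
    print("example.com. after the cut:", resolves("example.com.", cut))
    print(serve("whitehouse.gov"), serve("192.0.2.1"), serve(None))
```

With the `gov` delegation removed from the root, both `whitehouse.gov.` and `military.us.gov.` fail at the very first step of the walk while `example.com.` is untouched, which is the blast radius the post describes. The `serve` function shows the second half: a client that typed the IP sends either no Host header or the IP literal as the Host, and the server, which only knows its sites by name, has nothing to match. In practice resolvers also cache the root and TLD delegations with long TTLs (the earlier TTL discussion applies here too), so a cut at the root is felt gradually rather than instantly, but the dependency is the same.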


----------



## rebroome (Jan 16, 2014)

Silverback said:


> Oh man.... We discussed DNS attacks earlier. This paves the way for that. ICANN (Internet Corporation for Assigned Names and Numbers) Is the authority for all domain names. EVERYONE you buy a domain name from remotes to them. a FQDN (Fully Qualified domain name) looks like google.com. notice the "." behind the com? Thats the ROOT ICANN runs, they then attach .ORG .COM .NET and any prior root domain to their root and domains are sold to the public off those. ICANN keeps track of who holds what, They control the security for name server pointing. EVERYTHING DNS is Watched, Secured and Controlled by them.
> 
> So if you want to give a foreign power to hack the dns... simple... give them root access or in this case "."
> 
> My vote, is bad idea.


Yeah. Real bad news. I was being a little disingenuous when I asked "Good News or Bad News." You have to remember I am a college professor now, so I ask my students these kinds of questions to elicit their thinking. This just opens Pandora's Box in my view. This Obama administration is just inept. Must have been a political decision to please some donors or constituency. It really sets us all up for a major cyber catastrophe in the future. "Man"..... is right. My beer light just went on. I am getting a beer and staring out of the window for a while.


----------



## Silverback (Jan 20, 2014)

I asked one of my underlings what he thought of this, and he is a pretty decent tech, but he just does not understand why this is a bad idea. If people respect his knowledge, not knowing he had no idea there was a root "." behind com, normally hidden... his advice would be taken as good and the idea passed. In reality my underling's decision just created a huge security hole due to his ineptness. I think Obama has technical advisors like my underling....

Reposting my edit:
I mentioned the ICANN address was root ".", so look at this as well.

```text
military.us.gov.
whitehouse.gov.
```

Notice what is the first to control those domain names? ICANN's root ".". So to turn them off, just kill the initial lookup at root for anything .gov. Military, White House, all go down and can only be accessed by direct IP, and since most web servers require host headers (IPv4 has limited IPs, so multiple websites are run on the same IP but the domain name is compared to deliver the appropriate content) the direct IP would not work since it has no domain name lookup attached.


----------



## Silverback (Jan 20, 2014)

I like Rebroome's idea; this news actually makes me want to drink. I'll be back... later.


----------



## rebroome (Jan 16, 2014)

Silverback said:


> I like Rebroomes idea, this news actually makes me want to drink. I'll be back... later.


Sometimes.....when you really think about all that is spinning out of control.......you just want to have a beer or... two...or... three... and stare out the window.


----------



## Silverback (Jan 20, 2014)

rebroome said:


> Sometimes.....when you really think about all that is spinning out of control.......you just want to have a beer or... two...or... three... and stare out the window.


I liked your unedited version, the eagle included. I read it, went to my back porch and started searching for a similar friend, one with wings, strong talons and a cry that will inspire me again.


----------



## StarPD45 (Nov 13, 2012)

Silverback said:


> If I had to guess at a time of attack, refer to this page.
> 
> Windows Xp End Of Support Countdown Clock | CountingDownTo.com
> 
> If they have been working this long to probe and prepare an attack infrastructure, I would assume they would lose quite a bit of power in their attack when these machines begin to come offline.


The scary part is how many government agencies are still using XP. Probably a lot more than we think.


----------



## Montana Jack (Feb 27, 2014)

The challenge for the United States is constant vigilance. The bad guys only have to be successful 1 time out of 100. We have to be successful 100 times out of 100.

Reminds me of the story a few days ago of that kid who snuck into the World Trade Center and got to the top. The guard at the top was asleep. What a fitting metaphor for America.


----------

