I really do not understand how the origin country of the attack can be so quickly identified, and how, based on that, it gets attributed to the government of said country. The source IP of an attack usually tells you absolutely nothing about the origin; it's typically a hacked server or a desktop, which can be in China or in France just the same.
I also heard on the news the so-called "security experts" claim that certain "patterns" in the attack allow them to attribute it to a specific group of hackers. Anyone who's dealt with security for real knows that there are no patterns (just like there really are no hacker groups).
In 99.9% of these cases the best you can do is identify and close the hole they used and any others they've left behind, assess the damages and notify the affected people. You will never find who did it, from where and why.
It could boil down to having other intelligence fingering China, but the US doesn't want to expose and consequently draw attention to the source of the information.
If the US doesn't have some 99.9999% assurance it was China and they made a statement like that with egg still on their face from the breach, it's pretty sad. I don't rule it out, but the US probably has more common sense than that. From a technical perspective, it sure was a fast "investigation".
The DoD/OPM/FBI would not reveal who the attacker is at all. Think about this for a second: why the hell would they reveal the fact that they could attribute an attack to China? That stuff is kept secret, because that's how the intelligence agencies work. The US has a global cybersecurity strategy, so they are setting the precedent that they can hold nations responsible for cyberattacks, and this became apparent with the North Korea/Sony attack attribution debacle.
Funny particularly because I did not defend America.
Not only did I not defend them, but I actually left open the possibility that they're lying— explicitly! And I suggested they might (hah!) be doing the same thing the Chinese allegedly did (hacking/spying/etc).
Based on the Snowden files, it seems completely plausible that the US has the capability to determine the origin of the hack. Of course, we all know that having a Chinese IP is not proof of origin, but what about network flows? The NSA has sensors all over the world analyzing traffic. They even have a limited history they can query. What if they could determine the endpoint of the data and see that there was nothing connected to that endpoint at the same time, sending the same amount of traffic (using it as a proxy). You might think this would be extremely hard, since there is so much data on the net, but if they had some implants on some routers watching a particular hotspot, they could reasonably make the determination that the attack originated from fingers on a keyboard there.
And let's talk about implants. The NSA has installed malware in China, we can agree on that, right? So if they can see that a known Chinese dumpsite has the stolen data, it's pretty obvious that China was involved somehow. Maybe they have hard drive firmware that constantly scans drives for particular strings and when found, it calls home. Inside the stolen data files were some of those strings.
With all the money spent on the NSA's infrastructure and the stakes involved in agitating a powerful nation, it stands to reason that they have made proper attribution a high priority. These guys aren't just looking at source IPs in a pcap and calling it a day.
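The flow-correlation idea in the comment above (find the host the stolen data was sent to, then check whether a matching volume left that host for somewhere else shortly afterwards) is easy to sketch. The following is an added example, not code from anyone in this thread: it walks a chain of relays through a list of constructed NetFlow-style records by pairing each inbound transfer with an outbound one of nearly the same size inside a short time window. Host addresses, byte counts, the `Flow` record layout, the 60-second window and the 5% size tolerance are all assumptions made up for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, as a collector would summarise it."""
    start: float   # seconds since an arbitrary epoch
    src: str
    dst: str
    nbytes: int

# Constructed sample: the victim pushes ~5 MB to a first hop, which relays it
# twice before it comes to rest on 192.0.2.33. Extra records are noise:
# a small reply to the victim, an unrelated transfer, and a large transfer
# that falls far outside the correlation window.
SAMPLE_FLOWS = [
    Flow(0.0,   "10.0.0.5",      "203.0.113.10",   5_000_000),
    Flow(1.0,   "203.0.113.10",  "10.0.0.5",           1_200),  # ACK/reply, ignored
    Flow(4.0,   "203.0.113.10",  "198.51.100.7",   4_990_000),
    Flow(5.0,   "198.51.100.7",  "192.0.2.99",        30_000),  # size mismatch
    Flow(9.0,   "198.51.100.7",  "192.0.2.33",     4_985_000),
    Flow(400.0, "203.0.113.10",  "198.51.100.200", 5_000_000),  # outside window
]

def relay_matches(flows, hop, window=60.0, tolerance=0.05):
    """Pair each flow into `hop` with any flow out of `hop` that starts within
    `window` seconds afterwards and carries a byte count within `tolerance`
    of the inbound one. Traffic sent straight back to the inbound peer is
    skipped because it is a reply, not a relay."""
    inbound = [f for f in flows if f.dst == hop]
    outbound = sorted((f for f in flows if f.src == hop), key=lambda f: f.start)
    pairs = []
    for fin in inbound:
        for fout in outbound:
            if fout.start < fin.start:
                continue
            if fout.start - fin.start > window:
                break  # outbound list is time-sorted, nothing later can match
            if fout.dst == fin.src:
                continue
            if abs(fout.nbytes - fin.nbytes) <= tolerance * fin.nbytes:
                pairs.append((fin, fout))
    return pairs

def follow_data(flows, victim, first_hop, window=60.0, tolerance=0.05, max_hops=8):
    """Follow the data from `victim` through `first_hop` and onward, hop by hop,
    until a host receives it and forwards nothing of a matching size. The
    returned list ends with that host, the best available guess for where
    the data actually came to rest."""
    chain = [victim, first_hop]
    prev, hop = victim, first_hop
    for _ in range(max_hops):
        candidates = [
            (fin, fout)
            for fin, fout in relay_matches(flows, hop, window, tolerance)
            if fin.src == prev and fout.dst not in chain   # no loops
        ]
        if not candidates:
            return chain
        # Prefer the outbound flow whose size is closest to what came in.
        fin, fout = min(candidates, key=lambda p: abs(p[1].nbytes - p[0].nbytes))
        chain.append(fout.dst)
        prev, hop = hop, fout.dst
    return chain

if __name__ == "__main__":
    print(" -> ".join(follow_data(SAMPLE_FLOWS, "10.0.0.5", "203.0.113.10")))
```

This only works when the relay forwards the payload more or less unchanged and promptly; an intermediary that re-encrypts with padding, splits the transfer into chunks, or holds the data for longer than the window breaks the size and timing match, so a real analyst would treat a hit as a lead to corroborate rather than proof of origin.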
>What if they could determine the endpoint of the data and see that there was nothing connected to that endpoint at the same time, sending the same amount of traffic (using it as a proxy).
You say that as if breaking into someone's PC and using their wireless NIC to break into neighboring networks is totally implausible. Commonly known as pivoting.
I don't think that's implausible, but that misses my main point. If they are officially blaming China, they likely have some solid evidence from inside sources, not just an IP from China. Break-ins happen all the time, everyday, but not everything is attributed to someone because they don't have enough to go on. In a case like this, it could be as simple as a captured email from Chinese intelligence saying "Got those d0x you wanted. lol".
This case would not be "99.9% of these cases." It is not quite the same as, for example, the attack on Sony. The main differences are: 1) attack targets intelligence, rather than IP 2) target is US government, rather than private sector company 3) attack targets government infrastructure, rather than corporate infrastructure. I think that in this case the US likely has more resources at its disposal for analyzing the attack than, for example, it could use after the Sony attack, so a quick response is predictable. I also see no reason to doubt China as a possible culprit, as they certainly have both the capability and motivation for this attack.
Also, this attack happened last December. The scope of the breach was not fully known until April, when some deeper penetration was found than the reports in December initially indicated. The sad thing is this attack could have easily been prevented by using PGP signatures in emails (it was a phishing attack), but the defense/government is incapable of implementing this.
My understanding is that the attack actually started ~August/September, specifically targeting clearance information, but the attack broadened in December to target more information.
Does anyone else find the timing hilariously convenient? As soon as something expired ... this announcement goes to all the papers within a few days, while they basically pass a nearly identical thing?
I do. Not only the timing of the Patriot Act expiration but also the recent NY Times/Snowden story (in which the government specifically cited state-sponsored cyber attacks as justification for mass surveillance). I read somewhere the actual breach was detected a month or two ago, so it doesn't seem that unreasonable they planned the announcement to coincide with the NY Times story and/or the Patriot Act end date.
Also on all the cyber crimes I have a hard time believing anything. Definitely China's attacking us and we're attacking them, but on specific instances, we're never shown any proof at all. What are we to believe? And then I hear people asking about when a cyber attack constitutes an act of war. My god, I hope we don't go to war again on evidence that is unverified. And hopefully the media learned to be more skeptical of government claims after that whole Iraq WMD story, but it doesn't seem like it.
I'm not clear how the Patriot Act (if that's the "something" you mention) has anything to do with a state-sponsored advanced persistent threat. Can you explain?
> The federal personnel office learned of the data breach after it began to toughen its cybersecurity defense system. When it discovered malicious activity, authorities used a detection system called EINSTEIN to unearth the information breach in April, the Department of Homeland Security said.
They knew in April, they waited until right after Section 215 of the Patriot Act expired June 1st. Section 215 is the piece of legislation the NSA used as justification for its carte blanche collection of data in the US.
What I'm trying to say is that I don't think it furthers their goal.
It isn't like some terrorist act occurred which would've been uncovered with Section 215 still active. This happened on their watch and under the so-called protection of the Patriot Act. To me, it seems like just another example of the Patriot Act not protecting people.
The vote does not significantly affect their technical or legal capabilities. There are plenty of other laws they can invoke - or just relay the raw data feed to the UK and get the UK to do the dirty work. I think that it is principle of voting against surveillance that they want to quash before it becomes a habit.
> WASHINGTON — The inspector general at the Office of Personnel Management, which keeps the records and security clearance information for millions of current and retired federal employees, issued a report in November that essentially described the agency’s computer security system as a Chinese hacker’s dream.
That's an SF-86. You fill that out for clearances as low as Secret. The bar for a Secret is roughly "Are you blackmailable? No? Here's your clearance.". You can ship Secret material through the USPS if you ship it as registered mail. There's no need to hand-carry it.
There are many, many things that are classified as Secret that are either overclassified or classified as such to cover someone's ass or prevent embarrassment. Secret material can be sensitive stuff, but should never be serious spy shit. If it is, someone seriously fucked up their classification guide.
There are no secrets. We can't put the genie back in the bottle. We need to change our approach. We need to figure out a way to establish identity that doesn't rely on information anyone else has, such as names, dates, government-issued numbers, fingerprints, DNA, etc.