Anatomy of a cyber attack

arthwollipot
This is fascinating, and more than a little disturbing.

It's a breakdown of what happened during a six-week long cyber attack on the Australian National University, in nontechnical terms so that anyone can understand what was done. There are still a lot of questions about the attack that remain unanswered, but this shows how dedicated and sophisticated cyberwarfare agents have become.

Check it out:

Inside a massive cyber hack that risks compromising leaders across the globe
 
Some things do not equate in the story.

The cyber attack was so sophisticated it’s left the nation’s leading security experts shocked.

Which experts were these? Guys at ANU?

The article notes the following three parts that are 100% the fault of poor online security by ANU:

The email was previewed by one of their colleagues...

Well, duh.

They also used software called Tor, which disguised where they were operating from.

And it's the easiest system in the world to block, and any sensible IT security would have it blocked. That is monumentally poor security.

As an aside, I'd even go as far as to say the mere use of TOR suggests they weren't pros in any form - a pro would have spoofed an ip#.

Based on that point, and the hacking of personnel details, it says more "disgruntled former staff" than a government hack.

They emailed those details to external addresses by using an old ANU mail server that didn’t need login details to send messages.

Sounds like the whole system suffered from typical public service mentality - old and new systems integrated without attention to security.

I'd give ANU 0/10 for prevention. I hope they were using Symantec.
 
Is there a way to find these people?

Hackers need some severe punishments imo.

What do you suggest? Boiling in oil? 20 years hard labour?

According to the story, they've stolen data. So far, that data hasn't been used to execute any crimes, and it has a value of $0.00. If they'd ransomed the site, or stolen money, there would be a case to answer.

As it stands, they accessed a computer system and have hopefully alerted the IT clowns that they need to fix it. The costs involved are entirely the fault of ANU.

There's no way to find them unless they're really, really stupid. TOR is untraceable with the right security settings in place.
 
Is there a way to find these people?

Hackers need some severe punishments imo.
If there were, it would have been done. They covered their tracks really well. As noted in the article, they were probably from China, but there are a lot of countries with the capability.

By the way, I can personally attest to the number of Chinese students at the ANU, since the campus begins less than a kilometre from where I work. There are a LOT of Chinese students.
 
As noted in the article, they were probably from China, but there are a lot of countries with the capability.

I absolutely refute the idea that it was any kind of state attack by China. Their electronic warfare is sharp and they certainly don't use anything as amateur as TOR. Attack from someone in China, sure, why not? But any kind of state-sponsored hack - not in a million years.

To be perfectly frank, the TOR attack and simple exploits scream script kiddie. Professional, it was not. The capability required to hack that system, with out-of-date but open gateways is about year 12 at school.
 
I absolutely refute the idea that it was any kind of state attack by China. Their electronic warfare is sharp and they certainly don't use anything as amateur as TOR. Attack from someone in China, sure, why not? But any kind of state-sponsored hack - not in a million years.

To be perfectly frank, the TOR attack and simple exploits scream script kiddie. Professional, it was not. The capability required to hack that system, with out-of-date but open gateways is about year 12 at school.
I will readily admit that you know considerably more about the subject than I do, but some very serious people are describing it as sophisticated.

The full report from the ANU is available here, by the way. It's interesting reading, especially the Malware and Tradecraft Analysis section, but I don't have a lot of context into which to put what it says. The report calls the actors "operationally sophisticated and deliberate in their targeting", which doesn't sound to me like they think it was script kiddies.

ETA: Also, I want to be really clear here that it was not the ANU or the Australian Cyber Security Centre (a part of DSD) who suggested that it was probably China. It was Tom Uren of the Australian Strategic Policy Institute, who wasn't part of the investigation and who seems merely to have been contacted by the ABC for comment.
 
ANU hack report answers lots of key questions, except the most important — who did it?

Almost one year after it was hacked in 2018, the Australian National University (ANU) released a play-by-play account of how sensitive student and staff data was stolen from its servers.

The report describes spear-phishing emails and malware, but one significant thing is missing: who did it.

The university has been unwilling so far to point the finger.

"There are a whole bunch of countries that can do it," ANU vice-chancellor Brian Schmidt told the ABC.

"Organised crime potentially has the ability to do it and certainly all of these groups going forward are going to have more and more capabilities."

In fact, the question of attribution — working out which individual, criminal syndicate, or country is behind an attack — is a seriously fraught topic.

When Australia is hacked, government officials sometimes describe the culprit as a "sophisticated state actor" but go no further.

That's because apportioning blame in cyberspace can be both technically difficult, and politically treacherous.
 
Yeah, I don't know how that could happen either, and ASD aren't sharing. Nor should they.

One possibility:

Are they talking about the email message preview, or the attachment preview option? Newer versions of Outlook can give previews of the contents of attached files in office formats (docx, xlsx, etc) that appear in the preview window; I could see how macro code might be run via that preview window.

This can be disabled on the client (and via policy on the domain), and probably should for security reasons.
 
The full report from the ANU is available, by the way. It's interesting reading, especially the Malware and Tradecraft Analysis section, but I don't have a lot of context into which to put what it says. The report calls the actors "operationally sophisticated and deliberate in their targeting", which doesn't sound to me like they think it was script kiddies.

No, I withdraw the script kiddies and go back to my first thought - a disgruntled employee. It has all the hallmarks of a lone wolf attacker, and I'd be looking inside Aussie rather than out.

First place I'd be looking is at any IT staff who got fired before the attacks.

I think the claims of sophistication are being made to try to flub over the fact their security was pathetic.
 
I think the claims of sophistication are being made to try to flub over the fact their security was pathetic.
I think that's overly cynical. I see no reason to believe the report as written.

But yeah, there were definitely some major security issues. Those are outlined in the report, and measures have been taken.
 
Meanwhile...

Qld govt cyber defences fail ethical hack test

Sensitive information accessed with relative ease.

Ethical hackers from Queensland’s Audit Office were able to exploit vulnerabilities in the IT systems of three state government entities to access sensitive information during recent cyber security testing.

In a damning audit report [pdf] released on Tuesday, the state’s auditor said testing had revealed all of the three unnamed entities were failing to manage their security risks “as effectively as they could”.

The report found “key information assets” at each of the entities were successfully compromised by its security consultants using what was determined to be the “easiest path to attack”.

...

At one entity, the pen testers were able to gain entry to the network simply by waltzing in through the front door.

“Our security consultants were not prompted for identification at any point when accessing facilities,” the report states.

“It was possible to walk from the lifts, past the reception desk, and tailgate employees into the entity's offices.

“Upon accessing the office, our consultants were able to sit down at employee desks and connect a malicious device to the network.”

But the testing also revealed more traditional vulnerabilities in the networks, including “easily guessable passwords” at all three entities.

“At one entity, our consultants were able to crack and recover clear text passwords for over 6,000 user accounts. They cracked the majority of these in less than three minutes,” the report states.

Passwords for user accounts were also found to have been disclosed in multiple data breaches such as Adobe, Dropbox and LinkedIn.
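As an added example (not from the thread or the Queensland audit report), this is the kind of screening a defender puts in front of account creation so that a password already exposed in breaches like the ones named above is refused before anyone gets to crack it out of the directory. The breach corpus, its counts and the 12-character floor are constructed assumptions for the example; the prefix-only lookup mirrors how k-anonymity range services are queried.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Added example: screen candidate passwords against a breach corpus using a
# k-anonymity "range" lookup. The corpus below is constructed for the example;
# nothing in it is real breach data.

def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the form range services are keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed corpus: three strings standing in for passwords seen in breaches,
# each with a made-up occurrence count.
_CONSTRUCTED_BREACHED = {"password": 1000, "linkedin2012": 2000, "Welcome1": 3000}
CONSTRUCTED_CORPUS: Dict[str, Dict[str, int]] = {}
for _pw, _count in _CONSTRUCTED_BREACHED.items():
    _h = sha1_hex(_pw)
    CONSTRUCTED_CORPUS.setdefault(_h[:5], {})[_h[5:]] = _count

def constructed_range_lookup(prefix: str) -> str:
    """Stand-in for a range service: given a 5-hex-char prefix, return the
    'SUFFIX:COUNT' lines for every breached hash sharing that prefix. Only the
    prefix ever leaves the client, so the full hash is never disclosed."""
    suffixes = CONSTRUCTED_CORPUS.get(prefix.upper(), {})
    return "\n".join(f"{s}:{c}" for s, c in sorted(suffixes.items()))

def breach_count(password: str, lookup: Callable[[str], str]) -> int:
    """Return how often the password's hash appears in the corpus (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank or malformed lines in the response
        cand_suffix, _, count = line.partition(":")
        if cand_suffix.upper() == suffix and count.isdigit():
            return int(count)
    return 0

def evaluate_password(password: str, lookup: Callable[[str], str],
                      min_length: int = 12) -> Tuple[bool, str]:
    """Accept a password only if it meets the length floor and is absent from
    the breach corpus. Length is checked first so obviously weak input is never
    sent to the lookup. The 12-character floor is an assumption for this
    example, not a figure from the thread or the audit."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    hits = breach_count(password, lookup)
    if hits:
        return False, f"appears {hits} times in breach corpus"
    return True, "accepted"

if __name__ == "__main__":
    for candidate in ["Welcome1", "linkedin2012", "correct horse battery staple"]:
        print(candidate, "->", evaluate_password(candidate, constructed_range_lookup))
```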
 
Passwords for user accounts were also found to have been disclosed in multiple data breaches such as Adobe, Dropbox and LinkedIn.

Jesus, where's that laughing dog?

Public servants get ridiculously well paid, and they're almost all bloody useless. IT people in particular, it seems.
 
Passwords for user accounts were also found to have been disclosed in multiple data breaches such as Adobe, Dropbox and LinkedIn.

Jesus, where's that laughing dog?

Public servants get ridiculously well paid, and they're almost all bloody useless. IT people in particular, it seems.
It's very hard to stop people from writing down passwords and storing them in third party repos. And there are lots of smart people who aren't really trained to think about information security at a sufficiently technical level.
 
Yeah, wearing that skimpy dress and walking alone at night, the bitch was asking for it!
It's actually reasonable to hold a victim liable, if they haven't taken appropriate measures to secure their own interests.

A university has an obligation to safeguard student and employee data. They can't escape responsibility simply because someone else exploited their negligence.

Your rape example is a special case, because of the emotional nature of it, the entanglement with issues of sexism, etc.

Instead of trying to force it as the standard, and trying to normalize it, you should recognize it as the exception. And work on how to bring it back in line with the reasonable standards we tend to apply in non-rape scenarios.
 
I've had to re-do our security training recently due to certain policy changes. It's very, very clear that security is EVERYBODY's responsibility. It's the agency's responsibility, and it's the end-user's responsibility. Neither can drop the ball.

That's mandatory training by the way, for all staff of the department.
 
It's actually reasonable to hold a victim liable, if they haven't taken appropriate measures to secure their own interests.

A university has an obligation to safeguard student and employee data. They can't escape responsibility simply because someone else exploited their negligence.

Your rape example is a special case, because of the emotional nature of it, the entanglement with issues of sexism, etc.

Instead of trying to force it as the standard, and trying to normalize it, you should recognize it as the exception. And work on how to bring it back in line with the reasonable standards we tend to apply in non-rape scenarios.

Jeez, it's not often I agree with every word you write, but all of that is 10/10 with me.
 
Basically it wipes out pretty much every password complexity requirement that the Australian Government has.

Sensible option.

The whole password business is a bloody joke - we should be using voice ID. Oddly enough, the first place in NZ to adopt it was the tax department.
 
Sensible option.

The whole password business is a bloody joke - we should be using voice ID. Oddly enough, the first place in NZ to adopt it was the tax department.
We should be using multi-factor authentication, of which biometric identification can be one factor. As it says in the article.

And yes, I agree. Passwords are stupid.
 
Sensible option.

The whole password business is a bloody joke - we should be using voice ID. Oddly enough, the first place in NZ to adopt it was the tax department.

https://www.theguardian.com/money/2018/sep/22/voice-recognition-is-it-really-as-secure-as-it-sounds

Graham Cluley, a leading computer security expert, said: “There is extraordinary technology now which is able to emulate people’s voices pretty much in real time. If a criminal has fragments of you speaking already – for example, a YouTube video or podcast – there’s technology that can put together a very convincing imitation of your voice.”

Cluley believes you can use something like a voiceprint as an additional method of confirming someone’s identity, “but it shouldn’t be the only one. Simply the voice alone, I think, isn’t enough
 

I don't know how many people have their voices recorded on YouTube, but I'd expect it to be a very small percentage, and even smaller for podcasts. The chances of intersecting with someone you'd want to hack make it highly unlikely, and if you use an extra authentication layer, you're as close as you'll get to hack-proofing, but no system will ever be 100% perfect.
 
"Good afternoon, this is XXXXX bank calling for Mr Doe. We've had customers complaining they haven't received statements. Can you confirm that you have?"
"Yes I have"
"And did it include a letter explaining changes to our terms and conditions? Was there anything unclear in the letter?"
I wonder how large a sample you need.
 
I wonder how large a sample you need.

I'm no expert in voice patterns, but I would expect you'd need a fairly big sample, because the match isn't just for the voice pattern itself.

For our tax department, you have two different voice IDs recorded. When you connect to the system, it asks you to say either your date of birth or IRD number.

A voice hacker would first off need to know that information and have it faked & taped & ready to go. The voice pattern itself not only needs to match, but it needs to match in terms of the cadence of the speech as well, so a stilted fourth ... january... 19... 22 isn't going to work. They would need to match the voice analysis and style of speech.

I'd say voice recognition - except in rare circumstances - would require government-level sponsorship to hack. You'd need to find out who to target, then obtain recordings and spend a fair amount of time learning speech patterns, then find out what the questions are that need answers. Add into that that the provider can update and change at any time, so you could spend months to get nowhere.

Like I said, no system is perfect, but it's infinitely better than typing in a password.
 
Your rape example is a special case, because of the emotional nature of it, the entanglement with issues of sexism, etc.
No, it isn't. The issue is the same.

I was an employee in a business that got hacked. The emotional effects on me - of being violated, fear of further attacks, unwarranted guilt etc. - were similar to being raped. Nobody will ever find out who did it or bring the perpetrators to justice.

theprestige said:
It's actually reasonable to hold a victim liable, if they haven't taken appropriate measures to secure their own interests.
But what do we define as 'appropriate'? It doesn't matter how many measures you put in place, hackers will always find a way to breach them.

The primary party that should be held liable is the criminal, not the victim. If I put a lock on my door it should be enough to tell people not to enter my house without permission. I shouldn't have to install steel bars to prevent people from breaking in. But even if I did it wouldn't help - they would just steal a car and ram it into the door until it broke (true story).

It's the same with cyber security - except now I have to worry about pricks from Canada breaking into my place from the comfort of their own home.

But the worst part is the 'good guys' are actually in on it. They don't want to see the criminals brought to justice because it would kill their golden goose. From 'White hats' getting fame and fortune destroying security systems, to Microsoft using it as an excuse to push crappy operating systems onto us, they all benefit while it costs us billions (not to mention the emotional drain from the constant fear of being hacked).

The Atheist said:
Venom said:
Hackers need some severe punishments imo.
What do you suggest? Boiling in oil? 20 years hard labour?
I would suggest a bullet through the head, but that's too good for them. So I'm thinking - start by cleaning out their bank accounts and selling off all their possessions to help pay back their victims. Then fake their identities to turn family and friends against them, and go after other cyber-criminals under their name. Finally put a hit out on them via Tor, payable in Bitcoin. Either that or strap them to a computer and run 20,000 volts through it. Or maybe both.
 
For our tax department, you have two different voice IDs recorded. When you connect to the system, it asks you to say either your date of birth or IRD number.
[snip.....]
Like I said, no system is perfect, but it's infinitely better than typing in a password.

I'm more familiar with the HSBC system

https://www.theguardian.com/busines...recognition-system-breached-by-customers-twin

Noted differences
Unlike traditional password systems, which lock users out after repeated attempts fail, Joe Simmons tried seven times to mimic his (non-identical) twin’s voice before HSBC allowed access.

The HSBC system asks users to say “my voice is my password” into the phone, which is then matched to an original recording of the person’s voice, allowing access to their account.

A person I know well has experience of dealing with some of a major bank's security processes. That person is not impressed.
 
A person I know well has experience of dealing with some of a major bank's security processes. That person is not impressed.

Understandably so - it makes it a million times easier to hack than the tax method.
 
I don't know how many people have their voices recorded on YouTube, but I'd expect it to be a very small percentage, and even smaller for podcasts. The chances of intersecting with someone you'd want to hack make it highly unlikely, and if you use an extra authentication layer, you're as close as you'll get to hack-proofing, but no system will ever be 100% perfect.
Anyone with a smartphone and a brief opportunity to converse with the target can bypass most voice ID systems.
 
"Good afternoon, this is XXXXX bank calling for Mr Doe. We've had customers complaining they haven't received statements. Can you confirm that you have?"
"Yes I have"
"And did it include a letter explaining changes to our terms and conditions? Was there anything unclear in the letter?"
I wonder how large a sample you need.
UK R&C used the phrase "my voice is my password" for its sampling (now pretty much dead in the water).
 
Are we still doubting the China connection?

Are Australian universities putting our national security at risk by working with China?

Australia's top universities could be aiding the Chinese Communist Party's mission to develop mass surveillance and military technologies, amid rising concerns from Australian intelligence agencies that they are putting national security at risk.

A joint Four Corners-Background Briefing investigation has uncovered extensive collaborations between Australian universities and Chinese entities involved in Beijing's increasingly global surveillance apparatus.

At least two of those companies and organisations have been blacklisted in the past week by the US Government, which concluded they were implicated in human rights abuses against China's Muslim minorities.
 
Are we still doubting the China connection?

As far as the hack goes, absolutely.

I'm also at least as confident China has a planned program of soft influence at universities and institutions throughout NZ and Australia. (and others)

They're smart & subtle, which the hack was not.

We've had a great example of China's influence lately, with pro-HK democracy students being physically removed by Chinese students when they've tried to protest.
 