OK, there are bad people who like to cause trouble, and, since computer systems now have intelligence (but are stupid enough to allow unknown download of unknown code), the bad people can cause problems. Ho Hum.
But - to take North Korea (every last server, apparently) down for 2 days?!
I’m impressed.
In 25 words or less (I know mainframes inside out - have only most basic understanding of micro architecture) - how do you do that, and how deeply can you (theoretically, or record-to-date) penetrate the victim machine? Is it possible to corrupt the BIOS? Or is that the Holy Grail of Hackdom?
Flip side - why haven’t OS developed the sense not to perform whatever it is the hacks do? Why not flag every bit of code that comes from the web with <suspect code start> <suspect code end> and automatically prevent such code from generating anything it tries to store? If it misbehaves, delete the tag and everything within?
(hey, I SAID I knew next to nothing)
There’s no real information there, and no evidence the attack even happened. But as a hypothetical:
You can take down almost any small to medium server on the internet merely by hiring a DDoS network. There’s very little skill or cleverness about it, just brute force. North Korea probably does not have high end gear, nor the kind of skill and redundancy needed to withstand a large DDoS.
Since the OP is a novice, I’ll answer his next question before he asks it - DDoS is short for “Distributed Denial of Service” - i.e. have large numbers of computers (often home computers taken over by viruses - is your AntiVirus up to date?) constantly making large numbers of connections (which may just be the electronic equivalent of “Hi! I’m here!”) to their servers to the degree that their servers can’t accomplish anything useful. That technique requires no knowledge of exactly what type of server is being attacked.
The culprits could also be taking advantage of knowledge of the hardware/software which the victims are using in order to do nastier things like steal data or do serious damage. If they do it properly it’s not obvious until it is too late that modified programs were modified by someone a few thousand miles away rather than locally. It’s meaningless to say “flag the code as coming from the Internet and delete it if it is bad” - what if an important program has been edited (and if done sufficiently well, checking modification dates will do you no good)?
You don’t even have to make a connection: When you signal a server, it is programmed to always send a reply. If you do this enough times (in the thousands or millions per second), the server has to spend all its computing power with that reply.
Usually the sequence is
SYN (you contact server)
SYN-ACK (server replies and says it’s ready).
ACK (you connect to server. All is well).
With a Denial of Service Attack (in this form – there are others), the sequence is (attacker lines marked):
SYN (attacker)
SYN-ACK (server)
SYN (attacker)
SYN-ACK (server)
SYN (attacker)
SYN-ACK (server)
(repeat constantly).
The server is required to reply whenever it gets a SYN signal. To stop it, you need to keep the multiple SYNs from getting to the computer. With a simple Denial of Service attack from a single computer, this just means blocking the IP address (how the computer is identified on the Internet). However, no one bothers with those nowadays. Instead, they use hundreds or thousands of computers with different IP addresses (distributed denial of service), so it’s harder to block.
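The half-open state this post describes (SYN received, SYN-ACK sent, final ACK never arrives), modelled as a tiny server backlog. This is an added example written for this thread, not code from any poster; the backlog size, timeout and addresses are constructed, and SYN cookies are included as the standard mitigation, modelled only as "keep no per-SYN state until the ACK arrives".

```c
#include <stdbool.h>
#define BACKLOG 8       /* half-open slots; real servers hold more, same effect */
#define SYN_TIMEOUT 30  /* seconds a half-open entry waits for its ACK before expiring */
/* Half-open connection: SYN arrived, SYN-ACK sent, the client's ACK has not come back. */
struct half_open { unsigned client; unsigned t_syn; bool used; };

struct server {
    struct half_open backlog[BACKLOG];
    unsigned established, refused;
    bool syn_cookies;  /* mitigation: keep no per-SYN state until the ACK proves a real client */
};

/* Drop half-open entries whose ACK never came; this is why a flood must "repeat constantly". */
static void expire(struct server *s, unsigned now) {
    for (int i = 0; i < BACKLOG; i++)
        if (s->backlog[i].used && now - s->backlog[i].t_syn >= SYN_TIMEOUT)
            s->backlog[i].used = false;
}
/* SYN arrives: the server must answer SYN-ACK and remember the half-open state. */
bool on_syn(struct server *s, unsigned client, unsigned now) {
    expire(s, now);
    if (s->syn_cookies) return true;  /* state is encoded in the SYN-ACK sequence number instead */
    for (int i = 0; i < BACKLOG; i++)
        if (!s->backlog[i].used) { s->backlog[i] = (struct half_open){client, now, true}; return true; }
    s->refused++;  /* backlog full: this SYN, legitimate or not, is dropped */
    return false;
}
/* Final ACK arrives: the handshake completes and the slot is released. */
bool on_ack(struct server *s, unsigned client, unsigned now) {
    expire(s, now);
    if (s->syn_cookies) { s->established++; return true; }  /* cookie check assumed to pass */
    for (int i = 0; i < BACKLOG; i++)
        if (s->backlog[i].used && s->backlog[i].client == client) {
            s->backlog[i].used = false;
            s->established++;
            return true;
        }
    return false;
}

/* Constructed scenario: n_attackers distinct sources each send one SYN at t=0 and never ACK;
   a legitimate client (address 1) then attempts a full handshake at t_legit. */
bool legit_client_connects(unsigned n_attackers, bool syn_cookies, unsigned t_legit) {
    struct server s = { .syn_cookies = syn_cookies };
    for (unsigned a = 0; a < n_attackers; a++) on_syn(&s, 1000 + a, 0);
    return on_syn(&s, 1, t_legit) && on_ack(&s, 1, t_legit + 1);
}
```

With the backlog full the real client is refused until the stale entries time out, which is why the flood has to be sustained; with cookies enabled the backlog never fills.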
I can see the DDos trick.
I can also see: you’re so stupid you’re still running xxx program, and I know if I insert this
<label: a>
Go to a
at line 156987 in module sss of that system, all hell will break loose.
Why on earth can I get that machine to even think of accepting that code?
It was bad enough when an operator (god id - can change anything), facing a broken system, will allow a programmer working on system A to modify a program in system B (sometimes, the problem is not in the program that died, it is in the program that fed it the crap that caused it to die), but why would an OS be dumber than an operator?
Just on a guess: how much of the vulnerability is a result of the fact that micros started out as 2 guys in a garage, not a professional group intending to create a monster that would run the world?
OTOH, the internet was created by the US DOD as a way of using the ATT network as backup command and control in the event that the Soviets could take out the military C&C - they should have put traps and isolation simply everywhere.
The vulnerability which allows hacking in the first place.
“Hack” used to mean to chop or cut crudely or viciously.
Of course “computer” meant a huge machine in a locked room with no means to update without the knowledge of the people in charge of it.
There is also the “social engineering” aspect of hacking. Basically, identifying a legitimate user and someone obtaining their credentials from them through some sort of deception or subterfuge. For example pretending to be from corporate IT and asking for your password or sending you what looks like a legitimate email from your bank or wherever prompting you to log into a fake website that also looks legitimate. The hacker can then log in as a legitimate user and do as they please.
There are several methods of countering this:
Physical security tokens that generate a random but predictable number sequence every few minutes. To log in, the user needs to enter both their password and the number from the token in their possession. If you don’t have the token, you can’t connect.
A user generated image that is displayed by the web site when you log in. A fake web site wouldn’t know what your image is so if you don’t see it, you don’t log in.
Although Windows NT and its successors have supported complex user permissions for 19 years, most users (including many corporate users) were executing programs with full administrator privileges until a couple of years ago. So it was difficult to prevent an ordinary program from damaging the whole system.
In the name of ease of use, some unsafe ideas were implemented in Windows, such as automatic execution of some programs on DVDs and USB keys.
Even with restricted permissions, once an installation program has been approved for execution, it basically has administrator-level access to the entire system.
Installable and built-in device drivers execute on processor Ring 0, with unrestricted access to all hardware.
Installable and built-in services (programs without a window) often execute with elevated privileges.
Windows was mostly built using C, which makes it easy to store arbitrary-length, NUL-terminated strings in fixed-length buffers. If the program receiving a string doesn’t properly check for a buffer overflow, this can be exploited.
Up until the mid-oughties, Intel and AMD processors did not properly distinguish between code and data (or, at least, their facilities to do this were not used). So, if a buffer overflow could cause data to be executed, the processor didn’t prevent it.
The whole modern Web experience is about downloading and executing code inside the Web browser. Java, JavaScript, VBScript, ActiveX custom controls… Yes, in theory, you can isolate/sandbox everything. The people at Sun/Oracle have been trying to plug holes in the Java sandbox for, what, 16 years now?
People are used to clicking OK/Yes/Allow on any message, no matter how ominous.
As mentioned above, a denial-of-service attack can cripple any system.
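The fixed-length-buffer problem from the post above, as an added example (not code from any poster): the unchecked copy beside a bounded one that refuses over-long input. The struct, its field names and NAME_MAX are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define NAME_MAX 16  /* fixed-length buffer, as in the C code the post describes */

/* Constructed record where the buffer is followed by something valuable: an overflow
   of `name` runs straight into `is_admin`, which is how a missing check does damage. */
struct account { char name[NAME_MAX]; int is_admin; };

/* Vulnerable form: strcpy copies until it finds the NUL, however long the input is,
   so any input of NAME_MAX bytes or more writes past the end of `name`. Contrast only. */
void set_name_unsafe(struct account *acct, const char *input) {
    strcpy(acct->name, input);
}

/* Hardened form: look for the NUL within the buffer size (never reading further),
   refuse input that does not fit with its terminator, and report the rejection
   instead of silently truncating. Returns 1 on success, 0 when rejected. */
int set_name_safe(struct account *acct, const char *input) {
    const char *nul = memchr(input, '\0', NAME_MAX);
    if (nul == NULL) { acct->name[0] = '\0'; return 0; }  /* no NUL in first NAME_MAX bytes */
    memcpy(acct->name, input, (size_t)(nul - input) + 1);  /* +1 copies the NUL too */
    return 1;
}

/* Constructed check: a 15-char name fits, a 16-char one is refused, is_admin stays 0. */
int hardened_copy_behaves(void) {
    struct account a = { .is_admin = 0 };
    int ok = set_name_safe(&a, "alice") == 1 && strcmp(a.name, "alice") == 0;
    ok = ok && set_name_safe(&a, "0123456789abcde") == 1 && a.name[14] == 'e';
    ok = ok && set_name_safe(&a, "0123456789abcdef") == 0 && a.name[0] == '\0';
    return ok && a.is_admin == 0;
}
```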
Thank you quite sincerely for the biggest jolt I’ve ever heard regarding EDP/DP/MIS/IS/IT (I’ve been through all the names up to IT) and security.
Yes, I got that the entire configuration was to put the processing on the receiving machine.
That concept right there should have triggered a competition for how many keys are required to sneeze.
But to run everything at admin (what we used to call god) level? Any idea what it took in the old days to even LOOK at the code?
At Bank of America, production support was nearly impossible because the programmers were not allowed to look at the data causing the problem - there was an entire staff which did nothing but review signed/counter-signed requests for production data; if the request was approved, they would run the data through an encryption program specific to that file which obliterated identifying fields - you found the program died on account 57? Cool! Now, request a copy of that input file! Look up the record for account 57, and you’ll see what caused the problem! Easy!
Except the nice people who gave you that copy put random numbers in the account field - for security reasons.
I did contract work on the development side (yes, my job first jumped onto a PC then moved to India) - I only heard the horror stories second-hand.
“Always accept xxxxx from this site - go ahead, make my day”
Another reason why DoS attacks are usually distributed is that if you try to launch one from a single computer, the attacking computer is kept just as busy as the target computer.
And for an attack which “takes down an entire country”, I would guess that the most likely explanation would be an attack of some sort (which might not even be a digital attack: Think of a guy with a backhoe) on the Internet connections into the country. All of the computers in the country would still work, and would be able to talk to each other; they just couldn’t talk to the rest of the world.
These cards were around in the early 90’s - Pac Bell (which was tied for “most f***ed IT shop” with BofA) used them.
2 things to know about Pac Bell’s IT department:
They took great pride in employing Scott Adams - my first day, I was told his cubie address - apparently I was expected to gawk. Yes, Dilbert was based on Pac Bell. It was when he retired that the strip lost its edge.
Their “daily cycle” ran 3 days. Yes, at any given point, there were 3 distinct copies of everything running concurrently on the same machine.
Bonus: ATT hired the “Baby Bells” to reformat the journal files they sent. Pac Bell was so screwed up they couldn’t even manage that - eventually ATT cancelled the project and modified ITS system to accept the Pac Bell file in the old format and everybody else’s in the new format.
I do hope there was a bloodbath once ATT re-assembled itself.
Do PC’s OS’s really not know the difference between:
Open to read
Open to update
Open to execute
?
Only up to a point. Yes, you can spoof an IP packet with a fake address (if you don’t want a return packet). However, it is much harder to get the spoofed packet to a target than it used to be. Many edge (non-routing) networks now have exit filters to prevent spoofed packets from exiting (egress filtering), and peering networks increasingly have ingress filters. The LOIC DDoS tool used by Anonymous does not use IP address spoofing - a fact that allowed a number of individuals in the UK to be arrested during Operation Avenge Assange.
Just dropping in with a few observations. DoS/DDoS has been pretty well covered it seems (I would only add that there are many, many varieties of such attacks - Smurf/Fraggle attacks being my favorite, but only because of the names).
Social engineering was mentioned up-thread, and remains my preferred attack vector. It manifests itself in a variety of ways, both physical and 'net based, and has (totally made up stat - but a good approximation) an 85-90% success rate. However, using social engineering to take down an entire country’s network infrastructure is a bit far-fetched (not impossible, but jeebus, what a pain in the ass). Attacking the physical infrastructure would probably be a more efficient use of resources.
Pretty much any system online is going to be consistently under some sort of attack at any given moment. Setting up honeypots provides interesting perspective on this - most attacks are unattended (not some “hacker” targeting a machine, but a botnet, malware creep, or whatever). Frankly, these wouldn’t be a huge problem if folks maintained appropriate patch levels/updated AV/etc. A targeted attack, unless you’ve some significant investment made in defensive resources, is pretty tough to stop if the attacker knows what she’s doing.
Cynicism alert: Bear in mind that the DPRK likes to tell its general population that the many power outages it experiences are caused by “the Americans”.
I would not be surprised if the connectivity problems the DPRK experienced/is experiencing were caused by local “operator error” and the government is blaming outside entities to disguise that.
TL;DR: Kim Jong-un infected the DPRK’s IntraWebz servers when he downloaded malware-laden pr0n.
Yup. Or a backhoe or whatever. I’ve been monitoring security news sites for details, and there’s been no independent confirmation that this was a deliberate attack.