"The attackers, suspected to be based in China, planted carefully camouflaged spyware on client PCs in order to extract passwords, Shields said."
Does this mean Microsoft's fault?
Nortel was the victim of a years-long network security breach that allowed hackers to extract its trade secrets, according to a veteran of the bankrupt Canadian telco systems biz. The hackers stole at least seven passwords from top executives before downloading research, business plans, technical papers, corporate emails and …
The company developed a lot of different systems on Engineering Workstations from Sun, HP and others. The network was very large and there was a serious effort at keeping out the barbarians. When SATAN first came out, it was announced that unauthorized use of SATAN and similar products in the corporate network would result in immediate dismissal.
I can't speak for the place after the late 1990's but this was not a network built solely on Microsoft technologies. Developers would not have tolerated the performance and reliability of MS file servers of the period. Software was developed and integrated on Unix-based workstation and delivered to stand-alone systems for testing. Production code was always controlled, built and delivered in ISO 9001 approved processes from about 1996 onward.
I would not rule out the use of traditional forms of human intelligence.
Searching The Register for "SATAN", I'm only finding articles about the Vatican and information security, the people who will look after your pet when the Rapture comes and you go to heaven and they don't (the other people and your pet as well), and, apparently, Steve Jobs. Well, well.
Order a big box of less-than-lethal submission gear.
Every 3 months:
1) Unpack gear
2) Enter exec office by force, making use of the above against any opposing personnel
3) Extract disk of any machine for forensic purposes
4) Insert new disk, reinstall everything, destroy all USB keys, break CDs, replace phones, inspect wall plugs etc.
FAIL because I can't manage to do that at our place.
Nortel had a password tool named NORPASS, which would sync all your passwords across multiple platforms. It had a 60 day password refresh requirement... 8+ characters, uppercase and special chars and numbers required, with no dictionary words... I was a PITA to select a password that would pass the requirements.
"Top execs of a big company, with access to all sorts of sensitive info and company secrets, were allowed to use the same passwords for 4+ years...?"
At my previous contract, the new head honcho demanded (and received) a special dispensation from the security policy so that he could permanently "use the same 4 letter password that he is used to" for network and email accounts. Managers at a few levels considered resistance but then decided to think of their future career prospects.
A typical example that security is not a product - it is an ongoing process. Security needs to ask recurrently also what other risks does the security solution cause and what costs and trade-offs does the security solution impose.
These aspects are hardly being addressed by the PCI-DSS and the CISSP people. Ask them about security and they start waffling about the same they did 5 years ago: data availability, encryption, audits, physical security, virus-scan, buy this solution and that product. When I asked none of them had an answer about the compromise of RSA keys, virus databases can never be up to date, emails on smartphones are a backdoor, GPU attacks, biometric solutions can be broken with a glass of water, etc.
80% of security is show. And with COTS solutions we will never have effective security. Anyone who still thinks he can design a enterprise grade IT solution using COTS hardware and software is not on the winning side anymore.
Thumbs up for the comment but a general reminder that PCI-DSS only addresses security within a specific industry (Payment Card Industry) and CISSP is historically described as a mile wide but only an inch deep.
While I agree COTS products do have their issues alot of security standards (FIPS, CC and CAPS CPA) are working towards defining decent protection profiles so that organisation may have a greater confidence in adopting these products. However; within any system you must always consider people, process and technology.
As the PFY once said; "Security is a journey, not a destination."
You have a better chance doing it with the right COTS stuff properly configured and well managed than you do starting out and doing it all through home brew kit.
If however you mean deploying stuff because it has a shiney brochure and the salesman told me it would make me sure you are probably correct; it will never work.
The company was an equipment manufacturer created as a subsidiary of the Bell Telephone Company of Canada well before the invention of the transistor. For many years, it built Canadian versions of Western Electric designs under license. In the 1970's the company began the design of a digital switching system which became the DMS-100 system. Delivery of DMS-100 coincided with the breakup of the AT&T monopoly in the US and the company had its first growth spurt.
After much grunting and groaning the company filed for bankruptcy protection in the United States and other countries.
Nortel after going bankrupt now admits they have been pwned by the PRC for years. Makes you wonder how many fourtune 500 companies have APT's in their networks taking nibbles and bytes of their sensitive data daily. Weather you want to blame China or not it shows that companies and govt's still dont have a handle on cyber threats.
Of course, the West is whiter than white and would never be involved in such snooping type practices against the East, or its own subjects and businesses in the West.
Does one have to admit and concede that the East is way smarter than the West and much better at the things which really matter?
"Why would anyone spy on *Canadians*?"
Canada is currently the 10tth largest economy in the world, on both IMF and World Bank figures. 1.7 trillion dollars GDP/year is nothing to be sneered at.. They're large enough to be a worthy target of industrial espionage themselves.
If you think $1.7 trillion is pissweak, you could consider the "Tinker, Tailor, Soldier, Spy" scenario: spy on a major ally of the USA, and then manipulate things so that intelligence sharing exists. Now you've got your hands on the crown jewels.
For *years* and no one notices or asks "Why?"
A thought occurs to me. If you can't *account* for why a program (any program) is sending messages to the outside world why *let* it? Did you *ask* for some kind of security backup to be engaged? In corporate land isn't it safer to have them justify themselves *before* being allowed to open a port?
And BTW It's not only what the perpetrators (*wherever* they were really based) got out of Nortel.
It's what (if anything) they were able to *install*
Changes to the source code running its switches to create (for example) hard coded engineering test passwords into *every* future Nortel product using that code base?
That would make this the crack that just keeps on giving.
It *should* be impossible *but* if no one's actually eyeballing the code why would they go looking for a section they were not assigned to? They don't know it's even there And it *should* have been impossible for a major *manufacturer* of comms equipment to have been penetrated like this for so long
Source code changes in the area I was in, was tightly locked down. Full change management policies.. Valid reason to update code ( via feature/bug tool) , architects approval, code inspection approvals, config mgmt approval. Even the highest ranked user could not override these checks.
Sounds good (TBH my impression is that software development for *embedded* systems in the telecomms industry is fairly rigorous) but it depends how deep the security goes.
It's SOP in some development shops to run tests on database systems by stuffing the data files *directly*, bypassing the data entry & validation front ends.
That's not to say there is *no* audit trail, merely that it's on programmer, not the software management system. Depending on how well the source code control system is integrated it might or might not show access when the code .
And of course a *real* black hat would aim to disable the logging software *first* to prevent anyone following their trail as a matter of course.
Yes this is highly speculative and highly paranoid. It should be *impossible*.
However the chance to infect every unit of some major piece of Nortel kit would make a *very* tempting target, both for the access it can give to users *directly* but also as a beach head into other networks.
Like the update to ATM's in Eastern Europe (Hungary?) that allowed a dump of all users card details and PINs.
"I get your point, but it's not like you can do a netstat and a whois and automatically weed out anything that looks vaguely Chinese. "
Agreed. However I'm thinking a little wider. It's more the idea of a white list where *every* IP address (and the port they are sending to) is *accounted* for. Think of it more like a corporate phone book.
I'd expect *most* traffic to be going to *known* IP addresses (and ports) in the sense of IP addresses of other offices within the company, main suppliers and main customers.
The rest is more suspicious, *especially* if one or more of them are being sent data on a *regular* basis.
This would not stop traffic to a compromised supplier or customer (unless you're cross checking send time against when people are actually *using* those machines) but it would have picked up weird-stuff-is-going-on a lot sooner.
"Blocking traffic to China" is too simplistic a policy. They might have been the end users, they might not (I think China has the record for the most number of pirated copies of Windows, so no security updates to stop them being exploited as relays to somewhere else).
..because certainly modern managers will give utmost consideration to data security issues. They listen to their senior IT people and will refrain from doing insecure things. Of course they spent serious money on competent network defence specialists and give them ample time to monitor the network, develop diagnostic scripts and look deeply into anything suspect.
Well. NOT. Not anything of the above. Modern managers simply give a rodents a$$ about anything not directly related to shipping a product or service and generating revenue. Security efforts are seen as an "overhead" which should be kept well below the bare minimum. They don't want anyone to be bothered with learning proper information security practices, because that would distract from the priorities of the next two weeks. Little wonder corporations are royally penetrated through all openings on a regular basis.
It is probable that this kind of security breakdown has happened and is happening at all of those companies that sought to make room in the budget for ever increasing executive bonuses by outsourcing IT and by hiring VISA workers with dubious at best credentials.
The fact is that the black hats are better compensated whether they are PRCs cyberattack group in the PLA or cowboys looking for something to sell.
Biting the hand that feeds IT © 1998–2020