Solution?
Delist all .cn domains then proactively authorise the ones that have a legitimate complaint. Extreme but effective.
Hackers have responded to a purge of malicious links within search results by Google with a fresh effort to subvert the search giant's page rank system. As previously reported, miscreants recently set out to poison search results with links to malware infested sites. The tactic involved gaming search engines' ranking systems …
Standardized LART Form for poor computer security articles. Released under the GPL v2 for everyone to use. Please modify as needed. See http://www.gnu.org/
Check all that apply to this article. You may have to delete unchecked items to fit in the space allotted by the author's comment form.
======= Indices
Troll-O-Meter: (6 out of 10 for repeat performance) [X] 6. False prophet
Flame Meter / Threat Level: (1 out of 10) [X] 1. Firecracker
BS Meter: (6 out of 10) [X] 6. "We're here to protect you"
======= Conditions of exploitation
Your article assumes the victim:
[X] Uses Microsoft Windows [X] ...with Administrator access [X] ...and turns off User Account Control (Vista)
The problem described was addressed:
[X] More than a month ago by a patch [X] ...more than a year ago [X] ...more than five years ago [X] More than a month ago by a simple workaround [X] ...more than five years ago [X] By the current version of whatever has this problem [X] ...by the previous version
Reproducing and/or exploiting the problem requires:
[X] Clicking a malicious web link [X] ...while logged on as an Administrator [X] Jumping through more hoops than a dolphin at Sea World
Exploiting the problem also requires:
[X] Google [X] Blogspot / Blogger / other major blog site
======= Umbrella salesmen predicting bad weather
Your article cites:
[X] A computer security firm [X] ...twice in a row
The quoted person / firm / organization:
[X] Has a fix for the problem for a price [X] Claims they had known about and/or had fixed the problem [X] ...more than a month ago [X] Predicts the death of the Internet as a result [X] Has unearthed a diabolical conspiracy to destroy the Internet [X] ...or whatever
======= Celebrities
The author or quotee accuses the following celebrated entities of abusing the problem:
[X] China [X] Any other country on the list of Cyber-Enemies of the United States
======= Punishments
For crafting this article, you deserve:
[X] To be interviewed by... [X] ...Rick Mercer [X] ...John Leyden (go interview yourself)
Before writing another security article, you must:
[X] Ask one or more real security experts first [X] ...that don't work for computer security firms (Yes, they do exist.) [X] Ask a critic of whoever you're going to quote [X] Try reproducing the problem yourself [X] ...while logged on with a Limited (XP) or Standard (Vista) account [X] ...while leaving User Account Control (Vista) turned ON [X] Buy a copy of "Euthanize the Internet" by Rob Rosenberger [X] ...and actually listen to it for more than five minutes
Yeah, but scaremongering is OK sometimes, because it is a problem that needs more attention drawn to it. No point in just taking the "I'm a geek so it won't affect me because I'm already aware of it" tone. It's not you / me that need the wake-up call, but it is you / me / etc. who have to fix non-geeky people's computers. So I think it's helpful to draw attention to it. It's also good to keep a pulse on what the general trends are and stuff.
But yeah, I take your point.
I was just going to write my response in the format...
[X] Was I going to write my response like this... [X] But do I expect everyone else also to do this... [X] Can I really be bothered... [X] No, I'm going to bed... [X] Or maybe to hunt for some decent Google alternatives again
Personally, I think we should wall off China... I don't know how many times a day my home network is probed, pinged or scanned by an IP address that originates from a .cn network. And from the statistics I've seen from firewalls at other organizations, my little network is barely a blip compared to a corporate entity or government agency of any interest to the Chinese.
Call me a conspiracy theorist but I believe the PRC's military is behind a lot of it...
Customer of mine has an Arabic world business website. One fine day a couple of years back some assholes I traced to the group of IP addresses used by a major Saudi university attacked the site - so, I blocked the IP range (rather a wide range if I recall correctly).
A week or so later their IT head contacted me asking 'what was wrong' with the site. So I politely explained.
Two days later I received another communication, this time from the university head, explaining the issue was resolved and was unlikely to reoccur, should I see fit to restore their ability to connect.
So I did - no further problems.
What happened? Your guess is as good as mine, but this was Saudi Arabia... My favourite fantasy involves some form of public and typically barbaric punishment.
Ahh, if only it was THAT easy with your common or garden hacker!
Re. cn domains - yup, they are a sodding nuisance - and a waste of bandwidth!
John, I believe you mean *fake* anti-spyware program. "Rogue" would imply that it really is anti-spyware, but that it doesn't conform to some sort of rules.
And just for the record: *All* IP space controlled by China is considered "add to DENY Tables on sight" by anyone who has the vaguest idea of Internet security.
I'm also of the opinion that the Red Army is behind the majority of this stuff, along with the "poison toys." Once is an accident; twice is coincidence. Three times is enemy action. There have been far more than three such major incidents.
As an information security specialist based in Hong Kong, I recognise that many people around here communicate with .cn addresses on a regular basis, and "add to DENY Tables on sight" would not be an appropriate response. Also take a look at international trade statistics... a lot of other people, including, perhaps, your customers or employer, need to communicate with China.
Whether or not the Chinese military is hacking, I don't know, they don't tell me. However, broadband usage is growing in China, and millions of new users getting onto the internet means millions of poorly-secured machines to be turned into zombies. A lot of the non-Chinese spam I get comes from Chinese IP addresses. I guess that most of the malicious traffic from Chinese IP addresses is from botnets controlled from elsewhere. I would expect the Chinese military to bounce their attacks through non-Chinese addresses, to conceal the source.
I don't worry about the domain name, but when I see spam that gets past my blocklists, I update my firewall. whois often indicates a large (up to /11) range of IP addresses, and I simply block the lot against smtp and ssh. www I don't worry about, but it's just crossed my mind I should also take out imap.
No, blacklisting the entire chinanet from the civilized world is the right solution for EXACTLY the reasons you listed for not doing it. Those interests you mentioned that need the blacklisting to drop can lean pretty heavily on chinanet to do something about the abuse. Unless chinanet can start behaving responsibly, this is going to isolate China. I have personally today added
218.13.0.0-218.18.255.255 to my distributed blacklist, and will keep the range blacklisted until I read on a reliable source that Chinanet has cleaned house. Thanks for participating. Goodbye.
//Svein
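The procedure the two commenters above describe (read the range from whois, block the whole allocation against smtp and ssh) is shown below as an added example; it is not code from the thread or from any of the posters. The whois text is a constructed sample using the 218.13.0.0-218.18.255.255 range quoted in the thread, and the address count is included because, as the Hong Kong poster notes, a whois allocation can be far larger than the hosts actually sending abuse.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample of an inetnum-style whois answer (not a real query result);
# the range is the one quoted in the comment thread.
SAMPLE_WHOIS = """\
inetnum:        218.13.0.0 - 218.18.255.255
netname:        EXAMPLE-NET-CONSTRUCTED
country:        CN
"""


def parse_inetnum(whois_text: str) -> Tuple[str, str]:
    """Return (start, end) of the first 'inetnum:' line, as dotted strings."""
    m = re.search(r"^inetnum:\s*(\S+)\s*-\s*(\S+)", whois_text, re.MULTILINE)
    if not m:
        raise ValueError("no inetnum line found in whois text")
    return m.group(1), m.group(2)


def range_to_cidrs(start: str, end: str) -> List[str]:
    """Collapse an arbitrary start-end range into the minimal list of CIDR blocks.
    A whois range is rarely a single prefix, so one rule per block is needed."""
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def address_count(cidrs: List[str]) -> int:
    """How many addresses the block list covers: the collateral of a range-wide block."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cidrs)


def iptables_rules(cidrs: List[str], ports: Tuple[int, ...] = (25, 22)) -> List[str]:
    """Emit iptables commands dropping inbound TCP to smtp (25) and ssh (22)
    from each block; http is deliberately left open, as in the comment."""
    return [
        f"iptables -A INPUT -s {cidr} -p tcp --dport {port} -j DROP"
        for cidr in cidrs
        for port in ports
    ]


if __name__ == "__main__":
    start, end = parse_inetnum(SAMPLE_WHOIS)
    blocks = range_to_cidrs(start, end)
    print(f"{start}-{end} -> {blocks} ({address_count(blocks)} addresses)")
    print("\n".join(iptables_rules(blocks)))
```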