
Sunday, August 7, 2011

A serious matter that is being very carefully hidden

A mass espionage operation based on unauthorized access has been brought to light by McAfee. This report reveals details about it. I will copy the content of the report here to mark some interesting passages, followed by some comments.

JEFFREY BROWN: Now, a newly discovered cyber-attack on U.S. and international systems.
Margaret Warner has the story.
MARGARET WARNER: For at least five years, a high-level hacking campaign infiltrated the computer systems of more than 70 governments, corporations and public and private organizations in 14 countries. So says the Internet security firm McAfee, which uncovered the massive campaign and dubbed it Operation Shady RAT.
A summary released by McAfee yesterday identified -- identified the perpetrator only as one specific state actor.
The story became public Tuesday through reporting in Vanity Fair by Michael Joseph Gross. And he joins us now.
And, Michael Gross, thank you for being with us.
MICHAEL JOSEPH GROSS, Vanity Fair: Thanks, Margaret.
MARGARET WARNER: This operation sounds breathtaking in its scope.  
Give us a sense. Flesh that out for us. How widespread was it? What kind of information were they going after? Who was targeted?
MICHAEL JOSEPH GROSS: This is an unprecedented campaign of cyber-espionage, demonstrates with absolute clarity now that there are just two kinds of organizations, those that have been compromised and those that haven't, as Dmitri Alperovitch, the guy who discovered this campaign, has often said.
What happened is, they went into more than 70 organizations, everything from the International Olympic Committee to giant corporations, to tiny nonprofits, in 30 different organizational categories in 14 countries. They took out government secrets, design schematics, legal contracts, negotiation plans for business deals, every kind of sensitive information you can think of. In many cases, these organizations were compromised for at least a year, in some cases, more than two years. And there's a really interesting pattern to the evolution of the attacks that suggest where they may have come from.
MARGARET WARNER: And that is?
MICHAEL JOSEPH GROSS: That is China. There are -- in the run-up to the Olympic Games, they started -- the 2008 Olympic Games -- these attackers started turning their attention to national Olympic committees and to the IOC.
MARGARET WARNER: And this was in Beijing, of course, the Games, just to remind people.
MICHAEL JOSEPH GROSS: That's right. The list of victims includes 49 in the United States and many in almost every Southeast Asian country. Almost every organization is known to be of interest to China, but there wasn't a single victim in the People's Republic itself.
MARGARET WARNER: So what you're describing is not just cyber-espionage, but also cyber-theft...
MICHAEL JOSEPH GROSS: That's right.
MARGARET WARNER: ... theft of really valuable information, valuable economically and politically.
MICHAEL JOSEPH GROSS: That's right. This is -- you know, it's interesting to be having this conversation today, on the day the Dow takes this massive drop, because what we're talking about when we talk about the theft of this information is the theft of our economic competitiveness. This is the theft of the potential that we have to get back up to speed. We don't know what's happening to this information yet. And we won't know for a few years, whether it's being used to engineer new products. But by the time we figure that out, if that is indeed the case, it will be too late.
MARGARET WARNER: And, just briefly, this is quite different, then, than the very well-publicized hacking that came out a few months ago into, whether it was the Senate website, CIA website, the PBS website. This is a different quality.
MICHAEL JOSEPH GROSS: That's right. Again, Alperovitch, the guy who discovered these attacks, told me that it's been very frustrated for him all spring to be watching the news of this Anonymous and LulzSec activity, because so much of it is just nuisance. They're just defacing websites. That's the sideshow. That's the sideshow. And this is the main event.
MARGARET WARNER: So, how did McAfee, the security company, get on to it? And what -- what did they do with it once they realized what was going on?
MICHAEL JOSEPH GROSS: In 2009, one of their clients, a defense contractor, noticed some unusual traffic. And when McAfee looked at it, they realized that they were being attacked by a never-before-seen species of malicious software. When the victims would click on a link to a Web page, malware would be loaded on to their computer which would give the attackers privilege -- or allow the attackers to open a back door, take privileges, get access to information in the system, and begin exfiltrating it, pulling it out. McAfee closed down the link to that server, the server to which the stolen information was going, immediately, so its clients were blocked from connecting there. But -- but, you know, for those who have chosen not to accept information about these attacks, which is -- several of the victims actually seem to be quite determined not to confront this problem, the attacks are ongoing and the theft continues.
MARGARET WARNER: So, in other words, some -- though McAfee notified all 72 organizations, some didn't even take their offer of help, and this server, wherever it is, is still up and running?
MICHAEL JOSEPH GROSS: That's right. McAfee is working with government agencies to try to get it shut down. But there are a lot of jurisdictional and procedural issues that make that a complicated and lengthy process. In at least two cases, I found that, even after McAfee had alerted the victims, when I called the press representatives for those victims, that they had not heard anything about this. And, as I say, in at least some of these cases, the attacks are ongoing and folks have refused to take help in addressing the problem.
MARGARET WARNER: And, just very briefly, has the U.S. government said anything in response?
MICHAEL JOSEPH GROSS: I believe Jay Carney did -- the White House spokesman -- did make some comments about this in a press conference. I believe it was today. But that's just hearsay from a hacker convention that I'm attending here in Vegas. I do know that McAfee has been briefing Congress, the White House, other executive agencies. And I received a statement from Sen. Feinstein, the head of the Senate Select Committee on Intelligence, expressing her extreme concern after reading this report.
MARGARET WARNER: Well, more to come. Michael Joseph Gross, thank you so much, and good reporting.
MICHAEL JOSEPH GROSS: Thank you.

The passages I marked in red are the ones I consider most important. In summary, though, it can be seen that the attack targeted ordinary users. When the user clicked on a link, code intentionally developed for that purpose would be copied to the victim's computer and would allow the external action to begin. There are some more serious implications of this:

  • The user is still tremendously unprepared. It is repeated over and over that suspicious messages should not be obeyed in their "click here" requests. Companies seem to be failing to build this culture among their users. It would be the equivalent of a defensive driving course, or a course on "what never to do under any circumstances". The siren song remains the same:
    • Nude scenes of some famous woman
    • Photos of a wife/husband caught in the act of cheating
    • Photos of the body of some recently deceased celebrity
    • Fake invitations on social networks
  • Work equipment being used for personal purposes. It is striking how end users spend their working hours handling personal matters over the internet. I am not referring to paying bills, reading the news and the like, but to the people who keep the web browser open all day on social networks, sending and receiving emails on the strangest subjects imaginable: pornography, sports, jokes, their travel photos, help for strangers with chronic diseases who will receive 1 cent of a dollar/real/euro/yen/ruble/Argentine peso for each email forwarded. And it is in one of these that the malware "lands" on the user's computer.
  • Antivirus is tremendously necessary, but it performs below what is desired. The compromised computers belong to corporate victims. It is almost certain that all of them were running antivirus. Even so, the malware installed itself and carried out its activity undisturbed. It is important to note here that the espionage was identified by the traffic generated by the data transfer, and not by the malware on the end user's computer.
  • The worst crime is not the one that can be seen. Recently the crime of "virtual graffiti" occupied all the media, raising the flag of the vulnerability of the affected public agencies. Many made a point of attributing this crime to the use of Free Software, others to technically unprepared staff.
    But what should be noted is that this type of crime is nothing more than an act of public vandalism that attacks the institution's image. Not that this is not serious, because it really is. It affects the institution's credibility with its public. But what about when a company's strategic information is stolen? A new product that is about to be launched without competition, taxpayer information, etc.? And we should note that this has been happening for at least the last 5 years.
When we think of something of this scale happening at institutions the size of the victims in this case, we should also think of smaller companies, which do not invest in security as they should, using high costs as an excuse.
Unfortunately, these companies still rely on pirated software, have a single employee performing every role (Systems Analyst, Security professional, Programmer, Maintenance Technician, all for little more than minimum wage!!!), and do not invest in keeping their end users up to date.

With this kind of professional stance, they are applying to become victims. If they have not already been hired without knowing it.


I would like to know your position on this. Send your comment on this subject.

Blog Livre e Social by Gilberto Martins is licensed under a Creative Commons Attribution 2.5 Brazil License.