They never say what evidence, which is the most interesting part of the article. Does anyone have a more detailed description of how they identified it was China?
I am sure the people on the attribution side dug deeper than this (for example they most likely tried to verify that this guy is really Chinese and not just pretend-Chinese) but I don't know anything about the non-technical side of things.
edit: http://jeffreycarr.blogspot.com/2011/06/18-days-from-0day-to...
Frankly, what's more alarming: the dedicated resources of a single state actor, or a complex, emergent network of self-interested individuals and groups pursuing their own aims?
I find the Chinese explanation a little too convenient and a little too amenable to typical national defense thinking. What this article really says to me is that if you want to hack an American company, own a Chinese box first. Nobody will look any further.
So it seems at least possible that there is some collusion, conscious or not, between journalists and cybersecurity spooks to name an enemy in order to get traction in the public mind, vs. saying "well, it's from a lot of different people, lots of stuff from china, and who knows what else."
I even think this might be a good strategy - I guess my point is I'd like to see more real public evidence before we accuse foreign governments of attacking us in the press. Not because I don't believe it is happening, but because I feel those assertions should be backed up if they're going to be made.
Exactly -- it's pretty easy to rent a Chinese box from one of the many botnets out there, and I guess that would be the first choice of an intruder to hide his trails.
Would you also limit your targets to things that would seem to be of overwhelming interest to the Chinese government?
The article is garbage. Nonsense. Brain-dead. Trying to jerk people around by the gut.
'Vanity Fair' is for what, overly emotional, determinedly non-technical, easily scared, fundamentally incompetent and, thus, dependent, young women who want to gossip about fashion and celebrities?
If the article had anything, then it would have explained something solid; since nothing solid was explained, it must not have had anything.
So, the article starts with:
"Lying there in the junk-mail folder, in the spammy mess of mortgage offers and erectile-dysfunction drug ads, an e-mail from an associate with a subject line that looked legitimate caught the man’s eye. The subject line said '2011 Recruitment Plan.' It was late winter of 2011. The man clicked on the message, downloaded the attached Excel spreadsheet file, and unwittingly set in motion a chain of events allowing hackers to raid the computer networks of his employer, RSA. RSA is the security division of the high-tech company EMC. Its products protect computer networks at the White House, the Central Intelligence Agency, the National Security Agency, the Pentagon, the Department of Homeland Security, most top defense contractors, and a majority of Fortune 500 corporations."
and in particular:
"The man clicked on the message, downloaded the attached Excel spreadsheet file, and unwittingly set in motion a chain of events allowing hackers to raid the computer networks of his employer, RSA."
Garbage. Absolute reeking, fuming, bubbling, flaming, smelly, gooey, sticky, yucky nonsense.
So, he received an e-mail message. Okay, we're talking likely post office protocol 3 (POP 3).
Back when I was using OS/2 and had no decent e-mail software, I took out an afternoon and wrote my own POP 3 client e-mail software. I used it for years. I'm about to ditch Outlook 2003 and return to what I wrote (in Rexx) on OS/2.
Gotta tell you, no way, not a chance, was there any way to infect my computer by sending me e-mail. Not in this galaxy. Send me anything you want, pictures, viruses, root-kits, Flash, infected, 'active' PDF files, EXE files, Active-X files, spreadsheets, etc., and no way will my computer be 'infected'. Just impossible.
Why: First, the data that comes via POP 3 is lines of text of just 8 bit characters. Period.
At the beginning are the 'header lines'. The end of the header lines is denoted by one blank line.
The rest of the e-mail is just the 'body', and it is just more lines of text of 8 bit characters.
Harmless. It's just some simple minded data as lines of 8 bit characters. Can put the data in an ordinary file, edit it with an ordinary editor, view it on the screen, print it out, etc. All harmlessly.
The body may have a PDF file, a movie, some audio, some Flash, an EXE file, a spreadsheet, etc., and still it's all just harmless data. Period.
If there is one or more 'attachments', then each of these is delimited by a line with some text indicated in the header. Each such attachment is just more lines of text. To permit sending any data at all, these lines of text consist of just 65 simple-minded, old ASCII printable characters. You can print them out, and they won't hurt you, steal your bank records, install software on your computer, etc. They are 100% harmless.
Those 65 characters are part of a scheme called 'base 64 encoding' which is part of the e-mail 'multi-media internet mail extensions' (MIME).
For such an attachment, one can follow the base 64 rules and 'decode' the attachment back to the original data in the file. The file, then, will be a sequence of 8 bit bytes. Give the file any name you want and put it in any directory ('folder') you want. Yes, you do NOT want to put the file where other software will use that file without your knowledge; but why would you do that? E.g., don't overwrite some important operating system DLL file.
The file may be in the format of an EXE file, JPG file, GIF file, PNG file, XLS file, etc. Still it is just a file, just a sequence of bytes. Like any other sequence of bytes, it's harmless, will not cause blindness, falling hair, black toenails, or an infected computer. You can copy it, back it up, send it as an attachment via e-mail, etc. all harmlessly.
The file can be a virus, a root-kit, a Trojan, malicious, malevolent, nasty, etc., but STILL is just 100% harmless, safe, and innocuous. No rubber gloves needed.
Now, if the computer is being used by a total dummy, idiot, drooling on the keyboard, licking the screen, etc., then there might be a threat: The rube might permit such a file to execute as software on their computer. Dumb. Stupid. Brain-dead. Don't do that. Never do that.
First rule of computer security:
Never, ever permit data from an untrusted
source to execute as software.
Never. Ever. Don't do that.
So, if there was a computer security problem, then it was NOT the e-mail, the attachment, or the spreadsheet but JUST some total idiot who let such an attachment execute as software.
Any author of any e-mail program that lets data execute as software without very explicit approval of a user should be dragged through the streets while peasants throw garbage, two week old dead animals, night soil, upchuck, toxic witch's brew, effluent from tanning animal skins, etc., racked, excoriated, eviscerated, drawn, quartered, hung, dried, roasted, and fed to sick animals.
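The POP3/MIME structure the comment above walks through (header lines, one blank line, a body with base64-encoded parts between boundary lines) as an added Python example that is not from the thread: it parses a constructed message, decodes the attachment back to its original bytes, and reports the declared type, size, hash and leading magic bytes without handing the file to any application. The sample message, the addresses and the attachment contents are all constructed.

```python
import email
import hashlib
import base64
from email import policy

# Constructed attachment: starts with the ZIP magic that an .xlsx carries,
# followed by filler text. It is not a real workbook.
ATTACHMENT_BYTES = b"PK\x03\x04" + b"\x14\x00\x06\x00" + b"constructed xlsx-like body, not a real workbook"

# Constructed raw message as a POP3 client would receive it: plain 8-bit lines,
# headers, a blank line, then a multipart body delimited by the boundary string.
RAW_MAIL = (
    b"From: associate@example.com\r\n"
    b"To: target@example.com\r\n"
    b"Subject: 2011 Recruitment Plan\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="sep42"\r\n'
    b"\r\n"
    b"--sep42\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Please review the attached plan.\r\n"
    b"--sep42\r\n"
    b"Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet\r\n"
    b'Content-Disposition: attachment; filename="plan.xlsx"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.b64encode(ATTACHMENT_BYTES) + b"\r\n"
    + b"--sep42--\r\n"
)

# Leading bytes that identify common container formats regardless of the
# filename or declared Content-Type (both of which the sender controls).
MAGIC = {
    b"PK\x03\x04": "zip container (xlsx/docx/jar)",
    b"\xd0\xcf\x11\xe0": "OLE2 compound document (legacy .xls/.doc)",
    b"MZ": "Windows PE executable",
    b"%PDF": "PDF document",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def split_headers_body(raw: bytes):
    """The POP3 view: header lines, then the first blank line, then body lines."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.decode("ascii").splitlines(), body.splitlines()

def inspect_attachments(raw: bytes):
    """Decode each MIME attachment to bytes and describe it; nothing is executed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reports = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # base64 text -> original bytes
        kind = next((d for m, d in MAGIC.items() if data.startswith(m)), "unknown")
        reports.append({"filename": part.get_filename(), "declared_type": part.get_content_type(),
                        "size": len(data), "sha256": sha256_hex(data), "magic": kind})
    return reports
```

The magic-bytes check matters because the filename and Content-Type headers are attacker-supplied text; the decoded bytes are the only thing worth trusting about what the file is.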
Second, I suggest you take a moment to reconsider your position that "a virus, a root-kit, a Trojan, malicious, malevolent, nasty, etc., but STILL is just 100% harmless, safe, and innocuous" unless the computer is being operated by an idiot. That is, unless you have never, on any occasion, been a victim of malware yourself. If that is the case, I suppose it is possible that you are superior, in every way, to the rest of the computing world. Has it occurred to you that perhaps there is a legitimate reason for the thriving computer security industry?
It is a fact that there are very competent people behind these attacks. You don't slip through the security of the likes of major defense contractors and multi-billion dollar internet companies like Google without some skill. It is also a fact that even the most competent computer users make mistakes from time to time. The whole scenario seemed quite plausible to me, without my having to assume that RSA employs a bunch of idiots.
As for your gripe about the quality of the article, think about the target audience. You are obviously not a part of it. It was directed at the mainstream, and it would have been inappropriate to fill it with technical details that only another hacker would understand. That said, I thought it was a pretty decent article. It explained in relatively easy to understand terms how the attack worked and the possible rationale behind it. The tech-savvy readers can use a little imagination to fill in the technical gaps. You probably already have a pretty good idea how some parts of it worked. You don't need to trash the author for not spelling it out for you. It's not supposed to be a howto guide.
Please seriously entertain my claim that the article is not to inform computer users about how to avoid 'malware' but, instead, is just a case of a standard practice in journalism to distort a real situation to create uninformed fears to grab people by the gut to get their eyeballs for the ads.
In particular, the article is very far from reality about computer security.
Next, you are just not reading; instead, you wrote:
"You are sorely mistaken. First, the article clearly states that the user downloaded and opened the file. It was not some automatic process put into motion by the mere fact that someone emailed him, as you suggest in your rant."
Totally, flatly, clearly, absolutely wrong. Your "and opened the file" is just wrong. The article never said any such thing. I just went through the whole article and looked at every case of the string 'open', and at no point did the article mention that the file was open or opened. And in the first paragraph with the start of the story, nothing like 'opened' was described or even implied.
Instead, the situation in the article was just as I quoted in the key statement from the first paragraph of the article:
"The man clicked on the message, downloaded the attached Excel spreadsheet file, and unwittingly set in motion a chain of events allowing hackers to raid the computer networks of his employer, RSA."
There is nothing here about 'open' in any sense.
Indeed, if this sentence were correct, then with any decent e-mail software his computer would have been quite safe.
Of course, "downloaded the attached Excel spreadsheet file" has to be wrong: The e-mail message would have already been received, in total, with the "attached" file so that the file did not need to be "downloaded". Of course, if the file was "downloaded" from just a URL in the e-mail message, then the file was not "attached" to the e-mail message. So, either the spreadsheet file was attached or downloaded but not both.
With irony, your:
"It was not some automatic process put into motion by the mere fact that someone emailed him, as you suggest in your rant."
gets at the main bad point in the article: The author is interested in drama, just drama, to grab readers by the gut, and in the special case of drama as some threat from some inexplicable, unfathomable, hidden evil forces of darkness. In particular the article did NOT include your "opened" the file and, instead, just had its:
"unwittingly set in motion a chain of events allowing hackers to raid ..."
So the threat was not from your "opened" but from its "unwittingly", that is, synonymous with my "inexplicable, unfathomable, hidden" and, with irony, also with your "some automatic process ...". The author IS claiming that the 'infection' was from some "automatic process" which, of course, is nonsense.
Again, the main claim early in the article is that any computer user is vulnerable to a massively destructive infection and security breach MERELY, "unwittingly", from an "automatic process", of receiving a bad e-mail and then downloading an attachment. This claim is nonsense, total 100% fuming, flaming, reeking nonsense. It's wrong, and from an effort to create confusion to scare people.
For your
"Second, I suggest you take a moment to reconsider your position that 'a virus, a root-kit, a Trojan, malicious, malevolent, nasty, etc., but STILL is just 100% harmless, safe, and innocuous' unless the computer is being operated by an idiot."
No, my statement is correct, a nice contribution, and fully appropriate for the subject of computer security for users of e-mail and personal computers.
To repeat, the key point for the target audience is not some "unwittingly" but just what I wrote:
Never, ever permit data from an untrusted
source to execute as software.
That's the key rule that everyone using a personal computer today needs to commit to memory, tattoo on the back of their right hand if necessary, pray to God each day at bedtime if necessary, and follow in all computer usage without exception.
The rule is simple and plenty within the ability of nearly any computer user.
And the rule insists that computer users know the difference between data just sitting in a file and data permitted to execute as software; this difference is just crucial.
Of course, the article, out of convenient ignorance or deliberate confusion or both, wanted to avoid mentioning your "opened", to avoid saying that the problem was not receiving the e-mail with an attachment, was not downloading a spreadsheet file, but WAS 'opening', and thus executing as software, data from an untrusted source.
The poor computer user was fine, safe, secure, etc. up to the moment they 'opened' the file. Again, the problem was 'opening' the file and not just receiving or downloading, unwittingly or not, the file.
"That is, unless you have never, on any occasion, been a victim of malware yourself."
The usual approach of the losing side of an argument is to attack the other person, not the other ideas. So, you are now after me, personally. I'm not the subject here; the article and computer security are the subject.
I've never gotten an infected computer via e-mail. With any decent e-mail software used in any decent way, it's essentially impossible for anyone to get an infected computer via e-mail. Again, as I explained, all standard SMTP and POP 3 e-mail is just some lines of text of 8 bit bytes. This data is super simple to handle safely. To get an infection from such data, you have to work at it. I made this point clear; it's good news; apparently you missed it.