The United States maintains two civil and one military program to provide meteorological imagery and data from spacecraft in polar and geostationary orbits around the Earth. The civil programs are managed by the National Oceanic and Atmospheric Administration (NOAA) and the military program is managed by the Department of Defense. The National Environmental Satellite, Data, and Information Service (NESDIS) is a unit of NOAA and is responsible for operating the civilian weather satellites (GOES and POES), distributing the satellite data and imagery, archiving the data, and planning for future systems. NESDIS also controls the Department of Defense constellation of polar orbiting weather satellites called Defense Meteorological Satellite Program (DMSP), which is similar to the civilian POES program.
...
Due to the classified nature of the DMSP imagery and other data products, the DMSP downlink data is encrypted, and thus the direct readout system is not available to nonmilitary users.
That all comes from this cool-as-hell PDF† about how to build a GOES/POES ground receiving station. Anyways the most obvious target here is probably the DMSP products, rather than, say, a Bruckheimer-esque plot to disrupt NOAA satellite imagery during the height of the Atlantic hurricane season.
Of course if you were an evil genius bent on destroying the US by sending a massive hurricane into the eastern seaboard, your first step would be to disable the ability to see it coming ... :-)
As a Chinese, I would prefer to believe our government is behind this. Do you know Beijing (or even the whole country) has a serious smog issue which was first uncovered by the American embassy in Beijing? The incident made the government lose the public's trust, and for quite some time people only wanted to trust forecasts from NOAA instead of Beijing. If the Chinese government hacked NOAA, it would be out of their intention to contain domestic reactions. Actually, our government has greater problems at home than abroad.
People could see the smog for sure, but the official forecast would report nothing unusual or indicating the hazard to people's lives. It was not until the American embassy spoke out that the majority realised we breathe highly polluted air.
The official forecast in China is presumably controlled by the government. That's what makes it "official". You can't possibly argue that because the US is not publicly shaming the Chinese government into releasing accurate health-relevant information to its citizens, that that same government has the right to hack US systems to determine weather information. If that is actually what occurred.
We can talk about this all day without moving anywhere. Remember tanks in 1989 Tiananmen Square? From primary school people are brainwashed with the CCP-is-holy thing. Many understand what is going on, but the attitude is "survival comes first". There are still plenty who are too well brainwashed to know why life in China could be so hard.
Yes, people can dream, but communism has its tradition, brutal tradition. People become realistic, you know, pay the bill and feed their children.
The vast majority of Chinese I meet here have zero interest in democracy; the few students I do meet who advocate it generally have very little idea of what it actually is.
They have no end of complaints about the government and are quite vocal about it, but huge divisions (to put it mildly) between provinces, as well as urban and rural people, mean that the idea of letting "those people" have a say in how things are run is unthinkable.
I always appreciate how the US are able to pin every network compromise directly back to China. And not just China but the Chinese government in particular.
Almost like VPNs, proxies, TOR, compromised machines, botnets, or similar do not exist in this arena and that a reverse DNS lookup will tell them 1337.mss.gov.cn.
When the US talk about cybersecurity/"cyber wars" in general they're talking about something more akin to a Hollywood movie than anything you see on the ground on either side of the "fight."
I'm extremely sceptical every time they claim Chinese responsibility. I am sceptical not because China wouldn't have the skills or motivation to do so (they do/would) but because they jump to these conclusions unrealistically quickly, and if their adversary covered their tracks even modestly, pointing fingers like that would be quite hard (e.g. send it through Russia).
There are many details left out that could reasonably pin the attacks on the Chinese. While communication back to the source may be obfuscated and hard to pin on any particular actors, the exploits, shellcode, and malware they use can possibly be tied to other breaches. Like regular programmers, hackers tend to reuse modules, code blocks, techniques, etc. from attack to attack. So whereas the NOAA breach may not conclusively point to China, something found during the incident response and forensics phases may connect it to the USPS breach, Lockheed Martin breach, or others. A good example of this technique would be how researchers were able to tie Stuxnet, Flame, Duqu, and Gauss to the same actors (probably the US and Israel).
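The code-reuse linking the comment describes, as an added example that is not part of the thread: it hashes overlapping byte windows of constructed samples, treats shared windows as evidence of a reused module, and groups samples into clusters. The sample bytes, window size and threshold are constructed for illustration, not taken from any real breach.

```python
import hashlib

WINDOW = 16  # bytes per sliding window; a constructed toy value

def window_hashes(blob: bytes, size: int = WINDOW) -> set:
    """SHA-256 of every overlapping size-byte window of the blob.
    Overlapping windows, unlike fixed chunks, still match a reused module
    that sits at a different offset in another sample."""
    return {hashlib.sha256(blob[i:i + size]).hexdigest()
            for i in range(len(blob) - size + 1)}

def shared_windows(a: bytes, b: bytes) -> int:
    """Number of window hashes two samples have in common."""
    return len(window_hashes(a) & window_hashes(b))

def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two samples' window-hash sets."""
    ha, hb = window_hashes(a), window_hashes(b)
    if not ha or not hb:
        return 0.0
    return len(ha & hb) / len(ha | hb)

def link_samples(samples: dict, threshold: float) -> list:
    """Connected components of the similarity graph: samples whose pairwise
    similarity reaches the threshold, directly or through intermediates,
    land in one cluster. Shared bytes can also come from a common compiler,
    packer or library, so a cluster is a lead to corroborate, not proof."""
    unvisited = set(samples)
    clusters = []
    while unvisited:
        start = unvisited.pop()
        cluster, frontier = {start}, [start]
        while frontier:
            cur = frontier.pop()
            for other in list(unvisited):
                if similarity(samples[cur], samples[other]) >= threshold:
                    unvisited.remove(other)
                    cluster.add(other)
                    frontier.append(other)
        clusters.append(cluster)
    return sorted(clusters, key=sorted)

# Constructed samples: a 64-byte "reused module" embedded at different
# offsets in two otherwise unrelated samples, plus one that shares nothing.
MODULE = bytes(range(64))
UNIQUE_A = bytes((7 * i + 3) % 256 for i in range(64))
UNIQUE_B = bytes((11 * i + 5) % 256 for i in range(64))
SAMPLES = {
    "sampleA": MODULE + UNIQUE_A,
    "sampleB": UNIQUE_B + MODULE,
    "sampleC": bytes((13 * i + 9) % 256 for i in range(128)),
}

if __name__ == "__main__":
    for idx, members in enumerate(link_samples(SAMPLES, 0.1)):
        print(f"cluster {idx}: {sorted(members)}")
```

With these inputs sampleA and sampleB share exactly the 49 windows that lie inside the module and fall into one cluster, while sampleC stays alone.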
That doesn't mean that it's actually Chinese users doing anything though. China has a lot of software piracy in their culture, where piracy is, malware and botnets are rife.
I find that debatable, they are still guilty to some extent because of their inaction to do anything (effective) against these botnets. Whether 'action' would refer to users installing a decent anti-virus, or an IPS blocking and isolating obviously infected hosts.
Of course, this is a whole different level of culpability than if they were actually condoning large scale attacks on other countries' infrastructure.
The fact remains that if I were to plot the amount of IPs that come knocking at my non-production server you'd see over 50% coming from China.
17.18% of all desktop OSes connected to the internet are Windows XP, the version for which Microsoft doesn't publish updates. Most of these computers are in China. Also "in 2009, approximately 80% of software sold in China was pirated."
The average weekly income of a Chinese worker is around 100 USD. He is not going to buy new software even if it costs the same as in the US. It typically costs even more.
Don't be surprised bots have easier targets there.
I find it very hard to believe myself, because when you can obtain it for free, why not go for the latest, shiniest version? But the reality is, most Chinese computers are still stuck with XP, whatever the reason is.
XP was made for much weaker machines, older hardware. When you earn 100 USD per week you don't upgrade hardware as long as you can avoid it. Just as an example from another part of the world, I live in Europe and I used a Sony notebook from 2002 until last year, when the hardware started to fail. I guarantee you that Windows 7 can't be installed on it. Even the newer Ubuntu versions weren't installable from one point on.
Ever heard of PPStream or PPTV? Well, the good news is that both pieces of software open some sort of transparent HTTP proxy listening on 0.0.0.0; obviously it's for helping the P2P.
I share that skeptical feeling. It's always been a common technique to bounce an attack on US servers through servers in a foreign country that doesn't speak English much and doesn't have the best relationship with the US. China is the ideal one for this, and generally has the best supply of vulnerable servers to do this through.
Having hacked Google, Juniper, Symantec, Morgan Stanley and countless USGOV sites - why not hack NOAA? It's not as if there will be any USGOV response. No sanctions. No demarche of which I'm aware. No counter-attack that has been publicized by China. Turning the other cheek is not a valid strategy in a prolonged conflict.
Turning the other cheek is an OK strategy when the damages are not terribly high and the political and economic costs of any reaction would be worse than those of the attacks. In fact, improving defensive security and not responding to cyber-warfare except in cases that imminently endanger human lives or defense capabilities would probably be the sounder policy. That said, that's far from what the U.S. government is doing; the U.S. government engages in espionage and arguably cyber-warfare against nations it's not in conflict with (including China) with alarming regularity. The Snowden leaks give us an idea of how a fraction of those operations looked more than 6 years ago...
If it were me, I'd just issue a formal letter thanking the Chinese government and their people for spending their own taxpayers' money pen-testing U.S. infrastructure and ensuring security best practices are followed ;p (yes, I am being tongue-in-cheek, speaking of cheeks...)
Done. A tepid feeling of unease was experienced that could also be attributable to the grocery store sushi I had for lunch. To help put your mind at rest, USGOV bureaucrats oscillate across an ass-covering wave of incident driven threat detection peaks, and valleys of privacy right restrictions on their abilities. China, singling out just one state actor, operates unmodulated. There is a difference of level, accountability and transparency that makes your comparison invalid.
These articles always make me wish I could see the Chinese equivalent. Are the newspapers in Beijing just full of stories about US "cyber attacks" on Chinese infrastructure?
No. There are plenty of articles in China about what an evil empire the US is, but mostly on how it misuses its military, financial and cultural power, how it instigates unrest in other countries, how its democracy is a fake one, etc. Seldom if ever do they mention US hacking.
The "one POV" thing is not about how interconnected the world is; it's about the language barrier. An English site will always be dominated by people whose native language is English.
Someone I know who grew up in mainland China told me he was raised and taught in school to believe the Tiananmen Square massacre was just U.S. fabricated propaganda.
Rest assured, they have better methods of attribution than a reverse DNS lookup. It's difficult to attribute a specific attack, but relatively easy to attribute large campaigns.
I also appreciate how the public unquestioningly believes that the Mars rover was in fact really on Mars. Especially, if one is to ask "cui bono", the answer that you'll get is that the administration is trying to direct attention from its police surveillance of Someone1234. I'm not saying that the Mars rover landing was faked, I'm just asking questions.
I don't know who this Wolf guy is, but he's absolutely right: if we are in the government, and we have a breach, and we're working on it, we have an obligation to fess up. (Unless there's some kind of counter-intelligence operations underway)
We can all sit back in our comfy chairs and debate whether it really is China or not, whether various networks are secure or not, or how much various agencies can store (and the dangers associated with them storing things). But we can only do that if we have recent and valid information about what's going on. Good public policy decisions depend on an informed electorate. This kind of situation is not the place to be covering up your mistakes.
I think you're right that an open attitude towards security breaches is essential for a healthy security ecosystem. However, in practice, fessing up in public during an investigation will rarely happen. Security incident responses are some of the most hushed processes, even inside otherwise open organizations.
That's because you want to find and close the vulnerabilities before publicizing them. Otherwise, by publicizing, you invite attacks that will (a) multiply the noise you have to sift through to complete the investigation and (b) potentially create new incidents, at a time when you are already in a crisis (the current attack & investigation).
So most security departments will only talk about what happened after the fact, when it's all been tidied up again. But even then, the habit of secrecy has already been established. It's a constant struggle to bring openness to a process where secrecy is a short-term advantage. If you want an informative accounting of what happened, I think you need to add it to the incident response process.
For example (simplified for illustration):
1. Notice an intrusion
2. Capture information (logs, vulnerabilities used, etc)
3. Secure systems that have been compromised
4. Prevent future intrusions within the organization
Need to modify 4 (or add 5):
5. Publish to help other orgs also prevent intrusions.
But other orgs may hate you for that, because in the process of publishing, you have exposed their lax practices that (in hindsight) used to be your lax practices ...
I don't know who is really doing this or what the impact will be, but let's pretend for a moment that the Chinese government is responsible. They are largely funding our government. We need each other.
I wonder if a serious problem with the world is due to secrets that allow some to have power over others. For example, a company with a patent on a drug that costs $80K has power over those who will die without it. If you can't afford it, have you seriously harmed the company if you violate the patent to manufacture it in a 3rd world country for people who could never pay for the drug? When is human life more important than a company's right to a patent (or information)?
The Chinese have a serious problem in the form of several hundred million people who need to be moved out of poverty. To help them get there they seem to be mining a precious resource: information in 1st world countries. Is this different (or worse) than 1st world countries mining precious resources in the 3rd world?
What is the net result? China will use this information to make itself wealthy enough to buy more of our goods? China will acquire the ability to make our goods cheaper than we can make them and force us to work harder?
I'm not saying "stealing" is "right" but it seems to be an important way all 1st world countries became richer. The notion of "right" is suspect given that history is written by the winner.
My experience five years ago was that regular African people were not too keen on the Chinese mining companies that had set up shop. But perhaps there was not enough competition to mine more locally.
The article does not discuss much the motivation they might have had for this hack, aside from the fact they're probably looking for gaps in general US systems. But I'm very curious about the economics of hacking another nation's weather service; China could give itself significant (and creepy) economic advantages by MITMing the data from the satellites. I wonder if they're considering things like this?
Edit: Also, if they just wanted weather data, they should've signed up for http://pressurenet.io ;)
It gets even more incredible. The landings would have been canceled for the day they actually happened, except that the meteorology officer in Eisenhower's staff predicted that there would be a short break in the bad weather sufficient for the landings to occur.
Eisenhower rolled the dice and the weather did indeed hold up long enough for the invasion to occur. His opponent, Gen. Rommel, felt the weather was going to be so bad there was no way the invasion could commence so he was actually away from Normandy on D-Day to see his family.
> The article does not discuss much the motivation they might have had for this hack, aside from the fact they're probably looking for gaps in general US systems.
NOAA is a branch of the US Department of Commerce - it's likely that is a relatively interesting target. And the NWS probably has data feeds that are based on non-publicly available information: maybe they've got some military satellite feeds out there. Who knows.
But in reality I'd bet this was just a "cast many lines, see what we catch" operation. And most people probably discounted the risks of Chinese attacks against the weather service. I'd further bet that there are plenty of lesser-known government organizations out there that are being actively exploited right now.
It is probably less Hollywood-like, such as predicting cloud cover over areas you'd be interested in using your satellites to look at. Or maybe they had a cyberhacking campaign and broke into as many US orgs as possible simultaneously, but each department discovers it at different times. Or, as others have said, maybe it isn't China at all but some other party?
I never will understand how this spying stuff is always allowed to happen. I know every government does it, but I find it unbelievably dishonest. What kind of relationship is that? I would intuitively see any spying as an act of war, especially if supposedly friendly countries do it.
Yeah, but what are they going to do about it? Sanctions that hurt you just as much? Retaliate in kind? War? I'm not sure it's understood yet what the appropriate response should be, or what the bounds of the consequences are.
A lot of people worry about Government sponsored hacking taking the gloves off, and fucking with commercial infrastructure directly and relentlessly. The amount of leaks and compromises we see today suggests this could be economically catastrophic.
Do we know what kind of data was accessed in these attacks? I wonder what kind of weather data can be so important to be kept secret that they must disrupt the service and seal off everything. Were they storing other data on these servers?
Public companies risk running afoul of US data breach laws if they don't disclose a breach and customer data was potentially stolen. So it's a matter of piss off your stockholders or break the law. The only winning move is to have proper security before you get hacked.
> Public companies risk running afoul of US data breach laws if they don't disclose a breach and customer data was potentially stolen.
There are no US data breach laws, only state data breach laws, and they vary significantly from state to state, also in what constitutes "data", "breach", and "disclosure".
So it's not just a matter of breaking the law or not. There are lots of situations where specific companies cannot disclose publicly that they've been breached and not run afoul of the law.
I work in the Information Security field, so I'm aware. I don't mean US-wide data breach laws, I mean data breach laws in the US. Many states (100% of the states I support) require disclosure in a certain timeframe if customer data has been disclosed.
Is it just me, or is this apparently the reaction every time a US government or military system gets hacked by China?
"Yep, we got hacked again. But we're just going to do our best to minimize the damage and pretend it never happened. No meaningful action will be taken against the perpetrators."
Chinese officials would probably deny that it was them if the US publicly accused them, saying it was some isolated hacker acting on their own, or maybe a foreign country routing its traffic through a VPN in China, AND they would point out that the US is doing exactly the same in China and elsewhere (Stuxnet, etc...).
† http://noaasis.noaa.gov/NOAASIS/pubs/Users_Guide-Building_Re...