funsec mailing list archives

Re: E-Mail Leak Has Google Threatening to Leave China


From: phester <funsec () armorfirewall com>
Date: Wed, 13 Jan 2010 13:33:16 -0500 (EST)


On Tue, 12 Jan 2010, Paul Ferguson wrote:

> On Tue, Jan 12, 2010 at 9:09 PM, rick wesson
> <rick () support-intelligence com> wrote:
>
>> I'm hearing that it's like 30 companies involved. What I'm wondering is
>> how they attributed it to the Chinese. With so many compromised systems
>> in China, isn't that the perfect joe-job?

There's an advantage to wearing hats of varying shades of gray. When my 
systems are attacked, I attack back. Your point on compromised systems is 
valid, but it also presents an opportunity to an investigator - the 
attacking machines are usually not hard to own. Once you own the box, 
finding the source of a bounced attack is easy. Changing the default route 
when you're done also usually deprives the attacker of that asset.

>> If I was Chinese and working to penetrate a bunch of US companies, why
>> would I do the deed from my own country's network? Rarely does a cyber
>> criminal use networks within their own country to control assets, so why do
>> the Chinese?

Probably because their outbound connections are watched very closely when 
entering any other country. Wouldn't, say, Romania be very helpful to the 
attacked party in sending logs of the inbound connection from China to the 
attacking proxy?

>> If I was from another nation I would look at the Chinese systems as an
>> easy proxy, and throw off my trail by attempted compromise of "freedom
>> fighter" accounts. One thing I have learned is that attribution is very
>> hard to do.

True. But it's also worth noting that many institutions which have had 
intellectual property stolen soon see their product appear in China.

> Hi Rick,
>
> Those are great points -- but of course there are a lot of details missing
> right now.

Yup. Hopefully Google will be more forthcoming, at least to the security 
field.

> Having said that, I know some really bright security folks at Google, so I
> have to initially believe they have good reason to suspect in-country
> perpetrators.

Yeah, I doubt they'd go public without some pretty solid evidence.

> But then again, we all know that things are not always as they appear. :-)

If this was the fedgov, I wouldn't be surprised if they were wrong (or 
flat-out lying). But this is Google, where there is some degree of 
competence and accountability.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.