Evidence Weakens That China Did the Recent Cyberattacks

click2005 notes an article in The Register calling into question the one piece of hard evidence that has been put forward to pin the Google cyberattacks on China. It was claimed that a CRC algorithm found in the Aurora attack code was particular to Chinese-language developers. Now evidence emerges that this algorithm has been widely known for years and used in English-language books and websites. Wired has a post introducing the Pentagon's recently initiated effort to identify the "digital DNA" of hackers and/or their tools; this program is part of a wide-ranging effort by the US government to find useful means of deterring cyberattacks. This latter NY Times article notes that Google may have found the best deterrence so far — the threat to withdraw its services from the Chinese market.

  • by walkoff ( 1562019 ) on Tuesday January 26, 2010 @03:10PM (#30908302)
    We were using and describing digital DNA in the mid to late 80s, although the terminology used was slightly different as we /stole/ the term FIST from ham radio to use for it. It's actually an interesting technique, although we weren't that sophisticated as we only looked at command streams and linguistics to identify country of origin and style of attack and group M.O. rather than pinpointing the actual attacker. It was actually used successfully in a few virus and trojan incidents and I still have at least a partial copy of the NARK database I collated at the time.
  • by the_povinator ( 936048 ) on Tuesday January 26, 2010 @03:20PM (#30908498) Homepage
    To add to this: the analysis on the original "research blog" was also more specific than the Register article. He said:

    By decompiling the algorithm and searching the Internet for source code with similar constants, operations and a 16-value CRC table size, I was able to locate one instance of source code that fully matched the structural code implementation in Hydraq and also produced the same output when given the same input

    The Register people seem to have accepted similarity in code, without going to the trouble of checking the outputs.
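The output check described in the comment above, as an added example that is not code from the thread, the research blog or the malware: two CRC-16 routines that look nothing alike (no table versus a 16-entry table) agree on every input, while the same routine with a different seed does not, so structural similarity alone settles nothing. The polynomial 0x1021, the seeds and the sample strings are assumptions; the page gives no constants.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POLY 0x1021u /* assumed polynomial (CRC-16/CCITT); not given on the page */

/* Reference: one bit at a time, MSB first, no table at all. */
uint16_t crc16_bitwise(const uint8_t *p, size_t n, uint16_t crc) {
    while (n--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (uint16_t)((crc & 0x8000u) ? (crc << 1) ^ POLY : crc << 1);
    }
    return crc;
}

/* Same CRC, four bits at a time, using a 16-entry table built from POLY. */
uint16_t crc16_nibble(const uint8_t *p, size_t n, uint16_t crc) {
    uint16_t t[16];
    for (unsigned i = 0; i < 16; i++) {
        uint16_t c = (uint16_t)(i << 12);
        for (int b = 0; b < 4; b++)
            c = (uint16_t)((c & 0x8000u) ? (c << 1) ^ POLY : c << 1);
        t[i] = c;
    }
    while (n--) {
        uint8_t b = *p++; /* high nibble first, then low nibble */
        crc = (uint16_t)((crc << 4) ^ t[((crc >> 12) ^ (b >> 4)) & 0xF]);
        crc = (uint16_t)((crc << 4) ^ t[((crc >> 12) ^ b) & 0xF]);
    }
    return crc;
}

typedef uint16_t (*crc_fn)(const uint8_t *, size_t, uint16_t);

/* 1 only if a (seeded init_a) and b (seeded init_b) agree on every sample. */
int outputs_match(crc_fn a, uint16_t init_a, crc_fn b, uint16_t init_b) {
    static const char *samples[] = { "", "A", "123456789", "constructed sample" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        const uint8_t *s = (const uint8_t *)samples[i];
        if (a(s, strlen(samples[i]), init_a) != b(s, strlen(samples[i]), init_b))
            return 0;
    }
    return 1;
}
int main(void) {
    printf("same seed: %d\n", outputs_match(crc16_bitwise, 0, crc16_nibble, 0));
    printf("different seed: %d\n", outputs_match(crc16_bitwise, 0, crc16_nibble, 0xFFFF));
}
```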

  • Digital DNA? (Score:2, Informative)

    by Smallpond ( 221300 ) on Tuesday January 26, 2010 @03:29PM (#30908588) Homepage Journal

    How hard is that? Parse /var/log/secure, do a lookup and see where the attacks are coming from.

    121.172.227.78 KR KORNET, Namdong-gu, Incheon
    218.200.163.148 CN China Mobile Communications
    222.173.194.10 CN CHINANET SHANDONG PROVINCE NETWORK
    203.250.137.143 KR kreonet.net
    209.151.248.213 US Cyberverse, Los Angeles Colocation and Datacenter
    190.144.126.227 CO TELMEXLA.NET.CO, Bogota
    203.134.223.248 IN HFCL INFOTEL, Punjab
    194.246.101.52 FR Transnode

    Wow. No Brazil today. That's odd.

  • Re:F-China (Score:3, Informative)

    by chiguy ( 522222 ) on Tuesday January 26, 2010 @04:04PM (#30909016) Homepage

    Why all the pro-China posts lately on Slashdot?

    I've noticed this too. I try to be objective about Chinese and American relations. We're definitely frienemies, but lately I've noticed subtle push-back from the pro-China folks.

    Like my comment in a previous post got modded to +4 insightful but then ended back down to +2:


    Google should also check where all their laptops were manufactured. And make sure each BIOS is clean.

    There's a battle going on on /.

  • Skip the NY Times (Score:2, Informative)

    by Kylere ( 846597 ) on Tuesday January 26, 2010 @04:24PM (#30909272)
    As an FYI, skip the NYTimes version of this story; I have had 4 users walk in today with infected systems. It appears that NYTimes has pulled another screwup in security land: http://news.cnet.com/8301-1009_3-10351460-83.html [cnet.com]
  • Re:Cui bono (Score:1, Informative)

    by Anonymous Coward on Tuesday January 26, 2010 @05:15PM (#30909994)

    By setting China and the US up against each other, they increase the likelihood that the Chinese accelerate the dumping of their dollar reserves, which will devalue the dollar and drive investments to Europe.

    Devaluing the dollar would drive investments to the US. Suddenly US labor and products can be had for less. It's the reason China doesn't float the Yuan: they don't want it to reflect actual value.
