An Underlying Message from Operation Aurora
Looking past the hype surrounding the IE 0-day that was used in Operation Aurora, is it all that different from attacks of the past? Not at all. In fact, if one looks a little closer at what is actually delivered to the victim, it is blatantly obvious that this is an attack: from the large unescape variable that is clearly percent-encoded hexadecimal values (and probably shellcode) to the padding in the form of the repeated 0c 0d. These are characteristics of exploits that the security community has been dealing with for the past four years, not of a sophisticated new threat! In fact, existing IPS signatures were capable of triggering alerts on the attack itself. For example, ISS Proventia IPS devices would have raised at least six alarms had this IE 0-day crossed a sensor. Why then does the security community find these attacks so frightening?
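To make the point concrete, here is a small heuristic scanner for the two traits the paragraph names: a large percent-encoded unescape() argument, and padding made of one repeated two-byte value. This is an added example, not code from the original post, and it is not any vendor's IPS signature. The thresholds (MIN_UNITS and friends) are assumptions to tune per environment, and the sample page is constructed: the 0c0d run stands in for the padding, and the filler words stand in for shellcode without being any.

```python
"""Heuristic detector for the heap-spray pattern the post describes: a large
percent-encoded unescape() argument padded with one repeated 16-bit value.
Added example; not code from the original post. Thresholds and sample input
are constructed for illustration, not a vendor signature or real shellcode."""
import re
from collections import Counter

# One unescape("...") / unescape('...') call per match; DOTALL so literals
# split across lines are still captured in one piece.
UNESCAPE_RE = re.compile(r"""unescape\s*\(\s*(['"])(.*?)\1\s*\)""",
                         re.DOTALL | re.IGNORECASE)
PCT_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

# Assumed thresholds (tune to your environment):
MIN_UNITS = 64           # fewer decoded units than a sled or shellcode needs
MIN_ENCODED_RATIO = 0.9  # fraction of the literal that is %-encoding
MIN_TOP_FRACTION = 0.5   # one value dominates -> padding / sled
MIN_RUN = 32             # or one long unbroken run of a single value


def decode_units(literal: str) -> list[int]:
    """Decode a JS unescape() argument into 16-bit units: %uXXXX -> XXXX,
    %XX -> 00XX, anything else -> its code point (as unescape() leaves it)."""
    units, pos = [], 0
    for m in PCT_RE.finditer(literal):
        units.extend(ord(c) for c in literal[pos:m.start()])
        units.append(int(m.group(1) or m.group(2), 16))
        pos = m.end()
    units.extend(ord(c) for c in literal[pos:])
    return units


def longest_run(units: list[int]) -> int:
    """Length of the longest run of one repeated unit (padding/sled size)."""
    best = cur = 0
    for i, u in enumerate(units):
        cur = cur + 1 if i and u == units[i - 1] else 1
        best = max(best, cur)
    return best


def analyze(literal: str) -> dict:
    """Summarize one unescape() literal: how much of it is %-encoded, how many
    units it decodes to, which unit dominates, and the longest repeat run."""
    units = decode_units(literal)
    encoded_chars = sum(m.end() - m.start() for m in PCT_RE.finditer(literal))
    top, top_count = Counter(units).most_common(1)[0] if units else (None, 0)
    return {
        "encoded_ratio": encoded_chars / len(literal) if literal else 0.0,
        "units": len(units),
        "top_unit": f"{top:04x}" if top is not None else None,
        "top_fraction": top_count / len(units) if units else 0.0,
        "longest_run": longest_run(units),
    }


def is_suspicious(r: dict) -> bool:
    """Big, almost entirely %-encoded, and dominated by one repeated value."""
    return (r["units"] >= MIN_UNITS
            and r["encoded_ratio"] >= MIN_ENCODED_RATIO
            and (r["top_fraction"] >= MIN_TOP_FRACTION
                 or r["longest_run"] >= MIN_RUN))


def scan(page: str) -> list[tuple[dict, bool]]:
    """Return (report, flagged) for every unescape() literal in the page."""
    out = []
    for m in UNESCAPE_RE.finditer(page):
        r = analyze(m.group(2))
        out.append((r, is_suspicious(r)))
    return out


# Constructed sample page: one spray-shaped literal (0c0d padding followed by
# arbitrary filler words standing in for shellcode) and one benign call.
FILLER = "".join(f"%u{(0x1000 + 37 * i) & 0xFFFF:04x}" for i in range(48))
SAMPLE_PAGE = f"""<script>
var sc = unescape("{'%u0c0d' * 256}{FILLER}");
var label = unescape("Hello%20World%21");
</script>"""

if __name__ == "__main__":
    for report, flagged in scan(SAMPLE_PAGE):
        print("SUSPECT" if flagged else "ok     ", report)
```

Run it and the first literal is flagged (304 units, fully percent-encoded, a 256-unit run of 0c0d) while the benign "Hello%20World%21" is not. The check is deliberately crude, which is the point of the paragraph: the delivered payload is so plainly shaped like a spray-plus-shellcode that even this level of inspection separates it from ordinary page content.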
My own personal perspective is that it is because the attackers showed an advanced level of sophistication beyond what most security professionals will ever achieve in their careers. The security community today is saturated with professionals who may never have even witnessed a computer compromise, let alone truly understood one. For the most part, security professionals do not know how to hack and to a large extent do not know how to code. While they might understand the basics of a buffer overflow or SQL injection at a theoretical level, in a real-world situation the average security professional would not have the slightest idea how to actually infiltrate an application or network. Thus, when security professionals are enlightened to the level of sophistication held by their opponents, it is frightening. Even more so when jazzy labels like Advanced Persistent Threat (APT) or “Operation” are applied to an incident. Terms such as these insinuate battle and make people feel threatened by something they do not truly understand, and like so many other things, what people do not understand scares them.
So while I do encourage decision makers to allocate more budget towards the products and services that will better protect them from attacks like Operation Aurora, I also encourage them to recognize the need for better understanding. In particular, I encourage them to realize that ten people with certifications may not be worth a single person who understands the COND field of a microword, or rather someone with a deeper level of knowledge. For the rest of the security community, I would encourage them to recognize that, with the saturation of what qualifies as a security professional, the endless pursuit of knowledge in this field is invaluable. If a cyberwar does truly exist, then it is not a battle of what was hacked and what was secured, but rather an intellectual competition the likes of which have not been seen since the space race. And for those frightened by the events that took place in Operation Aurora, I offer for comfort the fact that in this intellectual race, the good guys are not behind, just saturated.


