CYBER SA for 1130Z22AUG2013

Good morning Cyber Fans –

Remember Red Dragon’s rules of cyber SA and newsworthy items – with writer deadlines both Wednesday, yesterday and the weekends are when you are likely to discover & learn about the nascent and unusual from cyber land…

In today’s edition of CYBER SA we have a decent batch of cyber related stories out of the People’s Republic of China…(中國人民共和國), news of Russia’s Cyber Initiatives; Iranian Oil going to China thanks to Hillary; proof that the United Kingdom has been definitely colonized by the Chinese under the ROE for Operation Middle Kingdom; HUAWEI’s endeavors in both Poland and Indonesia..yes and the latest silliness from our own shores…

Enjoy my friends – it is only Thursday!

Chinese Ransomlock Malware Changes Windows Login Credentials |
http://www.symantec.com/connect/blogs/chinese-ransomlock-malware-changes-windows-login-credentials
Poison Ivy RAT Spotted in Three New Attacks…ties to hackers in People’s Republic of China

Poison Ivy RAT Spotted in Three New Attacks


Revamped Aumlib, Ixeshe Malware Found in New People’s Republic of China Attacks

Revamped Aumlib, Ixeshe Malware Found in New China Attacks

In global cyber war, Silicon Valley urged to take care of own
As U.S., People’s Republic of China spar over attacks, Google others told to step up.
http://www.sltrib.com/sltrib/money/56411570-79/china-security-cyber-government.html.csp

Veterans of 2001 Sino-US cyberwar become entrepreneurs
While some veterans of the Sino-US cyberwar of 2001 remain true to the ‘spirit of geeks’, many have since carved out profitable internet businesses
http://www.scmp.com/news/china/article/1298200/hackers-entrepreneurs-sino-us-cyberwar-veterans-going-straight

People’s Republic of China: ‘An economic force to be reckoned with’ | Asia | DW.DE | 21.08.2013
http://www.dw.de/china-an-economic-force-to-be-reckoned-with/a-17036412?maca=en-rss-en-all-1573-xml-atom
People’s Republic of China Takes Aim at Western Ideas
http://www.nytimes.com/2013/08/20/world/asia/chinas-new-leadership-takes-hard-line-in-secret-memo.html?_r=1&&pagewanted=all

Surrounded: How the U.S. Is Encircling People’s Republic of China with Military Bases
US military options now must counter People’s Republic of China’s Operation Middle Kingdom in Asia Pacific….
http://killerapps.foreignpolicy.com/posts/2013/08/20/surrounded_how_the_us_is_encircling_china_with_military_bases

US, People’s Republic of China still wary of each other despite military cooperation talk
http://www.wantchinatimes.com/news-subclass-cnt.aspx?id=20130821000115&cid=1703

People’s Republic of China’s Rise, Disputed Territories & Competition Between Major Powers In Asia-Pacific Concern For Canada And Australia – Report
http://www.eurasiareview.com/21082013-chinas-rise-disputed-territories-and-competition-between-major-powers-in-asia-pacific-concern-for-canada-and-australia-report/?

The untold truth behind the US rebalancing policy|
http://www.wantchinatimes.com/news-subclass-cnt.aspx?cid=1703&MainCatID=17&id=20130811000079

A gap in U.S. sanctions law allows People’s Republic of China to import more Iranian oil
http://online.wsj.com/article/SB10001424127887324619504579026333611696094.html

UK’s BBC Strikes China Content Deal…agrees to OP Middle Kingdom ROE

BBC Strikes China Content Deal


People’s Republic of China media: Online rumours
http://www.bbc.co.uk/news/world-asia-china-23776560
Xinhua reveals People’s Republic of China’s ‘Area 51’ in Inner Mongolia
http://www.wantchinatimes.com/news-subclass-cnt.aspx?cid=1101&MainCatID=11&id=20130821000013

Security probes into foreign companies backed by People’s Republic of China’s netizens
http://www.wantchinatimes.com/news-subclass-cnt.aspx?id=20130821000139&cid=1101
People’s Republic of China’s Sinochem plans further investment in Brazil’s offshore oil
http://www.wantchinatimes.com/news-subclass-cnt.aspx?id=20130821000010&cid=1102
People’s Republic of China’s Everbright’s strategic investments keep firm afloat after errors
http://www.wantchinatimes.com/news-subclass-cnt.aspx?id=20130821000062&cid=1206
People’s Republic of China arrests Weibo users for “inciting public dissatisfaction with the government”
http://www.techinasia.com/china-arrests-weibo-users-inciting-public-dissatisfaction-government/?
A Chinese Wikipedia editor is banned from leaving People’s Republic of China until 2016
http://www.techinasia.com/wikipedia-china-editor-banned-from-leaving-country/?
Indonesia’s flagship airline Garuda spotted using People’s Republic of China’s AliPay
http://www.techinasia.com/garuda-indonesia-alipay/?
Apple’s iPad sees People’s Republic of China market share shrink to 28%
http://www.techinasia.com/apple-ipad-market-share-china-shrinks-to-28-percent-q2-2013/?

What Is the People’s Republic of China Unable To Make?
http://www.ibtimes.com/chinese-companies-struggling-gain-foothold-global-market-1392949?ft=rc480
Chinese Telecom ZTE Latches Onto Firefox for Image of Privacy – The Epoch Times
http://www.theepochtimes.com/n3/255482-chinese-telecom-latches-onto-firefox-for-image-of-privacy/
People’s Republic of china to Lead – Growth in Wind Energy to Boost Global Operations and Maintenance (O&M) Market
http://www.investorideas.com/news/2013/renewable-energy/08201.asp
ChinaSoft International and Alibaba Cloud to Build Pilot Smart Government Services Cloud for Zhejiang
http://www.istockanalyst.com/business/news/6541645/chinasoft-international-and-alibaba-cloud-to-build-pilot-smart-government-services-cloud-for-zhejiang

Apple loses ground in People’s Republic of China smartphone market
http://www.eetasia.com/ART_8800688899_499488_NT_71fe3e9a.HTM
Apple Takes A Small Step Toward Boosting Its Presence In the People’s Republic of China
http://www.businessinsider.com/apple-takes-a-small-step-toward-boosting-its-presence-in-china-2013-8?
Apple’s iPad suffers drastic decline in share of Chinese tablet market while cheap competitors grow
http://appleinsider.com/articles/13/08/20/apples-ipad-suffers-drastic-decline-in-share-of-chinese-tablet-market-while-cheap-models-grow

Japan’s nuclear crisis deepens, China expresses ‘shock’
http://www.reuters.com/article/2013/08/21/us-japan-fukushima-severity-idUSBRE97K02B20130821
Malaysia’s Celcom signs five year digital services deal with People’s Republic of China’s Huawei
http://www.telegeography.com/products/commsupdate/articles/2013/08/21/celcom-signs-five-year-digital-services-deal-with-huawei/?
People’s Republic of China’s Huawei Helps Polish Government Build
…the World’s First 3.6GHz~3.8GHz eLTE Broadband Access Network
Poland is the Operation Middle Kingdom target for colonization in Eastern Europe…

http://www.istockanalyst.com/business/news/6540174/huawei-helps-polish-government-build-the-world-s-first-3-6ghz-3-8ghz-elte-broadband-access-network

Soldier of Fortune –
Memories of army life from both sides of the Chinese Civil War to a reeducation camp after the Korean War
http://english.caixin.com/2013-08-09/100567733.html

Australia’s glittering investments from People’s Republic of China are not all gold
http://www.usatoday.com/story/news/world/2013/08/20/australia-elections-china-financial-boom/2574249/?
New Zealand spy bills key up controversy
Laws expected to pass this week anger surveillance-wary New Zealanders and irk China, a major trading partner.
http://www.aljazeera.com/indepth/features/2013/08/2013812113057818160.html

Russian Military Creating Cyber Warfare Branch | Defense | RIA Novosti
http://en.ria.ru/military_news/20130820/182856856/Russian-Military-Creating-Cyber-Warfare-Branch.html
Russia Preparing New Cyber Warfare Branch, Military Official Says
http://news.softpedia.com/news/Russia-Preparing-New-Cyber-Warfare-Branch-Military-Official-Says-376807.shtml
Russia’s FSB mulls ban on ‘Tor’ online anonymity network — RT Russian
http://rt.com/politics/russia-tor-anonymizer-ban-571/

Poison Ivy: Assessing Damage and Extracting Intelligence
http://www.fireeye.com/blog/technical/targeted-attack/2013/08/pivy-assessing-damage-and-extracting-intel.html
You Had Me at NIST…謝謝您.. Persistent Threat @AdvancedThreat

You Had Me at NIST

From Nuclear Deterrence To Cyber Deterrence – OpEd
http://www.eurasiareview.com/21082013-from-nuclear-deterrence-to-cyber-deterrence/?

Dancho Danchev’s Blog – Mind Streams of Information Security Knowledge: The Cost of Anonymizing a Cybercriminal’s Internet Activities – Part Three
http://ddanchev.blogspot.nl/2013/08/the-cost-of-anonymizing-cybercriminals.html
McAfee: ‘$1 trillion global cyber crime cost was over the top’
http://www.computing.co.uk/ctg/news/2289953/mcafee-usd1-trillion-global-cyber-crime-cost-was-over-the-top

Millions stolen from US banks after ‘wire payment switch’ targeted
http://www.scmagazine.com.au/News/354155,millions-stolen-from-us-banks-after-wire-payment-switch-targeted.aspx

In ‘cyber’ Maryland, a bid for business growth
http://articles.baltimoresun.com/2013-08-16/business/bs-bz-federal-cybersecurity-industry-20130816_1_business-growth-business-group-national-cybersecurity-center

The 2013 Cybersecurity Executive Order: Potential Impacts On The Private Sector – Strategy – United States
http://www.mondaq.com/unitedstates/x/258936/technology/The+2013+Cybersecurity+Executive+Order+Potential+Impacts+on+the+Private+Sector
Resilience of the Internet Interconnection Ecosystem — ENISA
http://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/inter-x/interx/report

Enjoy!

Semper Fi,

謝謝
紅龍

Yandex.ru Indexing Crawler Issues

The yandex.ru crawler is an indexing application that spiders hosts and puts the results into the yandex.ru search engine. Like Google, Bing and other search engines, the system searches out new contents on the web continually and adds the content to the search engine database. Usually, these types of activities cause little issues for those whose sites are being indexed, and in fact, over the years an etiquette system based on rules placed in the robots.txt file of a web site has emerged.

Robots.txt files provide a rule set for search engine behaviors. They indicate what areas of a site a crawler may index and what sections of the site are to be avoided. Usually this is used to protect overly dynamic areas of the site where a crawler could encounter a variety of problems or inputs that can have either bandwidth or application issues for either the crawler, the web host or both. 

Sadly, many web crawlers and index bots do not honor the rules of robots.txt. Nor do attackers who are indexing your site for a variety of attack reasons. Given the impacts that some of these indexing tools can have on bandwidth, CPU use or database connectivity, other options for blocking them are sometimes sought. In particular, there are a lot of complaints about yandex.ru and their aggressive parsing, application interaction and deep site inspection techniques. They clearly have been identified as a search engine that does not seem to respect the honor system of robots.txt. A Google search for “yandex.ru ignores robots.txt” will show you a wide variety of complaints.

In our monitoring of the HITME traffic, we have observed many deep crawls by yandex.ru from a variety of IP ranges. In the majority of them, they either never requested the robots.txt file at all, or they simply ignored the contents of the file altogether. In fact, some of our HITME web applications have experienced the same high traffic cost concerns that other parts of the web community have been complaining about. In a couple of cases, the cost for supporting the scans of yandex.ru represent some 30+% of the total web traffic observed by the HITME end point. From our standpoint, that’s a pain in the pocketbook and in our attention span, to continually parse their alert traffic out of our metrics.

Techniques for blocking yandex.ru more forcibly than robots.txt have emerged. You can learn about some of them by searching “blocking yandex.ru”. The easiest and what has proven to be an effective way, is to use .htaccess rules. We’ve also had some more modest success with forcibly returning redirects to requests with known url parameters associated with yandex.ru, along with some level of success by blocking specific IPs associated with them via an ignore rule in HoneyPoint.

If you are battling yandex.ru crawling and want to get some additional help, drop us a comment or get in touch via Twitter (@lbhuston, @microsolved). You can also give an account representative a call to arrange for a more technical discussion. We hope this post helps some folks who are suffering increased bandwidth use or problems with their sites/apps due to this and other indexing crawler issues. Until next time, stay safe out there!