I don’t have much sympathy for the victim here: I’ve had a visceral dislike of filtering software since, oh, middle school.
But, from a security standpoint, the story of CYBERsitter and its founder vs. one of China’s most prolific black-hat penetration teams offers a chance to ask the question — what should he have done?
For three years they waged a war of harassment and attrition against the guy’s firm, trying to bleed them into bankruptcy in order to end the lawsuit he’d filed against the Chinese government (and many Chinese companies). They all but succeeded.
The guy spent those years responding with band-aid homebrew solutions to every problem, and in the process came away personally worse for the wear and a fair bit poorer thanks to the $58,000-a-month drop in revenue the Chinese mischief caused.
Here are my suggestions for anyone finding themselves in his shoes. What are yours?
o) There’s always a point where you realize you won’t walk away from this the same as you came in. For the CYBERsitter founder, that seems to have been when he got a professional analysis done of some of their malware.
At this point, realize that taking a loss now, on your terms, is infinitely better than dying of a thousand papercuts on theirs.
o) It seems like he had a fairly small company, probably under 20 employees. So go around and do a survey of what everyone uses their computers for, what software they run, etc.
o) Reboot your servers — to Linux or BSD LiveCD/DVD images. Assuming you don’t have the expertise to put together custom/preconfigured ones, put all the configuration steps into a script that you can run on boot. If the server starts acting up again, reboot.
o If migrating from your previous configuration takes more knowledge than you have time to learn, bring in a consulting firm.
o) Get a Linux support contract, not too long term, but the platinum-plated model with more bells and whistles than a carnival in a carillon.
o) If you or the support company can do custom LiveCDs, put some together with maximum practical hardening. No services listening, no Bluetooth or wireless support, boots to a user without sudo access, etc.
o) Call your staff together, and explain to them that the company is being electronically attacked by people that want to drive the company out of business. If they succeed, everyone will lose their jobs. You don’t intend to let them succeed. But fighting them off will take some big changes, and inconvenient ones. Dealing with them is the price the company must pay to survive. “We will fight them on the beaches, we will fight them on the landing grounds…”
o) Hand out pre-paid burner phones. “Forget the phones on your desk, use these.” PBXes are death, at least for the moment. For style points, get some “THIS PHONE IS TAPPED” stickers from 2600 and put them on people’s desk phones.
o) “Everyone, this is Linux. Here’s where you click to browse the web. Here’s where you click to edit documents. Here’s a few printed-off screenshots with “DOCUMENTS” and “WEB” labels hastily Photoshopped in large friendly letters. If you get confused, I photoshopped the number to call at the bottom.”
o) Hand out Linux LiveCDs, hard drive docking stations, and USB CD-drives to everyone. From now on any computer that touches the Internet runs on a LiveCD. “If you make a mistake and they get in your computer, just save your work and reboot. When you go home for the day, lock the hard drive in your desk.”
The hard drives should be formatted to Ext2/3/4 (or another open-source filesystem): this a) ensures nobody ‘backslides’ and boots up Windows, b) cuts the odds of a filesystem-level autorun vulnerability, and c) makes forensics easier if the hackers do find one.
o) Using your earlier survey, get the people most likely to need help in touch with support. Come up with field-expedient (read: “not pretty but it works”) ways to meet their computing needs.
o) People that NEED to run Windows applications get VirtualBox and a VirtualBox image, configured to have no network access (but with the add-ons so you can drag and drop files). If possible, set up the applications to write all data to a “shared folder” instead of the VirtualBox image, so if the Windows system gets messed with — just copy over a fresh version of the image and reboot it.
o) Step back, take a deep breath. Immediate disasters (hopefully, mostly) averted. Now go hire some forensics geeks, pen-testers, security experts, and TSCM sweepers — and spend a few weeks of intense conference-room sessions re-engineering the company’s network.
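The hardening goals in the list above (no services listening, no Bluetooth or wireless support, a boot user without sudo access) can be checked on a booted image with a short audit script. This is an added example, not part of the original post; the function names and the sample command output are constructed for illustration, and the admin-group check is only a heuristic.

```shell
#!/bin/sh
# Added example: audit a live image against the hardening goals in the list.
# Each check reads command output on stdin, so it works on saved output
# or live, e.g.:  ss -Htln | listeners

# Print the local address of every listening TCP socket (input: `ss -Htln`).
listeners() {
    awk '$1 == "LISTEN" { print $4 }'
}

# Print loaded Bluetooth / Wi-Fi stack kernel modules (input: `lsmod`).
radio_modules() {
    awk '$1 ~ /^(bluetooth|btusb|cfg80211|mac80211)$/ { print $1 }'
}

# Succeed if the group list (input: `id -Gn`) names a usual admin group.
# Heuristic only: sudoers can also grant rights to a user directly.
in_admin_group() {
    tr ' ' '\n' | grep -Eqx 'sudo|wheel|admin'
}

# Print one FAIL line per finding. Args: ss_file lsmod_file groups_file
audit() {
    listeners < "$1" | sed 's/^/FAIL listening socket: /'
    radio_modules < "$2" | sed 's/^/FAIL radio module loaded: /'
    if in_admin_group < "$3"; then
        echo "FAIL boot user is in an admin group"
    fi
}

# Constructed sample output from a badly configured image (not real data).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' \
                  'LISTEN 0 5 127.0.0.1:631 0.0.0.0:*' > "$d/ss"
    printf '%s\n' 'Module Size Used by' 'btusb 65536 0' \
                  'bluetooth 737280 1 btusb' 'ext4 983040 1' > "$d/lsmod"
    echo 'liveuser sudo' > "$d/groups"
    audit "$d/ss" "$d/lsmod" "$d/groups"
    rm -rf "$d"
}
demo
```

On a real image, feed the functions live output instead of the sample files; an image that meets the goals produces no FAIL lines.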
“During his civil lawsuit against the People’s Republic of China, Brian Milburn says he never once saw one of the country’s lawyers. He read no court documents from China’s attorneys because they filed none. The voluminous case record at the U.S. District courthouse in Santa Ana contains a single communication from China: a curt letter to the U.S. State Department, urging that the suit be dismissed.
That doesn’t mean Milburn’s adversary had no contact with him.
For three years, a group of hackers from China waged a relentless campaign of cyber harassment against Solid Oak Software Inc., Milburn’s family-owned, eight-person firm in Santa Barbara, California. The attack began less than two weeks after Milburn publicly accused China of appropriating his company’s parental filtering software, CYBERsitter, for a national Internet censoring project. And it ended shortly after he settled a $2.2 billion lawsuit against the Chinese government and a string of computer companies last April.
In between, the hackers assailed Solid Oak’s computer systems, shutting down web and e-mail servers, spying on an employee with her webcam, and gaining access to sensitive files in a battle that caused company revenues to tumble and brought it within a hair’s breadth of collapse.”