Paul Walker on 4 Apr 2018 14:41:19 -0700 |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
Re: [PLUG] understanding Russian threats (was: Re: Massive Breach in Panera Bread) |
I for one embrace our new russian overlords! I am actually learning
Russian on duolingo right now.
> ______________________________
On 4 April 2018 at 17:03, brent timothy saner <brent.saner@gmail.com> wrote:
> On 04/04/2018 04:24 PM, george@georgesbasement.com wrote:
>> While the security breach revealed in this clearly documented discussion
>> is important to inform IT managers about the privacy risks to affected
>> individual accounts of blind usage of canned proprietary software, I've
>> been following another risk growing out of the Russian interference with
>> our 2016 election.
>>
>> This has been going on since September 2016 and continues to the present
>> day. The Russians are working on the logistics of attacking our entire
>> installed software base with the aim to control a massive shutdown of the
>> Internet by pushing a "Czar" button at the Troll farm ...
>>
>> They have been developing a technique of activating an arbitrarily large
>> number of compromised Russian-language websites worldwide from the Remote
>> Access Ports shared by a number (presently about two dozen) of Russian and
>> Seychelles-based servers controlled by a handful of actors. They now are
>> able to engineer the nearly simultaneous arrival of HEAD / HTTP requests
>> made by the numerous compromised Russian-language websites.
>>
>> Starting December 2017 and since they have apparently been escalating to
>> the
>> near-simultaneous sending of PORT requests to deliver compromised WordPress
>> applications, plugins, etc. to minimally protected WordPress installations
>> so as to compromise them or their servers.
>>
>> They're doing this to my webpage (anonymized on the 'Net) even though there
>> is no WordPress software on its server, but I presume that the attempt is
>> spread among as many prospective victims as possible without evaluating or
>> winnowing the unproductive instances.
>>
>> To whom should these activities be reported ? I've gotten no feedback of
>> any
>> kind since I went public with this, and the only "visitors" to the website
>> (pinthetaleonthedonkey.com) are RU, UA, CN, TR, IR, KR and various
>> WordPress
>> attackers, all 403'd or promptly added to the site's .htaccess file. Google
>> occasionally visits, but in-depth readers are few and far between.
>>
>> These efforts will be exceedingly difficult to stop because the compromised
>> Russian-language websites are scattered worldwide and the Port 3389 servers
>> are all out of our reach. However, if the Powers-That-Be can gain
>> admittance
>> to the Access Files of the compromised servers that are on friendly ground,
>> then the presently hidden activating servers might be traced from the
>> timing
>> and identity of the specific requests documented in
>> pinthetaleonthedonkey.com.
>>
>> George Langford
>
> do you talk about anything *other* than what you perceive to be a
> targeted attempted campaign by Russian actors-in-power aimed at you,
> Some Guy Who Runs His Own Server?
>
> because that's literally all you post about. this isn't even relevant to
> panera's breach.
>
> you haven't gotten any feedback on this because it's unrealistic.
>
> let's break it down:
>
> first off, your first premise of russians conducting a widescale attack
> doesn't suit them. if anything, they prefer targeted, narrow-scope
> compromise attempts but it's a lot cheaper and easier to conduct psyops,
> which they definitely engage in a lot more than any sort of direct
> digital attack. when you conduct an attempted compromise, you never do
> it wide-scale because that's how you blow your cover, period. (not to
> mention the cost involved in something like that.) they spend their
> money where there'd be an actual payoff - .gov's, gov contractors, and
> the like. i doubt your nonexistent Wordpress server holds US state
> secrets. (sidenote: the US gov sites do not use Wordpress.)
>
> secondly, "They're doing this to my webpage (anonymized on the 'Net)" -
> if it's anonymized, how do you know it's russian in origin?
>
> third, "To whom should these activities be reported ?"
> certainly not to a LUG, assuming it's actually valid.
>
> "the Port 3389 servers are all out of our reach" - what does this have
> to do with Wordpress probes?
>
> "of the specific requests documented in pinthetaleonthedonkey.com" -
> stop peddling your website.
>
>
> lastly, anyone can tell you that wordpress probes have been happening in
> large number from a slew of IP ranges for... well, forever. it's a part
> of being on the 'net, and it certainly predates any russian involvement
> in US 2016 election. it's mostly a bunch of skids with a bot farm trying
> to deface wordpress websites because it's easy. state-level operations
> are much less noisy.
>
> (inb4 "you're one of them!")
>
>
______________________________ _______________
> Philadelphia Linux Users Group -- http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
>
____________________________________________________________ _______________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug