Amongst other news outlets, CIO reports on a hacker attack on the German parliament (Bundestag) that occured four weeks ago and is still ongoing:
Trojans introduced to the Bundestag network are still working and are still sending data from the internal network to an unknown destination, several anonymous parliament sources told German publication Der Spiegel.[German]
All software and hardware in the German parliamentary network might need to be replaced[1]. More than four weeks after a cyberattack, the government hasn't managed to erase spyware from the system, according to a news report.
Some MPs have concerns to call experts from the foreign intelligence service, the Bundesnachrichtendienst, for help, because the agency would gain access to the legislative process, a possible violation of the principles of Separation of Powers.
[1] Apparently about 20.000 machines are affected
Related Stories
Bild claims [paywall and in German] that Chancellor Angela Merkel's personal computer was one of the first to be compromised in a cyberattack linked to Russia. Merkel's computer was reportedly used to spread malware to other targets within the German government.
Germany's top prosecutor has dropped an investigation into the National Security Agency's surveillance of Chancellor Merkel's cell phone.
V3.co.uk is claiming that German defense minister Ursula von der Leyen is under attack by hackers, but this has yet to be corroborated in any source the author can find.
Original Submission
(Score: 4, Insightful) by ThG on Saturday June 13 2015, @08:47AM
...Incompetent imbeciles... Maybe they shouldn't have relied on Microsoft after all and maybe hired some people with actual knowledge.
(Score: 5, Funny) by Anonymous Coward on Saturday June 13 2015, @08:52AM
But the people they hired are Microsoft Certified Professionals. Is simply not possible to be more knowledgeable.
(Score: 3, Interesting) by Anonymous Coward on Saturday June 13 2015, @09:56AM
But the people they hired are Microsoft Certified Professionals. Is simply not possible to be more knowledgeable.
http://www.bbc.co.uk/news/technology-30054140 [bbc.co.uk]
(Score: 1, Funny) by Anonymous Coward on Saturday June 13 2015, @08:56AM
It's all part of their plan to violate the principles of Separation of Powers.
(Score: 0) by Anonymous Coward on Saturday June 13 2015, @02:08PM
Sadly plausible statement
(Score: 2) by No Respect on Saturday June 13 2015, @08:58AM
I seem to remember some governmental orgs in Germany made a big thing of switching to Linux a few years ago. Maybe it was only a city or two. Munich, maybe? In any case, with incidents such as this, the recent US "attacks from China", and every other intrusion attempt (whether successful or not) I put the blame squarely on whoever owns and/or controls the systems. Period. Make them legally liable and watch this shit get cleaned up real fast. That goes for banks and other financial organizations, too.
Maybe I'm approaching get-off-my-lawn territory, but I'm not really interested in even debating the subject anymore. Someone breaks into your system? YOU are responsible and nobody else.
(Score: 0) by Anonymous Coward on Saturday June 13 2015, @09:07AM
not saying you don't raise an interesting point, but your position is as controversial as blaming a female rape victim for being raped because she wore a miniskirt; it may be argued that the miniskirt helped make her a target, but if you take blame away from the perpetrators, the number of incidents would skyrocket.
nobody is a computer security expert, and those that think they are are the most insecure of all. the only exception to this is bruce schneier for obvious reasons :p
security is a process, not an end goal
(Score: -1, Troll) by Anonymous Coward on Saturday June 13 2015, @09:19AM
"I totally disagree with everything you said, but I still want to be modded up for sucking your juicy fat cock."
(Score: -1, Troll) by Anonymous Coward on Saturday June 13 2015, @11:34AM
where's the part in the original post that implied disagreement?
chicks that walk around in miniskirts are begging to be raped
faggot
(Score: 5, Informative) by No Respect on Saturday June 13 2015, @09:36AM
Fuck no it's not the same. Not even remotely. I'm talking about legal and ethical responsibility and assignment of blame for a technological, business and financial fuckup where people who should know better don't give a fuck and then lash out when their own fuckups result in damage. You just want to take that and project that that sentiment is equivalent to blaming the victim. Ha! Fuck you, no. Equating business loss and liability to personal, human suffering and violence is fucking wrong, dude.
You are the problem. Look in the mirror the next time someone asks why this country is so fucked up. You are why all the other countries hate us.
(Score: 0) by Anonymous Coward on Saturday June 13 2015, @11:53AM
you can try to secure systems all you want, but if they contain something of sufficient value there will be hackers who invest plenty of effort into breaking them (and will in all likelihood succeed if the prize is worth it).
Under your dictatorship, businesses would go broke due to the costs of endless spending on security. In reality, businesses will always do the absolute minimum to cover their asses, and no more. For anything they miss there is liability insurance. If customers aren't happy with the level of security provided, they go elsewhere, which is why when security is paramount there is a market incentive to improve (such as banking). Forcing companies to be held liable for breaches is fine if such breach would cause grievous harm to others (such as security of weapons), but otherwise it will just pointlessly hurt small businesses who can't afford to have the best security or defend themselves in court.
What would work much better than your bureaucratic bullshit is for your big government cronies to get out of the way and let failing corporations go bankrupt. If the market decides that a company has fucked up their security, it will abandon it to rot. If the government then comes in and bails it out, what the fuck good is that gunna do? It's just going to make the problem worse. It's called 'moral hazard' for you Keynesian imbeciles.
Dipshit democrats like you are why businesses are so wrapped up in red tape they eventually get chased offshore.
(Score: 1, Insightful) by Anonymous Coward on Saturday June 13 2015, @05:12PM
Sounds like natural selection where only the best and most competent prevail.
(Score: 1) by KGIII on Sunday June 14 2015, @08:50AM
Equating business loss and liability to personal, human suffering and violence is fucking wrong, dude.
But you want to put the people who are victims of attacks into prison. That is, you know, equating business loss and liability to personal, human suffering and violence... And, it is fucking wrong, dude. Seriously? Did you seriously type that or was that a joke?
Anyhow, if the penalty for failure is that high nobody will do the job and you can not force someone to do the job.
"So long and thanks for all the fish."
(Score: 2) by urza9814 on Monday June 15 2015, @04:59PM
You guys are arguing the wrong point entirely. The victims of hacking attempts are not the operators of the networks which are hacked; the victims are the *users* of these networks. The owners of the networks are often co-conspirators in the crime. If they weren't aware you could say it's negligence rather than malice, but often they certainly *are* aware. "Securing against threat X will cost $Y" "That's too expensive; let the users get hacked."
(Score: 2) by c0lo on Saturday June 13 2015, @11:58AM
bruce schneier is beyond exception: he rules.
https://www.youtube.com/watch?v=aoFiw2jMy-0
(Score: 0) by Anonymous Coward on Sunday June 14 2015, @02:05PM
It would be far more similar to say a bank that had a pile of your gold with information on where to get more of your gold locked up in a store room with a deadbolt. They will say they had someone come and make sure it was locked up, but it doesn't mean it was adequate. You need to have an actual safe to protect your valuable information adequately and it's the banks fault if they don't not yours. At a certain point, you have to trust those with your information to do the right thing, because you can't possibly know everything.
(Score: 1, Insightful) by Anonymous Coward on Saturday June 13 2015, @09:12AM
Because Linux malware DOES NOT EXIST. It simply doesn't. There's no such thing as a Linux virus, Linux rootkit, or malicious Linux kernel module. These things are NOT EVEN POSSIBLE. And I personally did not see Linux malware in the wild as early as FIFTEEN YEARS AGO. That did NOT HAPPEN.
Seriously, Linux dude, go fuck yourself.
(Score: 2) by No Respect on Saturday June 13 2015, @09:46AM
Do they run Linux in Germany or don't they? I was asking a question, not trying to throw shade at Linux. Blame the fuckers who can't set up a decently secure system? Sure, absolutely. Blame it on Linux? I don't believe I ever said that.
I mean, I know for a fact they run Linux in Germany. Most of IBM's Linux work is based there. So that was a rhetorical question, too, in case anyone didn't notice.
(Score: 2) by bradley13 on Saturday June 13 2015, @01:34PM
IIRC, that was only a couple of cities. Certainly not the whole government.
Everyone is somebody else's weirdo.
(Score: 1) by KGIII on Sunday June 14 2015, @08:54AM
That does not mean that there are no exploits nor does it mean that it is secure. The rant was nice, though.
"So long and thanks for all the fish."
(Score: 0) by Anonymous Coward on Sunday June 14 2015, @02:15PM
gnu/inux has significantly less vulnerabilities by design. You can easily make it less secure and it has bugs and exploits like everything else, but it's still a safer system than most other OSes that focus on usability first. Generally the linux bugs you see tend to be far less impactful as well, a few in the past year notwithstanding, and there's exploits that get attached to linux that don't have anything to do with linux. The upside and downside of open sourced software is higher visibility. I'm quite sure that there have been some horrendous closed sourced vulnerabilities we never even knew about because they didn't tell anyone, and didn't have to tell anyone. If you knew about linux, then you knew about this.
On top of all this, you read into the question something that wasn't said so...
Seriously hyperbolic or purposefully ignorant dude, go fuck yourself.
(Score: 3, Interesting) by maxwell demon on Saturday June 13 2015, @09:23AM
And if someone breaks into your house, I guess he's not to blame either, because it was you who didn't secure your house properly, right?
Yes, those who didn't properly secure their systems deserve a part of the blame. But that doesn't let those who attacked off the hook.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by No Respect on Saturday June 13 2015, @09:39AM
Correct. 100% absolutely correct. Next?
(Score: 5, Informative) by MichaelDavidCrawford on Saturday June 13 2015, @09:40AM
A carpenter once explained to me that you cannot make concrete out of beach sand; rather you have to grind up rocks in a ball mill. That makes for sand particles with lots of nooks and crannies that enable the solidified Portland cement to bind far more effectively than is the case with beach sand, which are worn round and smooth.
However during the great depression, it was common to use beach sand. This had the eventual result that a bunch of houses slipped off their foundations in Santa Cruz County during the 1989 Loma Prieta Earthquake. That same carpenter earned quite a lot of coin by jacking the houses up, pouring new foundations then putting them back down.
The Internet is much like that; while we can all work hard to use strncpy() rather than strcpy() as well as to sanitize our inputs [xkcd.com], that's not going to do a whole lot about the fact that the Internet, in a very real way, is broken by conscious design.
Concerns of security were not so much ignored by those who created the Internet, rather consciously avoided. Among the reasons was the US restrictions on encryption export. It's not just that everyone used telnet and ftp rather than ssh and scp, rather that the development of protocols that required encryption simply was not done. Given that the Internet was created by the Defense Advanced Research Projects Agency, it's not like they didn't know from secret codes, rather the decision was made not to even look into it.
Less well-known is that, at least at one time, it was also unlawful to export implementations of self-healing networks. There are some other technologies that one may not export but I do not recall them.
I once dropped a dime to the Bureau of Exports Administration to ask what I could export in the way of crypto. The gent I spoke to quite emphatically encouraged me to export crypto for use in authentication. However the confused notion that all crypto was forbidden lead to cryptographic authentication not being done much at all - even to this day.
At one time, to send so much as one single unsolicited commercial email could get you disconnected from the Internet entirely. It was like if you didn't pay the power company; they'd drop by your house then flick a switch on your meter to cut you off.
That led to the failure to develop any technological anti-spam measures. There are all manner of ways spam could have been, if not completely prevented, at least greatly discouraged, for example through the use of "hash cash", in which one must compute an expensive hash function before an SMTP server will accept an incoming mail.
The World Wide Web was invented in 1989 by Tim Berners-Lee in hopes of enabling Elementary Particle Physics collaborations to more-easily communicate with each other. It is quite common for thousands of physicists to work together on a single experiment. Consider the problem of everyone agreeing on the final draft of a paper.
Mosaic was written by Marc Andreessen while working at the National Center for Supercomputing Applications. Before Mosaic there were only keyboard-driven text-mode browsers. The one I tried to use at CERN was quite crude so Mosaic was quite a big deal. While NCSA serves many researchers, most supercomputing is done by physicists so I expect Mosaic was written with the intention of helping out the Physics community, so it would not have to use ascii terminal emulators to browse the web.
Mosaic was quite nice but there were many problems so Andreessen - I expect with some VC - founded "Mosaic Inc." then wrote Netscape Navigator. NSCA was concerned about trademark infringement so the company changed its name to "Netscape".
Right around then, Netscape and the World Wide Web started making the press all over the place. Everyone wanted to use it.
Despite that the Internet was by no means ready for public consumption there was so much demand, as well as so much opportunity to create so many things of genuine benefit to humanity that the decision was made to open it to the public. Before that, only government, the military, educational institutions as well as particularly large companies could get online.
I personally feel we would all have been a lot better off with USENET and UUCP. But that horse has already left the barn.
(Score: 2) by kaszz on Sunday June 14 2015, @12:00AM
The reason encryption by design were left out was lack of need on a purely research network that only allowed educational, government, military and big (relevant) business to even send or receive any IP packet. Abuse got you *plonk* in the physical way. Encryption software did also lack consistency, good documentation (no searchengines of any kind!) and would tax the computing capacity hard. Consider the capacity of Sun-2 machine that used a 10 MHz Motorola 68010 microprocessor with a proprietary MMU, and an operating system based on 4.1BSD. Ain't gonna crunch anything hard there. Focus were also on doing good, gentlemen honor. People that did bad were located and *plonked* mercilessly.
strncpy() vs strcpy(). Well sloppy thinkers will always be that in most cases. The problem comes when the negative feedback loop doesn't reach them.
If commercial ISP had forced users to read net etiquette and required them to read and sign. And also disconnected anyone breaking those rules. The internet had proberbly been better off. But one can suspect that profits came first.
(Score: 2) by gnuman on Sunday June 14 2015, @12:34AM
A carpenter once explained to me that you cannot make concrete out of beach sand; rather you have to grind up rocks in a ball mill. That makes for sand particles with lots of nooks and crannies that enable the solidified Portland cement to bind far more effectively than is the case with beach sand, which are worn round and smooth.
He told you some bullshit, maybe he believed it too! You don't want to make concrete with SANDSTONE. You want to make concrete with LIMESTONE. It has absolutely nothing to do with "beach sand".
https://en.wikipedia.org/wiki/Concrete#Composition_of_concrete [wikipedia.org]
You don't want anything in concrete that will absorb lots of water in climates that freeze. Guess what happens then?
However during the great depression, it was common to use beach sand. This had the eventual result that a bunch of houses slipped off their foundations in Santa Cruz County during the 1989 Loma Prieta Earthquake.
They slipped off the foundations because they were not fixed to the foundation. Or foundation had not rebars, which is very similar. Or maybe concrete was too weak - not enough cement. But it has nothing to do with sand, especially in California.
You do not want to use sand because it COSTS you more. Sand has more surface area than crushed granite or limestone. And cement amount depends on that to maintain strength. The only place where you use sand is brick laying because you need a thin layer of glue. Anyway ...
As to you comments about crypto, no one cares about crypto. And most that do, don't know what it is or how to use it. Crypto is not a "sexy" thing to work on. Look at current state of IPSec or DNSSEC for some hints.
(Score: 2) by gnuman on Sunday June 14 2015, @12:42AM
You don't want to make concrete with SANDSTONE. You want to make concrete with LIMESTONE
Just to correct my mistake, BOTH sandstone and limestone are shit. Both absorb water. Limestone is just used to make cement.
The most common fillers used include *smooth* river rocks (granite) or other granite gravel.
(Score: 0) by Anonymous Coward on Saturday June 13 2015, @09:44AM
I just wrote a long submission with a fairly substantial blurb of my original creation but when I hit preview, the text disappeared and all I got was
"This resource is no longer valid. Please return to the beginning and try again."
Fucking computers!
(Score: 5, Informative) by No Respect on Saturday June 13 2015, @09:49AM
Whenever you're entering a large amount of text in a browser form field, remember to always Ctrl-A followed by Ctrl-C before hitting the 'submit' button. You will not regret making this a habit.
(Score: 0) by Anonymous Coward on Saturday June 13 2015, @10:02AM
Or use vim to compose and paste in when done.
(Score: 1) by anubi on Saturday June 13 2015, @10:17AM
New one on me. I have had that very same experience. Several times.
What does Control-A followed by Control-C do?
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 0) by Anonymous Coward on Saturday June 13 2015, @11:01AM
It's a Windows (CUA?) thing. Select all, copy. Works on most GUIs nowadays, not just Windows. Stores the text in the clipboard. Anyway, it's best to use a real text editor and then copy into the web browser.
(Score: 1) by anubi on Saturday June 13 2015, @11:12AM
As long as I have used Windows, I never did get into the habit of Control-A for "select All".... always moused it.
Gotcha...
So now when I seem to have lost that entire block of text I had just composed when the submit did not work...just open up another submit window and Control-V the text from the clipboard right back into the text box.
I'll do that next time.
As long as I have been using Windows..... I should have known that. Oh well... learn something new every day. Thanks!
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2, Interesting) by Justin Case on Saturday June 13 2015, @01:25PM
> As long as I have used Windows... always moused it.
If I could go back in time and irrevocably delete two inventions, they would be GUIs and the mouse. They train users to be stupid.
I can't find words to describe how frustrating it is to watch somebody else (say, during a meeting when they're "presenting") tediously mouse their way through a large wall of text when a couple keystrokes could get it done 100 times faster and with more accuracy. Sometimes when someone is scrolling up and down eyeballing for the paragraph they want I just can't stop myself from saying "Control-F... Control-F. Control-F!!!"
(Score: 2) by maxwell demon on Sunday June 14 2015, @07:30AM
Ctrl-F only works if you know an exact string that appears in the paragraph.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Informative) by choose another one on Saturday June 13 2015, @02:55PM
It is CUA, which is IBM, not Microsoft, and comes from back in the 80s. https://en.wikipedia.org/wiki/IBM_Common_User_Access [wikipedia.org]
MS Windows happens to be probably the most used implementation of the standard, but originally it was a Unix standard to - CDE/Motif was to be the standard desktop and it followed CUA.
(Score: 3, Informative) by tibman on Saturday June 13 2015, @08:10PM
Not sure about other browsers but Firefox will preserve your form data. You can hit your back button and get the text back.
SN won't survive on lurkers alone. Write comments.
(Score: 3, Funny) by kaszz on Sunday June 14 2015, @12:04AM
Try to grab your text by opening the "view source" window. Search for something that you wrote. If that fails then do the hacker trick by searching the process or kernel memory for any phrase you wrote. Using "grep" on the browser cache files may also work.
(Score: 3, Interesting) by kaszz on Monday June 15 2015, @12:40AM
To grab your post out of memory one could using "fairly substantial blurb of" as a marker:
a) Go to "View" on the toolbar and then select "View source" in the menu. Then search that window for "fairly substantial blurb of".
b) Change settings to a proxy server (127.0.0.1 12345) and make something listen on that proxy port and press retry: nc -l -p 12345 | tee dump.html Then search "dump.html" for "fairly substantial blurb of".
c) Memory method: grep -ai "fairly substantial blurb of" /dev/mem | more (Linux as root)
d) Cache files: grep -aiR "Ask Toolbar Now Marked" /home/guest/.browser/
If your lucky pressing the back button MAY work or clear your submission. But the above methods works after you messed up. They ain't pretty but they might save the day.
(Score: 1) by Dr Spin on Saturday June 13 2015, @12:16PM
The original kit was not Linux compatible - of course they have to ditch it!
Warning: Opening your mouth may invalidate your brain!
(Score: 3, Interesting) by Justin Case on Saturday June 13 2015, @01:29PM
> All software and hardware in the German parliamentary network might need to be replaced
I've read a few stories on this incident (sorry if I missed one) and I don't understand replacing the hardware. Unless this is Christmas in Ju
lyne.Nuke and pave anyone? Or is this the first widespread firmware/BIOS/hard-drive-controller worm?
Oh, and replace the people who allowed this to happen. I don't know who. Maybe the techs, maybe not. Maybe the boss who mandated Windows (if they did). Maybe the funding source that was told for years "we're dangling over a cliff" and ignored it.
(Score: 3, Funny) by choose another one on Saturday June 13 2015, @03:05PM
WTF has windows got to do with it if it is a bios / firmware worm ? Obviously they should have used different hardware - like Apple, because Macs have never turned out to be vulnerable to firmware hacks have they... http://9to5mac.com/2015/06/02/mac-vulnerability-bios/ [9to5mac.com]
(Score: 3, Insightful) by Justin Case on Saturday June 13 2015, @03:10PM
I'm asking questions. Was Windows to blame? Was a BIOS worm? How did it spread? I didn't say anything about Macs.
I didn't say I assume it was Windows and I assume it was a BIOS worm. I'm asking. What was it?
For about a thousand years Windows has been easiest to hack. Sure, other systems can be hacked. But Windows is easiest. Of course, you knew that already, which is why you're so sensitized and reactive to the topic.
(Score: 0) by Anonymous Coward on Saturday June 13 2015, @05:15PM
http://rationalwiki.org/wiki/Just_asking_questions [rationalwiki.org]
(Score: 5, Informative) by Dr Spin on Saturday June 13 2015, @04:02PM
WTF has windows got to do with it
The original source said it was spread by a rogue windows Installer (MSI) file.
As a Unix user since 1978 I have never known it be susceptible to rogue msi's.
Warning: Opening your mouth may invalidate your brain!
(Score: 2) by maxwell demon on Sunday June 14 2015, @07:33AM
Of course that raises the question why ordinary user accounts had the rights to install software.
With such settings, you could also have compromised a Linux system with a malicious .rpm or .deb package.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 4, Insightful) by Common Joe on Saturday June 13 2015, @03:58PM
I can't imagine any other reason to replace hardware. (Other than incompetence.) But replacing hardware won't stop a determined reinfection... and that underscores why something like a toggle switch should be required to update the BIOS of any hardware (whether on the motherboard or on a hard drive). The designs they have for today's computers should be labeled criminal in my opinion.