State Govts. Warned of Malware-Laden CD Sent Via Snail Mail from China
Here's a timely reminder that email isn't the only vector for phishing attacks: Several U.S. state and local government agencies have reported receiving strange letters via snail mail that include malware-laden compact discs (CDs) apparently sent from China, KrebsOnSecurity has learned.
This particular ruse, while crude and simplistic, preys on the curiosity of recipients who may be enticed into popping the CD into a computer. According to a non-public alert shared with state and local government agencies by the Multi-State Information Sharing and Analysis Center (MS-ISAC), the scam arrives in a Chinese postmarked envelope and includes a "confusingly worded typed letter with occasional Chinese characters."
Please insert in election computer.
Also at TechCrunch and Engadget.
(Score: 2) by Subsentient on Tuesday July 31 2018, @01:29PM (13 children)
I hate that government more and more all the time.
Sure, the USA might be bad, but we're angels compared to China.
"It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
(Score: 5, Insightful) by DannyB on Tuesday July 31 2018, @01:32PM (2 children)
China and Russia's values are the guiding light to which the current US administration aspires to attain.
The server will be down for replacement of vacuum tubes, belts, worn parts and lubrication of gears and bearings.
(Score: 3, Interesting) by realDonaldTrump on Tuesday July 31 2018, @01:56PM (1 child)
Getting along with Russia, getting along with China and others is a good thing, not a bad thing. I’ve said that many times, for many years. Xi Jinping is a competitor. And a good competitor he is. And I think the word "competitor" is a compliment. Some folks think it’s China, they say, "oh, Chinese postmark!" I'll ask President Xi, is it China? I will say this: I don’t see any reason why it would be.
(Score: 2, Funny) by Anonymous Coward on Tuesday July 31 2018, @05:13PM
You've also said "Oh Vladimir, don't cum in my mouth" many times, yet you still drop to your knees every time he asks.
(Score: 2, Insightful) by Runaway1956 on Tuesday July 31 2018, @02:57PM
Angels compared to China? It all depends on how you measure angelic and/or demonic.
Yeah, I'll rank the US higher than China on most things, but we have to consider that I'm a westerner, and not an Asian.
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 0, Funny) by Anonymous Coward on Tuesday July 31 2018, @03:51PM (2 children)
I am certain that nobody else except China has done this before. Well, and Russia. Probably Russian incel hackers put them up to it. They should be careful. The compact discs (they tell me this is abbreviated as "CDs") might have also been infested with Novichok!
In fact, let me make sure to get my +5 buff against lizard people by calling the true name [wikipedia.org] of a Kenyan Moslem. Maybe even Baraq Hussein Soretoro was involved.
(I'm not sure, but bolding the true name may extend the buff to 7 hours.)
(Score: 2) by Azuma Hazuki on Wednesday August 01 2018, @03:51AM (1 child)
Lizardmen are weak against ice-type magic. You don't need to buff, really, just recruit someone who can cast a decently powerful Bufudyne spell and you're good to go.
I am "that girl" your mother warned you about...
(Score: 0) by Anonymous Coward on Wednesday August 01 2018, @01:09PM
Well, if you're minmaxing it makes sense to spend a skill point or two to get the true name knowledge for the additional buff. What class would true name knowledge fit under? Priest? Druid? Mage? I suppose it could be in the skill tree for all 3. Mage is compelling due to the occult nature of true names.
(Score: 0) by Anonymous Coward on Tuesday July 31 2018, @03:58PM
So I think this may be used by USA to enforce some mail-tampering acts. That's how it's done, now all of these "I-hate-china" people will happily welcome some hooknoses to put their noses into citizens' envelopes :).
This group just seems to have no wide access to design-level in-hardware backdoors like USA has. According to some security researchers (Creator of virut botnet for example) there are intentionally planted bugs into Intel chips since Coppermine core. This is Pentium III. Of course simultaneously IT education goes nuts to make programmers (programmers... without basics of maths, electronics and computer architecture!) write obese junk instead of code as backdoored chips must be used somewhere.
(Score: 5, Interesting) by Grishnakh on Tuesday July 31 2018, @04:36PM
Why? I don't see the problem here. I think people should happily insert these CDs into their computers, and if this causes all kinds of havoc, then they got what they deserved.
If you're running an OS that can be compromised by merely inserting an optical disc into the drive, you're doing something very, very wrong, and you deserve whatever happens to you.
(Hint: any OS that auto-runs anything from removable media is not an OS that you can trust with any important data.)
As for China, should you be more critical of someone who tells someone "please stand here calmly while I punch you in the face" and then does so, or should you be more critical of the idiot who actually willingly stands there and allows themselves to be punched? Personally, I'm more critical of the latter. Abject stupidity should never be excused.
(Score: 0) by Anonymous Coward on Tuesday July 31 2018, @05:22PM
-1 hate speech
(Score: 1, Insightful) by Anonymous Coward on Tuesday July 31 2018, @08:16PM
Hell yeah! We just bomb our enemies straight up instead of selling plastic sh#t to them. Oh there weren't any WMDs? Honest mistake.
(Score: 0) by Anonymous Coward on Tuesday July 31 2018, @08:59PM
China doesn't think much better about you either. And they're just as morally self-righteous as Americans are. And with a chip on their shoulder for being "oppressed" by everyone else.
(Score: 2) by arslan on Wednesday August 01 2018, @12:05AM
Umm.. didn't Sony BMG do something similar as well?
Yea on the surface China is a lot worse than the US, but if you squint hard enough it is just a different kind of evil to the world. To their respective citizens they're likely better off than someone else, but tinted glass and all that.
(Score: 2) by RS3 on Tuesday July 31 2018, @01:32PM (12 children)
Call it intuition, but I've always hated any kind of automated thing that does something without my permission. One of the very first things I do to a new Windows install is to turn off autoplay, for this story topic's reasons.
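As an added illustration (not code from the commenter above or from the original story): on Windows, "turning off autoplay" for policy purposes comes down to the NoDriveTypeAutoRun value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (with an HKCU twin), where each set bit disables AutoRun for one drive type and 0xFF disables it everywhere. The script below decodes that bitmask, reports which drive types would still auto-run, and, when run on Windows, reads the live machine value; everywhere else it audits a constructed sample value (0x91, a typical out-of-box setting). Function names and the sample value are mine, not the page's.

```python
"""Audit the Windows AutoRun policy bitmask (NoDriveTypeAutoRun).

Added example, not code from the original thread. Each set bit in the
value DISABLES AutoRun for one drive type, so a hardened box carries 0xFF.
Bit positions follow the drive-type numbers returned by GetDriveType(),
as 1 << type; 0x80 covers drive types not yet defined.
"""
import sys

# Bit -> drive type it governs.
DRIVE_TYPES = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (USB stick, floppy)",
    0x08: "fixed disk",
    0x10: "network share",
    0x20: "CD-ROM/DVD",
    0x40: "RAM disk",
    0x80: "reserved (future drive types)",
}

# Registry location of the machine-wide policy (HKCU holds the per-user twin).
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoDriveTypeAutoRun"

STOCK_SAMPLE = 0x91   # 1001 0001: constructed sample, a typical out-of-box value
HARDENED = 0xFF       # every drive type disabled


def autorun_enabled_drive_types(mask: int) -> list:
    """Drive types on which AutoRun is still permitted by this mask (clear bits)."""
    return [name for bit, name in DRIVE_TYPES.items() if not mask & bit]


def audit(mask: int) -> dict:
    """Summarise a mask: what still auto-runs and whether optical media is covered."""
    still_enabled = autorun_enabled_drive_types(mask)
    return {
        "mask": f"0x{mask:02X}",
        "autorun_still_enabled_on": still_enabled,
        "optical_media_blocked": bool(mask & 0x20),
        "autorun_off_everywhere": (mask & 0xFF) == 0xFF,
    }


def read_live_mask():
    """Read the machine policy value on Windows; None when absent or not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            value, _type = winreg.QueryValueEx(key, POLICY_VALUE)
            return int(value)
    except OSError:  # key or value missing: the policy is simply not set
        return None


if __name__ == "__main__":
    live = read_live_mask()
    mask = live if live is not None else STOCK_SAMPLE
    print("live policy" if live is not None else "no live policy; auditing sample value")
    for field, result in audit(mask).items():
        print(f"  {field}: {result}")
```

With the sample value the audit reports that CD-ROM, removable, fixed and RAM-disk drives still auto-run; only 0xFF yields an empty list. A missing value is reported as "not set" rather than assumed safe, because the absence of a policy leaves the operating-system default in force.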
(Score: 2) by DannyB on Tuesday July 31 2018, @03:21PM (9 children)
AutoPlay was one of those ideas that I can imagine software developers would lobby for.
When a special interest with money has to lobby for something, then you know it must be really extra special good.
An alternate explanation is that Microsoft was stupid enough to create AutoPlay on their own. Microsoft can't be that stupid. That would be as stupid as automatically executing script content in the body of an incoming email message.
Oh, wait. Nevermind.
The only question now is if AutoPlay will be a forthcoming feature of systemd.
(Score: 2) by takyon on Tuesday July 31 2018, @03:28PM (8 children)
You're shit talking something that happened 20 years ago! It was a simpler time!
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 5, Insightful) by DannyB on Tuesday July 31 2018, @03:39PM (7 children)
A popular Usenet and email joke sent around the world was that OMG!!! your computer could be infected by merely receiving an incoming email!!!!
Of course it was a joke. There was no MIME. Email was pure text. All techies got the joke. Newbies would be frightened by the joke.
Then, years later, after they SHOULD have known better, Microsoft made the threat of that joke into a reality. The I LOVE YOU virus was one of the first major headlines. But not the last. And it spread like crazy. Made national, maybe even international news.
AutoPlay was another thing that SHOULD have been OBVIOUS even 25 years ago, not just 20. Even by 1993 malware was rampant in the DOS / Windows world. It was a real thing. A scourge. A well known problem. AutoPlay as a vector for malware transmission should have been BLINDINGLY OBVIOUS.
This can only be explained by stupidity. But considering what we know about the NSA, I would say that one should not attribute to stupidity what can be adequately explained by malice. Causing untold headaches, trouble, and financial cost to millions of users is just a casualty of war if the right piece of malware can penetrate the right NSA target. In a post-Snowden world it is easy now to look back at things through less naive eyes. One thing that is now beyond clear is that no matter how paranoid I was before, things were clearly already much worse.
(Score: 1, Informative) by Anonymous Coward on Tuesday July 31 2018, @03:57PM
Yep. When you get accustomed to getting viruses and random adware on your computer... no-one's going to notice the quiet process sending your keystrokes back home.
(Score: 0) by Anonymous Coward on Tuesday July 31 2018, @03:59PM (1 child)
The project managers and developers simply didn't give a shit. It wasn't until the release of XP and the daily exploits targeting MSIE and IIS that Microsoft realised security flaws could impact their bottom line. You can't call gaining an OS monopoly "stupid" and it wasn't "malicious". We'll just have to settle for "reckless".
(Score: 5, Interesting) by DannyB on Tuesday July 31 2018, @04:35PM
Yes, I can call it evil and I will.
In 1982 there were alternate OSes for the IBM PC. PC-DOS and MS-DOS were not the only ones. And they weren't even the best.
Where it became evil was when Microsoft required OEMs bundling MS-DOS to not sell any other OSes. (Technically: the OEM had to pay for a copy of MS-DOS even if the computer were preinstalled with a different OS from another OS vendor.)
It doesn't have to be stupid to be evil. Often evil is not stupid.
Now as for when XP arrived. By the time of XP things like CODE RED had already spread around the world because of how astonishingly exploitable IIS was. I demonstrated to a coworker at the time that with a fully patched NT 4 box, I could trivially craft an HTTP request to a path that uses the dot-dot-slash technique to walk up the ancestor chain of the directory, right out of the C:\inetpub\wwwroot and into C:\Windows\Cmd.exe. Then the parameters to Cmd.exe could be to call TFTP.EXE (trivial file transfer protocol) which was conveniently bundled right into NT 4. Additional simple parameter allowed TFTP to fetch MALWARE.EXE from EVIL.COM. So then Microsoft "fixed" this.
You know how in an HTTP request that %20 is what you should actually use for a space? Guess what, you can use hex codes other than 20 to produce other characters than a space! Yes really! So even though Microsoft "fixed" the dot-dot-slash way of walking up the directory tree, you could send the dots and slashes using the % hex codes -- which IIS hands off to the Windows file system -- which guess what!!! it will interpret the percent-hex characters into a valid pathname.
Microsoft never really cared about security. (back then) They only cared once it made them look bad. Clearly at some point Microsoft got the security religion. But way too late.
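The comment above describes a traversal check that looked for a literal dot-dot-slash and was sidestepped by sending the same characters as percent-encoded hex. As an added example (not the commenter's code, and not any IIS source), here is the defender-side normalisation that closes that gap: decode the request path first, as many times as the server will, and only then count whether the ".." segments climb above the web root. The sample request targets are constructed for the demonstration, and the function names are mine.

```python
"""Decode-then-check detection of percent-encoded directory traversal.

Added example, not from the comment above or from any IIS code. A check
for "../" on the raw request text is defeated by %-encoding the dots or
slashes (and by encoding the '%' itself), so the defender must decode the
path first, then look for segments that climb out of the web root.
"""
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # bounded: round 2 already turns %252e into '.'


def naive_check(raw_path: str) -> bool:
    """String-match fix of the kind the comment describes: literal '../' or '..\\' only."""
    return "../" in raw_path or "..\\" in raw_path


def fully_decode(path: str) -> str:
    """Percent-decode until the text stops changing, so %252e -> %2e -> '.'."""
    current = path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def escapes_web_root(request_target: str) -> bool:
    """True when the decoded path has more '..' hops than directories above it."""
    path = request_target.split("?", 1)[0]          # the query string is not part of the path
    path = fully_decode(path).replace("\\", "/")    # Windows accepts both separators
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:                           # climbed above the web root
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


# Constructed sample request targets (not captured traffic), patterned on the comment.
SAMPLE_REQUESTS = [
    "/index.html",
    "/images/../index.html",                    # '..' but still inside the root
    "/scripts/../../windows/cmd.exe",           # raw dot-dot-slash
    "/scripts/..%2f..%2fwindows/cmd.exe",       # slash sent as %2f
    "/scripts/%2e%2e/%2e%2e/windows/cmd.exe",   # dots sent as %2e
    "/scripts/..%255c..%255cwindows/cmd.exe",   # backslash double-encoded (%25 -> '%')
]


def scan(requests):
    """Return (naive verdict, decoded verdict) per request to show the gap between them."""
    return {r: (naive_check(r), escapes_web_root(r)) for r in requests}


if __name__ == "__main__":
    for req, (naive, decoded) in scan(SAMPLE_REQUESTS).items():
        print(f"{req:45} naive={naive!s:5} decoded={decoded}")
```

Run as-is, the table shows the naive check catching only the raw form (and flagging the harmless "/images/../index.html"), while the decoded check flags every variant that actually leaves the root. The decode loop is bounded on purpose: a server decodes a fixed number of times, so a detector should mirror that rather than decode indefinitely.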
(Score: 0) by Anonymous Coward on Tuesday July 31 2018, @04:00PM (3 children)
Think about how you got the CD. You went to the store and paid money for it. It was read-only. It came in a colorful box. Not that this was needed, but law enforcement could trace that box back to the people who created the CD. (follow the money, review warehouse/trucking records, etc.) There was retail, then wholesale, then the software publisher and developer. At the end of the chain you'd find a corporation with people who could be interviewed and arrested. Originally, not even AOL was sending out CDs.
The only writable direct-access media was the floppy, and on that there was no AutoPlay.
(Score: 2) by DannyB on Tuesday July 31 2018, @04:39PM (2 children)
I was burning CDs by about 1991. Not everyone was. I lived in an R&D playground with all kinds of toys. (not any more) But even at $400 for a Mac CD ROM burner with Toast software, (in early 1990 dollars) it was possible for bad people to burn CD ROMs.
Leave a few of them in the restroom or parking lot.
By 1995 everyone was burning CD ROMs.
(Score: 0) by Anonymous Coward on Tuesday July 31 2018, @09:05PM (1 child)
I was handling CD ROMs around 1988, but I am surprised that a burner was only $400 in 1991. I think I paid $200 for my first one in 1998. How much would the hard drive array have cost to hold the CD ROM source data (assuming the image was built on the fly)? I don't think I remember blanks being offered in Computer Shopper then either.
(Score: 2) by DannyB on Tuesday July 31 2018, @09:56PM
I'm going from memory on the pricing. It might have been much higher in 1991. I think I bought my first personal burner for $400 ish and it was probably more like 1996 or 97.
(Score: 0) by Anonymous Coward on Tuesday July 31 2018, @03:56PM (1 child)
One of the very first things I do is wipe/repartition the hard drive and install linux. I never have problems with autoplay.
(Score: -1, Troll) by Anonymous Coward on Tuesday July 31 2018, @04:02PM
Me neither. It just takes 15 minutes to recompile the kernel and chmod a few files, then lspci, depmod and drop to run level 1 as su, and I'm golden.
(Score: 3, Insightful) by SomeGuy on Tuesday July 31 2018, @01:51PM (2 children)
But did it bundle 1000 free hours of AOL and Microsoft Internet Explorer 4?
I was under the impression the sort of idiots that might run this either were shunning perfectly useful CD/DVD drives or would not be able to see them on their computers over all their blue LEDs. Since we have dumbed desktop computers down to work like cell phones for these people they are %100.000000 secure because nothing bad can ever come from the Microsoft(R)(TM) store... right? Right?
Don't forget your "modern" computers and sell phones all came from freking china.
(Score: 2) by srobert on Tuesday July 31 2018, @02:03PM (1 child)
"Don't forget your "modern" computers and sell phones all came from freking china."
Actually mine came from South Korea, with parts made in China, Taiwan, Brazil, Mexico, Madagascar, Indonesia, France ...
(Score: 3, Funny) by DannyB on Tuesday July 31 2018, @03:26PM
Yee ha! My sail phone don't come from dem durn places like China with slanty eyes. And it ain't got nun of dare parts inside. Oh, wait. Google's Nexus 6P is made by Huawei. Nevermind.
(what was the saying: software controls the world, hardware controls the software, china controls the hardware)
(Score: 2) by c0lo on Tuesday July 31 2018, @02:45PM (4 children)
Even the malware is cheaper from China.
Also, a nod to the old venerable Albanian virus [imgur.com]
https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by DannyB on Tuesday July 31 2018, @03:29PM (3 children)
Also malware from China is more likely to work correctly. Unlike the NSA accidentally creating the great Syrian internet outage of 2012 due to defective malware that was kindly added to Syrian routers at no charge.
(Score: -1, Troll) by Anonymous Coward on Tuesday July 31 2018, @03:41PM (2 children)
Quit defending China. It makes you look like an ignorant imbecile.
(Score: 3, Insightful) by DannyB on Tuesday July 31 2018, @04:41PM (1 child)
I don't think I was "defending" them. Just making a joke. But one can be an ignorant imbecile without defending China.
(Score: 2) by Nuke on Tuesday July 31 2018, @08:42PM
I think he was too.
(Score: 0) by Anonymous Coward on Tuesday July 31 2018, @04:07PM (4 children)
A wise man once said: "It could be Russia. But it could also be China. It could also be lots of other people."
PROFF111!!1
(Score: 2) by DannyB on Tuesday July 31 2018, @04:42PM (3 children)
I was thinking about that. But got distracted.
I wonder how many of these CDs have malware specifically targeted at voting systems?
(Score: 2) by takyon on Tuesday July 31 2018, @04:57PM (2 children)
Might not be for anything specific. If you can infect one agency, you could use the info gained to do convincing phishing attacks on other targets.
However, we don't know that these discs were sent by the government or govt-backed groups. It could just be a lackluster attempt by criminals (who couldn't be arsed to type up a proper-looking letter or obfuscate the country of origin).
Damn, where can one get paid to copyedit Engrish for cybercriminals?
(Score: 2) by DannyB on Tuesday July 31 2018, @05:10PM
Use a sophisticated approach. First, like Stuxnet, spread, but deactivate the payload if the host computer is not the type of equipment you're looking for.
Eventually a replicated copy might make it onto an interesting computer. Then the "payload" actually turns out to be only a "scout". Scan the system further, be sure it really is what you want. That it doesn't have defenses that will give the really good tricks away. If everything seems okay, then phone home and get the real payload -- now that the scout is sure there aren't any hardware debuggers, etc.
(Score: 2) by realDonaldTrump on Tuesday July 31 2018, @07:27PM
China, very tough competitor. Very smart cookies. 22 million accounts were hacked in this country by China. Obama's Office of Personal Management, his OPM. That one was a biggie. Obama didn't want to say China, I'm saying China. It was China, folks. Big hacking job out of China.
(Score: 1, Insightful) by Anonymous Coward on Tuesday July 31 2018, @07:21PM (1 child)
Wait, these machines have optical drives in them?
I haven't had a computer that came with an optical drive in a decade. Haven't seen them in a while on friends machines, or at businesses, etc, either.
(Score: 2) by AthanasiusKircher on Wednesday August 01 2018, @02:29AM
Indeed. I thought everyone immediately stopped using optical drives the moment Apple declared them unnecessary and deprecated them on their cool, hip new computers.
Just like no one ever uses a headphone jack anymore after Apple declared them superfluous.
[This is mostly sarcasm, though the availability of optical drives has been decreasing of late, which does make this story a bit surprising. I haven't bought a laptop/notebook with an optical drive onboard since 2003, though I have a couple USB optical drives I use when I need one, and obviously I still put them in my desktop builds.]