So maybe the title of this article is really a bit overkill. Or maybe It’s true. Maybe you should decide….
See, Bruce runs the fancy email newsletter known as “Cryptogram”. It’s actually a very good newsletter, so props to Bruce for that. It’s really just a monthly conglomeration of stories that relate to security, be it software, hardware, social, or otherwise. I have enjoyed the newsletter thoroughly for a while now, so I’m not just complaining about something after my first experience with it.
And congress, well, they seem to run the country. Which is funny, but we’ll get to that later.
Bruce made an interesting claim in his email newsletter a little bit ago – that the Chinese Government was developing some sort of secret and powerful operating system hellbent on attacking the critical computing infrastructure of the United States of America. To be fair, however, he did put this bit of text in quotation marks. Apparently this is not his doing. The backstory seems to follow that a briefing was given to congress not too long ago about this very subject. Apparently it’s called “Kylin”, and as a member of the IT community, we’re supposed to fear it.
Well lo and behold, the other day at work, I was setting up a snort Intrusion Detection System, and what did I see? Some very weird packets bouncing to-and-fro around the network. I mean _weird_ packets. Combinations of SYN/ACK/RST/FIN flags, sometimes there was an URG/PSH flag set just to throw off any sensors that might be listening. Fortunately, I log ALL packets to pcap data files, so I fired up tcpdump and extracted the relevant data. Insert this data into wireshark for some nice analysis, and the weirdest patterns were showing up. Scans like I really have not seen ever, but ones that make logical sense. Some ACK packets were being sent across the wire in the hopes to solicit an RST packet from a listening port. There were just strange packets everywhere, highly anomalous packets, some were even SYN/ACK/FIN packets. Not quite a christmas tree, but something that will never occur in nature. So I did what I could, and traced the packets back to their source. The funny thing was, they were bouncing all around the world. Africa, Asia, South America — nearly every country was seemingly scanning the network. And as quick as it started, it was over. I realized what was going on… A massive distributed reconnaissance mission just took place on our network. Combinations of weird packets and different sources all came together in harmony to do a full 65536-port scan on the network, and almost all without sending off a single alert from snort. Properly collated, this raw data could be put into a map of every open service on the network, and if it weren’t for a single seemingly benign alert, I would have not even known something just happened. The most chilling thing is, the possibility certainly exists that this has happened before and will happen again, but I just happened to be lucky enough to catch it this time as it happened.
I needed a lead. This was too strange. So I started analysing the packets that were sent across the wire. The ICMP packets looked very familiar, and upon further investigation, I noticed that these ICMP packets were somewhat verbatim from the FreeBSD kernel. The actual data portion of the packets vary from OS to OS… don’t believe me, then look it up! Suddenly I noticed that some packets were coming from China. I don’t know why I noticed this, but it just seemed like a pertinent detail. I think it was my subconscious telling me exactly what I feared – I was facing this “new and secret” Chinese operating system. I google’d “Kylin” and, rather unsurprisingly, the first page of results were all the same fear-mongering based on the briefing that was given to congress. But what if I changed the search a little bit maybe someone has seen this before? In this light, I google’d “Kylin FreeBSD”.
WELL WHAT HAVE WE HERE?
Kylin is not some secret Chinese government project to destroy America. It’s not even a secret. It’s a state-sponsored project to secure a common open source product. It’s absolutely no different than the US NSA’s SELinux. For crying out loud, YOU CAN DOWNLOAD THE ISO’S! It’s almost disappointing – I was secretly hoping deep down inside that I was the first person to encounter Kylin’s doings first-hand. Not so much. So I gave Bruce’s newsletter a once-over again. Looks like I was wrong all along, Bruce didn’t believe it either. He even made the conjecture that it was just over-hyped nonsense. But why even write about it as if it COULD be legit if a simple google search shows it’s all just overhyped garbage reporting? Like I said, Bruce needs to learn to use the Interwebs a little better!
And as for congress, well, they do too. I’m tired of the fear-mongerting that occurs so very, very often. I’m tired of the irresponsibility of it all. What does it accomplish? Maybe it pushes your own agenda a little faster? Why not do the right thing and report the facts, then maybe we can have some time to plan things out and do it right the first time. I’m all for a national Cybersecurity initiative, in both the public and private sectors. It’s truly a great thing that this is happening. I would just really hate to see it all go as wasted effort because proper time and resources were not allocated ahead to keep the project alive. Perhaps I’m just an idealist this way, but it’s the only way that (IMHO) works.
Now, in the light of sharing and freedom, here’s the Kylin ISO’s. Use responsibly, and above all else, use them to learn! This is no different than SELinux, and maybe the Chinese government will continue to sponsor open source projects like this, something from which we surely can ALL benefit. And don’t believe everything you read, I know I’ve learned my lesson this time around…
And as for the scans I was seeing? Who knows, it could have been one person all along, or it could have just been coincidence. It’s really hard to say, but that’s the nature of the beast we call the Internet. Surely, nothing that was done is out of the reach of some clever SSH’ing and NMapping. If there’s more to the story, I’ll make an update. But for now, I’m content with the facts that I have, no more, no less.