Attacks On Government Email Continue

August 25, 2011

In June we blogged about highly targeted emails that were being sent to the Gmail accounts of U.S. government officials.

Contagio reports that the disclosure of these attacks has not stopped the attacks or caused the attackers to give up. The latest attacks use a real report titled “Blinded: The Decline of U.S. Earth Monitoring Capabilities and its Consequences for National Security” from the Center for a New American Security (CNAS), a Washington D.C. think tank, as bait. The victim is encouraged to subscribe to reports using their Gmail credentials. The concept appears to be that because logging in with Gmail credentials is a common sign-in method, the victim will fall for the scam. If the victim takes the bait, the attacker gains access to the victim’s Gmail account. Contagio reports that the attackers log into the account about two hours after it is compromised.

Contagio notes, “Google are aware of this, there is not much they can do to prevent these from coming in but I am sure they are trying.”


Social Media Outs CIA Agent

August 16, 2011

The effectiveness of spearphishing, the use of highly targeted email to compromise systems and data, depends upon the miscreant’s ability to craft an email that is enticing to the recipient.  This presents the phisher with two problems — identifying the target and determining what would entice the target.

After years of clandestine efforts, secret operatives of the United States were able to kill bin Laden. Running this operation was a CIA employee whose identity is a closely guarded national secret. The Observer reports that his cover was blown using Flickr. The White House published a photo from the Situation Room which, although it did not show the CIA employee’s face, did show his yellow tie. Also, it appeared that he was tall. This photo allowed John Young of Cryptome.org, an intelligence blog dedicated to exposing government secrets, to get started. The White House posted several other photos from that day and, using the clues of the necktie and height, Young was able to find a photo of the man’s face. Within a day, Young was able to determine the CIA employee’s name, where he went to school, his college GPA, where he lived, the sports his kids played and his wife’s activities. The Observer dubbed him “CIA John” to protect his identity. This is CIA John.

CIA John

Armed with this data, a spearphishing attack could be mounted against CIA John.

What if the spearphisher doesn’t have White House photographs to find the victims? Finding targets is as easy as taking pictures of employees in the parking lot. Carnegie Mellon University researchers led by Alessandro Acquisti took photographs of student volunteers. Using facial recognition software on social networking sites, the researchers were able to identify 31% of the students by name. In another experiment, the Carnegie Mellon team was able to identify 10% of people who had posted their photos on public dating sites. The researchers have posted their research online, Faces of Facebook: Privacy in the Age of Augmented Reality. The researchers report that they have been able to use profile photos and facial-recognition software to get details such as birthdate and social security number predictions.

Social media provides a powerful source of data for spearphishers to identify and target individuals.


Former Director of National Intelligence McConnell Discusses Cybersecurity

August 11, 2011

On August 7, 2011, former Director of National Intelligence Vice Admiral Mike McConnell (USN Ret) appeared on CNN’s State of the Union with Candy Crowley. The Admiral discussed the risks of industrial espionage and cyber warfare. He described the security breaches in McAfee’s recently released Revealed: Operation Shady RAT as “the tip of the iceberg.” You can see the entire interview at:

http://sotu.blogs.cnn.com/2011/08/07/fmr-dni-mike-mcconnell-on-the-threat-of-cyber-attacks/


Defcon Hacking Conference — Target the People

August 11, 2011

Last weekend the world’s largest hacking convention, Defcon, was held in Las Vegas. Reuters reported on the conference:

[H]ackers taking part in the competition on Friday and Saturday found it ridiculously easy in some cases to trick employees at some of the largest U.S. companies to reveal information that can be used in planning cyber attacks against them.

This was the second year that Defcon included a contest in “social engineering,” in which the hackers tried to deceive people into disclosing information or taking ill-advised actions, such as opening an infected attachment, downloading malware or visiting a malicious website.   The most frequently used social engineering hack is spearphishing, in which the hacker impersonates a friend, colleague or other convincing sender (one such hack involved the impersonation of President Obama).  In the successful spearphishing attack, the impersonation and its call to action deceive the recipient into disclosing information or compromising the recipient’s system.  Recent examples of successful spearphishing attacks include Epsilon (the email marketing company), U.S. defense contractors, the French Finance Ministry, the IMF, EMC’s RSA Security division and government agencies around the world.

The Reuters article attributes the success of social engineering hacks to poorly trained employees. While there are no doubt cases where social engineering schemes could be overcome with training, the successful spearphishing campaign is driven by the guile of the perpetrator, not the training deficiencies of the victim.

Training people to avoid suspicious emails is essentially impossible because, as Lt. Col. Gregory Conti, an IT professor at West Point, observed in the New York Times,

“What’s ‘wrong’ with these e-mails is very, very subtle,” he said, adding: “They’ll come in error-free, often using the appropriate jargon or acronyms for a given office or organization.”

The tools to improve the criminals’ craft are becoming more robust every day. A little internet research yields substantial personal information that can be used to deceive the recipient. Email is the ideal medium for deception because the attacker has at his command all of the human factors needed to deceive the recipient. Given the ability of criminals to craft and deliver deceiving emails, email recipients are essentially unarmed in this battle of wits with spearphishers.

Social engineering deceives the users into becoming the agents of the criminals.  What can be done to defend the enterprise against spear-phishing?  The enterprise can adopt a tool that identifies trusted email so that the target of the spear-phishing attack can distinguish real email from fake email.  That tool is SP Guard from Iconix.

SP Guard Inbox

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext 3 or use our online form.


Where Have All My Secrets Gone?

August 5, 2011

McAfee has just released a whitepaper, “Revealed: Operation Shady RAT,” in which they investigated one of the secret command and control networks which have been surreptitiously installed in networks around the world. McAfee reports that the purpose of these secret networks is to steal data.

What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth — closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries.

McAfee reports that this single operation compromised data from 72 targets.  In some cases, data was being stolen for more than 2 years before the intrusion was stopped.  How was the data stolen?

The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system will trigger a download of the implant malware. That malware will execute and initiate a backdoor communication channel to the Command & Control web server and interpret the instructions encoded in the hidden comments embedded in the webpage code. This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organization to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for.

This is nothing new.  A leaked secret State Department cable describes a cyberwarfare attack against the United States Government (USG):

Since late 2002, USG organizations have been targeted with social-engineering online attacks by BC [Byzantine Condor] actors. … BC actors typically gain initial access with the use of highly targeted socially engineered e-mail messages, which fool recipients into inadvertently compromising their systems [spear-phishing]. The intruders then install malware such as customized keystroke-logging software and command-and-control (C&C) utilities onto the compromised systems and exfiltrate massive amounts of sensitive data from the networks.

It is critical that organizations use many layers of defense to protect their data. Operating systems and browsers must be current and patched. State-of-the-art security software should be deployed. Systems should be monitored. Staff must be trained. But part of the solution is to realize that people respond to well-crafted spear-phishing emails.
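One concrete form of the monitoring called for above follows from the McAfee description of implants that read their instructions from hidden comments in webpage code: scan fetched pages for comments that hide encoded data. This is an added example, not code from the original post or from McAfee’s report; the sample page, its base64 comment and the decoded URL are constructed for illustration.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Constructed sample page (not from McAfee's report): a harmless-looking page
# whose second comment carries a base64 blob of the kind an implant could read.
SAMPLE_HTML = """<html><body>
<!-- page generated 2011-08-05 -->
<h1>Welcome</h1>
<!-- aHR0cDovL2MyLmV4YW1wbGUudGVzdC90YXNrcw== -->
<p>Contact us for more information.</p>
</body></html>"""

# Comments are never rendered, so a visitor's browser gives no hint they exist.
class CommentCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

# Long runs of the base64 alphabet with no spaces are unlike human-written comments.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def decode_if_base64(text):
    """Return the decoded text if `text` is valid base64 of printable ASCII, else None."""
    if not B64_RE.match(text):
        return None
    try:
        raw = base64.b64decode(text, validate=True)
    except binascii.Error:
        return None
    if all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None  # binary payloads are worth a look too, but are noisier to flag

def suspicious_comments(html):
    """List (comment, decoded) pairs for comments that hide encoded instructions."""
    parser = CommentCollector()
    parser.feed(html)
    return [(c, d) for c in parser.comments if (d := decode_if_base64(c)) is not None]

if __name__ == "__main__":
    for comment, decoded in suspicious_comments(SAMPLE_HTML):
        print(f"hidden comment {comment!r} decodes to {decoded!r}")
```

Run against proxy logs or a web crawl of the sites the implant is seen contacting, each flagged comment is a lead for the incident responder; the ordinary dated comment in the sample is ignored because it contains spaces.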

When human factors are considered in the threat profile, human factors must be deployed in the defensive measures.  A tool is now available that uses human factors to identify trusted email so that the target of the spear-phishing attack can distinguish real email from fake email.  That tool is SP Guard from Iconix.

SP Guard modifies the email client’s display to provide a visual indicator of the identity of the sender of email. This is an example from Outlook, the popular business email client, in which a company called “MyCo” is marking their internal messages as well as those from trusted partners such as their law firm. Note especially that the last message, though seemingly benign, is a spear-phishing message and is not marked as authentic:

SP Guard Inbox

SP Guard provides the email recipient with three easy to recognize confirmations that a message is really an internal email or from a trusted counterpart:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext 3 or use our online form.


Iconix Whitepaper – Online Attacks Get Personal

August 1, 2011

Today Iconix released its whitepaper, “Online Attacks Get Personal.” In this whitepaper, Iconix discusses the disturbing trend of email attacks moving from general, widely distributed scams to highly personalized spearphishing emails.

This trend is occurring because technology favors the social engineering schemes employed in spearphishing that are used to deceive recipients.  It is technically easy to fake the sending email address that is displayed to the recipient.  A little internet research yields substantial personal information that can be used to deceive the recipient.  Email is the ideal medium for deception because the attacker has at his command all of the human factors needed to deceive the recipient.  Given the ability of criminals to craft and deliver deceiving emails, email recipients are essentially unarmed in this battle of wits with spearphishers.
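The ease of faking the displayed sending address comes from the fact that most clients show only the display name of the From header, not the address or the Return-Path behind it. The check below pulls those hidden parts out and reports why a message should not be treated as internal or trusted mail. It is an added example, not code from the original post or from Iconix; both messages are constructed, and the “MyCo” name and the myco.test domain are assumptions for illustration.

```python
import email
from email.utils import parseaddr

# Constructed sample message (not from the original post): the display name
# borrows the "MyCo" name, but the address behind it is an outside domain.
SPOOFED_MSG = b"""From: "Jane Doe (MyCo Legal)" <jane.doe@example-mail.test>
Return-Path: <bounce@example-mail.test>
To: staff@myco.test
Subject: Updated contract for review
Content-Type: text/plain

Please review the attached contract today.
"""

# Constructed legitimate counterpart: display name and address agree.
GENUINE_MSG = b"""From: "Jane Doe" <jane.doe@myco.test>
Return-Path: <jane.doe@myco.test>
To: staff@myco.test
Subject: Updated contract for review
Content-Type: text/plain

Please review the attached contract today.
"""

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def from_header_facts(raw):
    """Split out the parts of the From header most clients never show in full."""
    msg = email.message_from_bytes(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    return {"display": display, "from_addr": addr.lower(),
            "from_domain": domain_of(addr), "return_domain": domain_of(return_path)}

def spoof_indicators(raw, trusted_domains):
    """Reasons a message should not be treated as internal or trusted mail."""
    f = from_header_facts(raw)
    reasons = []
    if f["from_domain"] not in trusted_domains:
        reasons.append(f"From domain {f['from_domain']!r} is not trusted")
    for d in trusted_domains:
        brand = d.split(".")[0]  # e.g. "myco" from "myco.test"
        if brand in f["display"].lower() and f["from_domain"] != d:
            reasons.append(f"display name invokes {brand!r} but address is {f['from_addr']!r}")
    if f["return_domain"] and f["return_domain"] != f["from_domain"]:
        reasons.append("Return-Path domain differs from From domain")
    return reasons
```

A mail gateway or client add-in can surface these reasons to the recipient in the place where the bare display name would otherwise be the only thing seen.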

Social engineering deceives the users into becoming the agents of the criminals.  What can be done to defend the enterprise against spear-phishing?  The enterprise can adopt a tool that identifies trusted email so that the target of the spear-phishing attack can distinguish real email from fake email.  That tool is SP Guard from Iconix.

SP Guard Inbox

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext 3 or use our online form.