Joel Simon was scanning for news of journalists under fire when he was drawn to a suspicious email by an odd misspelling of a colleague’s name.
Simon is the executive director of the Committee to Protect Journalists, which reveals abuses against the Fourth Estate.
It came from “Rony Kevin”, a name similar to Rony Koven, who works for the World Press Freedom Committee, a CPJ partner. The subject line read: ‘Fw: Journalists arrested in Gambia’ and had a message body cut and pasted from press freedom group, Article 19.
CPJ internet advocacy coordinator Danny O’Brien says it had a password-protected zip attachment but CPJ employees are “extremely cautious about opening strange attachments”.
Inside were photos of Gambian journalists and a Windows executable disguised as a photo that would have run silently. Comments in the unpacking utility were in Chinese and the payload communicated with an Indonesian server.
O’Brien doesn’t know if repressive regimes were responsible, although “there aren’t many other reasons to target press-freedom groups, unless you are able to sell control of their computers to a third party who cares to disrupt or monitor their activities”.
“You might not need to speak Chinese to use a piece of software with Chinese comments, so I don’t think you can draw many conclusions from that,” he says. “Neither can you draw much from the use of an Indonesian command-and-control centre.”
The password-protected file – reasonable in such an email – could bypass anti-malware scanners, although the Windows executable would trigger alarms. And the effort to understand the target’s relationships point to “spearphishing”, a targeted attack; “the personalised password (“CPJ”) also helps make the email seem more genuine”, O’Brien says.
Such events point to the need to run attachments in a sandbox at the time of access, says Benjamin Teh, Asia general manager at security vendor Lastline, which has the Anubis service to scan Windows binaries and URLs for malware in a sandbox; its Andrubis does the same for mobile Android devices.
The CPJ attack has similarities to that against security vendor RSA when an intruder leveraged a peer relationship with a trusted partner. Such “social engineering” attacks are at plague proportions and often “chained” to other exploits, leading the victim down a rabbit hole from which it’s difficult to extricate themselves.
In 46 percent of cases, according to Verizon, attackers start with a phone call or email (17 percent) or physically trespass on the victim’s premises (37 percent). And while much of the security community’s emphasis in the past three years was on insiders – Verizon this year found they were implicated in 4 percent of attacks – 96 percent were external attackers.
And it found “higher frequencies of web and email infection(s) and lower frequencies of malware installed by attackers” in big organisations while drive-by downloads of infected websites were more common against SMEs. “Break the chain of events and you stop the incident from proceeding,” Verizon advises in its latest threat report.
Sydney security researcher, Securus Global, does such social-engineering audits for Australian enterprises and governments.
“If you chain vulnerabilities together, you can go really far,” a Securus Global researcher who requested anonymity told a closed-door gathering. “A vulnerability can seem small and of little overall risk but finding many of them chained allows for greater access into a company. Many companies address vulnerabilities as if they’re one-offs,” - and don’t consider the implications of such a holistic view.
And once there’s a chink in the enterprise armour, the first thing an attacker does is metastasise the breach, often relying on the target’s reliance on automated systems and incomplete risk profiles.
Referring to the global takedown of Sony’s PSN servers, which took the entertainment service off the air for a month and compromised 77 million accounts, the researcher said tools were “10 years behind where they need to be” and can’t encapsulate a penetration tester’s knowledge.
For instance, while under the watchful gaze of an FBI agent, Securus Global social engineer “Wayne” won his way to the top of a “capture the flag” competition at hacker gathering Defcon, gathering every bit of information from a global beverage giant. He leveraged an appeal to authority to coerce the helpful contact centre employee who had just completed security induction.
Securus Global managing director Drazen Drazic says, “we had enough information to do whatever we liked combined with a traditional IT attack”, if the intent was malicious. “All other companies gave away varying degrees of confidential information.”
Verizon found that regular workers were targets in 43 percent of cases while front-line staff (tellers, cashiers, waiters) were implicated in a third of intrusions. More worryingly, unwitting senior executives, HR, IT and finance staff – people who ought to know better – aided more than a fifth of intrusions.
1. Email, instant messaging are your customers’ worst enemies
The spearphishing attack on RSA – a Flash object embedded in an Excel file – targeted its SecurID tokens, eventually compromising major US defence contractors and causing the security vendor to lose face. The emails sent to RSA workers, titled “2011 recruitment plan”, were caught by spam folders but a worker fished out the dodgy email.
“The email that came in to RSA was from an organisation that we dealt with,” says RSA adviser Ian Farquhar. “People are the perimeter and people are really hard to upgrade. Someone received the email and opened it unwisely and that allowed the bad guys on to our network. That’s what happens in most cases, that’s the advanced persistent threat.”
RSA was reasonably lucky. It had NetWitness (which parent company EMC subsequently bought) to identify the threat, but not before the attacker wormed its way up the vendor’s information food chain.
Security researchers say most persistent threats are not advanced, although they tend to be diverse against big organisations. Securus Global says an average length of time for an intrusion – its “persistence” – is six months to a year, and the attacker is hammering away daily. Verizon notes 92 percent of intrusions are revealed by outside parties – something for savvy resellers to consider
Once an attacker gains access, they may install command shells (such as ksh or c99) and elevate their privileges – as happened with RSA – to access more resources and build a life raft in the event of exposure.
Trend Micro antispam senior architect Jon Oliver says the Blackhole toolkit is the most favoured by hackers: “It’s the best on market in terms of exploits. As soon as you click on it, you are exploited,” Oliver says.
Staff must be on their guard when dealing with the outside world especially on untrusted connections. That includes talking to overly friendly strangers.
A Securus Global researcher says instant messaging “presents a far greater threat” than email: “It’s the ability of an attacker to directly communicate with a victim”. And organisations should invest in virtual private networks, email encryption and signing to reduce the incidence and severity of such attacks.
Read on for how size doesn't matter but physical security does, where the bad guys live and how to be wary of the company you keep.