Phishing Has Gotten Very Good

This isn’t phishing; it’s not even spear phishing. It’s laser-guided precision phishing:

One of the leaked diplomatic cables referred to one attack via email on US officials who were on a trip in Copenhagen to debate issues surrounding climate change. “The message had the subject line ‘China and Climate Change’ and was spoofed to appear as if it were from a legitimate international economics columnist at the National Journal.” The cable continued: “In addition, the body of the email contained comments designed to appeal to the recipients as it was specifically aligned with their job function.” […] One example which demonstrates the group’s approach is that of Coca-Cola, which towards the end was revealed in media reports to have been the victim of a hack. And not just any hack, it was a hack which industry experts said may have derailed an acquisition effort to the tune of $2.4bn (£1.5bn). The US giant was looking into taking over China Huiyuan Juice Group, China’s largest soft drinks company — but a hack, believed to be by the Comment Group, left Coca-Cola exposed. How was it done? Bloomberg reported that one executive — deputy president of Coca-Cola’s Pacific Group, Paul Etchells — opened an email he thought was from the company’s chief executive. In it, a link which when clicked downloaded malware onto Mr Etchells’ machine. Once inside, hackers were able to snoop about the company’s activity for over a month.

Also, a new technique:

“It is known as waterholing,” he explained. “Which basically involves trying to second guess where the employees of the business might actually go on the web. “If you can compromise a website they’re likely to go to, hide some malware on there, then whether someone goes to that site, that malware will then install on that person’s system.” These sites could be anything from the website of an employee’s child’s school – or even a page showing league tables for the corporate five-a-side football team.

I wrote this over a decade ago: “Only amateurs attack machines; professionals target people.” And the professionals are getting better and better.

This is the problem. Against a sufficiently skilled, funded, and motivated adversary, no network is secure. Period. Attack is much easier than defense, and the reason we’ve been doing so well for so long is that most attackers are content to attack the most insecure networks and leave the rest alone.

It’s a matter of motive. To a criminal, all files of credit card numbers are equally good, so your security depends in part on how much better or worse you are than those around you. If the attacker wants you specifically — as in the examples above — relative security is irrelevant. What matters is whether or not your security is better than the attackers’ skill. And so often it’s not.

I am reminded of this great quote from former NSA Information Assurance Director Brian Snow: “Your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents.”

Actually, that whole essay is worth reading. It says much of what I’ve been saying, but it’s nice to read someone else say it.

One of the often unspoken truths of security is that large areas of it are currently unsolved problems. We don’t know how to write large applications securely yet. We don’t know how to secure entire organizations with reasonable cost effective measures yet. The honest answer to almost any security question is: “it’s complicated!”. But there is no shortage of gungho salesmen in expensive suits peddling their security wares and no shortage of clients willing to throw money at the problem (because doing something must be better than doing nothing, right?) Wrong. Peddling hard in the wrong direction doesn’t help just because you want it to. For a long time, anti virus vendors sold the idea that using their tools would keep users safe. Some pointed out that anti virus software could be described as “necessary but not sufficient” at best, and horribly ineffective snake oil at the least, but AV vendors have big PR budgets and customers need to feel like they are doing something. Examining the AV industry is a good proxy for the security industry in general. Good arguments can be made for the industry and indulging it certainly seems safer than not, but the truth is that none of the solutions on offer from the AV industry give us any hope against a determined targeted attack. While the AV companies all gave talks around the world dissecting the recent publicly discovered attacks like Stuxnet or Flame, most glossed over the simple fact that none of them discovered the virus till after it had done it’s work. Finally after many repeated public spankings, this truth is beginning to emerge and even die hards like the charismatic chief research officer of anti virus firm FSecure (Mikko Hypponen) have to concede their utility (or lack thereof). In a recent post he wrote: “What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.. This story does not end with Flame. It’s highly likely there are other similar attacks already underway that we havn’t detected yet. Put simply, attacks like these work.. Flame was a failure for the anti-virus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”

Posted on March 1, 2013 at 5:05 AM • 48 Comments