This isn’t any April fool’s story, but a rather depressing one about how easy it is to compromise a corporate network. Markoff’s recent story in the New York Times got me looking for the research paper by Anderson and Nagaraja that should be required reading by anyone in the email and network security space.
The paper describes a determined attack on the exiled government offices of the Dalai Lama by purported agents of the Chinese government. It is a chilling account of how easy it is for hackers to penetrate a network with a little bit of social engineering and a lot of clever programming. While none of this is new, what is new is how it is getting harder to keep the bad guys out.
The Tibetan government contacted the authors of the paper when they observed suspicious diplomatic behavior. The authors found the following disturbing items:
- A number of successful logins were observed to the Tibetan’s US-based hosting accounts that came from Chinese IP addresses, none of which originated with genuine Tibetan users,
- Social engineering tactics were used to obtain the email identities of many Tibetan government officials who were then sent a number of phished emails
- The emails contained rootkit programs masquerading as ordinary documents from apparently legit sources
- Once the attachments were opened by Tibetan monks by mistake, the rootkits were then used to obtain more information and compromise other users on the network.
What is interesting about this case was the combination of malware and “good guessing” – which is really what social engineering is anyway — by doing research on the Tibetan communications, to find plausible email addresses of their correspondents, so that the phished emails would be more likely to be opened by the exiled monks. The guessing was made easier given the nature of the Tibetan diaspora and how open the monks are about their activities and outreach.
Here is the nut graph of the report:
“Until recently, one might have assumed that it would take a ‘geek’ to write good malware, and someone with interpersonal skills to do the social manipulation. But the industrialisation of online crime over the past ﬁve years means that capably-written malware, which will not be detected by anti-virus programs, is now available on the market. All an attacker needs is the social skill and patience to work the malware from one person to another until enough machines have been compromised to complete the mission. What’s more, the ‘best practice’ advice that one sees in the corporate sector comes nowhere even close to preventing such an attack.”
So what countermeasures can a typical corporate IT person take? Certainly, encrypted email should be used more, and while this is something that I have written about for more than a decade, I probably will still be writing about it 10 years from now. (None of the Tibetan emails were encrypted.) Second, when possible, use separate networks for external communications that don’t contain operational elements of a company: don’t put your payroll on your SMTP mail servers, use firewalls or even physically separate networks, and so forth. The authors state: “It would in our view be prudent practice to run a high-value payment system on a PC that does not contain a browser or email client, or indeed any other software at all.” Of course, as the Internet becomes more pervasive, this becomes harder to do.
Next, don’t open unexpected attachments, and certainly be careful when receiving unexpected documents, even from your usual correspondents. And as we conduct more business over social sites like Facebook and LinkedIn, be wary of what you receive there as well: the bad guys are using fake accounts and expanding their reach to phishing these sites. Just because someone is your “friend” doesn’t mean that they are actually legit.
Finally, take a look at data leak prevention appliances and tools. While these are expensive, they can save your bacon and do a tremendous job at detecting abnormal situations. A good place to start is with Code Green Networks, one such product that I review over on my WebInformant.tv series of videos. The company tells me that every installation has resulted in finding someone doing something that they shouldn’t be doing within the first week of use.