[Web Informant] 1 April 2009: How to stay secure in these insecure times

David Strom david at strom.com
Wed Apr 1 10:12:22 EDT 2009


This isn't an April Fools' story but rather a depressing one about
how easy it is to compromise a corporate network. Markoff's recent
story in the New York Times got me looking for the research paper by
Anderson and Nagaraja, which should be required reading for anyone in the
email and network security space:
http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.html

The paper describes a determined attack on the exiled government
offices of the Dalai Lama by purported agents of the Chinese
government. It is a chilling account of how easy it is for attackers to
penetrate a network with a little bit of social engineering and a lot
of clever programming. None of the techniques are new; what is new is
how much harder it is getting to keep the bad guys out.

The Tibetan government contacted the authors of the paper when they
observed suspicious diplomatic behavior. The authors found the
following disturbing items:
--      A number of successful logins to the Tibetans' US-based hosting
accounts were observed coming from Chinese IP addresses, none of which
originated with genuine Tibetan users.
--      Social engineering tactics were used to obtain the email identities
of many Tibetan government officials, who were then sent a number of
phishing emails.
--      The emails carried rootkit programs masquerading as ordinary
documents from apparently legit sources.
--      Once Tibetan monks opened the attachments by mistake, the
rootkits were used to obtain more information and compromise
other users on the network.
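The first finding above, successful logins to hosted accounts from source addresses that no genuine user would be using, is the kind of abnormal situation a simple log check can surface. The following is an added example, not code from the report or this newsletter; the log line format, the account names and the "expected" address ranges are all constructed for illustration.

```python
"""Flag successful logins whose source address is outside the networks
an account is normally used from. Added example; the log format, account
names and address ranges below are constructed, not from the report."""
import ipaddress
import re

# Constructed: the source networks each hosted account is normally used from.
# An account with no entry here has no expected source, so every login is flagged.
EXPECTED_SOURCES = {
    "office-mail": ["203.0.113.0/24"],                      # hypothetical office egress
    "press-office": ["203.0.113.0/24", "198.51.100.0/24"],  # office plus a second site
}

# Constructed log line shape: "<timestamp> login <success|failure> user=<acct> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def unexpected_logins(log_lines, expected=EXPECTED_SOURCES):
    """Return (timestamp, user, src) for each successful login from a source
    address outside the networks expected for that account."""
    nets = {user: [ipaddress.ip_network(n) for n in ranges]
            for user, ranges in expected.items()}
    alerts = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "success":
            continue  # malformed lines and failed attempts are out of scope here
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # unparsable source field; skip rather than guess
        if not any(src in net for net in nets.get(m["user"], [])):
            alerts.append((m["ts"], m["user"], str(src)))
    return alerts


# Constructed sample log using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    "2009-03-02T08:14:05Z login success user=office-mail src=203.0.113.40",
    "2009-03-02T08:20:11Z login failure user=office-mail src=192.0.2.77",
    "2009-03-02T23:02:48Z login success user=office-mail src=192.0.2.77",
    "2009-03-03T01:17:30Z login success user=press-office src=198.51.100.9",
    "2009-03-03T02:40:02Z login success user=unknown-acct src=192.0.2.78",
]

if __name__ == "__main__":
    for ts, user, src in unexpected_logins(SAMPLE_LOG):
        print(f"{ts} unexpected successful login: user={user} src={src}")
```

Run against the sample log, it flags the off-hours office-mail login from outside the office range and the login to an account with no known source, while ignoring the failed attempt. A source allowlist is a coarse first signal; treat a hit as something to investigate, not proof of compromise.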

What is interesting about this case is the combination of malware and
"good guessing", which is really what social engineering is anyway:
researching the Tibetans' communications to find plausible email
addresses of their correspondents, so that the phishing emails would be
more likely to be opened by the exiled monks. The guessing was made
easier by the nature of the Tibetan diaspora and by how open the monks
are about their activities and outreach.

Here is the nut graph of the report:

"Until recently, one might have assumed that it would take a ‘geek’ to
write good malware, and someone with interpersonal skills to do the
social manipulation. But the industrialisation of online crime over
the past five years means that capably-written malware, which will not
be detected by anti-virus programs, is now available on the market.
All an attacker needs is the social skill and patience to work the
malware from one person to another until enough machines have been
compromised to complete the mission. What’s more, the ‘best practice’
advice that one sees in the corporate sector comes nowhere even close
to preventing such an attack."

So what countermeasures can a typical corporate IT person take?
Certainly, encrypted email should be used more, and while this is
something that I have written about for more than a decade, I probably
will still be writing about it 10 years from now. (None of the Tibetan
emails were encrypted.) Second, when possible, use separate networks
for external communications that don't contain operational elements of
a company: don't put your payroll on your SMTP mail servers, use
firewalls or even physically separate networks, and so forth. The
authors state: "It would in our view be prudent practice to run a
high-value payment system on a PC that does not contain a browser or
email client, or indeed any other software at all." Of course, as the
Internet becomes more pervasive, this becomes harder to do.

Next, don't open unexpected attachments, and certainly be careful when
receiving unexpected documents, even from your usual correspondents.
And as we conduct more business over social sites like Facebook and
LinkedIn, be wary of what you receive there as well: the bad guys are
using fake accounts and expanding their phishing to these sites.
Just because someone is your "friend" doesn't mean that they are
actually legit.

Finally, take a look at data leak prevention appliances and tools.
While these are expensive, they can save your bacon and do a
tremendous job at detecting abnormal situations. A good place to start
is with Code Green Networks, one such product that I review over on my
WebInformant.tv series of videos. The company tells me that every
installation has resulted in finding someone doing something that they
shouldn't be doing within the first week of use.
