March 1, 2013
Phishing Has Gotten Very Good
This isn't phishing; it's not even spear phishing. It's laser-guided precision phishing:
One of the leaked diplomatic cables referred to one attack via email on US officials who were on a trip in Copenhagen to debate issues surrounding climate change. "The message had the subject line 'China and Climate Change' and was spoofed to appear as if it were from a legitimate international economics columnist at the National Journal." The cable continued: "In addition, the body of the email contained comments designed to appeal to the recipients as it was specifically aligned with their job function."

[...]

One example which demonstrates the group's approach is that of Coca-Cola, which towards the end was revealed in media reports to have been the victim of a hack. And not just any hack, it was a hack which industry experts said may have derailed an acquisition effort to the tune of $2.4bn (£1.5bn). The US giant was looking into taking over China Huiyuan Juice Group, China's largest soft drinks company -- but a hack, believed to be by the Comment Group, left Coca-Cola exposed.

How was it done? Bloomberg reported that one executive -- deputy president of Coca-Cola's Pacific Group, Paul Etchells -- opened an email he thought was from the company's chief executive. In it, a link which when clicked downloaded malware onto Mr Etchells' machine. Once inside, hackers were able to snoop about the company's activity for over a month.

Also, a new technique:
"It is known as waterholing," he explained. "Which basically involves trying to second guess where the employees of the business might actually go on the web. If you can compromise a website they're likely to go to, hide some malware on there, then whether someone goes to that site, that malware will then install on that person's system." These sites could be anything from the website of an employee's child's school - or even a page showing league tables for the corporate five-a-side football team.

I wrote this over a decade ago: "Only amateurs attack machines; professionals target people." And the professionals are getting better and better.
This is the problem. Against a sufficiently skilled, funded, and motivated adversary, no network is secure. Period. Attack is much easier than defense, and the reason we've been doing so well for so long is that most attackers are content to attack the most insecure networks and leave the rest alone.
It's a matter of motive. To a criminal, all files of credit card numbers are equally good, so your security depends in part on how much better or worse you are than those around you. If the attacker wants you specifically -- as in the examples above -- relative security is irrelevant. What matters is whether or not your security is better than the attackers' skill. And so often it's not.
I am reminded of this great quote from former NSA Information Assurance Director Brian Snow: "Your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents."
Actually, that whole essay is worth reading. It says much of what I've been saying, but it's nice to read someone else say it.
One of the often unspoken truths of security is that large areas of it are currently unsolved problems. We don't know how to write large applications securely yet. We don't know how to secure entire organizations with reasonable cost-effective measures yet. The honest answer to almost any security question is: "it's complicated!". But there is no shortage of gung-ho salesmen in expensive suits peddling their security wares and no shortage of clients willing to throw money at the problem (because doing something must be better than doing nothing, right?) Wrong. Peddling hard in the wrong direction doesn't help just because you want it to. For a long time, anti virus vendors sold the idea that using their tools would keep users safe. Some pointed out that anti virus software could be described as "necessary but not sufficient" at best, and horribly ineffective snake oil at the least, but AV vendors have big PR budgets and customers need to feel like they are doing something. Examining the AV industry is a good proxy for the security industry in general. Good arguments can be made for the industry and indulging it certainly seems safer than not, but the truth is that none of the solutions on offer from the AV industry give us any hope against a determined targeted attack. While the AV companies all gave talks around the world dissecting the recent publicly discovered attacks like Stuxnet or Flame, most glossed over the simple fact that none of them discovered the virus till after it had done its work. Finally after many repeated public spankings, this truth is beginning to emerge and even die hards like the charismatic chief research officer of anti virus firm F-Secure (Mikko Hypponen) have to concede their utility (or lack thereof). In a recent post he wrote: "What this means is that all of us had missed detecting this malware for two years, or more. That's a spectacular failure for our company, and for the antivirus industry in general... This story does not end with Flame. It's highly likely there are other similar attacks already underway that we haven't detected yet. Put simply, attacks like these work... Flame was a failure for the anti-virus industry. We really should have been able to do better. But we didn't. We were out of our league, in our own game."

Posted on March 1, 2013 at 5:05 AM • 27 Comments
What about an email system that challenged all external links somehow? Perhaps combined with a secure browser that opened clicked links in a sandbox. Seems easy to do with company internal email. It wouldn't stop everything, but it might help.
Interesting. I am pretty sure that is only a couple of examples among dozens.
There is no certainty something can be done: after the link in the e-mail, it will be in a nicely printed letter, then on a CD, then as a USB drive, then ...
Wait, so a Coca-Cola exec that is in secret merger talks, regularly corresponds with his counterpart via plain text e-mails? No encryption?
This isn't phishing, it's out-and-out espionage. And this post very profoundly and succinctly demonstrates why AV tools, and even more advanced tools from that industry, can't protect you against targeted espionage.
@Zombie John:
"Hey! You! IT guy! I can't see the dancing cats my friend sent me! Make it work!"
It's hyperbolic, but not by much.
@cpragman:
This presupposes that either A) The executive in question fully understands PGP and key management, or B) The IT department can "work around it for him" on every device he might use. It's not an impossible problem, but it's nowhere near as simple as "just throw cryptography at it".
The only plausible way to combat these sorts of attacks is with a "security by isolation" approach. An operating system like Qubes OS which can automagically launch a non-persistent ("disposable") VM to read email attachments is the surest defense. Even if such a disposable VM is compromised by a 0-day, isolation from the rest of the system ensures no user data is compromised. A disposable VM in this scenario needs no networking (the attachment can be copied between VMs with some simple code in Xen dom0), so the exploit does not offer the attacker any pivot points into the network. Finally, the non-persistence of the VM ensures that any access obtained is transient.
Even better, rather than a TCB which includes all client software for parsing and displaying PDFs, DOCs, etc., you end up with a very small TCB (only Xen and a few thousand lines of GUI glue).
A start would be to disable the ability to click links in emails. Force users to type the URLs. Then disable Java, in the browser, in Acrobat, in the entire machine. That would make the attacker's job much more difficult.
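The two comments above that want external links challenged before a click, and the earlier one proposing an email system that flags external links, amount to a gateway check that can be sketched in code. The following is an added example, not code from the post or any commenter; the company mail domains, the known-sender table and the sample message are constructed, and the checks (external sender, familiar display name on an unfamiliar address, external link destination) are the ones a defender would run on mail before it reaches an inbox.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"example-corp.test"}                   # constructed: the company's own mail domains
KNOWN_PEOPLE = {"Jane Doe": "jane.doe@example-corp.test"}  # constructed: display name -> real address

class LinkCollector(HTMLParser):  # collects (href, visible label) pairs from an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_internal(host):
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)

def analyse(raw):
    """Findings for one RFC 5322 message; an empty list means nothing looked spoofed."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender, findings = msg["From"].addresses[0], []
    if not is_internal(sender.domain.lower()):
        findings.append(f"external sender: {sender.addr_spec}")
    known = KNOWN_PEOPLE.get(sender.display_name)
    if known and known.lower() != sender.addr_spec.lower():  # familiar name, unfamiliar address
        findings.append(f"display name '{sender.display_name}' is not {known}")
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkCollector()
    parser.feed(body.get_content() if body else "")
    for href, label in parser.links:
        dest = (urlparse(href).hostname or "").lower()
        if dest and not is_internal(dest):  # the link the comments want challenged before a click
            findings.append(f"external link '{label}' -> {href}")
    return findings

SAMPLE = """\
From: "Jane Doe" <jane.doe@mail-example-corp.test>
Subject: Revised term sheet for tomorrow's call
Content-Type: text/html; charset="utf-8"

<p>Please review before the call: <a href="http://files.attacker.test/termsheet.exe">term sheet</a></p>
"""
```

Run on SAMPLE, `analyse` returns three findings (external sender, mismatched display name, external link); a gateway would hold such a message for a challenge rather than delivering it with a live link.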
No @Tom, APT will use 0-day vulnerabilities in Firefox, Chrome, ...
@andrewb: Xen and VMware have vulnerabilities on a regular basis.
Writing general-purpose A/V software is a very hard (unsolved) problem. The systems that we currently have can defend very well against common "amateur" vandalism attacks, or attacks that use well-known techniques that have been used previously, but fall down when pitted against novel, obscure and tightly-targeted attacks, particularly if those attacks have been designed, written and tested with the specific intent of bypassing the detection algorithms of, say, the top 5 A/V vendors.
It _is_ an arms race, and, as you rightly point out, the defender faces a much harder challenge than the attacker, mainly because the attacker has access to the A/V endpoint software to test against, whereas the A/V vendor does not have access to the virus until it has been detected in the wild at least once. As we have seen, the time delay between a piece of malware being released into the wild and it being picked up by the A/V industry can (in the case of highly targeted attacks) be on the order of years, maybe even decades (I suspect). However juvenile and disruptive the vandals may be, their actions serve to test, stretch and improve the A/V industry's detection algorithms, harden the software industry's products, and close off vulnerabilities and avenues of attack that the less-noisy-but-more-dangerous attackers might exploit. Personally, I am far more frightened of sophisticated criminals and unscrupulous nation states (you know who you are) than I am of juvenile vandals on an ego-trip.
This is one case where we might do well to step back, consider the ecosystem as a whole, and try to implement an "anti-fragile" solution to the problem. (And it is a very very serious problem).
Ultimately the problem isn't the particular software, it's the system as a whole. Any particular piece can be secure, but if all the pieces aren't secure then eventually the pieces that aren't will be used to breach the system. This includes more than just the software; the interactions between the software must also be secure (e.g. SQL injection attacks).
The complexity of a modern OS instance (plus human nature) means that building a completely secure system is nearly impossible. Not only are truly secure applications mostly non-existent, but any system complex enough to be useful is going to be largely too complex to make any strong security guarantees about.
I don't think the problem is entirely insurmountable, but it will definitely require some rethinking and re-evaluating of certain aspects of systems development and programming. To start with we're probably going to have to give up C to a large extent; leaving programmers in charge of memory allocations and keeping track of references is just too error prone to do securely in any large system.
@LinkTheValiant
Could a member of the CIA or NSA get dancing cats on their laptop? If not, then why should the guy doing the 2bn dollar merger?
Almost all security problems are easy to fix if you get fired for a security lapse.
It's a choice - and one I bet Warren Buffett is talking to the Coca-Cola board about right now
Clicks on links in an email
An email client that installs applications without asking you
An OS that lets an email client install applications
An OS that lets an application installed by an email client have access to other programs data on the machine?
Have we learnt precisely nothing in the last 40 years of OS design?
- smugly being typed from my chromebook. At least now only Google are spying on me.
@ andrewb
"Even better, rather than a TCB which includes all client software for parsing and displaying PDFs, DOCs, etc., you end up with a very small TCB (only Xen and a few thousand lines of GUI glue)."
Are you saying that QubesOS doesn't depend on dom0 to work for security? If it does, the TCB is quite a bit larger. I've covered QubesOS before on this blog and had a nice little debate with the project leader. It's 2013 and the points I made in the post below are still valid for the project. They've done good work, though.
http://www.schneier.com/blog/archives/2011/06/...
All that said, I still congratulated them on their 1.0 release.
@Richard Birenheide
"Encrypting communication does not help when your machine is compromised."
Oddly enough, this means that somebody had to "attack the machine" along with the person. A computer where security was ever a consideration (mostly just non-Windows) would be a start, but I suspect that would just mean that the laser-guided spear-phishing would evolve until it was good enough to convince the user to turn on enough scripting to "0wn" his machine.
Looks like you can still do a lot to protect the machine, but only so much to protect it from a user who wants that lure.
@Paul Brian:
Could a member of the CIA or NSA get dancing cats on their laptop? If not, then why should the guy doing the 2bn dollar merger?
Almost all security problems are easy to fix if you get fired for a security lapse.
It's a choice
It is one thing to shoot the stablehand who lets the horses get stolen. It's quite another to shoot the squire's son.
We can see what they do to him. My guess is an internal reprimand. With at least a little justice, he'll "retire for health reasons" or some similar bilgewater. But an actual firing, with concrete reasons? Not a chance. (I'll be VERY happy if I'm wrong though.)
@Kyle:
I don't think the problem is entirely insurmountable, but it will definitely require some rethinking and re-evaluating of certain aspects of systems development and programming. To start with we're probably going to have to give up C to a large extent; leaving programmers in charge of memory allocations and keeping track of references is just too error prone to do securely in any large system.
That will be supremely difficult. Memory management in C is a price paid for faster software. Move to a managed-memory language and you lose a great deal of that speed advantage to overhead. TANSTAAFL. Never mind "TRAH-DISH-UHN"
Not that I don't agree with you, of course.
As is shown on the page pointed to above, Brian Snow was the *technical* director, not the director. He actually understood technology and security problems.
I know technology can't solve all problems but this really looks like a job for digital signatures. I've been digitally signing my emails for years in the hope that someone else would follow my example.
Sure, the exec will have to learn something about how to use GPG. But it is really pretty easy with modern email clients. Enigmail makes it easy for Thunderbird.
@LinkTheValiant: If you're an executive responsible for a $2.4B transaction, surely you're capable of figuring out how this email signing thing works and understanding why it is necessary. Establishing secure communications and even meeting face to face or at least sending trusted representatives such as lawyers to sign keys really doesn't seem like an unreasonable measure given what is at stake.
@Richard Birenheide: His machine wasn't compromised until he clicked the link, right? And he wouldn't have clicked the link if the email wouldn't display because the signature check failed.
@ Tracy Read
"If you're an executive responsible for a $2.4B transaction, surely you're capable of figuring out how this email signing thing works and understanding why it is necessary. Establishing secure communications and even meeting face to face or at least sending trusted representatives such as lawyers to sign keys really doesn't seem like an unreasonable measure given what is at stake."
Exactly. This is certainly the right mindset. As the value of assets increases, the strength of risk mitigation should also increase. Signatures are a start to authenticating the transaction (and maybe the individual). Trusted path for the signing mechanism, people's behavior and processes would be the next issues.
One of my employers put much stronger controls in place that were actually used (most of the time) by low wage workers and executives alike that didn't like the scheme. The reason it worked is that work could still be done (albeit painfully) and violating security policy resulted in firing for some people. It's amazing that we did all that for assets with very limited value, while these other companies can't bother to put adequate protections in for assets in the millions.