Saturday, December 8, 2007

"Cyber Attackers" are Looking for PII, Not Nukes

The headlines keep coming about the news that several high-profile military labs - including some of the world's leading nuclear research labs - have been compromised by phishing scams. Unfortunately, many of these headlines are missing the point.

Example: In one story published today, PC World claims that Chinese Hackers "launched" a coordinated "major attack" on two US Military Laboratories.

This is almost certainly *not* what happened. According to most of the published data, this was a phishing attack, plain and simple.

Case in point: The "FTC" phishing scam, cited by ORNL reps. As I blogged yesterday, this scam has been around for months, and is extremely widespread. In fact, Authentium's malware lab analysts first reported this scam in March.

The scam typically aims to capture PII (personally identifiable information) - such as the data that appears to have been stolen from the Oak Ridge visitor database.

Need more evidence for the theory these are phishing scams, rather than coordinated, military-style attacks?

According to a link on the PC World page hosting this article, those very same "Chinese hackers" are also hard at work "attacking" major oil companies and jet-engine manufacturers (see the "Related Content" link in the posted image, entitled "Chinese Hackers Accused of Attacking Shell, Rolls-Royce").

Does anyone really think there is a coordinated attack going on right now against the US Military, Rolls-Royce, Shell Oil - and consumers?

Folks, the real story is, in some ways, far more scary than the one being reported by PC World.

It would appear, unfortunately, that we now have evidence that really smart people fall for phishing scams too - and sometimes those smart people happen to have, on their network, a large database filled with the personal information of other really smart people.

And sometimes, databases filled with nuclear secrets.

Update: To Steve B's point, these DBs *are* air-gapped, but physical separation is only successful if policies are adhered to - see comments below.

Let me repeat what I said yesterday: the technology exists to stop these kinds of attacks. And some of that technology can be used in really simple ways.

Firewalls and mail servers, when configured correctly and combined with robust filtering technologies and/or services - located either in the DMZ or inside a secure MSSP data center - provide a useful first layer of defense.

Note: One additional approach used by some IT administrators at ISPs and businesses is the wholesale blocking of entire address ranges ("super-blocks") according to the country or region from which the email originates.

You need to be careful when taking this approach. Registry allocations do not map neatly onto countries - Australia and China, for example, are both served by the same regional registry (APNIC) - so a block list built from registry ranges will also cut off legitimate mail from neighboring countries. But as an additional defense mechanism, it probably should be on this list for consideration.
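As an added example (my own code, not part of the original post or of any product mentioned here), the check below shows how such a super-block filter would be applied at the mail gateway and where it goes wrong. It assumes a Python hook on the MX; the hostnames, CIDR ranges (RFC 5737 documentation space) and messages are all constructed and are not real registry allocations for any country. Two details matter in practice: the originating address must be taken from the Received line that your own MX added, because every Received line beneath it arrived as message text and can be forged by the sender; and any blocked range needs an allowlist for the legitimate correspondents that inevitably fall inside it.

```python
"""Super-block mail filtering at the MX with a collaborator allowlist.

Added example, not code from the original post.  Every range, hostname and
message here is constructed (RFC 5737 documentation space); none is a real
registry allocation for any country.
"""
import ipaddress
import re
from email import message_from_string

# Hypothetical super-blocks the administrator has decided to reject outright.
BLOCKED_SUPERBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]

# Known collaborators who happen to sit inside a blocked range (hypothetical).
ALLOWLIST = [ipaddress.ip_network("203.0.113.40/32")]

# Our own MX hosts.  Only the Received line one of these adds is trustworthy:
# every Received line beneath it arrived as message text and may be forged.
TRUSTED_RELAYS = {"mx1.example.gov", "mx2.example.gov"}

_BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(raw_message):
    """Return the address that connected to one of our trusted MX hosts,
    taken from the first Received line a trusted host added, or None if
    no such line exists."""
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        text = " ".join(received.split())      # unfold continuation lines
        by = _BY_RE.search(text)
        if not by or by.group(1).lower() not in TRUSTED_RELAYS:
            continue
        ip = _IP_RE.search(text[:by.start()])  # only the "from ..." clause
        return ip.group(1) if ip else None
    return None


def mail_policy(raw_message):
    """Gateway decision: 'accept', 'accept:allowlisted',
    'reject:blocked-range' or 'hold:no-trusted-hop'."""
    ip_text = originating_ip(raw_message)
    if ip_text is None:
        return "hold:no-trusted-hop"
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in ALLOWLIST):
        return "accept:allowlisted"
    if any(ip in net for net in BLOCKED_SUPERBLOCKS):
        return "reject:blocked-range"
    return "accept"


# Constructed messages.  Received lines are newest first, as delivered.
DIRECT_FROM_BLOCKED = """\
Received: from relay.example.net (relay.example.net [203.0.113.10])
 by mx1.example.gov with ESMTP id abc123; Sat, 8 Dec 2007 10:00:00 -0500
From: "Federal Trade Commission" <complaints@example.net>
Subject: Complaint filed against your company

Please open the attached complaint.
"""

# The sender forged an inner Received line claiming a clean origin, but the
# hop our MX actually recorded is inside the blocked range.
FORGED_INNER_HOP = """\
Received: from smtp.example.net (smtp.example.net [203.0.113.77])
 by mx2.example.gov with ESMTP id def456; Sat, 8 Dec 2007 10:01:00 -0500
Received: from friendly.example.org (friendly.example.org [192.0.2.8])
 by smtp.example.net with ESMTP id ghi789; Sat, 8 Dec 2007 10:00:30 -0500
From: colleague@example.org
Subject: Draft paper

Attached.
"""

COLLABORATOR = """\
Received: from lab.example.edu (lab.example.edu [203.0.113.40])
 by mx1.example.gov with ESMTP id jkl012; Sat, 8 Dec 2007 10:02:00 -0500
From: collaborator@example.edu
Subject: Cross-section data

See attached.
"""

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT_FROM_BLOCKED),
                      ("forged", FORGED_INNER_HOP),
                      ("collaborator", COLLABORATOR)):
        print(f"{name}: {originating_ip(raw)} -> {mail_policy(raw)}")
```

The allowlist is checked before the block list so that a known collaborator inside a rejected range still gets through; everything else in that range is refused, and a message that carries no Received line from one of our own hosts is held rather than judged on headers we cannot trust.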

Which of course leads to the obvious (political) question: Do folks that work at sensitive places like Los Alamos or the Oak Ridge National Laboratory *really* need to be able to receive email from China?


Steve T said...

Two comments:

1. Please remember that classified "nuclear secrets" at Los Alamos and other national (not military) laboratories are kept on networks physically disconnected from the Internet and thus are protected from such phishing attacks. At no time are nuclear secrets at risk when these incidents take place.

2. Places like Los Alamos and Oak Ridge need to receive email from China and other such countries because they are also involved in scientific research and have collaborators all over the world. Blocking such addresses would severely impact this research.

John C. Sharp said...

I agree with your comment regarding physical separation of databases. I used to work at a facility that held to similar policy.

But air-gaps are only as robust as the application and policing of policy.

Policies must be strictly maintained regarding the walking of files between the Internet and the non-Internet, using portable storage devices such as thumb-drives.

Recent studies by Raytheon and others show that many people often ignore these policies. That's when a technology like SureView can be useful.

As regards letting through email from China, if collaboration is necessary, then a managed service or filtering technology in-line with the mail server is a must.