While Hill staffers and other Washington movers and shakers were being carpet-bombed two years ago during budget negotiations, it was really eye-opening how much individual effort was put forth. They were exploiting a Flash 0-day that was embedded in various .xlsx, .docx and .pdf files - pretty slick, as it got them around NoScript policies and outside any sandboxes.
The turnaround time was crazy - on at least two occasions the workflow went:
recent victim gets first/early copy of policy paper written that day -->
document is taken, translated to a different format and has 0 day inserted -->
emails with exploit are sent to no more than 10-15 people the victim frequently discusses the topics covered in the paper with. -->
Many include personalized notes that include observations the victim had sent to the author -->
Time from initial email receipt to exploits all mailed: around 3 hours
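As an added example (not from the commenter above, and not any real detection product), here is a small scanner for the delivery mechanism the comment describes: a Flash object embedded in an Office document. Office 2007+ formats (.docx, .xlsx) are zip containers, so the scanner opens the container, looks for an ActiveX part that references the Flash Player classid, and looks for members that begin with an SWF header. The sample document builder is constructed purely for the demonstration; the exact part names and XML layout Office uses for embedded ActiveX controls vary by version and are an assumption here, while the classid string itself is Adobe's published Flash Player CLSID.

```python
import io
import zipfile

# Flash Player ActiveX class id. In a .docx it typically shows up in
# word/activeX/activeXN.xml; the exact part layout is an assumption.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"

# SWF file magics: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def scan_ooxml(data: bytes) -> list:
    """Return a list of (member_name, reason) findings for an OOXML container."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<file>", "not a zip container")]
    for name in zf.namelist():
        content = zf.read(name)
        lower = name.lower()
        # XML parts that point at the Flash ActiveX control.
        if lower.endswith(".xml"):
            text = content.decode("utf-8", "replace").lower()
            if FLASH_CLSID.lower() in text:
                findings.append((name, "ActiveX part references Flash Player classid"))
        # Any member that is itself an SWF, whatever it is called.
        if content[:3] in SWF_MAGICS:
            findings.append((name, "member begins with SWF magic %r" % content[:3]))
        if lower.endswith(".swf"):
            findings.append((name, "member has .swf extension"))
    return findings


def build_sample_docx(with_flash: bool) -> bytes:
    """Constructed, minimal .docx-like container used only for this demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            zf.writestr("word/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{%s}"/>' % FLASH_CLSID)
            # Constructed placeholder: an SWF header followed by filler bytes.
            zf.writestr("word/activeX/activeX1.bin", b"CWS\x0a" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)),
                       ("flash", build_sample_docx(True))):
        print(label, scan_ooxml(doc))
```

A mail gateway would run this on every Office attachment and quarantine anything that produces a finding; it is a structural check, so it catches the embedding technique rather than any particular exploit payload.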
Yeah, what? Who is sponsoring 0-day exploit attacks against Hill staffers? Do the parties go that far to get an edge against each other in negotiations? That seems like it would be front page NYTimes material.
Political parties in this country would never stoop to criminal activity to gain strategic information. Why, if such a thing were to happen, and to involve high-ranking government officials, I bet it would be a major national scandal and maybe even lead to some unprecedented resignations!
Anyone who could profit is our starting set. And the budget for the federal government funds massive amounts of private entities that have a vested interest in finding out ahead of time what their and their competitors' funding will be.
Notably, hedging their bets on an exchange.
And, maybe obviously, some of these private entities are the very entities that are consulted for the federal government's email and computer security policy.
I love how everyone here is extremely focused on the security of different technologies (Chromebook, Office, Java, etc.), when really the point of the article is that regardless of what technology is used, the weakest link in any system will always be people.
Schneier stated this explicitly: "Amateurs target systems, professionals target people." It doesn't matter if your money is behind a five-foot-thick reinforced-concrete safe if the banker can be convinced to open it for an attacker.
What I am pointing out is that nobody is discussing how to train/educate humans to be more resistant to social engineering attacks. Instead there seems to be an echo chamber of "X system is so much more secure than Y system!" which is really banal.
I wonder how many of these exploits are simply the result of the following five factors:
o Windows
o Internet Explorer
o Java
o Flash
o Office
People can whine all they want about Chromebooks not running non-cloud stuff, but IMHO, diplomats, executives, et al. should be required to use locked-down machines for communications, and training to educate people about opening email links should be widespread.
I get emails all the time from my bank and credit card companies, but even if I visually inspect the link targets, I don't trust them, I always type in the location myself if it is a site that I know I'm going to enter important credentials into.
You should read the article more carefully. As Schneier says in his post, amateurs target systems, whereas professionals target people. So the technology used doesn't matter very much at all. In most cases all you need to do is some social engineering to figure out people's soft spots.
If "whatever they switch to" is ChromeOS + web apps, then it's going to be much more expensive to get past a Chrome sandbox than any of the current exploitation favorites. Sure, it's not impossible, but at least making exploitation more expensive will put the little guys out of business. And Google has sufficient money to throw at Chrome security that it will become more expensive over time, not less.
Of course. But that's very different from hacking the user's own machine, which effectively provides the hacker with access to everything the user does. Hacking a single service means that you merely get access to that one service, plus anything else where the user used the same password. And we already have technologies which would make it so that hacking a service would only give access to that one service, e.g. Mozilla Persona[1].
Attack vectors and techniques are different, but everything else stays the same.
If one can add a <script> tag to arbitrary webpages via a malicious extension, XSS or whatever other method then that's probably as good as/better than root.
You are still not magically immune from buffer overflow, heap overflows or any of the other bread and butter stuff either.
This is not new. Government officials and corporate executives have always been targets of espionage. That spies would disguise their attempts as common spam/phishing is unremarkable; as is the notion that some ordinary hackers might also preferentially target this class of people.
Exactly. The term the article should be using for it is "social engineering." It would only take a minimal amount of research to create a legitimate-looking email to a Coca-Cola executive or whoever. Emails claiming to contain coupons for free sexual performance enhancers won't exactly work for most people, so a little research isn't a stretch at all.
It most certainly is NOT new. We were writing about it at MessageLabs (now part of Symantec) years ago (in 2007 or earlier IIRC).
What's surprising is that I gave a talk twice for Schneier's company Counterpane on tour with him in Texas, to a small room of people, including Bruce, covering exactly this topic, around that time.
Disclaimer: I no longer work there but I created their anti-spam software.
A lot can happen when you click a link. You download content like images, run plugins, open up third party apps (like iTunes or a chat client). You render images, you can start the hardware accelerated canvas stuff. You're downloading all of this content onto your computer and then your computer processes it. It's not like you're using a remote viewer to view something not on your computer. Going to a website is downloading files.
A lot of things that I don't want to happen occur when I click on a link. Cookies are sent to foreign servers without my knowledge or consent. Advertisements are displayed. Audio can be played without my consent. Powerful flash and javascript plugins can run without my consent that can hijack my browser and deny me the use of my computer until I restart it.
When I click on a link, I want a remote text and image viewer. Sometimes I'll allow certain sites like youtube to run flash, even automatically. This computer is my tool, not someone else's, and in 2013 clicking on a link shouldn't be a wildly uncontrolled and dangerous experience.
I agree with your point. Most of us here are experts and have click-to-plugin addons installed. However, as Schneier states, the person is always the weakest link.
I've been on the internet for a few years, as a kid, and never got into phishing trouble. Now, as an adult, I've seen phishing forgeries so incredibly detailed that I had to check a lot of factors to finally conclude that it's phishing. And I'm an adult computer scientist who programs web pages!
Just think about any other intelligent adult but without the technical knowledge to detect forgeries. It's turning out to be really scary.
The web is what it is. In theory, my processors would only run the code I want them to -- not the selection of code, scripting, and plugins that any random website may have. I work very hard to make that theory into reality.
Did you pay attention to the problems mentioned by the NSA director? It's hard. Much much harder than making an application to share status. Much much harder than even making an application that searches big data for new drug possibilities. There are classes of problems that are unsolved even at the technical level, much less the human one.
So how do you protect yourself from these highly-targeted attacks?
How about running the browser in a sandbox that resets all changes on exit? I've actually set up Firefox (hardened) + Sandboxie on Win7 but exactly how good is this setup?
e) do not allow downloading of any file. Instead use Chrome's plugin to open any Word/etc. files in Google Docs.
f) Use a Chromebook. Chromebooks can't really execute programs like Windows machines can, so it's fairly safe. And worst case is you expose a sandbox machine with no private data other than caches, that can be set to be cleared on sleep or whatever. Bonus security points:
- if a Chromebook is hijacked, it will only be hijacked until a reboot, during which time the Chromebook does a sanity check ensuring the OS is exactly intact. If it is not, it just reinstalls the OS from ROM. Basically no long-term compromised machines.
- The only time Chrome's sandbox was ever completely bypassed allowing arbitrary code execution was using a combination of multiple Chrome exploits (now closed) and a Windows Data Execution Prevention bug. That can't happen on Linux (and the Chrome team works to further solidify that sandbox). Pretty much almost impossible. And if it is, quickly patched and voilà.
g) browse in private browsing mode only
h) When visiting links (like Facebook) manually type in the URL to ensure nothing is spoofed.
I think you will be fairly safe. However... I doubt most people will go that far.
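The boot-time integrity check mentioned above (the OS is verified at boot and reinstalled from ROM if it does not match) is a hash tree over the root filesystem whose root hash is anchored in firmware. As an added illustration, not the commenter's text and not Chrome OS's actual implementation, here is a simplified dm-verity-style tree in Python: the image is split into blocks, leaf hashes are combined pairwise up to a single root, and each block can be checked on read against the trusted root. The block size, the sample image and the tampering are all constructed for the demo; a real implementation uses 4096-byte blocks and a signed root hash.

```python
import hashlib

BLOCK = 16  # tiny block size for the demo; real dm-verity uses 4096


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_tree(image: bytes):
    """Return (root_hash, levels). levels[0] holds the leaf (block) hashes,
    levels[-1] holds the single root. An odd node at the end of a level is
    paired with itself."""
    leaves = [_h(image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [_h(cur[i] + (cur[i + 1] if i + 1 < len(cur) else cur[i]))
               for i in range(0, len(cur), 2)]
        levels.append(nxt)
    return levels[-1][0], levels


def verify_block(image: bytes, index: int, trusted_root: bytes, levels) -> bool:
    """Check one block the way dm-verity does on each read: hash the block
    data, walk up using the stored sibling hashes, and compare the result
    with the root held in trusted storage (the ROM copy in the comment)."""
    node = _h(image[index * BLOCK:(index + 1) * BLOCK])
    pos = index
    for level in levels[:-1]:
        sib = level[pos ^ 1] if (pos ^ 1) < len(level) else level[pos]
        pair = node + sib if pos % 2 == 0 else sib + node
        node = _h(pair)
        pos //= 2
    return node == trusted_root


def boot_check(image: bytes, trusted_root: bytes, levels) -> bool:
    """The full check at boot: every block must verify against the root."""
    nblocks = (len(image) + BLOCK - 1) // BLOCK
    return all(verify_block(image, i, trusted_root, levels) for i in range(nblocks))


if __name__ == "__main__":
    # Constructed sample image: 512 bytes, i.e. 32 demo blocks.
    image = bytes(range(256)) * 2
    root, levels = build_tree(image)
    print("clean image passes:", boot_check(image, root, levels))
    tampered = bytearray(image)
    tampered[100] ^= 0xFF          # flip one byte in block 6
    tampered = bytes(tampered)
    print("tampered image passes:", boot_check(tampered, root, levels))
```

The point of the design is that an attacker who rewrites the filesystem must also rewrite the root hash, and that one value lives where the OS cannot write; recomputing the tree over the modified image simply produces a different root, which the firmware rejects.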
So to avoid leaking any private data to third parties, I should send all my private data to a third party using a proprietary protocol?
Also, I'd recommend using NoScript, with no plugins. Don't bother opening Word files, get them to send it to you in plain text. Or run around with USB drives (no one ever said it would be easy).
You're still not necessarily safe here from spoofing.
If an attacker can gain access to your network (splicing a network cable somewhere, long-term hacks against wifi keys, etc.) then they can run DNS or ARP poisoning, and redirect all of your traffic through a transparent proxy that can strip off HTTPS and log all cookies and form submissions.
Many people will then type in 'www.facebook.com' into the address bar, and will see facebook as normal (minus the padlock, which most people wouldn't notice is missing).
So: don't just type in 'www.facebook.com', ALWAYS type in 'https://www.facebook.com' manually, or make a habit of checking the padlock on every page view (perhaps there is a Chrome addon for this?)
EDIT: and if you're being spoofed by a government or syndicate who has the ability to sign global certificates, then there is probably not much you can do.
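The habit described above (always type the https:// form so the first request never goes out in the clear) is what browsers automate with HTTP Strict Transport Security. As an added example, not part of the comment and not a real browser's code, here is a minimal HSTS cache in Python: it records a Strict-Transport-Security header seen over a secure connection, honours max-age, includeSubDomains and expiry, and upgrades a bare typed address to https:// before any plaintext request is made, which is exactly the request an SSL-stripping proxy needs to intercept. The preload list, hostnames and clock are constructed for the demo.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit


def typed_to_url(typed: str) -> str:
    """What a browser does with a bare host typed in the address bar:
    without a scheme it defaults to plaintext http."""
    return typed if "://" in typed else "http://" + typed


class HstsStore:
    """Minimal HSTS cache: host -> (expiry_timestamp, include_subdomains).

    Preloaded entries model the browser's built-in list and never expire.
    Observed entries must only be learned over HTTPS; a header seen over
    plaintext could have been injected by the attacker."""

    def __init__(self, preload=None, now=time.time):
        self.now = now
        self.entries = {}
        for host in (preload or []):
            self.entries[host.lower()] = (float("inf"), True)

    def observe(self, host: str, header_value: str) -> None:
        """Parse a Strict-Transport-Security header received over HTTPS."""
        m = re.search(r"max-age\s*=\s*\"?(\d+)\"?", header_value, re.I)
        if not m:
            return
        max_age = int(m.group(1))
        if max_age == 0:
            self.entries.pop(host.lower(), None)  # max-age=0 forgets the host
            return
        include_sub = re.search(r"(^|;)\s*includeSubDomains\s*(;|$)",
                                header_value, re.I) is not None
        self.entries[host.lower()] = (self.now() + max_age, include_sub)

    def is_known_https(self, host: str) -> bool:
        """Exact match, or a parent domain flagged includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry < self.now():
                continue
            if i == 0 or include_sub:
                return True
        return False

    def upgrade(self, url: str) -> str:
        """Rewrite http:// to https:// for hosts under HSTS; otherwise unchanged."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_https(parts.hostname or ""):
            netloc = parts.hostname
            if parts.port and parts.port != 80:
                netloc += ":%d" % parts.port
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    store = HstsStore(preload=["facebook.com"])
    print(store.upgrade(typed_to_url("www.facebook.com")))   # upgraded
    print(store.upgrade(typed_to_url("example.com/login")))  # still plaintext
```

Note what the cache does not cover: a host the browser has never seen over HTTPS and that is not preloaded gets its first request in plaintext, which is precisely the window the comment's transparent proxy lives in; that is why the preload list exists.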
Embarrassing to admit, but I've always wanted to believe one could at least trust plugins like Adblock Plus or Ghostery to protect one's mind and privacy a little.. now, reading Hacker News almost every day, I'm getting paranoid. Is it a vulnerability to even use them?
The more people you trust, the more susceptible you are to having that trust broken.
Let's say you trust Chrome, you can't trust AdBlock just because you trust Chrome. The install on the Chrome store could get compromised, somehow.
In this specific case though, you also have to weigh the risk of an attack being delivered from an ad. What's more likely? One of the thousands of ads you view a day launches an attack, or installing a Chrome extension does? Which would be more damaging?
Security is not an exact science. It's all about weighing options and making informed decisions.
First of all, in Firefox (and I believe in Chrome too) there is a distinction between "addons" (such as adblock plus) and "plugins" (such as flash). The main difference being that plugins are DLLs containing native code, and thus have all the privileges the browser has. In comparison, addons are mostly JavaScript, and run inside the browser with somewhat limited access to the rest of the system.
I'd say E-Mail signatures. Officials should get a big fat warning sign for E-Mails that contain either no signature or a signature issued by an untrusted party. The private keys to sign mails would also have to be encrypted in a way that infected systems could still not send signed E-Mails. I'm thinking a hardened USB stick with some kind of biometric scanner as the only place to store the key. You'd send a blob of data to that appliance, it waits for your authentication and then it sends the signed version back to the E-Mail client.
That is indeed a good point. However it won't prevent the ideas of hijacking little league sites that your employees may visit which would be maintained by one web designer one day a year, on that employee's home computer, which then goes on to use it as a vector to attack the company.
Yeah. Technology to hack someone is getting better by the minute.
What's really sad about this is that many government resources have certificates that the browsers available to their users (i.e., IE 6/7/8) don't trust, so the users are conditioned to blow through the clearest warnings they will ever get.
e.g., here's the DoD global phone book (in case I want to email somebody). Server requires CAC token from the client, but the client's browser doesn't trust the server!
Just install the goddamn DoD root certificates and the client browser will work just fine.
I've used approximately zero DoD computers since 2005 that had the SSL CA chain misconfigured for use on DoD websites. It's really not that hard, even my Linux box here works fine.
Are you on NMCI? Because I have used approximately zero DoD computers since 1994 that had the SSL CA chain configured properly on delivery.
In my humble experience, installing DoD roots is a journey: there are at least a few dozen and they are constantly being retired and superseded. Meanwhile, to get the DoD root certs, one has to trust A) DNS B) whomever is in charge of access control to the cert servers. Clearly, access control is a major problem for the DoD, that's the whole problem to begin with.
It is true that they go through the intermediate CAs fairly quickly, but the actual root is still at CA-2 from what I can tell.
DNS security is certainly a concern, but not the kind of concern that leads to SSL warning popups unless there's something else screwy going on. But then maybe Chrome is seeing screwy stuff that MSIE doesn't know to check for...
For DoD it's already a requirement that any emails with URLs or other "clickable links" are digitally signed (possibly this is true for attachments too, I'm not sure).
However this is a policy which is not computer-enforced, which means of course that it's fairly useless in practice.
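Both the signed-mail proposal a few comments up (warn on messages with no signature or an untrusted signer) and the DoD rule just described (mail containing links must be digitally signed) have a structural half that a gateway can enforce mechanically. As an added example, not from either commenter and not any real gateway's code, here is a Python check using only the standard library: it parses the message, looks for a URL in any text part, and requires a multipart/signed wrapper with an S/MIME or PGP signature part before the message is accepted. Cryptographic verification of the signature and the trust decision on the signer are deliberately left to the S/MIME stack, so the check only answers "is this message even signed". The three sample messages are constructed for the demo and the signature part is a placeholder, not a real signature.

```python
import re
from email import message_from_string
from email.policy import default as default_policy

URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.I)

SIGNATURE_TYPES = {
    "application/pkcs7-signature",
    "application/x-pkcs7-signature",
    "application/pgp-signature",
}


def signature_status(msg):
    """'smime' or 'pgp' if the message is multipart/signed with a signature
    part, else None. Does not verify the signature."""
    if msg.get_content_type() != "multipart/signed":
        return None
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype in SIGNATURE_TYPES:
            return "pgp" if "pgp" in ctype else "smime"
    return None


def contains_link(msg) -> bool:
    """True if any text part (including inside a signed wrapper) has a URL."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            if URL_RE.search(part.get_content()):
                return True
    return False


def check_policy(raw: str) -> str:
    msg = message_from_string(raw, policy=default_policy)
    has_link = contains_link(msg)
    sig = signature_status(msg)
    if has_link and sig is None:
        return "REJECT: contains link but is not signed"
    if has_link:
        return "ACCEPT: signed (%s); signature still needs cryptographic verification" % sig
    return "ACCEPT: no links"


# Constructed sample messages.
UNSIGNED = """\
From: chief@example.test
To: staffer@example.test
Subject: Updated policy paper
Content-Type: text/plain; charset="us-ascii"

Here is the copy we discussed: http://files.example.test/paper.docx
"""

SIGNED = """\
From: chief@example.test
To: staffer@example.test
Subject: Updated policy paper
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Here is the copy we discussed: http://files.example.test/paper.docx
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

NOLINK = """\
From: chief@example.test
To: staffer@example.test
Subject: Lunch
Content-Type: text/plain; charset="us-ascii"

See you at 3.
"""

if __name__ == "__main__":
    for name, raw in (("unsigned", UNSIGNED), ("signed", SIGNED), ("nolink", NOLINK)):
        print(name, "->", check_policy(raw))
```

Because the check runs before any human sees the mail, it turns the paper policy into something the sender actually has to satisfy; the message in the original thread, a personalised note carrying a link or attachment but no signature, would be the first thing it bounces.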
Does this really solve the problem though? If a file that contains the attack appears legitimate, it could potentially be shared. If the file is saved to Google Docs or Dropbox, everyone who tracks that folder is compromised also.
It's running on their servers! I prefer to have a VM on my side. In terms of security I don't trust third parties. Or saying it in a different way: can I look at their server configurations before acquiring their services?
Pretty much air-gapped networks, build yourself a computer with a MIPS CPU, or just buy a laptop every Monday and throw it away on Friday.
Chrome OS is probably the only commercial platform that is designed with this era of threats in mind. It's at least a generation ahead of everybody else. They're actually building their own embedded controller (controls the fans, battery etc.) to go along with their open source firmware so they can worry less about bad guys in the supply chain.
You can do some of this with VMs: build a machine, use it for web access, delete it when done. With a carefully constructed virtual drive, you can just clone the drive, start the machine, discard when done. Not at all a "friendly" way to go, but one which adds another layer to the puzzle for your attacker.
This is what Invincea offers. The browser runs in a VM with a "watcher" that compares its activity to typical browsing activity. If it sees something unusual it kills the whole VM and loads a fresh one.
The problem with this sort of approach is that it is slow on most office machines. A lot of companies are still running XP desktops with 1GB RAM.
The laboratory I work in has all Internet access routed through browsers on a separate server, accessed via RemoteApp. The browser server is supposed to be reimaged regularly.
This is one of the reasons I'm pretty happy about the new execution model being discussed by the W3C's System Applications Working Group. The move of sensitive information from the desktop to the browser is leading to a "sandbox everything" approach, which may not be safer, but should at least mitigate the damage done. Nowadays if you compromise the machine of an individual, you own everything they use and everything they do. With some sort of sandboxing between tabs and between privileged user resources (contacts, messages, email, calendaring), the amount of resources an attacker can control is reduced. The problem on the desktop is that the default M.O. has always been to trust the user entirely with respect to everything but machine administrative (root) actions. With sandboxing and new security models around the user's own data, the M.O. now becomes only trust the user within one area of their life, but not between areas of their life (so a PDF document can't affect their email without explicit user action).
>This is one of the reasons I'm pretty happy about the new execution model being discussed by the W3C's System Applications Working Group.
What would make me even happier is a way for me to read the writings of my favorite authors without relying on many millions of lines of source code (i.e., a "modern" browser) and the inevitable security holes in those millions of lines.
Well, Mozilla is starting afresh with its Servo browser engine based on its Rust language. Given the design choices for Rust and Servo, I imagine that it's going to be a lot more secure and stable than the current crop of browser engines (Webkit, Gecko, Trident, etc.)
That's not a problem that will be solved completely, realistically. For better or worse the Internet is where most of your favorite authors are putting their writings for now. There are workarounds, though. Using a non-browser-based RSS reader should help.
Anyone come across Bromium before ( http://www.bromium.com/ )? I think some of the 'micro-virtualization' ideas they describe sound really interesting. I believe it was founded by some of the people behind Xen.
While this is interesting it shouldn't really be surprising. Whatever happens in the real world is inevitable in the cyber (ugh, dislike that word) world. Government and commercial espionage is fairly common and employs the use of sophisticated infiltration, sabotage and subversion techniques; this is just its parallel on the Internet.
The turnaround time was crazy - on at least two occasions the workflow went:
recent victim gets first/early copy of policy paper written that day --> document is taken, translated to a different format and has 0 day inserted --> emails with exploit are sent to no more than 10-15 people the victim frequently discusses the topics covered in the paper with. --> Many include personalized notes that include observations the victim had sent to the author --> Time from initial email receipt to exploits all mailed: around 3 hours
Now that's how you get a 95% open rate.
related: http://contagiodump.blogspot.com/search/label/CVE-2011-0611