There’s a saying in journalism: report the news, don’t be the news.

Unfortunately today the Associated Press (AP) ran afoul of that rule by having their Twitter account hijacked.

In good journalistic fashion, they’re telling their own story quickly and with as much facts as possible. It sounds that they saw a phishing attack against their network just before the account was hijacked. While they don’t connect the two, it’s certainly a possibility that this is how the attackers got control of AP’s credentials.

Once the attackers had control, they used it to send a bogus tweet out claiming there had been explosions at the White House that injured President Barack Obama. Proving that social media and twitter hacking has real-world consequences, the Dow Jones average dropped 143 points on the news (but later recovered). The account and other AP accounts have been suspended while AP works with Twitter to verify they have control of the accounts.

Read the rest of this entry »

Last week, we posted some detailed information about the actions that the March 20, 2013 MBR wiper attacks took against systems in South Korea.

Today, I’d like to take that and some additional information that has come out about the incident and draw some conclusions about what lessons this attack teaches us.

When we look at the South Korean attacks three specific lessons come out of what we’ve seen:

1. Post-PC attacks aren’t just about devices
2. Auto-updating infrastructure is a viable target
3. Security and infrastructure products are targets too

There is an overarching theme to these lessons: when we say targeted attacks it means not just targeted in terms of who a spear phishing email is sent to start the attack. Targeted attacks are also targeted in terms of understanding a carefully selected potential victim’s infrastructure, with an eye to circumventing and compromising that specific infrastructure as much as possible. Most importantly, this applies to the security protections and controls in place.

Post-PC attacks aren’t just about devices

One thing that stands out in these attacks is the presence of attack code targeting Unix and Linux operating systems. We’ve seen attackers starting to turn their attention to Mac OS X over the past year, so malware attacks against non-Windows operating systems aren’t inherently new. However, Unix and Linux have more often been targets of active hacking attacks than malware, so this does represent a new trend bringing these operating systems into the post-PC attack crosshairs.

Most organizations tend to use versions of Unix for high-value systems, so including them in this attack code would seem to indicate an active targeting of those sorts of systems. Linux tends to be used for infrastructure and as a commodity operating system, so here too we can see thought being given in selecting the operating system targets.

The key lesson here is that when looking at targeted attacks, we have to view all platforms and devices as viable targets now. It makes sense to extend endpoint security practices to all platforms and devices as much as possible, and to implement other layers of protection to protect those platforms and devices that can’t be protected by endpoint security (like iOS).

Read the rest of this entry »

It’s another big information security story day at the New York Times. Three weeks ago after their big story detailing the Advanced Persistent Threats (APT) attack against their network, today they have a story detailing the ongoing espionage and corporate espionage against companies and organizations around the world.

It’s a very interesting and very detailed story. It’s well worth the read. And from the overall goal of protecting people, it’s extremely valuable from an industry perspective for sharing a wealth of information that can be used to provide protections broadly. You can be sure our analysts are going through the report and ensuring we have protections for anything we don’t already protect against.

But for customers, I would argue that while this story is entertaining, last week’s 2012 Advanced Persistent Threat (APT) Awareness Study released by ISACA is a more important read because it has more relevant information on how to protect your company or organization. The New York Times article is a good read but the ISACA report can help keep you from ending up in the next New York Times story.

The important thing that we saw in this survey is a serious disconnect between people worrying about APT attacks and understanding how they work. 63% said they were likely or very likely to be the target of an APT attack. But at the same time almost as many, 53.4%, said that APT attacks are “similar” to conventional threats. This means that only a little under 10% (9.6% to be exact) of respondents see this as a threat and understand that this is a different kind of threat and requires a fundamentally different kind of approach to meet it.

When stories like this hit, customers often ask “Am I protected against this attack”? What they really mean in most cases is “Are your signatures up-to-date to catch this attack?” The right answer to that question is that it doesn’t matter: these attacks are designed to be undetected by signature-based endpoint security. We saw this in the attack against the New York Times. In fact, we believe that these attacks generally are tested against signature-based endpoint products to ensure they’re not detected. Yes, we do protect against much of the malware outlined in the report and are building new protections for new malware. But this underscores that reactive, signature-based endpoint security can only be a piece of your overall posture to protect against APTs. These are custom attacks and defending against them requires a different approach, a custom defense that employs advanced detection technologies that can discover an attack before real damage can be done.

Read the rest of this entry »

Zombies (the shambling, brain-eating kind, rather than the computer kind) are all the rage these days. They’re on TV shows and video games. There are even real-life zombie walks. For whatever reason, they’re the current, fun way we like to scare ourselves.

It’s not surprising when people are looking to make a little fun mischief that they would pick zombies. There’s a point where hacking and playing come together, and we’ve seen this lately with zombies. People have hacked roadway signs to warn drivers that zombies are on the road ahead. Last week, we heard about the Emergency Alert System being hacked to warn residents watching TV news in KRTV in Great Falls, Montana that “the bodies of the dead are rising from their graves and attacking the living.”

We read these stories and share them and laugh because it is clever and funny. But there’s a real danger here that’s no laughing matter.

Critical Infrastructures Can be Compromised

At its heart, what’s happening is that critical public safety communications infrastructure is being compromised and used outside its intended purposes.

We can see some of the more dangerous results when critical public safety communications infrastructure is compromised in the form of “swatting.”  An instance of swatting is when people call the 911 system to submit false calls for help. Typically, these result in fully armed SWAT teams being sent to the houses of unsuspecting, innocent people. No one has been killed in these incidents, but that has more to do with good training and luck. The fact is that the system is being compromised in a way that is putting people at real risk by sending fully armed teams into situations they believe may require deadly force (and where their own lives are at risk).

To understand the real risks in hacking highway signs and the Emergency Alert System, we have to focus on the fact that all the instructions we’re seeing are false but funny, and also absurd and implausible. We know it’s a joke and we don’t take action. But what happens when the instructions are false but plausible?

Take the Halloween radio broadcast of War of the Worlds by Orson Wells on October 30, 1938 to get an idea of what can happen here. CBS Radio broadcast a dramatization of H.G. Wells’ War of the Worlds. They chose to do it in the form of a seemingly-real radio news bulletin broadcast. Even though there were announcements that it was a dramatization and even though the idea of an alien invasion may seem implausible to us, enough listeners found the fictional story (false information) to be plausible enough that they believed it and acted on it. The dramatized reading of a classic story caused panic.

This didn’t cause widespread panic, but enough of a reaction to be noted and cause a discussion about the credibility of the radio (and the wisdom of using such a realistic format). The important lesson for us is that people will trust less plausible information to be real if it comes out of trusted channels.

Read the rest of this entry »

Today is one of those days when security news finds its way to the front page of mainstream news. The New York Times announced in a very detailed report that their network had been breached starting about four months ago in an Advanced Persistent Threat (APT) attack. Their story explains that the attackers have been repelled from their network with help from an outside security company.

What makes this story interesting and important reading is the scope of detail it provides around the attack. Because they’re disclosing an attack after it’s been thwarted, the story provides a broad view into the full lifecycle of an APT attack. The report also provides a level of detail that is rare in these situations. Anyone interested in security and protecting against APTs should take some time and read the full New York Times’s story.

One thing that the New York Times does is to call out that they had security products in place and that those failed to prevent the attack. They go so far as to name the vendor. Some have characterized this as “pointing the finger” at the vendor (who has defended themselves publicly). We don’t have detailed specifics around what products were deployed and how they were maintained. But the New York Times’ story and the vendor’s response would seem to imply that the protection regimen was focused on signature-based endpoint-security. Presumably there were other protections like firewalls and possibly intrusion prevention systems (IPS) that also failed to prevent the attack but there is no specific mention of that.

With that information and what we know about the attacks, we can draw some lessons from that around what it takes to adequately defend an environment against APTs.

Read the rest of this entry »