- Created on Tuesday, 05 February 2013 20:47
- Written by Steve Bellovin - FTC
Washington, DC - Most attacks are pretty mundane. Some aren’t, though, and we can learn a lot from them. Let’s consider the recent case of the New York Times being hacked, allegedly by China.
Several things stand out from the article. For one thing, it was a targeted attack. Most hacks, even very serious ones, are opportunistic, in the sense that the attacker doesn’t really care which system is penetrated. Someone who, for example, wants to use an open WiFi access point to penetrate a big box store’s network doesn’t really care much at which store the attack succeeds. If the first store has a protected net, it’s on to the next parking lot to try the next big box in the strip mall. Someone launching a targeted attack, though, has a very different goal. To misuse the old joke, if you’re being targeted, it’s no longer enough to outrun your friend; you have to outrun the bear, too. In this case, the attackers were after not just the Times but information on one particular story.
Note the duality: an opportunistic attacker tends to be technology-focused: he or she will have a set of break-in tools. If they don’t work against some site, that site is probably safe (until, of course, a better-equipped bear comes along). In this case, though, the focus was on the victim, with the attackers trying or building whatever tools were necessary. These people knew what they wanted. Once they were into the Times’ network they found and cracked the domain controller that had the master password file, then cracked some employees’ passwords. They wanted these not to use on other sites, but to gain access to particular Times computers, and in particular to certain reporters’ email and files. As I’ve noted before, strong passwords are an overrated defense in general, but this is one of the exceptions that proves the rule: when you’re being targeted, password strength can matter very much.
Another interesting point is the failure of antivirus software:
Over the course of three months, attackers installed 45 pieces of custom malware. The Times … found only one instance in which [it] identified an attacker’s software as malicious and quarantined it
This should not be a surprise. Most antivirus packages work by matching files against a database of known malware. A custom tool, or one that has not yet been analyzed by your antivirus company, by definition won’t be in this database, and hence won’t be detected. Indeed, the Times itself has recently reported on the growing failure of this technology:
A new study by Imperva, a data security firm in Redwood City, Calif., and students from the Technion-Israel Institute of Technology is the latest confirmation of this. Amichai Shulman, Imperva’s chief technology officer, and a group of researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab. They found that the initial detection rate was less than 5 percent.
The companies themselves realize this, and are moving on to newer techniques, though these themselves are imperfect. A spokesman for one company said, “In over two-thirds of cases, malware is detected by one of these other technologies.” Two-thirds is much better than 5 percent, but it’s still not great, especially against a serious adversary.
Is traditional antivirus software useful? It is and it isn’t. It does reasonably well against older malware. It does little, if anything, to protect you against “advanced persistent threats” or even the more clever cybercriminals. Should you run it? Let’s put it like this: just because you’re actually being hunted by invisible flying assassins from the Andromeda Nebula doesn’t mean you can ignore traffic when crossing the street; you can still be hit by an ordinary car. Traffic signals have their uses, even if invisible flying assassins don’t pay any attention to them.
The last point worth mentioning is how the Times cleaned up the mess. You often hear “don’t clean up the machine; reformat the disk and reinstall.” That’s good advice; it’s fiendishly difficult to exorcise all of the nasties any bad guy can leave behind, let alone a high-end attacker. Maybe one day your antivirus company will be able to detect and quarantine those files, maybe not; in any event, you can’t wait. Disinfecting a network isn’t as simple as waving a wand and chanting “Expulso”, either, and most companies can’t afford to reinstall the OS on all of their computers. More importantly, they can’t afford to lose the data, which is worth far more than the hardware it sits on. The Times approach was to wait and watch: watch to see which machines appeared to be infected, and how the malware behaved. This let them learn which machines were infected, and how the infections behaved; that in turn permitted replacement of just the affected computers, and the creation of new, tailored defenses. This isn’t a foolproof process—the article itself mentions a previous incident where a thermostat and a printer had been compromised—but it’s better than either guessing or throwing away everything.
There are a number of lessons from this story. The most important is that you need to understand if you’re at risk of serious, targeted attacks. The APT—Advanced Persistent Threat—concept is overhyped, but regardless of the attacker’s absolute capabilities the fact of targeting makes a big difference in your defensive posture. Not only do you need stronger defenses, you need different types. Phishing attacks happen to everyone, but they’re generally trying to extract your password for the Bank of Ruritania or some such. Spear-phishing is generally aimed at planting malware, and may carry a payload undetectable by most antivirus programs. Password strength can matter more, too, against an attacker who steals your site’s hashed passwords.
There’s another, more subtle point: should you centralize or decentralize your resources? Against random attacks, a single, strong server complex makes sense. If you’re being targeted, though, perhaps you should spread out your resources, and increase the number of systems the attackers have to penetrate. There’s no one answer to this question, but you should give it some thought.
There’s one more point to consider about targeted attacks: what are the attackers actual goals? It isn’t always obvious:
The attackers were particularly active in the period after the Oct. 25 publication of The Times article about Mr. Wen’s relatives, especially on the evening of the Nov. 6 presidential election. That raised concerns among Times senior editors who had been informed of the attacks that the hackers might try to shut down the newspaper’s electronic or print publishing system. But the attackers’ movements suggested that the primary target remained Mr. Barboza’s e-mail correspondence.
“They could have wreaked havoc on our systems,” said Marc Frons, the Times’s chief information officer. “But that was not what they were after.”
That is, the Times was concerned that the attackers might try to vandalize the network, either in revenge or to prevent more embarrassing articles from being published. Could they have coped? Could you?