Secure Coding mailing list archives

State Department break-in last summer


From: ed.reed at aesec.com (Ed Reed)
Date: Thu, 19 Apr 2007 09:14:45 -0400

http://news.yahoo.com/s/ap/20070419/ap_on_hi_te/hackers_state_department

This article describes a Trojan horse attack introduced via MS Office
(Word) documents that provided remote access by adversaries to
compromised systems.  It doesn't say if the exploit - "design flaw" -
was intentionally introduced (a product of deliberate subversion) or
not.  While the article may provide "comfort" to the "defense in depth"
crowd (the State Department THINKS the issue was discovered immediately
- but then again, after they were made aware of it - so they knew what
to watch for - they found numerous other compromised systems, so I
wonder how many haven't (yet) been caught).

This isn't terribly surprising, but it brings to mind a new insight (for
me, anyway) into the issue that government and commercial customers are
facing.

We've (Aesec) been saying that subversion (deliberately introduced
design and implementation defects into a customer's IT supply chain) is
the preferred avenue of attack of professional adversaries, and I agree
that it is.

We've (Aesec) also noted that the commercial security industry is
largely focused, instead, on discovering and patching software defects
that can be easily discovered (via fuzzing and testing) and exploited to
gain access to systems.

Both those two avenues can lead to serious security breaches.

But it's not necessary to plant an operative into a vendor's shop in a
position to introduce flaws into software to gain advantage.  Simply
knowing enough about the internal design and implementation of the
system is likely to provide the adversary with the knowledge and
opportunity to discover paths of attack that can be researched at their
leisure, held until needed as what would be considered a private "zero
day exploit".

So at one end of the spectrum of malicious attacks are pure opportunists
(including amateurs and script kiddies) using defects discovered through
fuzzing interfaces and related black box testing techniques.  At the
other end of the scale are paid professional operatives infiltrating
vendor development and delivery supply chains to introduce defects
intentionally.  And in the middle are those with "gray box" knowledge of
products involved, who are in a better position than the public to
identify attack vectors worth investigating.

This middle ground would seem to significantly increase the threat -
there are many more jobs in vendor organizations (and their supply and
support chains) that provide privileged insight to product design,
development, implementation and delivery than there are with direct code
modification roles in the product.  So I think you'd have to assume that
the pool of unreported zero day exploits may be much larger than
generally expected.

Just a thought.

This doesn't reduce the challenge or need to deal with subversion by the
professional adversary - it just expands my appreciation for the size of
the threat customers face.

Ed


  State Department got mail - and hackers


By TED BRIDIS, Associated Press Writer, Wed Apr 18, 8:29 PM ET

A break-in targeting State Department computers worldwide last summer
occurred after a department employee in Asia opened a mysterious e-mail
that quietly allowed hackers inside the U.S. government's network.

*In the first public account revealing details about the intrusion and
the government's hurried behind-the-scenes response, a senior State
Department official described an elaborate ploy by sophisticated
international hackers. They used a secret break-in technique that
exploited a design flaw in Microsoft software.*

Consumers using the same software remained vulnerable until months
afterward.

Donald R. Reid, the senior security coordinator for the Bureau of
Diplomatic Security, also confirmed that a limited amount of U.S.
government data was stolen by the hackers until tripwires severed all
the State Department's Internet connections throughout eastern Asia. The
shut-off left U.S. government offices without Internet access in the
tense weeks preceding missile tests by North Korea.

Reid was scheduled to testify Thursday at a cybersecurity hearing for a
House Homeland Security subcommittee. He was expected to tell lawmakers
an employee in the State Department's Bureau of East Asian and Pacific
Affairs --- which coordinates diplomacy in countries including China,
the Koreas and Japan --- opened a rigged e-mail message in late May
giving hackers access to the government's network.

*The chairman of the Homeland Security Committee, Rep. Bennie Thompson,
D-Miss., said hackers are no longer
considered harmless, bored teenagers. "These are experienced,
sophisticated people who are trying to exploit our vulnerabilities and
gain access to our information," Thompson said.*

Reid was not expected to disclose the identities or nationalities of the
hackers believed to be responsible for the break-ins or to disclose
whether U.S. authorities believe a foreign government was responsible.
The department struggled with the break-ins between May and early July.

*The panel's chairman, Rep. James R. Langevin, D-R.I., called
cybersecurity an often-overlooked line of defense. "Since much of our
critical infrastructure is dependent on computers and networks and is
interconnected and interdependent, a cyberattack could disrupt major
services and cripple economic activity," Langevin said.*

The mysterious State Department e-mail appeared to be legitimate and
included a Microsoft Word document with material from a congressional
speech related to Asian diplomacy, Reid said. By opening the document,
the employee activated hidden software commands establishing what Reid
described as backdoor communications with the hackers.

*The technique exploited a previously unknown design flaw in Microsoft's
Office software, Reid said.* State Department officials worked with the
Homeland Security Department and even the FBI to urge Microsoft to
develop quickly a protective software patch, but the company did not
offer the patch until Aug. 8 --- *roughly eight weeks after the break-in.*

Microsoft said it works as quickly as possible to provide customers with
security updates.

"If we release a security update that is not adequately tested, we could
potentially put customers at risk, especially as the release of an
update can lead to reverse-engineering the fix and lead to broader
attacks," said Microsoft's senior security strategist, Phil Reitinger.
"Updates must be able to be deployed by customers with confidence."

At the time, Microsoft described the software flaw as "a newly
discovered, privately reported vulnerability" but did not suggest any
connection to the U.S. government break-in. It urged consumers to apply
the update immediately. It also recommended that consumers not open or
save Microsoft Office files they receive from sources they don't trust
or files they receive unexpectedly from trusted sources.

*The State Department detected its first break-in immediately, Reid
said, and worked to block suspected communications with the hackers. But
during its investigation, it discovered new break-ins at its Washington
headquarters and other offices in eastern Asia, Reid said.*

*At first, the hackers did not immediately appear to try stealing any
U.S. government data. Authorities quietly monitored the hackers'
activity, then tripwires severed Internet connections in the region
after a limited amount of data was detected being stolen, Reid said.*

Reid also complained the State Department's efforts to deal quietly with
the break-in were disrupted by news reports. The Associated Press was
first to reveal the intrusions.

"We were successful here until a newspaper article telegraphed what we
were dealing with," Reid said.

Copyright © 2007 The Associated Press. All rights reserved. The
information contained in the AP News report may not be published,
broadcast, rewritten or redistributed without the prior written
authority of The Associated Press.
