Spoofed White House Card Dupes Many Gov't Employees, Steals Data
tsu doh nimh writes "A run-of-the-mill malware-laced e-mail that spoofed seasons greetings from The White House siphoned gigabytes of sensitive documents from dozens of victims over the holidays, including a number of government employees and contractors who work on cybersecurity matters, writes krebsonsecurity.com. The story looks at several victims who fell for the attack, and suggests it may be related to a series of similar document-harvesting runs throughout 2010. Government security vendor NetWitness notes that these types of incidents are blurring the lines between online financial fraud and espionage attacks."
Merry Christmas (Score:5, Funny)
Re: (Score:2)
To retrieve card just click on this totally legitimate official White House e-mail address: elvis.com.au/(something)
Yeah, that address actually appears in the card, according to TFA.
Like... seriously?
Merry Freaking XMas... (Score:2)
Re: (Score:2)
"The government can't keep track of used hard drives, so this is not a big threat in real terms."
Ok, so how about the government agency whose dept. heads were caught spending all their time in the office surfing for porn and generally goofing off last year? Were they a threat?
Re: (Score:2)
No, they were a blessing! They weren't actively involved in screwing the citizenry ;^)
Hey, whatd'ya know... (Score:2)
"malware-laced e-mail"
"contractors who work on cybersecurity "
I guess everyone falls for a good old spoof. Not just 70 year old grandmas like it was suggested in the last article on spoofing.
Practicin' my terminology... (Score:2)
"malware-laced e-mail"
Ok... isn't this a tautology?
"contractors who work on cybersecurity "
and isn't this an oxymoron?
Signed "anxious to learn"
Re: (Score:3)
No, not at all. This just shows that there are idiots everywhere. Anyone who's ever worked in IT has had to deal with a coworker or boss who is so incompetent that they'd probably screw up a fry-chef job at McDonalds. I'm not exactly shocked that a few of them clicked a spoofed e-mail.
Really? (Score:2)
Re: (Score:2)
Wikileaks Round 2!
Re: (Score:2)
Training has little to do with it. You need the personality traits of common sense and healthy suspicion, which no amount of training will imbue you with. At best, you can be a parrot, but won't be able to apply those traits to new and unknown situations, which is what was required here.
Re: (Score:3)
Training has little to do with it. You need the personality traits of common sense and healthy suspicion, which no amount of training will imbue you with. At best, you can be a parrot, but won't be able to apply those traits to new and unknown situations, which is what was required here.
Bull. Training has a lot to do with it. Sure, some people won't "get it" and continue to do stupid stuff while on a PC at work, but to blatantly write off training is stupid. Tons of Federal employees grew up without PCs and were "trained" to use them at work. Many of these folks actually pay attention to training and react accordingly to various situations.
However, there are those folks who will NEVER get it and continue to open up every email attachment they get regardless of who it comes from and if t
pack.exe as Perl/ZeuS Trojan? (Score:2)
Is it so hard to get Mac OS X, Linux or other OSes to run something Perl-like via a click-click of something cute in an email?
Could anyone make something stacked/packed to be Win7/OS X/Linux aware?
Re: (Score:2)
Off the top of my head I'd say that if you're executing something which you got from the internet, the executable bit will need to be turned on manually. Installing things also requires root privileges, so if you're using a *nix I'd say it's much harder to do that.
Re: (Score:2)
things also requires root privileges
Only if you're trying to install something that can fuck up the whole system. It's not hard at all to install Firefox in userspace, although it won't be available to other users unless they have rights to the directory it's installed in.
Windows is the OS that insists that all its programs be installed in root, and some idiots write programs that insist you run them as administrator (why does MS allow this?).
"Open the pod bay doors, HAL"
"I'm sorry, Dave, I can't do that."
Re: (Score:3)
It's not hard at all to install Firefox in userspace
It can be, if you mounted the home directories partition with "noexec".
Re: (Score:2)
Well, yes, it all depends on what distro and how you install it.
Re:pack.exe as Perl/ZeuS Trojan? (Score:5, Informative)
Really though, this is all superficial by comparison with multilevel security systems, which for someone with top secret clearance seems like an obvious measure. MLS policies should forbid a program that you download from some random website from even opening a file that is "Top Secret," let alone sending a copy to some other system. A lot of research went into such systems, which are designed around the assumption that the threats are internal (e.g. a malicious program that is already running on the system) and that the goal is to prevent leaks (as opposed to the more common goal of restricting unauthorized access).
Re: (Score:2)
I suggest a new stipulation in government contracts: You will be given a one-day basic data security course. You will be trained in how to identify emails which are not genuine, and how to dispose of them properly. Once completed, you will sign to say you have undertaken the course and will enact all advice and policy conta
Re: (Score:2)
Blame Windows. These vulnerabilities don't exist, or at least are not exploitable/exploited to the same degree on other platforms.
I'm still waiting for a -successful attack- like this on the Mac. Given the growing Apple market share, particularly concentrated at the high end (i.e. more wealthy) of the market, I'm still not buying the argument that 'all computers are equally vulnerable.' But then, I don't support purely random searches to prevent terrorism, either.
Re: (Score:2)
If anything, we should blame the IT staff.
Re: (Score:2)
Valid point, but I think we're conflating a couple of issues:
1. vulnerability to these kinds of attacks
2. existence of management controls to turn off some classes of access
You can't have "a random program from the net read classified documents" unless there's a cross-domain guard of some sort to bridge the classified and unclassified networks.
Re: (Score:2)
No evidence in the base article this was loaded on a machine in a -classified- network.
"lower market share" does NOT make attacks more difficult, it just reduces the number of potentially vulnerable machines.
Re: (Score:2)
MacOS X, which is Unix underneath the Apple GUI, doesn't have these problems, and it is a "viable desktop platform" (unless you're a sold-your-soul-to-Microsoft CIO/IT guy...)
Re: (Score:2)
...or you just don't see a need to shell out for a closed OS to get something *nix based when many Linux distros could do the job, while costing you less and keeping you free of Apple's whims...
Why Windows is to blame. (Score:3)
Apologists like you are why we have lousy computer security as a nation.
You blame the users, elsewhere people blame the sysadmins for not locking down the systems. Which is it? Neither, because the root problem is that Windows is designed to be used in a non-locked down mode.
How many people actually run Windows as no
Re: (Score:2)
How many people actually run Windows as non-admin users? It's a pain.
Actually in Win7 it's no worse than running Linux as a standard user. Most everything works, and for any corner cases that don't, you get a graphical popup window that prompts for a password.
In this particular case it isn't really Windows' fault. The only way to work around the Dancing Bunnies problem is to prevent the user from executing arbitrary code - on a Linux distro that doesn't have /home mounted as noexec, the exact same thing could have happened, with some idiot running Dancing Bunnies.sh that ins
Re: (Score:3)
How many people actually run Windows as non-admin users?
In an enterprise environment? The majority. On government systems? EVERYONE.
This e-card had nothing to do with admin rights, so claiming that "the root problem is that Windows is designed to be used in a non-locked down mode" is silly, at best.
Or, to put it in simpler words: "Apologists like you are why we have lousy computer security as a nation."
Re: (Score:3)
So, what you are saying is that it is impossible to lock down Windows so that it is secure?
Re: (Score:2)
Actually Windows only allows the program to run as whatever the current user is. The problem is that on XP and earlier, that was usually an administrator.
Re: (Score:3)
MLS policies should forbid a program that you download from some random website from even opening a file that is "Top Secret," let alone sending a copy to some other system.
I seriously question the idea that classified material was downloaded from any Government / Military computers by this malware; SIPRNET and NIPRNET are two distinct networks. No one is opening greeting card email on SIPRNET. It simply isn't happening.
There is a difference between For Official Use Only (FOUO), which can be on any gov computer, and actual classified material.
Now, *Contractors*, who knows...
If these "hackers" were serious, they would have sent out Lady GaGa cd's to random gubment employees...
Re: (Score:2)
Most GNU/Linux systems (and I assume but cannot really say for sure about Mac OS X) will not just execute an arbitrary file that you download. Generally you have to at least set execute permissions on the file to get it to run, or feed it to its interpreter on its own (if it is a script). Additionally, for a secure desktop, one would generally set "noexec" on the home directories partition, so that users cannot just execute random code.
Compressing the files before sending them gets around the victim having to set it as executable.
Using a shell script and telling the user to run it from /bin/sh will get around noexec.
When the majority of boxes run GNU/Linux we will still have to deal with clueless lusers rooting their boxes.
Re: (Score:2)
Hello Employee
Merry Christmas! Attached please find card. Remember to set executable bit to yes before running this jar file.
Regards
The Whitehouse
Ps - If you fell for this one you will need to retake your computer proficiency test.
Re:jar (Score:2)
Check out this Screensaver from the upcoming Star Wars MMO!
Binks.jar.jar
Re: (Score:3)
Why is the quality of malware better than the quality of some commercial SFW ware?
Re: (Score:2)
Because it's just so damned easy? Sadly, some of the "user friendly" settings Microsoft has done over the years make some of this stuff happen pretty easily -- stuff like hiding the extension of well known documents so that evil-virus.jpg.exe looks like evil-virus.jpg.
Hell, at one point, Microsoft made an urban myth true -- that you could get a virus/malware without even clicking on it, just by reading the email that
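The hidden-extension trick this post describes (evil-virus.jpg.exe shown as evil-virus.jpg), and the Binks.jar.jar and EXE-screensaver names elsewhere in the thread, are what a mail gateway should be catching. The checker below is an added example, not code from the article or from any vendor; it also covers two related disguises the thread does not mention, padding the name with spaces to push the real extension out of view and the Unicode right-to-left override character that reverses how the tail of a name is displayed. The extension lists and sample filenames are constructed for illustration.

```python
"""Classify e-mail attachment filenames that rely on deceptive extensions."""
import re
from dataclasses import dataclass

# Extensions Windows will run directly or hand to a script host.
# Assumption: illustrative list, not an exhaustive gateway policy.
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "hta", "jar", "msi", "lnk", "ps1",
}
# Extensions a user reads as "just a picture or document".
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt", "html"}
# Unicode bidi overrides used to make "card<RLO>gpj.exe" display as "cardexe.jpg".
BIDI_OVERRIDES = ("\u202d", "\u202e")


@dataclass
class Verdict:
    name: str
    risk: str      # "block", "review" or "ok"
    reason: str


def classify(name: str) -> Verdict:
    """Return a Verdict for one attachment name as it appears in the message."""
    if any(ch in name for ch in BIDI_OVERRIDES):
        return Verdict(name, "block", "bidi override character in filename")
    # Collapse whitespace so "card.jpg                 .exe" is seen as card.jpg.exe.
    compact = re.sub(r"\s+", "", name.strip().lower())
    parts = compact.split(".")
    if len(parts) < 2 or not parts[-1]:
        return Verdict(name, "review", "no usable extension")
    last = parts[-1]
    inner = parts[-2] if len(parts) >= 3 else None
    if last in EXECUTABLE_EXTS:
        if inner in DECOY_EXTS:
            return Verdict(name, "block", f"decoy .{inner} hides executable .{last}")
        if inner in EXECUTABLE_EXTS:
            return Verdict(name, "block", f"doubled executable extension .{inner}.{last}")
        return Verdict(name, "block", f"executable type .{last}")
    if inner in EXECUTABLE_EXTS:
        # "setup.exe.txt": not runnable as-is, but worth a human look.
        return Verdict(name, "review", f"executable .{inner} renamed to .{last}")
    return Verdict(name, "ok", "")


def triage(names):
    """Map each attachment name to its risk level; handy for a gateway log."""
    return {n: classify(n).risk for n in names}


if __name__ == "__main__":
    # Constructed sample attachment names, including the ones quoted in the thread.
    samples = [
        "evil-virus.jpg.exe",
        "Binks.jar.jar",
        "Glee Girls Nude.scr",
        "card.jpg                    .exe",
        "holiday\u202egpj.exe",
        "setup.exe.txt",
        "whitehouse-card.jpg",
    ]
    for sample in samples:
        v = classify(sample)
        print(f"{v.risk:6s} {sample!r}  {v.reason}")
```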
Re: (Score:2)
It's due to install base.
It's an easy attack, and the things that make Linux secure would not be tolerated by the general public. Having to set permission to execute? That would last 15 seconds before a demand to automate it happens. And then there you are.
As a note, install base isn't in and of itself the only reason, and it's foolish to think so.
Re: (Score:2)
Having to set permissions to execute something is quite rare. You either use something like a .deb or .rpm installer package, or download a .tar with the files already set as executable when you extract them.
New Rule: Detachment (Score:2)
OR - Never open an attachment to an email (or any file sent to you) unless you know who sent it to you, and you have confirmed that they did send it to you, and they did send it at a certain time and date with the same file name.
This should be mandatory for all employees who do not understand the danger of phishing, trojans or malware attacks.
Re: (Score:2)
New Rule:
Don't run an insecure operating system. One thing people forget about government employees is that they can be given fucking orders to change, and they don't have to fucking like it. You can literally tell people to "do it and shut up".
For example, when the USAF went from green screen Unix terminals to Windows, snivelling wasn't an option. Obey orders or be punished.
If security is ever taken seriously, issue orders to change, fry those who refuse, end of story.
Re: (Score:2)
You can't get your plausible deniability if you pick someone good!
Re: (Score:2)
But that would be the end of the government as we know it :(
Re: (Score:2)
Your username/post combo makes you sound like an anarchist :P
Re: (Score:2)
Rule 0: don't allow stupid people near important data.
Rule -1: Don't allow stupid people.
Re: (Score:2)
Running a different, more secure OS isn't security by obscurity (especially when going from closed source to open source). It's just better security.
Re: (Score:2)
new rule: don't allow attachments, ever.
Encryption? DRM? Hello? (Score:2)
I'm still amazed that you can just suck sensitive documents off people's computers. Wouldn't these be encrypted? Or at least require a certain key to open?
People put so much research into making your music/software only run on one computer (DRM) - and yet they can't extend it to only allow the opening of sensitive documents on certain computers? These aren't pictures of your last holiday in Greece...
Re: (Score:2)
These aren't pictures of your last holiday in Greece...
But I'm a suspected terrorist who just had a holiday in Greece! And I was sure those guys with cameras were government operatives! Well, at least the malware authors didn't get a good look at me in my speedos.
Re: (Score:2)
Too late, you've been caught - and what a ladies man you are!
http://www.sportouring.com/itemImages/image/borat-mankini-2.jpg [sportouring.com]
(^only technically SFW)
Re: (Score:2)
People believe encryption works differently than it does.
Bitlocker, for example, is largely worthless except in specific scenarios, because when you mount the drive, it becomes unencrypted for all users.
EFS is somewhat better, because the file contents will only be available to the user who owns the key, or who has access to import that key.
But neither will protect the currently logged in user or any processes he starts from accessing the documents. You need a vault for that. (Programs that encrypt/decrypt fi
Re: (Score:2)
Exactly, full-disk encryption adds to the computer's physical security, it adds nothing to software security.
Re: (Score:2)
Believe it or not, people do actually have to get work done, even with sensitive documents. Make it so e.g. they have to type in a 100-character passphrase and enter a one-time password from a key card every time they open the document, and they're going to leave the document open all the time or spoil the security in some other way.
Re: (Score:2)
If they required a key to open every file it would be too annoying.
But this sort of thing requires a DRM-ish approach (send A to C without B seeing when B and C are the same thing - the user's computer), which is somewhere between very difficult and impossible to pull off successfully.
I think the first step to securing these government networks is to switch to a more secure OS and go centralized. Use diskless network booting thin clients and/or virtualized desktops (I'm thinking they can use net-booting thi
they could stop it immediately (Score:2)
just by giving up their windows obsession and using Linux instead.
Re: (Score:2)
Right, because users never willingly install or run applications on Linux. Oh, but you're going to say that Linux provides granular enough security to prevent that. So does Windows, if you're using a recent version. Doesn't matter. This is an admin issue, and a social hacking issue.
Re: (Score:2)
I think most Linux users see desktops very similar (though IMO better) to Windows. They open programs the same way, look at directories the same way, etc.
And in both Windows and Linux, you can grab a terminal window and go all command line if you want to.
Re: (Score:2)
Imagine yourself offering phone tech support to these people during the switchover, trying to talk them through a simple command line task.
I actually had to do that. It was nearly impossible to get my sister to open a terminal window (she had never used it before and had no idea it even existed) on her Ubuntu laptop and type in "alsactl restore", but it turned out she just had her headset plugged in wrong, so it wasn't needed anyway.
So, problems so far when switching clueless users to Linux: 0
Problems avoided by not running Windows: OVER 9000!!!
Re: (Score:2)
Would not help.. at all.
They ran a program that did this, they could also be tricked into running a program in Linux.
Linux can NOT stop any user from doing stupid shit. It protects them in that properly set up recovery is simple.
Re: (Score:2)
It helps a lot to be running Linux because normal users can't extend or modify the operating system or its configuration. Normal Windows users (and processes they run) can.
Re: (Score:2)
Simple solution is not putting the sensitive documents as the user's documents but giving read permissions only to root or another user which has a separate password. If you want to access the documents, you need to su. If a program looks for them, it won't find them.
Re: (Score:2)
That's actually possible with Linux, and trivially easy to do. Mount /home as noexec, don't give user the root password, and they can click on the dancing bunnies all they want.
Read the victim list (Score:5, Insightful)
It's not so much the crime as the type of victims:
-An employee at the National Science Foundation’s Office of Cyber Infrastructure.
-An intelligence analyst in Massachusetts State Police
-An unidentified employee at the Financial Action Task Force, [in a government body whose purpose is to fight] money laundering and terrorist financing.
-An official with the Moroccan government’s Ministry of Industry, Commerce and New Technologies.
Me, I'm an idiot with no influence, but the people who set policies and can put people in jail should know better.
Belarus (Score:3, Insightful)
This type of activity is illegal in Belarus too. The streets there do have names and houses are numbered. True, it is not in English.
Still, if it was some kid, a call from Interpol to the Belarus police, and the employees probably could have their files back. Sometimes learning foreign languages at school could be very useful.
Re:Belarus (Score:4, Informative)
In the article it is written that files were sent to a server in Belarus. My point is that it is not like they were sent to Mars.
And if there were a good working relationship between criminal police in D.C. and in Minsk, this could be easily solved or even prevented.
"Criminal police" indeed (Score:2)
If the criminal police in the U.S. and those in Belarus had a good working relationship, presumably they would just cooperate to exploit their governmental authority to accomplish even more crime.
Re: (Score:2)
There might be information about the next link in the chain or there might not. If it was real espionage, I doubt there will be traces and there will be a number of intermediaries.
Re: (Score:2)
Belarus is a country in Eastern Europe, with the capital Minsk.
Re: (Score:2)
It's not a large, sea-going mammal with really large tusks?
Who knew?
So you mean (Score:3)
Interesting
Re: (Score:2)
What are you talking about? They don't leak out on their own. If someone installs a piece of software that grants a third party access to their desktop, then you've just had an insider getting involved. The difference is between an insider doing it stupidly but unintentionally, vs someone like PFC Manning, who stupidly did it on purpose.
Re: (Score:2)
- the HR "professional" that decided against providing proper drone training for handling highly sensitive documents
As a professional responsible for training and development programs, I have to take offence at that one. There is nothing indicating this was an issue with lack of training. In my experience one of the things the government is very good at is distributing trainings on how to handle sensitive materials. However one thing that many employees are bad at is learning things that don't immediately impact their day to day existence.
If dimwits or super egotistical self described savants can't be bothered to pay
freeze the bank account of the sender! (Score:2)
Block their credit cards too!
Re: (Score:2)
I had to give some phone tech support today to somebody who installed random internet toolbars and eventually complained to me about their machine running so slowly. It's not like they're a bad person, terrible at their job (the opposite, really), they're just terrible at maintaining a computer. I suppose it's a little more serious when you have sensitive information on your machine.
Earlier today I was also reading an article written b
Espionage Case-in-Point (Score:2)
A run-of-the-mill malware-laced e-mail that spoofed seasons greetings from The White House siphoned gigabytes of sensitive documents ... espionage attacks.
Looking for the upside here: It is nice to have a solid case of espionage as an example against which to compare and contrast WikiLeaks.
Hypothesis: When a person or organization uses deception or other coercion to manipulate a person with clearance into exposing sensitive information, that is espionage. Whether WikiLeaks engaged in espionage is a question
These gov employees are high-tech terrorists... (Score:2)
Sensitive Data + Malware Solution (Score:2)
If a government employee works with sensitive data and has his computer infected with malware due to his own mistake (esp. the types in cybersecurity), he should be fired and so should the networking guy who should have offloaded the sensitive data to a computer not connected to the Internet. This is what I consider unforgivable incompetence.
Re: (Score:2)
That's a great way to repeat the mistakes and keep retraining.
Or, you know, suck it up and fix the problem. THAT is what should happen.
But people like you want to run around blaming the victims.
Re: (Score:2)
Excuse me? *runs EXE screensaver advertising Glee Girls Nude!* *reveals nuclear codes*
*is upset when is fired for being stupid*
And I fail to see how a network admin is a "victim" when he "engineers" a crappy security system.
And I have worked for the federal government. You aren't even ALLOWED on a computer that can access the Internet until you go through security training. So better to fire the moron who doesn't pay attention to his RIDICULOUSLY FRIGGING IMPORTANT security training than
What do they earn? (Score:2, Interesting)
I'd love to see a salary list of all the morons that fell for this. I'm sure most make pretty solid money, yet are too stupid or gullible to see these obvious scams for what they are. Fucking pathetic. God bless America!
Re: (Score:2)
Naw AC, this $hit is *Different*. It's not anything at all like the $hit you grew up with, it's a whole new paradigm!
Re: (Score:3)
Error: Could not find string variable 'hit'
Re: (Score:2)
Good one.
It's an old joke from sites with silly profanity filters.
Re: (Score:3)
Ah, thanks. I always read that as "Solid State Disk Drive". I wondered why it was a mission name in MW2.
Re: (Score:3)
And I read it as Single Sided Double Density.
[John]
Re: (Score:2)
Holy crap how old are you? :P
Re: (Score:2)
http://en.wikipedia.org/wiki/National_Security_Agency [wikipedia.org]
Re: (Score:2)
Now we have Windows and any modem using UFO hunter can have a go.
Re: (Score:2)
Bush one didn't have the scope of attack, and in meat space, they did NOT have a handle on leaks.
You are correct in that government agency should move forward cautiously and wisely. However when they do that the citizens laugh at the 'old' systems.