Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Christmas Cheer Government Security United States IT

Spoofed White House Card Dupes Many Gov't Employees, Steals Data 173

tsu doh nimh writes "A run-of-the-mill malware-laced e-mail that spoofed seasons greetings from The White House siphoned gigabytes of sensitive documents from dozens of victims over the holidays, including a number of government employees and contractors who work on cybersecurity matters, writes krebsonsecurity.com. The story looks at several victims who fell for the attack, and suggests it may be related to a series of similar document-harvesting runs throughout 2010. Government security vendor NetWitness notes that these types of incidents are blurring the lines between online financial fraud and espionage attacks."
This discussion has been archived. No new comments can be posted.

Spoofed White House Card Dupes Many Gov't Employees, Steals Data

Comments Filter:
  • by Dexter Herbivore ( 1322345 ) on Wednesday January 05, 2011 @08:05AM (#34764008) Journal
    Honourable employees of venerable government of USA. Please click on link to receive free gift from People's Republic of... ummm... errr... Canada!
    • To retrieve card just click on this totally legitimate official White House e-mail address: elvis.com.au/(something)

      Yeah, that address actually appears in the card, according to TFA.

      Like... seriously?

  • The governmint can't keep track of used hard drives, so this is not a big threat in real terms. When they can tell the US citizens where all the data for nukes and secrets is on their hard drives I'll care more about malware in emails.
    • :The government can't keep track of used hard drives, so this is not a big threat in real terms."

      Ok, so how about the government agency who's dept. heads were caught spending all their time in the office surfing for porn and generally goofing off last year? Were they a threat?

  • "malware-laced e-mail"
    "contractors who work on cybersecurity "

    I guess everyone falls for a good old spoof. Not just 70 year old grandmas like it was suggested in the last article on spoofing.

    • "malware-laced e-mail"

      Ok... isn't this a tautology?

      "contractors who work on cybersecurity "

      and isn't this an oxymoron?

      Signed "anxious to learn"

    • No, not at all. This just shows that there are idiots everywhere. Anyone who's ever worked in IT has had to deal with a coworker or boss who is so incompetent that they'd probably screw up a fry-chef job at McDonalds. I'm not exactly shocked that a few of them clicked a spoofed e-mail.

  • The people entrusted with these sensitive documents are not trained to check for digital signatures on emails that come from "the white house?" Do these people even bother to sign their messages?
    • Wikileaks Round 2!

    • by Alumoi ( 1321661 )
      Trained people do NOT get those jobs.
      • by arth1 ( 260657 )

        Training has little to do with it. You need the personality traits of common sense and healthy suspicion, which no amount of training will imbue you with. At best, you can be a parrot, but won't be able to apply those traits to new and unknown situations, which is what was required here.

        • Training has little to do with it. You need the personality traits of common sense and healthy suspicion, which no amount of training will imbue you with. At best, you can be a parrot, but won't be able to apply those traits to new and unknown situations, which is what was required here.

          Bull. Training has alot to do with it. Sure some people won't "get it" and continue to do stupid stuff while on a PC at work, but to blatantly write off training is stupid. Tons of Federal employees grew up without PCs and were "trained" to use them at work. Many of these folks actually pay attention to training and react accordingly to various situations.

          However, there are those folks who will NEVER get it and continue to open up every email attachment they get regardless of who it comes from and if t

  • Really silly q, but why do the scripts seem to be just so Windows based/Windows friendly?
    Is it so hard to get Mac OS X, Linux or other OS's to run something perl like via a click click of something cute in a email?
    Could anyone make something stacked/packed to be Win7/OS X/Linux aware?
    • Off the top of my head I'd say that if you're executing something which you got from the internet, the executable bit will need to be turned on manually. Installing things also requires root privilages, so if you're using a *nix I'd say its much harder to do that.

      • by mcgrew ( 92797 ) *

        things also requires root privilages

        Only if you're trying to install something that can fuck up the whole system. It's not hard at all to install FireFox in userspace, although it won't be available to other users unless they have rights to the directory it's installed in.

        Windows is the OS that insists that all its programs be installed in root, and some idiots write programs that insist you run them as administrator (why does MS allow this?).

        "Open the pod bay doors, HAL"
        "I'm sorry, Dave, I can't do that."
        "

    • by betterunixthanunix ( 980855 ) on Wednesday January 05, 2011 @08:16AM (#34764070)
      Most GNU/Linux systems (and I assume but cannot really say for sure about Mac OS X) will not just execute an arbitrary file that you download. Generally you have to at least set execute permissions on the file to get it to run, or feed it to its interpreter on its own (if it is a script). Additionally, for a secure desktop, one would generally set "noexec" on the home directories partition, so that users cannot just execute random code.

      Really though, this is all superficial by comparison with multilevel security systems, which for someone with top secret clearance seems like an obvious measure. MLS policies should forbid a program that you download from some random website from even opening a file that is "Top Secret," let alone sending a copy to some other system. A lot of research went into such systems, which are designed around the assumption that the threats are internal (e.g. a malicious program that is already running on the system) and that the goal is to prevent leaks (as opposed to the more common goal of restricting unauthorized access).
      • by AHuxley ( 892839 )
        Thanks, you would think Windows would be banned, reduced to admin ect. No air gap. UFO seekers with dial up and now more perl fun. I guess Windows keeps the 'fix it again' contractors very busy and happy.
        • Don't blame Windows. This was a case of government employees being duped by an email Christmas Card. They may as well have "checked out this screensaver!" or pictures of "Anna Kornikova"

          I suggest a new stipulation in government contracts: You will be given a one-day basic data security course. You will be trained in how to identify emails which are not genuine, and how to dispose of them properly. Once completed, you will sign to say you have undertaken the course and will enact all advice and policy conta
          • Blame Windows. These vulnerabilities don't exist, or at least are not exploitable/exploited to the same degree on other platforms.

            I'm still waiting for a -successful attack- like this on the Mac. Given the growing Apple market share, particularly concentrated at the high end (i.e. more wealthy) of the market, I'm still not buying the argument that 'all computers are equally vulnerable.' But then, I don't support purely random searches to prevent terrorism, either.

            • Interestingly, Mac OS X (last I checked) did not have a built in MLS policy framework; Windows 2000 and up do, and enterprise GNU/Linux distros do. It really comes down to a question of competence, namely, are these systems configured to actually take advantage of their security systems? Unfortunately, the answer appears to be no; you can sneak data out of secure environments using a CD, you can have a random program from the net read classified documents, etc.

              If anything, we should blame the IT staff.
              • Valid point, but I think we're conflating a couple of issues:
                    1. vulnerability to these kinds of attacks
                    2. existence of management controls to turn off some classes of access

                You can't have "a random program from the net read classified documents" unless there's a cross-domain guard of some sort to bridge the classified and unclassified networks.

            • These attacks are more difficult because as you say, lower market share makes other OSs less tempting targets, and also they are more secure by default (noexec on home directory), but that is not the issue. A government employee downloaded an eCard, and opened it, while attached to a classified network. That's a user-land issue, not a software issue. It doesn't matter how secure your OS / network is when you have users that careless / dumb.
              • No evidence in the base article this was loaded on a machine in a -classified- network.

                "lower market share" does NOT make attacks more difficult, it just reduces the number of potentially vulnerable machines.

          • Don't blame Windows. This was a case of government employees being duped by an email Christmas Card. They may as well have "checked out this screensaver!" or pictures of "Anna Kornikova"

            Apologists like you are why we have lousy computer security as a nation.

            You blame the users, elsewhere people blame the sysadmins for not locking down the systems. Which is it? Neither, because the root problem is that Windows is designed to be used in a non-locked down mode.

            How many people actually run Windows as no

            • How many people actually run Windows as non-admin users? It's a pain.

              Actually in Win7 it's no worse than running Linux as a standard user. Most everything works, and for any corner cases that don't, you get a graphical popup window that prompts for a password.

              In this particular case it isn't really Windows' fault. The only way to work around the Dancing Bunnies problem is to prevent the user from executing arbitrary code - on a Linux distro that doesn't have /home mounted as noexec, the exact same thing could have happened, with some idiot running Dancing Bunnies.sh that ins

            • How many people actually run Windows as non-admin users?

              In an enterprise environment? The majority. On government systems? EVERYONE.

              This e-card had nothing to do with admin rights, so claiming that "the root problem is that Windows is designed to be used in a non-locked down mode" is silly, at best.

              Or, to put it in simpler words: "Apologists like you are why we have lousy computer security as a nation."

              • In an enterprise environment? The majority. On government systems? EVERYONE.

                So, what you are saying is that it is impossible to lock down Windows so that it is secure?

      • MLS policies should forbid a program that you download from some random website from even opening a file that is "Top Secret," let alone sending a copy to some other system.

        I seriously question the idea that Classified was downloaded from any Government / Military computers by this malware, SIPRNET and NIPRNET are two distinct networks. No one is opening greeting card email on SIPRNET. It simply isn't happening.

        There is a difference between For Official Use Only (FOUO), which can be on any gov computer, and actual classified material.

        Now, *Contractors*, who knows...

        If these "hackers" were serious, they would have sent out Lady GaGa cd's to random gubment employees...

      • Most GNU/Linux systems (and I assume but cannot really say for sure about Mac OS X) will not just execute an arbitrary file that you download. Generally you have to at least set execute permissions on the file to get it to run, or feed it to its interpreter on its own (if it is a script). Additionally, for a secure desktop, one would generally set "noexec" on the home directories partition, so that users cannot just execute random code.

        Compressing the files before sending them gets around the victim having to set it as executable.

        Using a shell script and telling the user to run it from /bin/sh will get around noexec.

        When the majority of boxes run GNU/Linux we will still have to deal with clueless lusers rooting their boxes.

    • You could write it in something cross-platform and common, like Java, and trick people into opening the .jar file and running the program.
      • Hello Employee

        Merry Christmas! Attached please find card. Remember to set executable bit to yes before running this jar file.

        Regards

        The Whitehouse

        Ps - If you fell for this one you will need to retake your computer proficiency test.

      • Check out this Screensaver from the upcoming Star Wars MMO!

        Binks.jar.jar

    • Why is the quality of malware better than the quality of some commercial SFW ware?

    • Really silly q, but why do the scripts seem to be just so Windows based/Windows friendly?

      Because it's just so damned easy? Sadly, some of the "user friendly" settings Microsoft has done over the years makes some of this stuff happen pretty easily -- stuff like hiding the extension of well known documents so that evil-virus.jpg.exe looks like evil-virus.jpg.

      Hell, at one point, Microsoft made an urban myth true -- that you could get a virus/malware without even clicking on it, just by reading the email that

    • by geekoid ( 135745 )

      It's due to install base.

      It's an easy attack, and the things that make Linux secure would not be tolerated by the general public. Having to set permission to execute? that wuold last 15 seconds before a demand to automate it happen. And then there you are.

      AS a note, install base isn't in and of itself the only reason, and it's foolish to think so.

      • Having to set permissions to execute something is quite rare. You either use something like a .deb or .rpm installer package, or download a .tar with the files already set as executable when you extract them.

  • New Rule: NEVER open an attachment.
    OR - Never open an attachment to an email (or any file sent to you) unless you know who sent it to you, and you have confirmed that they did send it to you, and they did send it at a certain time and date with the same file name.

    This should be mandatory for all employees who do not understand the danger of phishing, trojans or malware attacks.
    • New Rule:

      Don't run an insecure operating system. One thing people forget about government employees is that they can be given fucking orders to change, and they don't have to fucking like it. You can literally tell people to "do it and shut up".

      For example, when the USAF went from green screen Unix terminals to Windows, snivelling wasn't an option. Obey orders or be punished.

      If security is ever taken seriously, issue orders to change, fry those who refuse, end of story.

    • by geekoid ( 135745 )

      new rule: don't allow attachments, ever.

  • I'm still amazed that you can just suck sensitive documents off people's computers. Wouldn't these be encrypted? Or at least require a certain key to open?

    People put so much research into making your music/software only run on one computer (DRM) - and yet they can't extend it to only allow the opening of sensitive documents on certain computers? These aren't pictures of your last holiday in Greece...

    • These aren't pictures of your last holiday in Greece...

      But I'm a suspected terrorist who just had a holiday in Greece! And I was sure those guys with cameras were government operatives! Well, at least the malware authors didn't get a good look at me in my speedos.

    • by arth1 ( 260657 )

      People believe encryption works differently than it does.
      Bitlocker, for example, is largely worthless except specific scenario, because when you mount the drive, it becomes unencrypted for all users.
      EFS is somewhat better, because the file contents will only be available to the user who owns the key, or who has access to import that key.

      But neither will protect the currently logged in user or any processes he starts from accessing the documents. You need a vault for that. (Programs that encrypt/decrypt fi

      • Exactly, full-disk encryption adds to the computer's physical security, it adds nothing to software security.

    • Believe it or not, people do actually have to get work done, even with sensitive documents. Make it so e.g. they have to type in a 100-character passphrase and enter a one-time password from a key card every time they open the document, and they're going to leave the document open all the time or spoil the security in some other way.

    • If they required a key to open every file it would be too annoying.

      But this sort of thing requires a DRM-ish approach (send A to C without B seeing when B and C are the same thing - the user's computer), which is somewhere between very difficult and impossible to pull off successfully.

      I think the first step to securing these government networks is to switch to a more secure OS and go centralized. Use diskless network booting thin clients and/or virtualized desktops (I'm thinking they can use net-booting thi

  • just by giving up their windows obsession and using Linux instead.

    • just by giving up their windows obsession and using Linux instead

      Right, because users never willingly install or run applications on Linux. Oh, but you're going to say that Linux provides granular enough security to prevent that. So does Windows, if you're using a recent version. Doesn't matter. This is an admin issue, and a social hacking issue.
    • You're suggesting Linux as a solution to people who click on random email attachments? Aside from software compatibility issues, these people are probably barely capable of doing what they do on Windows, which they use at home and can ask other people about, and are already used to. Imagine yourself offering phone tech support to these people during the switchover, trying to talk them through a simple command line task. Personally, that thought makes me cringe.
      • Um, you do know about KDE, Gnome, and other desktops that make it where users don't need to open terminal windows, right?

        I think most Linux users see desktops very similar (though IMO better) to Windows. They open programs the same way, look at directories the same way, etc.

        And in both Windows and Linux, you can grab a terminal window and go all command line if you want to.
      • Imagine yourself offering phone tech support to these people during the switchover, trying to talk them through a simple command line task.

        I actually had to do that, it was nearly impossible to get my sister to open a terminal window (she had never used it before and had no idea it even existed) on her Ubuntu laptop and type in "alsactl restore" but it turned out she just had her headset plugged in wrong, so it wasn't needed anyway.

        So, problems so far when switching clueless users to Linux: 0

        Problems avoided by not running Windows: OVER 9000!!!

    • by geekoid ( 135745 )

      Would not help.. at all.

      They ran a program that did this, they could also be tricked into running a program in Linux.

      Linux can NOT stop any user from doing stupid shit. It protects them in that properly set up recovery is simple.

      • by JustNiz ( 692889 )

        It help a lot to be running Linux because normal users cant extend or modify the operating system or its configuration. Normal Windows users (and processes they run) can.

  • by Anonymous Coward on Wednesday January 05, 2011 @08:32AM (#34764176)

    It's not so much the crime than the type of victims:

    -An employee at the National Science Foundation’s Office of Cyber Infrastructure.
    -An intelligence analyst in Massachusetts State Police
    -An unidentified employee at the Financial Action Task Force, [in a government body whose purpose is to fight] money laundering and terrorist financing.
    -An official with the Moroccan government’s Ministry of Industry, Commerce and New Technologies.

    Me, I'm an idiot with no influence, but the people who set policies and can put people in jail should know better.

  • Belarus (Score:3, Insightful)

    by Max_W ( 812974 ) on Wednesday January 05, 2011 @08:47AM (#34764260)

    This type of activity is illegal in Belarus too. The streets there do have names and houses are numbered. True, it is not in English.

    Still if it was some kid, a call from the Interpol to Belarus police, and the employees probably could have they files back. Sometimes learning foreign languages at school could be very useful.

    • by socsoc ( 1116769 )
      What?
      • Re:Belarus (Score:4, Informative)

        by Max_W ( 812974 ) on Wednesday January 05, 2011 @09:10AM (#34764430)

        In the article it is written that files were sent to a server in Belarus. My point is that it is not like they were sent to the Mars.

        And if there were a good working relationship between criminal police in D.C. and in Minsk, this could be easily solved or even prevented.

        • If the criminal police in the U.S. and those in Belarus had a good working relationship, presumably they would just cooperate to exploit their governmental authority to accomplish even more crime.

        • Dude, while I have no special information, that is most likely just a compromised box and the files were ultimately sent elsewhere.

          There might be information about the next link in the chain or there might not. If it was real espionage, I doubt there will be traces and there will be a number of intermediaries.
      • by Max_W ( 812974 )

        Belarus is a country in Eastern Europe, with the capital - Minsk.

  • by VincenzoRomano ( 881055 ) on Wednesday January 05, 2011 @08:52AM (#34764304) Homepage Journal
    That GOV documents like ehm ... cables can LEAK out without the intervantion of an insider?
    Interesting ... indeed.
    • without the intervantion of an insider?

      What are you talking about? They don't leak out on their own. If someone installs a piece of software that grants a third party access to their desktop, then you've just had an insider getting involved. The difference is between an insider doing it stupidly but unintentionally, vs someone like PFC Manning, who stupidly did it on purpose.
  • isn't this the obvious solution to hit these bad people who do such things?

    Block their credit cards too!

    • If only.... Maybe we should hit the recipients who fell for it? Naw....

      I had to give some phone tech support today to somebody who installed random internet toolbars and eventually complained to me about their machine running so slowly. It's not like they're a bad person, terrible at their job (the opposite, really), they're just terrible at maintaining a computer. I suppose it's a little more serious when you have sensitive information on your machine.

      Earlier today I was also reading an article written b
  • A run-of-the-mill malware-laced e-mail that spoofed seasons greetings from The White House siphoned gigabytes of sensitive documents ... espionage attacks.

    Looking for the upside here: It is nice to have a solid case of espionage as an example against which to compare and contrast WikiLeaks.

    Hypothesis: When a person or organization uses deception or other coercion to manipulate a person with clearance into exposing sensitive information, that is espionage. Whether WikiLeaks engaged in espionage is a question

  • They should be charged with sexual crimes and placed under house arrest forthwith...
  • If a government employee works with sensitive data and has his computer infected with malware due to his own mistake (esp. the types in cybersecurity), he should be fired and so should the networking guy who should have offloaded the sensitive data to a computer not connected to the Internet. This is what I consider unforgivable incompetence.

    • by geekoid ( 135745 )

      That's a great way ti repeat the mistakes and keep retraining.

      Or, you know suck it up and fix the problem. THAT is what should happen.

      But people like you want to run around blaming the victims.

      • blaming the victims

        Excuse me? *runs EXE screensaver advertising Glee Girls Nude!* *reveals nuclear codes*
        *is upset when is fired for being stupid*

        And I fail to see how a network admin is a "victim" when he "engineers" a crappy security system.

        And I have worked for the federal government. You aren't even ALLOWED on a computer that can access the Internet until you go through security training. So better to fire the moron who doesn't pay attention to his RIDICULOUSLY FRIGGING IMPORTANT security training than

  • What do they earn? (Score:2, Interesting)

    by Anonymous Coward

    I'd love to see a salary list of all the morons that fell for this. I'm sure most make pretty solid money, yet are too stupid or gullible to see these obvious scams for what they are. Fucking pathetic. God bless america!

Understanding is always the understanding of a smaller problem in relation to a bigger problem. -- P.D. Ouspensky

Working...