10 January 2012
A lot of pixels have been spilled in the last few years about "advanced persistent threats" (APT); if nothing else, any high-end company that has been penetrated wants to blame the attack on an APT. But what is an APT, other than (as best I can tell) an apparent codename for China? Do they exist?
After thinking about it for a while, I came up with the following representation:
I dub the lower left "joy hacks". These are the province of the script kiddie or the novice hacker. They've learned about "cool" tools, and they try them out on anyone in reach. Ordinary care will generally deflect joy hackers.
As the attackers' skill level moves up, you get what I call "random hacks". (I'm not fond of that name; any better suggestions?) People who write new worms often fall into this class, especially if the worms exploit 0-days. But worms are generally random in their targets. If you're a spammer or a botnet builder, though, that's fine; a low-bandwidth node may not be able to spew as much garbage as a well-connected one, but as the saying goes, "from each according to his ability". Your best defense here is the usual technical litany: turning off unneeded services, keeping up to date on patches, etc.
The X axis, which reflects targeting, does not necessarily imply particular technical measures. In general, though, it means that the attacker will gather as much intelligence as is feasible about the target. (Again, I'm quite unhappy with my name, especially when I have to translate it into the noun for the attacker.) Spear-phishing attacks, which show a knowledge of the organization and the victim and perhaps the purported source of the message, show the efficacy of this. The attacks themselves may not be novel, but the extra information the attacker has helps immensely. This is an arena where education and process help.
The upper right (or the upper right of the upper right) is, of course, the Advanced Persistent Threat, what John Ehrlichman so memorably called the "big enchilada". Here, you need everything you can bring to bear and then some: patches, education, process, luck, and perhaps sacrificing the entrails of a virgin artichoke on your keyboards.
Do APTs exist? Assuredly; if it accomplished nothing else, Stuxnet showed that. Are most attacks on high-profile companies APTs? I suspect that some are and some are not — but I haven't investigated or even reviewed the investigation of any of them, so I won't comment. Are nation-states behind APTs? Unknown and probably unknowable, though the more sophisticated the attack (and especially the more comprehensive and sophisticated the target intelligence was), I'd say it becomes more likely (which is not the same as "likely"). Should you worry about APTs? Ask yourself this: who would be likely to target you, and how good are they?
13 January 2012
I received a call recently from someone at the prescription drug benefit plan administrator for Columbia University. Most likely, she wanted me to buy my medicines from their mail-order pharmacy operation, rather than buying locally. The merits of that aside (thanks, but I prefer to buy locally at a non-chain store; at the least, my local pharmacist tries to help me, rather than some mega-corporation's bottom line), she wanted me to authenticate myself before mentioning any of the medicines I take. That's not unreasonable — but before I'd give out any sensitive information about myself, I wanted her to authenticate herself. She acted like she'd never received that response before.
Bilateral authentication is a difficult problem, even harder than the already-difficult problem of unilateral authentication. CallerID isn't helpful; bad guys are already spoofing it. If I give out a few digits of my social security number, repeated attacks can collect it all. Some folks handle this well. When I made the same request of American Express last year, the representative obviously knew what to say: she immediately said to call the number on my card, and told me exactly what to press and say to complete the transaction she was asking me about. (But not all parts of that company get it right. A year ago, I got a fraud alert on an attempted transaction, telling me to call a particular 800 number to authorize it. Naturally, I called the number on my card instead. It took rather more talking and relaying to get through to someone who could Do the Right Thing, since it was a false positive on their part.)
I doubt that there's a technical solution here, unless you have (and have access to) a pair of secret numbers, one used for authentication in each direction. But getting the process right, and telling people to call back via a number they already have, can work, especially if the account can be flagged to send that specific call to the right place.
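As an added illustration of the "pair of secret numbers, one for each direction" idea (example code, not from the original post): a challenge-response exchange in which the customer authenticates the caller before disclosing anything, then the caller authenticates the customer. The keys, party names and direction labels are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed keys: one lets the plan administrator prove itself to the
# customer, the other lets the customer prove itself to the administrator.
KEY_PLAN_TO_CUSTOMER = b"constructed-key-plan-proves-itself"
KEY_CUSTOMER_TO_PLAN = b"constructed-key-customer-proves-itself"


def answer(key: bytes, direction: bytes, challenge: bytes) -> str:
    """HMAC-SHA256 over the direction label and the challenge. Binding the
    direction in means a response made for one direction is never valid
    proof in the other, even if someone replays it."""
    return hmac.new(key, direction + b"|" + challenge, hashlib.sha256).hexdigest()


def verify(key: bytes, direction: bytes, challenge: bytes, response: str) -> bool:
    return hmac.compare_digest(answer(key, direction, challenge), response)


class Party:
    """One end of the phone call, holding whatever keys it actually knows."""

    def __init__(self, name: str, plan_key: bytes, customer_key: bytes):
        self.name, self.plan_key, self.customer_key = name, plan_key, customer_key

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh per call, so answers can't be reused


def bilateral_auth(customer: Party, caller: Party) -> dict:
    """The flow from the post: customer checks the caller first; nothing
    sensitive is released unless that check passes."""
    c1 = customer.challenge()
    r1 = answer(caller.plan_key, b"plan->customer", c1)
    if not verify(customer.plan_key, b"plan->customer", c1, r1):
        return {"caller_authenticated": False, "customer_authenticated": False}
    c2 = caller.challenge()
    r2 = answer(customer.customer_key, b"customer->plan", c2)
    customer_ok = verify(caller.customer_key, b"customer->plan", c2, r2)
    return {"caller_authenticated": True, "customer_authenticated": customer_ok}


if __name__ == "__main__":
    alice = Party("customer", KEY_PLAN_TO_CUSTOMER, KEY_CUSTOMER_TO_PLAN)
    plan = Party("plan administrator", KEY_PLAN_TO_CUSTOMER, KEY_CUSTOMER_TO_PLAN)
    impostor = Party("spoofed caller", b"wrong-guess", b"")  # has CallerID, not the key
    print(bilateral_auth(alice, plan))
    print(bilateral_auth(alice, impostor))
```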
18 January 2012
There's been enough coverage of SOPA (the truly awful House bill) and PIPA (the not-quite-as-awful but still pretty bad Senate bill) that I won't bother with links. USACM has sent letters on PIPA and SOPA to the Senate and House Judiciary Committees. You can find the letters and the analyses here: