Ongoing targeted attacks during Tibet, Burma controversy and Olympic torch protests

Unfortunately, targeted computer attacks commonly occur. This morning's NPR show exposed such problems in regards to activists and journalists in China. Sadly, not much data is public about these sorts of attacks and it would be easy to speculate that such types of attacks are on the rise. Sometimes, the groups being attacked do not want members to be exposed or further put into public light and sometimes they do not fully understand they are being attacked. The NPR audio mentioned groups like the Falun Gong, Students for a Free Tibet, Human Rights in China and some China-based foreign journalists. Often, the attackers' identities are more difficult to uncover than more entertaining examples we've given in the past. While spoofed sources may seem to be from friends or friendly members of organizations, the true source remains in the shadows, hiding university or seemingly public ip addresses.

The various code used in targeted attacks that we have evaluated to date are not terribly impressive pieces of malware. The trojans and spyware often are delivered over email as embedded data within files of all formats with enticing names that the recipient would most likely be interested in. For example, the NPR interview mentioned a "resume.doc" file that was delivered to current board members and staff of the targeted Students for a Free Tibet from the spoofed email address of an ex-board member. These Microsoft Word docs, Excel spreadsheets, malicious .chm help files, and Powerpoint slideshows usually are malformed in one way or another to attack vulnerabilities in flawed software on the receiver's side. When opened by outdated software, these maliciously crafted files and the included code drop and run trojans and spyware embedded in the files on the victim's system.
Most can be prevented by keeping software updated and patched, running security solutions, and as always, security in layers is recommended.

The audio mentions that most AV scanners are often evaded by the software components of these targeted attacks (an unusual admission from a member of the AV industry!). And that trojan builders create nastier rodents in response to the AV companies' better mousetraps.
ThreatFire is different -- our behavioral-based cat is bigger and faster than that little piece of cheese sitting on the wire and wood thing in the attic. Purrs like a kitten too.

Oak Ridge visitor db compromised

While the Oak Ridge National Lab may be known for high tech research like analytical chemistry, neutron science, and providing technology and expertise to support national and homeland security needs, they also might become known for a recent breach of security at their own premises. Granted, the only data they are reporting as having been compromised is their visitors database. Seriously.

"Oak Ridge National Laboratory (ORNL) recently experienced a sophisticated cyber attack that appears to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country. A hacker illegally gained access to ORNL computers by sending staff e-mails that appeared to be official legitimate communications. When the employees opened the attachment or accessed an embedded link, the hacker planted a program on the employees' computers that enabled the hacker to copy and retrieve information. The original e-mail and first potential corruption occurred on October 29, 2007. We have reason to believe that data was stolen from a database used for visitors to the Laboratory."

Targeted attacks like this one are more common than they were a couple of years ago. Be wary of incoming email attachments and hyperlinks.


UPDATE (12.13.2007): Speaking of data breaches and network intrusion, Bruce Schneier has a related post on his blog today about a newly released study. The UC Berkeley Samuelson Law, Technology, & Public Policy Clinic recently completed and released a study on "Security Breach Notification Laws: Views from Chief Security Officers". It evaluates the profound effects on practices within U.S. companies resulting from the implementation of security breach notification state laws. Great read.