Internet Security Systems - AlertCon(TM)

The Google Attacks

Posted by Tom Cross on January 15, 2010 at 2:18 PM EST.

There seems to be a great deal of confusion in the media about which vulnerabilities were used in the attacks Google reported earlier this week. Some media reports, attributed to iDefense, indicate that an Adobe Acrobat vulnerability was used. A SANS diary entry provides a detailed analysis of one of the PDF samples. McAfee later reported a new Internet Explorer vulnerability and stated that they saw no evidence of PDF-based attacks, and Adobe subsequently posted a blog entry stating that its software was not a vector.

My guess is that the confusion stems from the fact that there is a wide range of sophisticated, targeted attacks going on all the time. I suspect that there have been attacks incorporating both vulnerabilities. Whether those attacks are part of the same intelligence operation or of different ones is really irrelevant. The fact is that networks need to be protected against both vulnerabilities.

For any of our customers concerned about either vector (regardless of whether the two are related), we have obtained samples of the PDF attack mentioned by SANS and of the page that serves the IE exploit mentioned by McAfee, and we do block both with blocking IPS signatures when we observe them in the clear on a network. (A network signature cannot see inside an encrypted session, so an exploit delivered over SSL is only caught if that traffic is decrypted for inspection before it reaches the sensor.) Here is our alert on the PDF issue and our alert on the Microsoft issue.

The usual MO for these attacks is spear phishing. Targets receive an email that appears to come from a reputable source and carries either a web link or an attachment that is relevant to that person. The people who send these emails have usually researched their targets well enough to know what sort of content they are likely to click on. For example, attacks a couple of years ago against Tibetan activists used an attachment that claimed to contain information about the political situation in Tibet. The attachment may be a PDF or Office document that exploits a vulnerability in the corresponding reader, but it may be as simple as an executable or a CHM file. (It is not safe to open CHM files from untrusted sources: a compiled HTML Help file can carry script and embedded objects that run when it is opened, so it is effectively an executable, but many people don't know that.) Once the file is opened, malware is installed on the victim's machine and the victim is placed under surveillance.
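
As an added example (this is not code from the original post, nor an ISS product), here is a small Python triage script for incoming attachments that applies the points above: identify an attachment by its content rather than its name, treat CHM and PE content as executable, flag an extension that lies about the content, and flag PDFs that carry active content such as JavaScript or an OpenAction. The sample attachments, their filenames and the verdict labels are all constructed for this example.

```python
# Added example (not from the original post): content-based triage of mail attachments.
# It classifies each attachment by its magic bytes rather than its name, blocks CHM and
# PE content outright, catches extension/content mismatches such as a PE renamed to
# .pdf, and applies cheap heuristics for active content in PDFs. All sample files,
# filenames and verdict labels below are constructed for this example.
import re

# Leading bytes of the container types discussed in the post.
MAGIC = {
    b"MZ": "pe-executable",                              # .exe, .scr, .dll
    b"ITSF": "chm-help",                                 # compiled HTML Help: can run embedded script
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2-office",  # legacy .doc/.xls/.ppt
    b"PK\x03\x04": "zip-container",                      # .zip, and also .docx/.xlsx
}

# What a given extension claims to be, for mismatch detection.
EXT_TO_KIND = {
    "exe": "pe-executable", "scr": "pe-executable", "chm": "chm-help",
    "pdf": "pdf", "doc": "ole2-office", "xls": "ole2-office",
    "docx": "zip-container", "xlsx": "zip-container", "zip": "zip-container",
}

# Extensions that Windows executes (or hands to a script host) on double-click.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "chm", "hta", "js", "vbs", "lnk"}

# PDF name objects whose presence means the document does something when opened.
PDF_ACTIVE_NAMES = ("JavaScript", "JS", "OpenAction", "AA", "Launch", "EmbeddedFile")


def identify(data):
    """Return the content type implied by the first bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def pdf_active_content(data):
    """List active-content name objects found in a PDF body.

    PDF names may hex-escape characters (/J#61vaScript is /JavaScript), a common
    way to hide from naive string matching, so escapes are decoded first.
    """
    plain = re.sub(rb"#([0-9A-Fa-f]{2})",
                   lambda m: bytes([int(m.group(1), 16)]), data)
    return [name for name in PDF_ACTIVE_NAMES
            if re.search(rb"/" + name.encode() + rb"(?![A-Za-z])", plain)]


def triage(filename, data):
    """Return {'verdict': 'block'|'review'|'allow', 'kind': ..., 'reasons': [...]}."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = identify(data)
    reasons = []
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable-type extension ." + ext)
    if kind in ("pe-executable", "chm-help"):
        reasons.append("content is " + kind)
    claimed = EXT_TO_KIND.get(ext)
    if claimed and kind != "unknown" and kind != claimed:
        reasons.append("extension ." + ext + " but content is " + kind)
    if reasons:
        return {"verdict": "block", "kind": kind, "reasons": reasons}
    if kind == "pdf":
        active = pdf_active_content(data)
        if active:
            return {"verdict": "review", "kind": kind,
                    "reasons": ["PDF active content: " + ", ".join(active)]}
    return {"verdict": "allow", "kind": kind, "reasons": reasons}


# Constructed sample attachments; none of these are real malware.
SAMPLES = {
    "Tibet_situation.pdf": (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                            b"2 0 obj\n<< /S /J#61vaScript /JS (app.alert(1)) >>\nendobj\n%%EOF\n"),
    "briefing.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n",
    "agenda.chm": b"ITSF\x03\x00\x00\x00" + b"\x00" * 28,
    "photos.jpg.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,          # a PE renamed to look like a document
    "notes.txt": b"Meeting notes, nothing to see here.\n",
}


def triage_all(samples=SAMPLES):
    """Triage every sample; returns {filename: verdict}."""
    return {name: triage(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        result = triage(name, data)
        print(f"{name:22s} {result['verdict']:6s} {result['kind']:14s} {'; '.join(result['reasons'])}")
```

Two caveats on the design. The content check matters because Windows hides known extensions by default, so "photos.jpg.exe" is displayed to the user as "photos.jpg"; the magic bytes do not lie even when the name does. The PDF heuristic is deliberately cheap: it decodes hex-escaped names but does not inflate compressed object streams, so a document that hides its action dictionaries inside a FlateDecode stream will pass it. Treat the "review" verdict as a trigger for sandbox detonation or analyst inspection, alongside IPS and anti-virus, not as a substitute for them.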

These kinds of attacks have been going on for many years. Security software such as IPS and anti-virus can help mitigate them, but user education also has to play a role. Google's announcement has focused people's attention on the matter, so now is the time to sit down with your users and talk to them about suspicious email attachments, files and web links. This is particularly true for executives and for people who work with sensitive intellectual property. We have seen strong internal education programs play a role in catching these attacks before they succeed.

It may also make sense to architect air gaps between extremely sensitive information systems and the global Internet. Back in 2006, when the Bureau of Industry and Security (BIS) was attacked by China, then-Undersecretary of Commerce Mark Foulon wrote: "It has become clear that Internet access in itself is a vulnerability that we cannot mitigate." As someone who spends most of his waking hours trying to make it possible for people to use the Internet safely, I found those words frustrating to read, but it would be naive to dismiss them out of hand. Protecting a network against a foreign intelligence agency is a difficult challenge, to say the least, and sometimes absolute assurances are necessary. BIS created an air gap between the computers it used for critical business and the computers it used for Internet access. In some cases that is a prudent choice, depending on the costs involved, the nature of the information you are working with, and the sophistication of the threats you face.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.