Protecting Your Agency From GhostNets, Learning Infosec from The Dalai Lama

If you are concerned about your agency’s
information security, I’d encourage you to take a look at one of the
two reports that came out last week regarding the cyber attack on the
Office of His Holiness, the Dalai Lama.

(Overview: Video http://www.youtube.com/watch?v=tnK0s6aWzCM,
Text http://government.zdnet.com/?p=4498 )

The Office of His Holiness agreed to have the analysis made public,
which is unusual for an information security breach of this
nature. Two reports were published: "Tracking GhostNet" by the
Information Warfare Monitor, at
http://documents.scribd.com/docs/1jiyoq3c13a9a4udh2s7.pdf

and the University of Cambridge technical report "The snooping dragon:
social-malware surveillance of the Tibetan movement", at
http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf

It could be argued that there is nothing new in the findings in terms
of attack vectors, exploits, and payloads. What can't be argued is that
this was a highly structured attack aimed at specific high-level
targets. It is similar to attacks we have seen at many Federal Civilian
Agencies.

One of the big differentiators I saw in this attack was the use of the
content of legitimate outbound emails to strengthen the target
profile. The attackers took the text of emails the victims had actually
sent, re-sent it to the intended recipients, and added malicious payloads
hidden in Word and Acrobat files. There was no distinction between the
text of a legitimate email and a compromised one, because they were
written with exactly the same words.
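A user reading the re-sent message has nothing to go on, but the mail system does: the text arriving inbound is a copy of something the organization itself sent. The following is an added example (my own illustration, not code from the post or from either report) of a mail-gateway check built on that observation. It indexes outbound bodies by a normalized hash and flags any inbound message that reproduces one of them while carrying a document attachment. The message format, the list of risky extensions, and the sample traffic are all constructed for the example.

```python
# Added example: flag inbound mail that replays the text of a message this
# organisation previously SENT and arrives with a document attached.
# Sample messages at the bottom are constructed for illustration.
import hashlib
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Word and Acrobat are the carriers named in the reports; the rest of the
# list is an assumption about what else a gateway should treat as a payload.
RISKY_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".ppt", ".exe", ".scr"}


@dataclass
class Message:
    direction: str          # "out" for mail we sent, "in" for mail we received
    sender: str
    recipient: str
    body: str
    attachments: List[str]  # file names only


def normalize(body: str) -> str:
    """Drop quoted reply lines, collapse whitespace and case, so a re-sent
    body hashes the same even if the attacker reflowed the paragraphs."""
    kept = [ln for ln in body.splitlines() if not ln.lstrip().startswith(">")]
    return re.sub(r"\s+", " ", " ".join(kept)).strip().lower()


def fingerprint(body: str) -> str:
    return hashlib.sha256(normalize(body).encode("utf-8")).hexdigest()


def build_outbound_index(messages: List[Message]) -> Dict[str, List[Message]]:
    """Index everything we sent by body fingerprint."""
    index: Dict[str, List[Message]] = {}
    for m in messages:
        if m.direction == "out":
            index.setdefault(fingerprint(m.body), []).append(m)
    return index


def flag_replayed_inbound(messages: List[Message]) -> List[Tuple[Message, Message, List[str]]]:
    """Return (inbound, matching outbound, risky attachments) for each inbound
    message whose text is a copy of something we sent and which carries a
    document. The file name is deliberately ignored: an attacker will reuse
    the original name, so a name-based allowlist would wave it through."""
    index = build_outbound_index(messages)
    alerts = []
    for m in messages:
        if m.direction != "in":
            continue
        originals = index.get(fingerprint(m.body))
        if not originals:
            continue
        risky = [a for a in m.attachments
                 if os.path.splitext(a)[1].lower() in RISKY_EXTENSIONS]
        if risky:
            alerts.append((m, originals[0], risky))
    return alerts


# Constructed sample traffic (not taken from the reports).
MEETING_TEXT = (
    "Dear Tenzin,\n"
    "Attached is the schedule for next month's delegation visit.\n"
    "Please confirm the dates.\n"
)

SAMPLE_MESSAGES = [
    Message("out", "staff@example.org", "tenzin@partner.example",
            MEETING_TEXT, ["schedule.pdf"]),
    # Genuine reply: quotes the original and adds new text, so it does not match.
    Message("in", "tenzin@partner.example", "staff@example.org",
            "Confirmed, thank you.\n\n> Dear Tenzin,\n"
            "> Attached is the schedule for next month's delegation visit.\n"
            "> Please confirm the dates.\n", []),
    # Replay from a look-alike sender: same words, reflowed, same file name.
    Message("in", "tenzin@partner-example.net", "staff@example.org",
            "Dear Tenzin, Attached is the schedule for next month's  delegation "
            "visit. Please confirm the dates.", ["schedule.pdf"]),
    # Our own text bounced back with no attachment: matches, but nothing to deliver.
    Message("in", "mailer-daemon@partner.example", "staff@example.org",
            MEETING_TEXT, []),
]

if __name__ == "__main__":
    for inbound, original, files in flag_replayed_inbound(SAMPLE_MESSAGES):
        print(f"ALERT: {inbound.sender} re-sent the text of our mail to "
              f"{original.recipient} with attachment(s) {files}")
```

Run as a script, only the look-alike sender's message is reported; the genuine reply and the bounce pass. In a real deployment the outbound index would be fed from the sending MTA's journal and the attachment check would hash the file contents rather than trust the extension, but the core signal stays the same: our own words should not arrive from outside carrying a document.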

The reason that the web and email are exploited as attack vectors is
that these vectors allow non-security personnel to make what are, in
effect, network access control decisions. It is the user who decides
to click on the URL or download the application to the desktop. In
the past, many security people have felt that the problem with web and
email security was users who did not understand or care about
network security. The Dalai Lama attack shows that there are web and
email based attacks that even the most vigilant and knowledgeable
security person could not identify at face value.

I was enthusiastic about the analysis and detailed forensics in these
reports. But it was painfully obvious to me that they fell
short when it came to providing solutions. Some of the
recommendations were to use mandatory access controls, like SELinux,
which arguably are very difficult to implement in any environment that
interacts with the outside world.

If your agency is concerned about these types of attacks, it would be
beneficial to talk with my engineers and myself. To schedule
an appointment with my team, please call me at 410-740-3490, or email
paul@paulmisner.com
