DOD battles spear phishing

A little old, but the interesting part is that this would be a best case 
scenario for tracking the effectiveness of education on blunting attacks 
such as these. 

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect


http://www.fcw.com/article97186-12-26-06-Web

DOD battles spear phishing

BY Bob Brewin
Published on Dec. 26, 2006

The Defense Department is battling "a 
significant and widespread effort" to penetrate DOD information systems 
with sophisticated, targeted, socially engineered e-mail messages in a 
technique known as spear phishing, according to internal documents.

The Joint Task Force-Global Network Operations (JTF-GNO) warned DOD users 
last month in an internal presentation that everyone within DOD is a spear 
phishing target. Attempts have been made against all ranks in all services 
in all geographic locations. DOD civilians and military contractors have 
also been hit by spear phishing attacks, the JTF-GNO presentation states.

The Defense Security Service (DSS), which supports contractor access to 
DOD networks, said in a bulletin sent to contractors in October that 
JTF-GNO "has observed tens of thousands of malicious e-mails targeting 
soldiers, sailors, airmen and Marines; U.S. government civilian workers; 
and DOD contractors, with the potential compromise of a significant number 
of computers across the DOD."

U.S. Forces Korea echoed this warning in a recent information assurance 
alert. It warns that outsiders target its information systems on a daily 
basis by phishing and spear phishing attacks, which attempt to gain access 
to operational and personal information through bogus e-mail messages.

"At this point, the true scope of compromise and exploitation is unknown, 
but likely thousands more users and computers have been, or will be, 
successfully targeted," the bulletin states.

The bulletin adds that the sophistication of the techniques spear phishers 
use is reflected in their ability to obtain and apply legitimate DOD 
documents and data. The spear phishers also use enticing subject lines 
related to legitimate operations, exercises or military topics.

The U.S. Forces Korea information assurance alert states that unsolicited 
e-mail messages lure unsuspecting users to click on links to Web sites or 
attachments that download malicious software, known as malware, onto the 
system to steal data, including sensitive but unclassified information.

JTF-GNO illustrated the sophistication of spear phishing attacks DOD faces 
in a "DOD Spear Phishing Awareness Training" presentation obtained by 
Federal Computer Week. That presentation shows a faked message that 
appears to come from the operations division at the Pacific Command 
(Pacom) with a PowerPoint attachment concerning the Pacom "Valiant Shield" 
exercise held this summer.

But the seemingly legitimate address and PowerPoint slides were fake, and 
clicking on the attachment would launch malware that could infect the 
user's computer, the JTF-GNO presentation warned. All DOD employees and 
contractors must complete spear phishing awareness training by Jan. 17, 2007, 
according to internal DOD messages.

JTF-GNO acknowledged its spear phishing challenges in its awareness 
presentation which states, "The attacker selectively chooses the recipient 
(target) and usually has a thorough understanding of the target's command 
or organization."

Spear phishing e-mail messages appear genuine, have legitimate operational 
and exercise names, and may address the recipient by name and use internal 
lingo and jargon, the JTF-GNO presentation states.

Last month, JTF-GNO mandated use of plain text e-mail. HTML messages pose 
a threat to DOD because the code can contain spyware, and in some cases, 
could contain executable code that could enable intruders to access DOD 
networks, a JTF-GNO spokesman said.

The department also beefed up its network security and e-mail security in 
November with a new generation of Common Access Cards, which include 
public-key infrastructure to access e-mail. DOD users are also supposed to 
digitally sign their e-mail messages.

But the JTF-GNO spear phishing awareness presentation makes it clear that 
technology alone will not defeat the threats spear phishing poses. JTF-GNO 
instructed DOD e-mail users to ensure that the source is legitimate and 
the message is digitally signed before they click on any link in a message 
or open an attachment.

E-mail messages from organizations or individuals outside DOD should be 
viewed with caution, the JTF-GNO presentation states, and DOD e-mail users 
should be suspicious of their formats and attachments.

DOD spokespeople have declined to identify the sources behind the spear 
phishing attacks or e-mail messages infected with malware. But in a 
presentation to the AFCEA LandWarNet conference this summer, Lee LeClair 
of the Army's Network Enterprise Technology Command/9th Signal Command 
said U.S. military networks are faced with attacks by state-sponsored 
teams that control botnets and engage in spear phishing.

Jessica Kalish, a spokeswoman at iS3, which sells anti-phishing software, 
said lone hackers do not carry out spear phishing attacks. They are 
mounted by criminal enterprises, terrorist organizations, malcontents or 
espionage operations, she said.

Spear phishing attacks are often enabled by spyware installed on a user's 
PC, which can, for example, capture keystrokes that indicate a target is 
working on Valiant Shield, Kalish said. The attacker then crafts a fake 
PowerPoint attachment loaded with malware, which is launched when clicked 
by the unsuspecting recipient.

Kalish said the Anti-Phishing Working Group has developed a database of 
phishing attacks that can help defend against spear phishing, but only 
after it identifies an attack. Kalish said iS3's Stopzilla anti-spyware 
and anti-phishing software uses heuristics to proactively identify 
potential spear phishing attempts.

Stopzilla warns users about potential fake Web sites or attachments packed 
with malware before a user clicks through and launches a dangerous 
program, Kalish said.

Max Caceres, director of product management at Core Security Technologies, 
which sells software used by DOD and other federal agencies to test how 
their employees resist spear phishing attacks, said the wide range of 
information available online makes it easy to gain inside knowledge of an 
organization and craft targeted attacks.

Core Security Technologies has never failed in its spear phishing tests 
against large organizations, Caceres said, an indication of the task DOD 
faces as it attempts to battle its latest network threat. The human factor, 
which requires e-mail users to carefully examine their messages, plays a 
critical role in defeating spear phishing, Caceres said.

The JTF-GNO spokesman is on holiday leave this week and did not respond to 
detailed questions from FCW on the breadth of spear phishing attacks 
against DOD. A Pentagon spokesman deferred to JTF-GNO to answer an FCW 
query.

Received on Friday, 26 January 2007 00:40:16 UTC