High-Profile Companies Fail to Take Even Basic Security Measures
News Analysis: The recent Nitro attacks didn't use new technology or even a new vector for spreading malware. All that happened is that a hacker took advantage of poor training and security practices in companies and agencies that should know better.
The news from Symantec that a cyber-attacker used an off-the-shelf Trojan called PoisonIvy to extract intellectual property from U.S. chemical and defense industries, as reported by eWEEK's Fahmida Rashid, is more depressing than anything else. The ease with which the hacker, named "Covert Grove" by Symantec, used crude social engineering to get employees at his target companies to open infected emails is equally disheartening. One has to wonder if the affected companies have learned anything about security over the last 20 years and, if they have, whether they've done anything at all to train their employees.
The PoisonIvy Trojan is a well-known piece of malware that can't infect a computer on its own. It requires that someone run the program and that the program be given administrative rights. To accomplish this, the Trojan is embedded in an email that usually tells the user that it's a security update. In the example provided by Symantec, the email is signed by the "Department of Security."