Opinion: Those who commit espionage over the Internet have plenty of
weapons to choose from. There's no reason to make things easy for them.
Reports continue about the sort of espionage I discussed recently in "The Secret China-US Hacking War
." This Wired Report
mentions how pro-Tibet groups have been the target of many such
attacks, and it goes into more detail on the attacks themselves.
In 2006 and 2007, there were a series of attacks against Microsoft
Office users, the kind Microsoft terms as "targeted [and] isolated." We
knew at the time that these were espionage of a sort; the use of a new
vulnerability against one or two targets indicates a sophisticated,
high-value attack. Click Here to Watch the
Latest eWEEK Newsbreak Video.
Microsoft issued a series of patches against the attacks over a period of months. I had reported chatter from the anti-malware community
that deficiencies in the old Office formats, in the OLE2SS (OLE2
Structured Storage) generally would make it impossible for Microsoft to
patch the problem altogether, but only on a case-by-case basis. Perhaps
that wasn't right, but I'm not sure.
This form of attack-an e-mail, either with an attachment or a
link-is the bread-and-butter of both everyday and sophisticated
attackers. A recent BusinessWeek article
details many examples of such attacks and leads with one against Booz
Allen. But in the Wired article, F-Secure's Mikko Hypp??Ã©nen (speaking at
last week's RSA conference) ties the espionage attack wave that
occurred one to two years ago to the Microsoft patches for the first
What can enterprises and other organizations sensitive to external
attack do? I'm a big believer in moving to more secure platforms, and
it's hard to argue that Vista and Office 2007 are not more secure than
their predecessors. It is possible to do a lot to protect those
predecessors, though, such as multilevel security at the gateway and
the endpoint, and please-please!-patch disclosed vulnerabilities as
soon as possible.
Often it is the case that once the patch is released, hackers
reverse-engineer it to see what it is patching, and from that they can
construct an attack. So once the patch is out, you are all the more
vulnerable if you haven't applied it.
And if you don't patch quickly, consider the mitigation steps that
usually accompany the disclosure. For example, it is often possible to
set kill bits for an ActiveX control before a patch is available, and
this can be done through a registry setting in the login script. And
reducing the attack surface is always a good thing, so don't run any
software you don't need.
But when it comes to targeted espionage, the kind where a new
vulnerability is rolled out in order to conduct an attack, there's
nothing like education and good sense of skepticism by the user. Even
the best attacks usually look wrong somehow, if you know what to look
for. Especially when you execute an attack program you can usually see
evidence that something has gone wrong, starting with a program crash.
Some experts might recommend that you use alternative platforms like the Mac or OpenOffice, but these really don't help at all
with targeted attacks. If someone's rolling out a new vulnerability for
a targeted attack, it's just as easy for them to do it on OpenOffice
and the Mac, which have numerous vulnerabilities, as for Windows. In
fact, it's easier and cheaper for them to do it on the alternatives,
where the price for a new, unpatched vulnerability is probably much
cheaper than for Windows.
If someone is capable enough or well-funded enough and is out to get
you, they can probably get an effective attack to you, but there's no
point in making things easy for them. Good security configuration and
up-to-date patches reduce the attack surface and raise the cost of an
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.