Thursday, April 28, 2011

Advanced-Persistent-Threat

I think I had better make this a little clearer, even though it really is an extension of the last post about using email safely.  I see RSA being hacked into, then Oak Ridge National Laboratory, with something some people are calling an "Advanced Persistent Threat" (APT).  There are sure-fire ways to improve your odds of not falling prey to APT.  They are listed almost in reverse order of importance; to put them in true order you would swap numbers one and two, but the first is needed to make the second possible.  Here they are:

  1. Use POP email rather than web-mail, and do not use Outlook or any other email client whose specialty is rendering HTML messages.  Instead use a client that can show you the message as plain text: Claws Mail does this by default, and Thunderbird can be set to display the message body as plain text instead of HTML.  That defeats the phishy link whose mouse-over shows a safe-looking URL while the href underneath takes you somewhere else entirely: in plain text there is no rendered anchor to hide behind, so the real URL is what you see.  It stands out like a sore thumb, which is exactly the help your users need against an APT spear-phishing message.
  2. Use OpenPGP signing and encryption.  For a place like Oak Ridge, do not publish your keys on the key servers; share them privately.  Give your keys an expiry of no more than ten years.  If a message from HR or a colleague has attachments or embedded URLs, require that it be signed, and do not act on it until the signature verifies against a key you obtained out of band.  You can go the commercial route and purchase PGP (owned by Symantec as of 2011-04-29) or download Gpg4win for Windows machines.  Here is their link:  GPG4Win.  GnuPG comes with nearly every Linux distribution and is also available for Macintosh.  But again, on Macintosh do not use Apple Mail, since it renders HTML email.  I really wanted to list this one first, since it is actually the least important, but you need Thunderbird or Claws Mail to do it on Windows anyway.  Do not depend on engineers to figure out how to create their own OpenPGP keys.  Engineers are bright people, but they still need help making their encryption keys the first time around; public/private key encryption is a lot harder to understand than you think it is.  The hardest thing of all, though, is coming up with a suitably long passphrase.  Length matters more than exotic characters: I advise mostly alphanumerics, although some punctuation marks are okay.  Your passphrase should be almost impossible to guess, yet easy to remember, and not too difficult to type.
  3. Do not use Microsoft Windows!  Here are some links on what file permissions do to protect you on Unix-like systems: Simple-Perm-Example. Elaborate-Perm-Example. Unix-File-Permission-Table.  Even though I give them for this particular system, OpenVMS, OS/400, VM/CMS and most other operating systems all have file system protection schemes, and Microsoft added its own with the NTFS file system.  On a Unix-like system a binary that arrives by download cannot simply be run, because the execute bit is not set on it.  But keep one more thing in mind: you are probably not going to get a native binary anyway.  The attackers are going to send you a link to a Windows binary that depends on an IE flaw or something similar on Microsoft Windows, so when your Chrome, Firefox, Opera or Safari browser on Linux, Macintosh or Unix sees it, the browser just says "Huh? What do you want me to do with this exe thing?"  I tell the browser to download them into the usual place, a folder named /tmp/Quarantine, and then feed them to ClamAV.  I am still keeping a back-end channel open to the AV companies, although very little goes through it any more; it is there to help them detect new threats as I encounter them.
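Here is an added example (my illustration, not code from the original post) of points 1 and 2 done mechanically rather than by eye: it pulls every anchor out of an HTML body, compares the visible link text with the real href, and then applies the policy that a message carrying attachments or URLs must at least arrive inside a multipart/signed OpenPGP wrapper.  It uses only the Python standard library; both messages inside it are constructed samples, and the script only checks that a signature part is present, since verifying the signature itself is still gpg's job.

```python
"""Audit an e-mail mechanically, the way a plain-text reader lets you do by eye.
Added illustration, not code from the original post; stdlib only; samples constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# anchor text that reads like a host name, i.e. what the victim believes the link is
HOSTLIKE_RE = re.compile(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def hidden_links(html):
    """(visible text, real href) for anchors whose text names one host and href another."""
    coll = AnchorCollector()
    coll.feed(html)
    bad = []
    for href, text in coll.anchors:
        m = HOSTLIKE_RE.search(text)
        if m and host_of(m.group(0)) != host_of(href):
            bad.append((text, href))
    return bad

def audit_message(raw):
    """No hidden links, and attachments or URLs require a multipart/signed OpenPGP
    wrapper.  Presence check only: verifying the signature itself is gpg's job."""
    msg = email.message_from_string(raw, policy=policy.default)
    signed = (msg.get_content_type() == "multipart/signed"
              and msg.get_param("protocol") == "application/pgp-signature")
    attachments, urls, hidden = [], [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "application/pgp-signature":
            continue  # the detached signature is not an attachment
        if part.get_filename():
            attachments.append(part.get_filename())
        elif ctype == "text/plain":
            urls += URL_RE.findall(part.get_content())
        elif ctype == "text/html":
            body = part.get_content()
            hidden += hidden_links(body)
            urls += URL_RE.findall(body)
    ok = not hidden and (signed or not (attachments or urls))
    return {"signed": signed, "attachments": attachments, "urls": sorted(set(urls)),
            "hidden_links": hidden, "ok": ok}

# Constructed sample 1: the mouse-over trick, visible text differs from the real target.
PHISH = """\
From: "Human Resources" <hr@example.com>
Content-Type: text/html; charset="us-ascii"

<p>Please confirm your enrollment at
<a href="http://hr-portal.example.com.evil-host.test/login">hr-portal.example.com/login</a></p>
"""

# Constructed sample 2: attachment plus URL, wrapped in an OpenPGP signature.
SIGNED = """\
From: colleague@example.com
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="s1"

--s1
Content-Type: multipart/mixed; boundary="m1"

--m1
Content-Type: text/plain; charset="us-ascii"

Report attached; notes at https://wiki.example.com/q1

--m1
Content-Type: application/pdf
Content-Disposition: attachment; filename="q1.pdf"

%PDF-1.4
--m1--
--s1
Content-Type: application/pgp-signature

(constructed placeholder; a real message carries the detached signature here)
--s1--
"""
```

Run `audit_message(PHISH)` and the hidden link is reported as the pair ("hr-portal.example.com/login", "http://hr-portal.example.com.evil-host.test/login"), which is precisely what a plain-text reader would have shown you in the first place; `audit_message(SIGNED)` passes because the attachment and the URL arrive inside a signed wrapper.  Feed the signed message to gpg before trusting it.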
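For point 3, an added example (mine, not from the original post) of what to do with that /tmp/Quarantine folder: identify each file from its first bytes rather than the name it came with, clear any execute bits so nothing in the folder can be run by accident, and hand the folder to clamscan when it is installed.  The quarantine it builds is a constructed sample in a temporary directory, and the exit codes it reports are the ones documented in clamscan(1).

```python
"""Triage a download quarantine: identify files by magic bytes, strip execute
bits so nothing runs by accident, then hand the folder to clamscan if installed.
Added illustration, not code from the original post; sample files are constructed."""
import os
import shutil
import stat
import subprocess
import tempfile

# first bytes -> what the file really is, regardless of the name it came with
MAGIC = [
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"#!", "script with interpreter line"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP container (Office, JAR, APK ...)"),
]
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def identify(path):
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    return "unrecognised"


def disarm(path):
    """Clear every execute bit; return (mode before, mode after)."""
    before = stat.S_IMODE(os.stat(path).st_mode)
    after = before & ~EXEC_BITS
    if after != before:
        os.chmod(path, after)
    return before, after


def triage(qdir):
    """Report on each regular file in the quarantine; symlinks are skipped, never followed."""
    report = {}
    for name in sorted(os.listdir(qdir)):
        path = os.path.join(qdir, name)
        if os.path.islink(path) or not os.path.isfile(path):
            continue
        before, after = disarm(path)
        report[name] = {"kind": identify(path), "was_executable": before != after,
                        "mode": oct(after)}
    return report


def clamscan(qdir):
    """Exit status of clamscan(1): 0 clean, 1 something found, 2 error; None if not installed."""
    exe = shutil.which("clamscan")
    if exe is None:
        return None
    return subprocess.run([exe, "--no-summary", "-r", qdir]).returncode


def make_sample_quarantine():
    """Constructed stand-in for /tmp/Quarantine: a few files with telling headers."""
    qdir = tempfile.mkdtemp(prefix="Quarantine-")
    samples = {
        "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,   # PE header behind a misleading name
        "helper": b"\x7fELF\x02\x01\x01\x00",
        "setup.sh": b"#!/bin/sh\necho hello\n",
        "report.pdf": b"%PDF-1.4\n",
    }
    for name, data in samples.items():
        path = os.path.join(qdir, name)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, 0o600)
    os.chmod(os.path.join(qdir, "setup.sh"), 0o755)  # someone marked this one runnable
    return qdir


if __name__ == "__main__":
    q = make_sample_quarantine()
    for name, info in triage(q).items():
        print(f"{name:16} {info}")
    print("clamscan:", clamscan(q))
```

The point of `identify` is that the browser's "what is this exe thing?" shrug is only a first line: a file called invoice.pdf.exe is recognised as a PE image by its MZ header no matter what it is named, and after `triage` runs nothing in the folder carries an execute bit, so even a native script that slipped in cannot be started by a stray double-click.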
So there you have it: a way to protect yourself from Advanced Persistent Threat (APT).  Actually, I see nothing persistent about it, except that people persist in using the very things that make the threat possible, despite the fact that there is an alternative.  It may or may not be "advanced", but the main reasons it works are that the hackers blindside you with something tailored to sell you on it, and that you are using the wrong tool, one that makes it easy for them to hide what they are doing.  If you cannot see the bad URL, you are already off to a bad start.  Actually, I do like John Pescatore's definition of APT: "Advanced simply means it got past your defenses and persistent means it took you too long to detect it once it got in."

But shoving the responsibility entirely onto people who are working 70 hours per week is not a formula for success.  For others like me, that 70 hours per week may balloon into 90.  I am older and not as quick as I used to be.  To detect something phishy you need the right tools, tools that help people do it when they are sick and overworked.  If you use the wrong tools, a disaster is going to happen, just as it did at RSA and Oak Ridge.  So take your pick, but I really advise using all three of these improvements to make yourself far safer.  Who is going to use all three of them?  Just me.  Who is going to use none of them?  Almost everybody else.  C'est la vie.  So whose fault is it when they click on something whose threat they could have seen with the right tools?  The person who decides what tools they use is the responsible one, not the one clicking on something carefully tailored to look legitimate.