Introduction to Hacker Way Philosophy

July 16, 2017

Ralph Losey – 7/16/17

I have spoken several times before concerning the Hacker Way philosophy. I have always focused on my work as a lawyer specializing in e-discovery. I have also included this philosophy in my teachings in this area of the law, including the use of AI in document review. See: the TAR Course;  HackerWay.org and HackerLaw.org.

The video talk in this blog takes it outside of the legal community so it can have maximum impact. I think it is important for everyone to understand the credo behind Facebook and most other 21st Century software tech companies. No one else seems to be talking about it, or sharing the secret sauce behind their success. That is contrary to the fundamental Hacker principle of Openness, so, as an old Hacker myself, I am stepping in to fill the gap. That’s just what I do. (Stepping-In is discussed in Davenport and Kirby, Only Humans Need Apply, and by Dean Gonsowski, A Clear View or a Short Distance? AI and the Legal Industry, and A Changing World: Ralph Losey on “Stepping In” for e-Discovery. Also see: Losey, Lawyers’ Job Security in a Near Future World of AI, Part Two.)

Facebook’s corporate headquarters photo with symbols added.

In this below eleven minute video I am taking this sharing and openness to the next step. Here I address the five principles and related ideas of the Hacker Way as applied to life in general, not just my legal specialties. Hope you find this provides some value to our fast evolving computer culture. Please leave some comments, either here or at my new Facebook site: HackerWay.org.


If you have not already read Mark Zuckerberg’s original treatise on the Hacker Way, contained in his initial public offering Letter to Investors, I suggest you do so now. Also see my related ideas on history and social progress at Info→Knowledge→Wisdom.

I look forward to your comments.

Below is a graphic showing all nine concepts of the Hacker Way following the form of an enneagon or Nonagram, also known as a Star of Goliath.




Hacking Flash Trading on Wall Street: From Fiction to Fact in Just Three Weeks

June 22, 2014


I read Mark Russinovich’s new novel, Rogue Code, a few weeks ago when it was first released. The book is about flash trading and criminal hackers attacking Wall Street hedge funds. Then, just this week, I read a news flash on CNBC of a real life hack attack of a Wall Street hedge fund. Cybersecurity firm says large hedge fund attacked (CNBC 1/19/14). Again, it involved the controversial practice of flash trading. The facts of the news report were eerily close to Russinovich’s fiction. The news report seemed to come right off the pages of Rogue Code. Unless this is an elaborate hoax to promote the book, Mark Russinovich has taken predictive coding to a new level.

Remarkable Parallels

In both the book and news report a sophisticated, highly organized team of skilled hackers penetrated what was thought to be a totally secure stock trading computer system. They then planted a very complex piece of software code, malware, that hid in the system. It operated undetected for months, taking a million here, a million there. The hidden program was remotely controlled to surreptitiously interfere with flash trading in order to direct profits to the hackers from intercepted trades. Millions of dollars were stolen over several months time.

In the novel and real world some suspicious circumstances caused the brokers to hire an outside cybersecurity firm to investigate their computer systems. The cybersecurity white hats finally discovered the malware. In the book the hero catches the bad guys. In real life no one seems to even have a clue as to who they are. They are at large, enjoying the rich life of the billionaires they stole from.

In the novel the penetration went beyond just one hedge fund into the very trading platform of the New York Stock Exchange. The whole world financial system was threatened. No one is saying if that has also happened in real life.

The cybersecurity company that broke the story, BAE Systems Applied Intelligence, made a point of saying that this kind of hack into stock trading systems, especially high-speed flash systems, has never been seen before. It may not have been seen, but Mark Russinovich certainly imagined it. The BAE spokesman, Paul Henninger (shown right), says that this hack represents a new level of attack involving both very advanced computer technical skills and advanced trading skills. Henninger says there are only a few experts in the world with the necessary skills to pull it off. Yet, this was all described in detail in Mark Russinovich’s novel. Kind of makes you wonder where Mark gets his material?

Cyber Thrillers


Russinovich is one of the best writers in the new fiction genre that I like, cyber thrillers. For a complete list of the most popular of these books that have a cybersecurity focus see my Must Read Books on Cybersecurity page, which is a part of eDiscoverySecurity.com. Rogue Code is Russinovich’s third in a series that started with Zero Day in 2010 and Trojan Horse in 2012. All three books in this series star Jeff Aiken, a cybersecurity expert who saves the world as a White Hat hacker. Jeff Aiken battles Black Hat bad guys and bureaucratic bumblers at the same time. Jeff Aiken is kind of a nerdy version of James Bond and serves as his own Q. He’s got some cool hacking tools that would even make the JΞSTΞR jealous.

I can really relate to Jeff Aiken’s constant frustration with small-minded government types that get in his way. They usually suspect him of being the bad guy. The real bad guys, the black hatters, usually come across as more sympathetic characters, which is one of the charms of the Jeff Aiken series. But the real attraction of his novels for me is how much you learn about cyber security while reading them.

Mark Russinovich and the Texas Instrument 99/4A

I figured Russinovich’s books were good, and accurate, and provided real insights, just based on the background of the author himself. Mark Russinovich is the real deal. He is now a Technical Fellow in the Cloud and Enterprise Division at Microsoft. I personally like him because at age 15, he bought himself his first computer, a TI99/4A. That was also my first personal computer and the first one I wrote programs for.

My kids still fondly remember my Make a Face program on the 99/4A. My daughter claims that was the world’s first avatar creation program, although at the time, to be honest, I thought of it as a high-tech Mr. Potato Head. You could make thousands of different looking faces, and no matter what face you made, Mr. Computerhead was always happy with your design and said, with lips moving, I sure look good now! It was one of those games where you could not lose. I offered it for sale in the TI99/4A user group newsletter. I wonder if Mark was ever tempted to buy it? I say tempted, because I know for sure he did not buy it. Sadly, I never sold any, despite my one $25 ad, and so I concentrated instead on the life of a techno-trial lawyer and computer hobbyist.

Anyway, Mark Russinovich went on to become a real computer expert while I plugged along as a lawyer. Mark earned a B.S. in computer engineering from Carnegie Mellon University, a leading university for elite white hats. Then he received an M.S. in computer engineering from Rensselaer Polytechnic Institute. Then after some work in the real world, he returned to Carnegie Mellon, for a Ph.D. in computer engineering in 1994. Yeah, Mark knows his stuff. In so far as Microsoft products are concerned, he is one of the top experts in the world. He has personally discovered, and we assume quickly disclosed and fixed, many software errors and vulnerabilities that hackers could otherwise have exploited for fun and profit. Indeed, Mark now has a suspiciously large body of knowledge on how to hack into business systems of all kinds, especially those based on Microsoft operating systems.

Is Truth Stranger Than Fiction?

I had no idea how good his knowledge really was, and how close he was to the pulse of the elite hacking world, until reading the news story this week. It seemed to come right off the pages of his new book. I fully expect Jeff Aiken to be on the case right now tracking down the rogue coders who penetrated the hedge fund. I wonder if they are in Brazil watching the World Cup? In fact, come to think of it, the events Mark was writing about in Rogue Code were, we now know, taking place on the real Wall Street at the very same time he was writing about it. Hmm. What a coincidence. I wonder if well-known SEC investigator and attorney, Robert Ashton, will look into that? Too bad Patrick Oot has moved on. I’m sure he could e-discover the truth, that is, unless the Brazilian Mafia, the NL, got to him first.

For more about the Rogue Code check out this video trailer. I think this book would make a great movie.

Of course, the facts in Rogue Code and the BAE Systems report are somewhat different. You would not want to be too obvious, would you? Still, to a careful reader of both stories, both fact and faction, the similarities dominate. Both involved teams of experts working together to interfere with hedge fund flash traders to directly profit from the trades. Both involved long-term penetrations that lasted for months and resulted in the diversions (a polite word for theft) of millions of dollars. That’s right. This is big time cyber fraud, involving Big Data and Big Money and victims who usually will not want to complain. It makes for the perfect crime, especially if you like stealing from billionaires in a way that will likely go undetected.

Will the True Story of Wall Street Hacking Ever Be Known?

The full story of the real attack on the Wall Street flash trading hedge fund is still unknown. Indeed, the odds of our ever knowing the full truth of the real attack are slim to none. The as yet unnamed hedge fund has every incentive to keep it secret and keep their name out of the press. Think how their customers would react if they knew their money had been stolen by hack attack. How would their customers, billionaires all, react if they found out that their brokers had been outsmarted by hackers? No. That would not work out too well. So, as we learn in Rogue Code the novel, these things are usually hushed up and the bad guys get away with millions.

Going back to real life, and the BAE report by Paul Henninger, who said:

“It’s pretty amazing,” Henninger said in an interview Wednesday from London. “The level of business sophistication involved as opposed to technical sophistication involved was something we had not seen before.” . . .

Henninger said such business-savvy financial attacks can represent “the perfect crime,” because they are extremely difficult to trace to obscure locations around the globe, and because companies can be reluctant to go to law enforcement. “It often takes a while for firms to get comfortable with the idea of exposing what is in effect their dirty laundry to a law enforcement investigation,” Henninger said. “You can imagine the impact potentially on investor confidence.”

He said he does not know if the hedge fund reported the details of the attack—which he estimated cost the firm millions of dollars over just a few months’ time—to the SEC or the FBI.

Officials from the SEC and FBI declined to comment on this specific case. . . .

Henninger said the malware represented a multimillion dollar problem for the hedge fund. “This was not something that was a minor issue for them,” he said. “This was something that was getting reviewed at the board level of this hedge fund precisely because it was having a material impact on performance across the portfolio.”

Public disclosure of illicit trading based on hacked information is exceedingly rare.

Eamon Javers, Cybersecurity firm says large hedge fund attacked (CNBC 1/19/14).

Conclusion

The introduction to Rogue Code was written by Haim Bodek, Managing Partner of Decimus Capital Markets, LLC. He is an expert on flash trading who is now sounding the alarm on the abuses that flash trading is causing on Wall Street. Even without cyber intrusions and theft by hackers, Bodek thinks the stock exchanges could fall by the dishonesty and inherent unfairness of flash trading. I do not know about that, but I do know this micro-second trading gives an unfair advantage to some. We need a level playing field and a stock market that provides equal opportunities to all, including small investors. I hope that the alarm sounded by Haim Bodek about flash trading is overstated, but fear it is not. Rogue Code, and now the report by BAE, suggest that his concerns are well founded.

I am not delusional enough to think that the alarm sounded by Mark Russinovich on hacking Wall Street is a false alarm. That is a separate issue. I have no doubt in my mind that this is a clear and present danger. Although Rogue Code is a work of fiction, the hacking of Wall Street is not. The SEC must start taking cybersecurity more seriously. Indeed, all of us need to do that. Hackers are now getting organized and profit driven. This is not just an Anonymous group of kids anymore, these are criminal gangs. Hack attacks should be reported to the FBI. The days of secretive cover-ups must come to an end.


U.S. Employees Are Weakest Link In America’s Cybersecurity – Part Two

June 2, 2014

This is the second half of a two-part blog. Please read Part One first.

DOJ Allegations of a Simple Phishing Expedition that Was Able to Hack Trade Secrets from both Alcoa and U.S. Steel

The recent DOJ indictment proves the point that employees are the weakest link in cybersecurity, that they are easy victims of simple spearphishing hacks. Here are the introductory allegations in paragraph 6.f.:

6.f. In or about 2008, Alcoa Incorporated (“Alcoa”), an aluminum manufacturer whose principal office is located in the Western District of Pennsylvania, announced a partnership with a Chinese state-owned aluminum company to acquire a stake in another foreign mining company. Approximately three weeks later, Defendant SUN targeted senior Alcoa managers with spearphishing messages designed to trick the recipients into providing SUN with access to the company’s computers.

The specific allegations on this hack attack begin at paragraph 41. Defendant Sun Kailiang, who uses the alias “Jack Sun,” shown right in his full military uniform, is alleged to have performed a directed phishing attack (“spearphishing”) against select employees of Alcoa and U.S. Steel:

41. Spearphishing activity targeted Alcoa including near in time to significant events in its business relationship with SOE-3. For example, on or about February 20, 2008, about three weeks after Alcoa announced the partnership with SOE-3, Defendant SUN targeted Alcoa with a spearphishing campaign. Specifically, Defendant SUN sent e-mails to approximately 19 senior Alcoa employees, at least some of whom were located in the Western District of Pennsylvania, using an account designed to impersonate a member of Alcoa’s Board of Directors. In all but one of the e-mails, Defendant SUN attached a file disguised as an agenda for Alcoa’s annual shareholders meeting, which, once opened, would install malware on the recipients’ computers.

42. Thereafter, in or about June 2008, unidentified individuals stole at least 2,907 e-mail messages along with approximately 863 attachments from Alcoa’s computers, including internal messages among Alcoa senior managers discussing the foregoing acquisition. . . .

44. In furtherance of the conspiracy and to achieve the objects thereof, the conspirators committed the following overt acts, among others, in the Western District of Pennsylvania and elsewhere:

a. On or about April 18, 2006, Defendant SUN created e-mail account c********8@yahoo.com.

b. On or about July 17, 2006, Defendant SUN created domain account j*****r at a domain provider in the United States.

c. On or about December 12, 2006, Defendant WEN sent Defendant WANG two executable files containing tools that would be useful for intrusions.

d. On or about July 12, 2007, Defendant GU designed and tested a spearphishing message.

e. On or about February 20, 2008, Defendant SUN created an e-mail account using the misspelled name of a person with the initials C.G., who was then a member of Alcoa’s Board of Directors (the “C. G. Spearphishing Account”).

f. On or about February 20, 2008, Defendant SUN, using the C.G. Spearphishing Account, transmitted e-mail messages with a file named “agenda.zip,” which contained malware, to approximately 19 Alcoa employees.

That is a pretty detailed description of how a spearphishing cyber attack works. Captain Jack was just doing his job as a military hacker, just following orders to steal secrets from U.S. corporations so that the Chinese government can give their state sponsored business an unfair advantage.

A little research shows that the member of Alcoa’s Board that Jack Sun pretended to be was a brand new board member, a business celebrity at that, and one who has an oddly spelled name, Carlos Ghosn. Jack Sun did his social engineering background work very well. Ghosn was the perfect new guy to impersonate. All they had to do was trick one naive Alcoa employee to click on a mail attachment that supposedly came from Ghosn, or was it Ghosen? Oh well, he’s the new boss, so we had better click on the agenda items attachments that he sent to us. And that they did. The DOJ indictment does not reveal how many were so tricked, but it only takes one.

The indictment also describes another successful spearphishing campaign against U.S. Steel, but with fewer details. All we know is that the counterfeit email with malware attachment supposedly came from the CEO. Jack Sun sent the email to twenty U.S. Steel employees, and at least one of them fell for it and opened the virus ridden attachment. Who has the guts to ignore a direct request from the CEO? Very clever again Captain Jack.

What happened to Alcoa and U.S. Steel could have happened to any organization. A cybersecurity consulting firm, CrowdStrike Inc., has found that between 5% and 10% of employees will click on almost any email. See Alleged Chinese Hacking: Alcoa Breach Relied on Simple Phishing Scam (Bloomberg). This kind of statistic is ridiculous. Our employees really need to be trained not to be so gullible. Everyone needs basic cybersecurity training in today’s world.

Even our senior military officers are vulnerable to tricky social engineering, as I will explain next. Most of the older CEOs and military officers are, like most of my generation, clueless when it comes to technology and the Internet. One has only to think of the recent scandal with David Petraeus, CIA Director, and four-star general whose unencrypted, sex-filled, webmail showed he was carrying on an extramarital affair with his biographer.

Train All Employees in Cybersecurity, Including Especially Social Engineering Threats

The DOJ indictment does not specifically identify who was tricked by Sun, no doubt to avoid unnecessary public disclosure and embarrassment, but it does say the phishing emails were sent to 19 senior Alcoa employees. I am willing to bet that included one or more administrative assistants to top officers of the corporation. They are the ones used to receiving emails like this pertaining to agenda items. They are also the ones most likely to open attachments for their boss. Maybe it went to some V.P.s, and they forwarded it to their assistants to deal with it. They did not want to be bothered with attachments and such. Or maybe their assistants screen all of their email for them. Believe it or not, this is still common on the senior level for people my age or older.

My email observations are based on very long experience with business email. Due to my peculiar background as a computer hobbyist and a lawyer, I have probably used business email longer than most everybody else still practicing in the legal world. Remember The Source and Compuserve? I used those for online communications when they were dial-up BBS systems in the early 1980s. That was way before the Internet was opened for non-academics. I remember when sending computer mail or text messages for communications with a client was considered very exotic. We would anxiously wait for confirmation that the message was received. I remember the same for faxes too, but that’s another story.

The observation on secretaries screening email for bosses is also in accord with the experience of Kevin Haley, director of Symantec Corp.’s Security Response team. As the previously cited Bloomberg article mentioned, personal assistants are a prime target because they have access to key information and are opening email attachments all day. This is one reason that Kevin Haley recommends that all employees be required to receive cybersecurity training.

Training, especially in social engineering, should include the top brass too, the C-Suite. This point was recently proven by one of the largest, ongoing social engineering cyber attacks yet discovered. This one was orchestrated by the Iranian government. The hack attack was discovered by a private cybersecurity consulting firm, iSight Partners. The Iranians were able to trick many leaders, including a four-star Admiral in the U.S. Navy. They did so over three years with an elaborate Facebook friending and fake newscaster scheme. Iranian hackers ‘friended’ four-star U.S. admiral on Facebook to steal data using social media espionage.

Can you believe it? One of our four-star Admirals was tricked by fake Facebook pages and friend requests into revealing secrets to the Iranians. Hey, fellow senior citizens, especially you generals and admirals – just say no! You don’t need online friends any more than you need sexy biographers. Take our national security more seriously than that.

Our four star Admiral was not the only gullible victim in the Iranian online fraud attack. According to the Reuters report, hackers used 14 fake online personas to make connections with more than 2,000 people. Then the hackers targeted several hundred high-ranking individuals to get them to visit poisoned websites or open malware ridden attachments. The top brass targeted included the famous admiral (identity not yet revealed), U.S. lawmakers, U.S. ambassadors, and personnel from several other countries. Our fearless leaders are the biggest fish of all to target. Somebody should make them attend full cyber training.

Congress is the only one with the power to do that. Perhaps they should pass a law requiring all military officers and high-ranking government officials to take basic cybersecurity training. Then they should be subject to random pentesting after that, as I will describe in more detail in my conclusion. I do not care about generals and admirals failing a drug test, or a sex test, but failing a pentest, well, that really worries me.

Law Firms Are Targets Too

Law firms are all run by lawyers about my age; great lawyers all, but most of them are quite naive when it comes to technology and cybersecurity. As Alan Brill of Kroll is known for saying, a popular cybersecurity myth in most corporations is that “we are not a target.” He “mostly hears it from victims” and “they are usually wrong.” Law firms are targets, just like every other organization in the world.

Phishing aimed at lawyers is nicknamed Shark Phishing, a tip of the hat to our evil reputation. All lawyers are under constant attack, most likely by simple criminals, but you never know. In my world, several emails a week slip through my firm’s spam filter and I see urgent pleas for help. It is usually from people I do not know that seek my legal services for something or another. They may claim to be seeking help for payment of child support. Think of the hungry children that need your help! The emails are often personalized and mention my name in the body of the email. They may also claim to be owed money by a U.S. corporation, or otherwise need a lawyer to close on a deal or get a big inheritance. They may claim to come from a CEO of a foreign company or from another lawyer. Often the emails are accompanied by attachments that supposedly explain their problem.

I know that all lawyers everywhere get this kind of malware junk mail every day just like I do. They are very adept at fooling spam filters. I do not think twice. I mark as spam, delete, and move on. Sometimes I will read the pitch for my own perverse enjoyment. They can be very clever, in an evil sort of way. Look, if you wish, but do not click. Never, never open the attachments, or click on any links. And do not respond in any way. It may not be the now indicted Captain Jack doing his job as an industrial espionage hacker, but it certainly is not a real client. It is some kind of hacker crook after your money or your client’s secrets.

Once any lawyer takes the bait and responds to the email, or clicks on a link, an elaborate fraud starts. It usually results in either a bounced check to you, and loss of your money, or release of malware. Sometimes you will get both. You will not get a client any more than our four-star Admiral got a real Friend on Facebook. I have heard of several law firms losing hundreds of thousands of dollars in these scams. They usually involve their bank accounts. Sometimes the banks will reimburse them, but more and more lately, they will not. Yes, lawyers, sharks or not, can be quite gullible and fall for various social engineering fraud tricks just like everyone else.

Common Sense Advice on How to Avoid Phishing Frauds

The basic advice is really very simple. Never click on a link or download an attachment in an email unless you are absolutely sure that they are legitimate. The same goes for a text message or other kind of online communication. If you have any doubt at all, do not click it. Do not be a victim. Remember spoofing too. Just because an email is apparently from someone you know and trust, like your banker for instance, does not mean that it is legitimate. It is easy to copy logos and even set up fake websites. Inspect carefully the email address that an email is sent from. That will often reveal the fraud. But even if all looks legit, still resist the urge to click. Why, for instance, would your banker or broker send out an email like that?

Bottom line, never click on a link, or download an attachment, unless you have independently verified the identity of the person who claims to have sent you the message. You can do so through a telephone call, text message, or email. You cannot get a virus by calling your banker or broker or friend. Verify that they actually sent you the email with attachment or link. Like Reagan said, trust but verify.

Further, you should always make sure that your anti-malware software and anti-virus software is up to date. Even though your security software is not effective against the very latest malware programs, it can still catch many of the older known viruses out there.

For a good source of information on all of this see the Anti Phishing Working Group (APWG). APWG is, in its own words, a global industry, law enforcement, and government coalition focused on unifying the global response to cyber crime through development of data resources, data standards and model response systems and protocols for private and public sectors. As a semi-humorous interlude, you also might want to click on this YouTube video on phishing.

Another useful article on how to avoid phishing attacks was written by Rebecca Greenfield in 2013: How to Avoid Getting Spear-Phished by China’s Hackers Who Cracked Apple. She came up with six common sense steps to avoid being a spearphishing victim.

Step 1: Understand the Difference Between Phishing and Spear-Phishing. 

Phishing attacks are the more blatantly malicious. They are emails that pretend to come from big organizations, like your bank or broker. They are form emails from generic addresses and are sent to thousands of in-boxes. They are not custom designed, and instead rely on quantity. The bad guy hopes that a few out of thousands will be dumb enough to click a malicious link or download an infected file. Spear-phishing, on the other hand, targets a small group of specific users. As security firm Norton explains:

Spear phishing is an email that appears to be from an individual or business that you know. But it isn’t. It’s from the same criminal hackers who want your credit card and bank account numbers, passwords, and the financial information on your PC.

This is more fully explained with examples by ComputerWorld’s Gregg Keizer in a 2011 post. Spearphishing emails are designed to look like they come from colleagues or friends. They also tend to include personalized touches, which again Norton explains on its site:

The salutation on the email message is likely to be personalized: “Hi Bob” instead of “Dear Sir.” The email may make reference to a “mutual friend.” Or to a recent online purchase you’ve made. Because the email seems to come from someone you know, you may be less vigilant and give them the information they ask for.

Step 2: Check the Sender’s Full Email Address  

The full email address of the sender will often reveal that it does not exactly match with the supposed sender. The cyber-security firm Mandiant used this example when describing another spear phishing attack by the same Chinese “Comment Crew” back in 2012. In this attack the hackers tried to exploit the name of the CEO of Mandiant, Kevin Mandia.

Apart from the dubious “details click here” line in this email, it looks like a bona fide message from Mandiant’s CEO – kevin.mandia@rocketmail.com. But think about it. Why would the CEO of Mandiant, a major corporation in the security field, be using a Rocketmail account to discuss a press release? He wouldn’t. Still, maybe some that know him might think he had a new personal email account, and was using it instead of the corporate account for some reason. You should not click on that email until you first check with Kevin.

Step 3: Remember That Hackers Can Email Back, Too. 

One obvious way to test a suspicious email is to respond to the sender. But that often will just lead you right back to the fraudster, the hacker. According to the Mandiant report, one of their experts, as a test, wrote back to one of the Chinese hackers and said: “I’m not sure if this is legit, so I didn’t open it.” Within 20 minutes, the hacker from Unit 61398 responded back: “It’s legit.” The correct way to double-check the legitimacy of a sender is to contact the “friend” in a separate email, via phone, or by any other means. Do not just reply.

Step 4: Check the Attachment File Type Closely. 

According to the Mandiant report, most spear-phishing files come in .zip format. Still, the clever hackers will sometimes dress up Zip files as PDFs in disguise. They do it like this:

That looks like a standard .pdf file, and has the little Adobe icon, but the little ellipses give it away. Again, according to the Mandiant report, the file name continues after the PDF extension to include 119 spaces followed by .exe. Pretty tricky of these Unit 61398 military hackers, eh? I hope our military cyber teams are as good or better at spying on state, military secrets. Although, the U.S. military, unlike the Chinese, does not steal trade-secrets to benefit purely commercial interests. That’s the government’s story anyway, and I for one am inclined to believe it.

Step 5: Check for Vague Filenames. 

While spear-phishing emails are usually very personalized, the message content, and infected file names, tend to be fairly generic. Something like “updated_office_contact.zip” is common. The file names also tend to include military, economic, and diplomatic themes, largely because of the kind of organizations that military hackers attack. Criminal hackers, the ones who are just in it for the money, tend to have other investment and business type themes. They may suggest that you open an attached marketing plan pertaining to a new product you are working on.

Step 6: Be Paranoid. 

Rebecca Greenfield‘s last recommendation is from a security research report by the Georgia Tech Research Institute (GTRI), featuring the work of Andrew Howard, their malware expert and Chief of Emerging Threats and Countermeasures, who said:

Spear phishing is the most popular way to get into a corporate network these days. Because the malware authors now have some information about the people they are sending these to, they are more likely to get a response. When they know something about you, they can dramatically increase their odds.

The success of spear phishing attacks depends on finding the weakest link in a corporate network. That weakest link can be just one person who falls for an authentic-looking email.

Organizations can spend millions and millions of dollars to protect their networks, but all it takes is one carefully-crafted email to let someone into it.

As to what to do about it, Howard is working on new types of AI-based phishing detection software. It sounds much like predictive coding for malware and phishing. But in addition to that, Howard recommends a healthy dose of paranoia:

It’s very difficult to put technical controls into place to prevent humans from making a mistake. To keep these attacks out, email users have to do the right thing every single time. Users are the front line defense. We need every user to have a little paranoia about email.

Conclusion


In addition to the good advice of Rebecca Greenfield and Andrew Howard, I strongly recommend employee training as a key component of cybersecurity. So too do many others, including PhishMe.com, which offers employee training in phishing avoidance. I also suggest companies do random pentesting to reinforce that training. The penetration attempts should focus on social engineering techniques against employees, including especially phishing and spear phishing. That would be a good way to reinforce a healthy paranoia, but not too much paranoia, such that no work gets done. After all, we do have to send and receive email attachments all of the time, even when on vacation.

The company should start by requiring training of all employees — high and low, no exceptions. The CEO should have to attend training, as well as the receptionist. After that, the company CISO should contract with white hat hackers to do approved spear phishing. The tests would be unannounced, of course, and ongoing. Not one and done. The tests would feature clever social engineering hacks, including especially phishing and spear phishing, but would also include some bona fide email tests with links and attachments.

The goal would be to reinforce healthy paranoia, but, at the same time, make sure that employee paranoia is not so intense that it interferes with efficient operations. It is a difficult line to draw, but necessary. In my opinion, this would be great fun to test; far better than the many law school exams I have given and graded. Designing a special spearphish for the CEO or Admiral would be especially entertaining.

Only the employees who failed a surprise pentest would have to endure further retraining. You know, the employees who were either fooled into taking the bait and downloading a virus, or were too paranoid, or too lazy, to open a valid attachment needed for work. Some attachments might require the tested employees to make a call first. Some may not.

This kind of pentesting would be a relatively easy but effective way to strengthen the weakest links in every organization’s cybersecurity. If someone fails time and time again, even after counseling and retraining, well, maybe they should find another job. That should work, that is, unless they are a four-star admiral. ¯\_(ツ)_/¯

This means that even CEOs of companies should be tested and objectively graded by a third-party. Maybe every Board of Directors should require that, or every insurer. Maybe Congress and the Pentagon should require such training and tests of military officers. You should not get promoted unless you have good pentesting scores. The same requirements should apply to anyone who has a secrecy clearance of any level, including members of Congress and their staff.

If you want more information to assist you in designing a cybersecurity training program for your employees, just click here.
