February 13, 2009: The U.S. Department of Defense is trying new ways to motivate their millions of computer users to resist "social engineering" attacks, where, instead of sneaky computer code, a clever bit of malarkey separates the victims from the data they are supposed to be protecting. The deceptive pitch is usually delivered via an email or popup on your screen. Once you reply (by clicking on the popup message or opening a file attached to the email) a hacker program begins grabbing information off your PC, or even secretly taking control of it. This shows how vulnerable organizations are to losing valuable information via nothing more than an email message or a mouse click.
The new motivation takes the form of announcing that there will be a test attack in, say, the next two weeks. Anyone who takes the bait will be notified, and perhaps required to undergo additional training. This sort of security testing is in addition to the long used "Tiger Team" approach. Tiger Teams use experienced good guy ("white hat") hackers working for a security testing firm, and using the same tools as the bad guy ("black hat") hackers use, to attack the target system and see just how vulnerable it is.
There are many other ways to gain access to corporate, or military networks, with similar social engineering techniques. For example, just leaving some thumb (flash memory) drives around for your target population to pick up, will see many of the marks plugging the drive into a USB port, where your special software will inflect that system with whatever sneaky software you wanted to get in there. All the mark will see are some innocent files. The Department of Defense has recently handled this threat by forbidding anyone from using a thumb drive on a military PC. The military networks are equipped with software that detects a thumb drive, refuses to connect with it, and alerts the security people. This protection is not perfect, but it's a big improvement.
But it gets worse. A pretty girl just coming up to a guy and asking for his password, works more frequently than you imagine. Mostly you have to worry about less personal, or in-your-face techniques. Carefully prepared emails (with virus attached) and addressed, by name, to the recipient, would have fooled many recipients, because they were personalized, and this helped prevent network defenses from detecting the true nature of these messages. These targeted emails from hackers were very successful. If the recipient tried to open the attached file, their computer who have hacking software secretly installed. This software would basically give the hacker control of that PC, making it possible to monitor what the user does on the computer, and have access to whatever is on that machine.
While many recipients sense that the "spear fishing" (or "phishing") attack is just that, some don't, and it only takes a few compromised PCs to give someone access to a lot of secret information. This would be the case even if it is home PCs that are being infected. American legislators have discovered office and personal PCs of themselves and their staffers infected.
But many other attacks are only discovered when they are over, or nearly so. The attackers are very well prepared, and usually first make probes and trial run attacks on target systems. When the attackers come in force, they don't want to be interrupted. And usually they aren't. Most government sponsored attackers use techniques similar to those employed by criminal gangs trying to get into banks, brokerages and big businesses in general. Thus it is believed that Chinese hackers try, as much as possible, to appear like just another gang of cyber criminals. But the Chinese have certain traits that appear more military than gangster.
