Spoofed White House Card Dupes Many Gov't Employees, Steals Data
tsu doh nimh writes "A run-of-the-mill malware-laced e-mail that spoofed seasons greetings from The White House siphoned gigabytes of sensitive documents from dozens of victims over the holidays, including a number of government employees and contractors who work on cybersecurity matters, writes krebsonsecurity.com. The story looks at several victims who fell for the attack, and suggests it may be related to a series of similar document-harvesting runs throughout 2010. Government security vendor NetWitness notes that these types of incidents are blurring the lines between online financial fraud and espionage attacks."
Honourable employees of venerable government of USA. Please click on link to receive free gift from People's Republic of... ummm... errr... Canada!
The governmint can't keep track of used hard drives, so this is not a big threat in real terms. When they can tell the US citizens where all the data for nukes and secrets is on their hard drives I'll care more about malware in emails.
"malware-laced e-mail"
"contractors who work on cybersecurity "
I guess everyone falls for a good old spoof. Not just 70 year old grandmas like it was suggested in the last article on spoofing.
The people entrusted with these sensitive documents are not trained to check for digital signatures on emails that come from "the white house?" Do these people even bother to sign their messages?
Palm trees and 8
Same shit, different day. We're used to being screwed by the Obama Whitehouse.
And the Bush II Whitehouse.
And the Clinton Whitehouse.
And...
Really silly q, but why do the scripts seem to be just so Windows based/Windows friendly?
Is it so hard to get Mac OS X, Linux or other OS's to run something perl like via a click click of something cute in a email?
Could anyone make something stacked/packed to be Win7/OS X/Linux aware?
Domestic spying is now "Benign Information Gathering"
New Rule: NEVER open an attachment.
OR - Never open an attachment to an email (or any file sent to you) unless you know who sent it to you, and you have confirmed that they did send it to you, and they did send it at a certain time and date with the same file name.
This should be mandatory for all employees who do not understand the danger of phishing, trojans or malware attacks.
He who knows best knows how little he knows. - Thomas Jefferson
I'm still amazed that you can just suck sensitive documents off people's computers. Wouldn't these be encrypted? Or at least require a certain key to open?
People put so much research into making your music/software only run on one computer (DRM) - and yet they can't extend it to only allow the opening of sensitive documents on certain computers? These aren't pictures of your last holiday in Greece...
just by giving up their windows obsession and using Linux instead.
Windows, Linux, or Mac? What platform was affected? Why don't they EVER tell us? *sigh*
Ok I was among those that received this spoofed WH holiday e-card and let me tell you, it was an AWFUL spoof attempt. I can't/won't go into the specifics, but it was terrible and anyone who fell for it should be smacked silly.
It's not so much the crime than the type of victims:
- An employee at the National Science Foundation’s Office of Cyber Infrastructure.
- An intelligence analyst in Massachusetts State Police
- An unidentified employee at the Financial Action Task Force, [in a government body whose purpose is to fight] money laundering and terrorist financing.
- An official with the Moroccan government’s Ministry of Industry, Commerce and New Technologies.
Me, I'm an idiot with no influence, but the people who set policies and can put people in jail should know better.
I'm sure you think you're being clever but there is/was a point to holding the lid on technology in the White House.
You may or may not recall how the Clinton staffers all made fun of the Bush 1 White House upon learning they didn't use email and had "old fashioned" phones.
Guess what? The Bush 1 administration had a good handle on leaks because they didn't rush to embrace the latest and greatest unlike just about everyone now.
This type of activity is illegal in Belarus too. The streets there do have names and houses are numbered. True, it is not in English.
Still, if it was some kid, a call from Interpol to the Belarus police, and the employees probably could have their files back. Sometimes learning foreign languages at school can be very useful.
New Rule:
Don't run an insecure operating system. One thing people forget about government employees is that they can be given fucking orders to change, and they don't have to fucking like it. You can literally tell people to "do it and shut up".
For example, when the USAF went from green screen Unix terminals to Windows, snivelling wasn't an option. Obey orders or be punished.
If security is ever taken seriously, issue orders to change, fry those who refuse, end of story.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
To be fair, though, there is at least one government agency that uses the latest and greatest (or so we think) and that has remained secure:
http://en.wikipedia.org/wiki/National_Security_Agency
mentality of the average government drone.
That GOV documents like ehm ... cables can LEAK out without the intervention of an insider? ... indeed.
Interesting
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
The real tip-off that this wasn't real is that it was a CHRISTMAS card from the white-house; Kwanzaa would have been more believable.
(For future reference, just get it over with and call the guy a nigger; it's immediately obvious that that's how you feel, so you don't need to dance around that shit.)
"malware-laced e-mail"
Ok... isn't this a tautology?
"contractors who work on cybersecurity "
and isn't this an oxymoron?
Signed "anxious to learn"
Funny how the "professionals" are totally clueless where they think that even in this day and age of "understanding" (hello to you, navy guy who just wanted to make some people laugh) that they can trust emails, even on Xmas day.
This time, this one time, I'm rooting for the bad guys.
Yes, the NSA got it right from day one via COMINT only (above top secret): slap on e.g. Trine, Dinar, Vipar, Froth designations. Then make sure only Gout-cleared people can read Gout messages. Unless oathed, briefed, certified, you don't get in.
Now we have Windows and any modem using UFO hunter can have a go.
To be fair, though, there is at least one government agency that uses the latest and greatest (or so we think) and that has remained secure:
I don't think so! :)
http://it.slashdot.org/article.pl?sid=10/12/17/1540256
Rule 0: don't allow stupid people near important data.
Block their credit cards too!
Well, the relevant quote is "There's no such thing as 'secure' any more", which isn't quite the same as the NSA saying "we are not secure but we believe X's network is."
A run-of-the-mill malware-laced e-mail that spoofed seasons greetings from The White House siphoned gigabytes of sensitive documents ... espionage attacks.
Looking for the upside here: It is nice to have a solid case of espionage as an example against which to compare and contrast WikiLeaks.
Hypothesis: When a person or organization uses deception or other coercion to manipulate a person with clearance into exposing sensitive information, that is espionage. Whether WikiLeaks engaged in espionage is a question of whether WikiLeaks engaged in such deception or other coercion.
Is that a valid principle?
Stop-Prism.org: Opt Out of Surveillance
The date may have changed, but the facts have not. As inconvenient as it is for you to understand, your black messiah is a fraud.
Check out this Screensaver from the upcoming Star Wars MMO!
Binks.jar.jar
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
You can't get your plausible deniability if you pick someone good!
They should be charged with sexual crimes and placed under house arrest forthwith...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
What privileged operation is required to access resources that are readily available to the user context? None that I can think of. You can read files and connect to the network without root/administrator. This can only be solved with a combination of policy and user education. AV and attachment filtering would be a start. As this was a targeted attack I don't think that security by obscurity would necessarily work (i.e. running a different OS)
But that would be the end of the government as we know it :(
Wait, I've got an even better idea, Einstein! How about cryptographically signing your damn messages and only opening attachments from legit senders?
Don't you have a street corner to go stand on?
If the criminal police in the U.S. and those in Belarus had a good working relationship, presumably they would just cooperate to exploit their governmental authority to accomplish even more crime.
Space game using normal deck of cards: http://BattleCards.org
What ever you do, don't mention Windows or Redmond :)
You make that sound as if it's a bad thing.
Ironic, because President Clinton himself only ever sent two emails.
Gamingmuseum.com: Give your 3D accelerator a rest.
If a government employee works with sensitive data and has his computer infected with malware due to his own mistake (esp. the types in cybersecurity), he should be fired and so should the networking guy who should have offloaded the sensitive data to a computer not connected to the Internet. This is what I consider unforgivable incompetence.
I just love our government.
So how long until they try to blame this on Wikileaks or Assange?
new rule: don't allow attachments, ever.
The Kruger Dunning explains most post on
Bush one didn't have the scope of attack, and in meat space, they did NOT have a handle on leaks.
You are correct in that government agency should move forward cautiously and wisely. However when they do that the citizens laugh at the 'old' systems.
Apologists like you are why we have lousy computer security as a nation.
You blame the users, elsewhere people blame the sysadmins for not locking down the systems. Which is it? Neither, because the root problem is that Windows is designed to be used in a non-locked down mode.
How many people actually run Windows as non-admin users? It's a pain. Why is it that sysadmins don't lock down Windows machines? If this were not the norm, one could blame a few sysadmins for not doing their job properly, but it reflects how most Windows systems are used. Why is this? The answer lies in how people expect to run Windows -- from developers through to users -- they all expect the systems to be open.
So, while in theory Windows systems should be locked down, and users should not click on such things, in practice they are not locked down and people click on dangerous links because that is the way Windows is designed.
Car analogy: if a car manufacturer built cars with ineffective brakes, would you blame drivers for not braking early enough?
Where Windows is today is that the driver can make an adjustment that would make the brakes work properly, but if that were done, the car would be limited to 50mph. No-one chooses that option.
The real "Libtards" are the Libertarians!
Rule 0: don't allow stupid people near important data.
Rule -1: Don't allow stupid people.
If I have nothing to hide, you have no reason to search me
I'd love to see a salary list of all the morons that fell for this. I'm sure most make pretty solid money, yet are too stupid or gullible to see these obvious scams for what they are. Fucking pathetic. God bless america!
Without something decent to instantly take over and maintain our lives, yes, it would be a very bad thing indeed.
There never WAS any such thing as 'secure' and probably never will be! Hmmm... Folderol's first theorem :)
"A system's security is inversely proportional to the value of the material being protected."
Your username/post combo makes you sound like an anarchist :P
"When information is power, privacy is freedom" - Jah-Wren Ryel
Running a different, more secure OS isn't security by obscurity (especially when going from closed source to open source). It's just better security.
They know how to use email, that's how they send emails around saying Obama is a Muslim who isn't actually an American citizen and that net neutrality means bringing back the fairness doctrine.
Or should it be .su, like it was back when the original ASCII IBM Christmas Tree hack came out?
In Soviet Russia, Wiki Leaks You!
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
...to also start monitoring government employees and contractors for suspicious levels of happiness, a love of cute furry pets and high levels of Christmas card appreciation:
http://www.msnbc.msn.com/id/40916433/ns/us_news-wikileaks_in_security/
(Jacob J. Lew, director of the White House Office of Management and Budget, suggests that agencies use psychiatrists and sociologists to measure the “relative happiness” of workers or their “despondence and grumpiness” as a way to assess their trustworthiness.")
The surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.
Let me tell you how this would work in neighboring Ukraine. I'd bet it's the same in Russia and Belarus.
Assuming you can get someone like Interpol to contact the local police, then you'll have a rather corrupt and slothful police organization to deal with. I can assure you that they do not care one whit about an American security problem, as they view all people in NATO countries as rich people who deserve it when bad things happen to them. If you can get the police to actually try to contact someone, the only reason they'll go at all is to tell the crooks that if they were to pay a "fine" directly to the police, the police can forget all about the case. Or if the US government somehow makes enough of a stink that it actually has to be prosecuted, the judge can always be bought off. And keep in mind that this is in Ukraine, where in general the population actually likes the USA, as does the government. The US government is not liked in Belarus.
** THE LINKS ARE STILL SERVING THE MALWARE AND HAVE BEEN REMOVED**
From: Megan Cote, megan.cote at whitehouse.gov
Subject: Re: Merry Christmas!
Date: 2010-12-23 15:10:55 GMT
As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our
greetings. Be sure that we're profoundly grateful for your dedication to duty and wish you inspiration
and success in fulfillment of our core mission.
Greeting card:
** Removed **
** Removed **
Merry Christmas!
___________________________________________
Executive Office of the President of the United States
The White House
1600 Pennsylvania Avenue NW
Washington, DC 20500
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
They know how to use email, ...
Hardly surprising, given that the Tea Party was organized on the Internet in the first place. Its existence was dependent on having a broadly-deployed communication medium that was usable by the common citizens and wasn't subjected to government or mainstream media censorship.
It's the first major US example of the Internet enabling an anti-establishment rebel/liberation movement. (Remember how much talk there used to be about how free network media would enable those? B-) )
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Still if it was some kid, a call from the Interpol to Belarus police, and the employees probably could have they files back.
I think the point was that copies of files were sent to the server, not that the files were sent there and deleted on the original machine.
So it's not that they're missing, just that somebody has access to sensitive information that he shouldn't be able to look at.
This incident underscores how little influence the NSA really has when it comes up against lobbyists and morally-corrupt senators trying to ingratiate themselves to the same lobbyists. It is shameful that this country has a group that is very, very good at analyzing security issues yet it isn't allowed force use of a secure operating system within the government.
But you've ignored my main point which is that no alternative OS protects from this scenario (without using some unmanageable SELinux configuration that you will switch off): User gets program as attachment, authorises the running of said program and program accesses everything user normally accesses. Therefore no privilege escalation. It is not 'more secure' in this scenario.
In Linux, you can use AppArmor which is not a PITA, or you can mount /home as noexec, leaving the user with no way to execute unauthorized code.
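The comment above suggests mounting /home with noexec so a user cannot run an attachment they saved. The script below is an added example, not code from the thread or from any project it mentions: it parses a mount table in the /proc/mounts format and reports whether a given mount point carries noexec, then audits a list of user-writable mount points for ones that still allow execution. The mount table is a constructed sample so the script runs offline; the function names and the "noexec / exec-allowed / not-mounted" labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a mount point such as /home
# carries the noexec option, parsing the /proc/mounts line format
#   <device> <mountpoint> <fstype> <options> <dump> <pass>
# SAMPLE_MOUNTS is a constructed table so the script runs offline; on a live
# system feed the real one:  check_exec_policy "$(cat /proc/mounts)" /home

SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /data xfs rw,relatime 0 0'

# mount_has_opt MOUNTPOINT OPTION   (mount table on stdin)
# exit 0: option present, 1: mount point listed without it, 2: not mounted.
# The last matching line wins, because a later (re)mount shadows an earlier one.
mount_has_opt() {
    awk -v mp="$1" -v want="$2" '
        BEGIN { rc = 2 }
        $2 == mp {
            rc = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == want) rc = 0
        }
        END { exit rc }'
}

# check_exec_policy TABLE MOUNTPOINT -> prints noexec | exec-allowed | not-mounted
check_exec_policy() {
    rc=0
    printf '%s\n' "$1" | mount_has_opt "$2" noexec || rc=$?
    case "$rc" in
        0) echo noexec ;;
        1) echo exec-allowed ;;
        *) echo not-mounted ;;
    esac
}

# audit_writable_mounts TABLE MOUNTPOINT... -> prints each mount point that is
# listed in TABLE but still allows execution (unmounted paths are not reported)
audit_writable_mounts() {
    table=$1
    shift
    for mp in "$@"; do
        [ "$(check_exec_policy "$table" "$mp")" = exec-allowed ] && echo "$mp"
    done
    return 0
}

check_exec_policy "$SAMPLE_MOUNTS" /home                # noexec
check_exec_policy "$SAMPLE_MOUNTS" /tmp                 # exec-allowed
audit_writable_mounts "$SAMPLE_MOUNTS" /home /tmp /data # /tmp and /data
```

Two caveats when relying on this control: noexec stops direct execution of binaries and `#!` scripts stored on that filesystem, but a file handed explicitly to an interpreter (`sh ./file`, `perl ./file`) still runs, and /tmp or any other user-writable mount needs the same treatment, which is why the audit takes a list. It therefore complements, rather than replaces, the AppArmor and application-whitelisting approaches the thread mentions.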
I'm an anarcho-syndicalist.
Both of these suggestions are cool. You could also use AppLocker on Windows to do application whitelisting.