Q&A: David Jevans on phishing attacks
Recent phishing attacks against high profile targets--such as White House officials and the International Monetary Fund--have put this particular cyber attack back in the public consciousness. FierceGovernmentIT recently caught up with David Jevans, founder and chairman of the Anti-Phishing Working Group for an update and his thoughts on security measures federal agencies can take against phishing attacks. Among his advice: No social media, at least not on a computer that isn't logically partitioned into personal- and work-use domains. Jevans is also chairman and founder of IronKey, a Sunnyvale, Calif.-based computer security company.
FGIT: We've seen a lot in the news lately on phishing attacks--is this indicative of an increase in phishing, or just of an increase in openness about phishing attacks?
Jevans: It is a little bit of both. What it is showing is a marked increase in spear-phishing. Traditional phishing used to be, back when we started tracking it in 2003, emails to 100 million people with the hope that 20 million of them had Citibank accounts and that 1 percent of those would fall for the thing.
We could track it and we could do historical analysis and we could see which companies and agencies were getting spoofed. But now, what we've seen is very much targeted. It's also about targeting, it's all about very sophisticated long-term attacks. They're profiling employees inside of government agencies and they're doing that through, for example, LinkedIn, Facebook, other kinds of ways.
The whole point is typically to get malicious software into the agency, so they can control a computer. Once they have control of someone's computer, then they can start jumping around inside and try to find databases. What it's showing here is a way big increase in spear-phishing.
In fact, one of the more concerning things is that it's showing the collaboration between the phishers, the malware writers, potential hostile nation-states. If you look at the IMF thing, it's a targeted spear-phishing with a customized payload of malware targeted basically at that institution to get around anti-virus, because it's brand new and nobody's ever seen it before. That's the type of thing we're seeing.
FGIT: Who's the they behind the attacks?
Jevans: There are really three, if you will, theys. Three groups, three types of activities and communities that are contributing to this major rise in sophisticated attacks.
One is the traditional financial crime groups--Eastern European but now we're seeing it coming out of China, as well. More and more people are getting into this game, the malware they're writing is more and more sophisticated, they're targeting government agencies, they're targeting small and medium businesses, trying to infect those computers. They can move hundreds of thousands or millions of dollars out of bank accounts at a time.
The second aspect appears to be the involvement of nation-states that are trying to get, for example, government secrets, defense contractor secrets, perhaps influence economic issues--through, for example, getting into the IMF and getting information from them.
Some of that is, candidly, driven by the politicization and militarization of the discussion in the past 2 years. In the U.S., we've started to use the term "cyber war," and we've had government agencies, including DHS, NSA and the Air Force all vying for funding to run cyber warfare, or cyber defense activities.
The problem is that if you start saying that stuff, then other countries say, "Well, the U.S. has a cyber war thing, we'd better have one too." You create a self-fulfilling prophecy. That's the second thing that's been contributing to the rise.
The third they is the activism community, the hacker-activists. The hacktivism community is growing and is going to continue to grow and continue to get more radicalized. There will be far more splinter groups.
The famous one we all know of is the Anonymous group. Some of the original attacks were against the Church of Scientology some years ago, and it has grown and splintered, and now we've seen political things going on against companies. For example, Sony was prosecuting somebody who had been hacking PlayStation 3 machines--these guys took it as "We should be able to hack whatever we want" and so they attacked Sony and publicized 70 million people's information.
That same group is becoming more and more politicized, and so they've been threatening to attack NATO. They put something on Facebook last week, saying "We want Bernanke out of the Federal Reserve," we're going to attack the Fed. Every time there's an attack and every time they do a p.r. statement, they get more people involved.
And then you've got now the splinter groups like LulzSec, that are attacking companies and agencies basically very single day - breaking into the Senate website, the CIA front-facing website. They're out there saying "Hey, you called it cyber war, what do you think about it?" We've got all of these different things starting to happen and everyday it's getting more and more intense.
FGIT: It used to be that people could say don't click on skeezy-looking emails, but with personalization, that's much harder advice to give. What do you do?
Jevans: The new advice needs to be a couple of things. One is personal computers and work computers need to be different. If they're not different, then you need to use virtualization to make them virtually different. Because personal types of things--responding to social networking, reading email--those are all ways in which you can get infected and targeted.
Keeping work systems separate form personal systems--personally restricting personal use on work systems if they're not separated is another piece of advice.
FGIT: I can find .gov email addresses online almost as easily as I can find .com email addresses. Wouldn't that suggest that keeping the two systems won't necessarily protect you?
Jevans: It won't necessarily protect you, but it goes a long way. What we find is that a lot of these infections are coming more and more through social networking. The use of social networking on government computers that can access sensitive systems should be limited to basically zero.
FGIT: No Facebook on a government computer.
Jevans: On a government computer that can access a sensitive system, yes. If it's a secretary on a properly protected computer, maybe. But any IT administration inside of the government, anybody that's got access to sensitive information, absolutely, that should not be done on government computers, unless you use a virtualized environment where you can have a personal world and a work world and they're separated.
The NSA has got some proposals out for that.
FGIT: Federal CIOs tell their employees "No Facebooking or social media while at work" and they get resistance and derision.
Jevans: Yeah. They need to understand why they're saying it. I understand CIOs will get derision--"You don't get it, this is how we communicate"--and that's really great, but the bad guys know that. And they use that as a targeting and infection vector. They use it as a social engineering tool. I know here you work, where you used to work, and I can find five other people that you're linked to who work in different agencies, I can now attack you.
Agencies should assume that employees are infected. Assume that you have infected computers, because I guarantee that you do, and there's no way to 100 percent stop it. Now what we need to be doing is filtering and tracking the outbound traffic. The problem these days isn't necessarily stopping bad guys from getting into the network--there are pretty good products that do that. It's really--assume an employee got infected, somehow. Through Facebook, through spear-phishing, through something. Now we have to start tracking the data that's leaving our network.
For example, if there's traffic going to Russia, that might be a signal that something bad is happening inside of your network.
FGIT: At what point does network monitoring, whether in or out, bump up into privacy concerns?
Jevans: It's going to bump up into privacy concerns, but at the end of the day, inside of the United States--certainly in both companies and in government agencies--if you're using equipment that is owned by the company or the agency, effectively you don't have a realistic expectation of privacy.
FGIT: What about teleworkers? If they're located in their homes, how much monitoring is acceptable?
Jevans: When you're doing telework form home and you're coming into government agency systems, when you're running applications, those session need to be virtualized. All traffic that goes through there is just as if you're at the office. You can have your own personal web browsing and other traffic on the computer, that's fine, but in a virtual machine, that's where you do your work, that's where your data is saved. Anything you do in that virtual machine is subject to all the same restrictions you have at work. All data would be tunneled back to the office and go through all the same scrubbing and filtering.
It's not unreasonable; rather, I think it's necessary and it's the way people have started to move forward.
FGIT: Is a logical partition enough to guarantee that there won't be crossover?
Jevans: Nothing is 100 percent. But, it's 100 times better than any other option people have today, which is to use the same browser to go visit Facebook and use the same thing to login to the VPN at work.
Federal government has dot-secure Internet domain under consideration
Mahnken: Cyber warfare favors the strong
Online 'personas' at heart of privacy protection in identity ecosystem, says U.K. think tank