It appears that the attackers used "spear-phishing" tactics: they targeted specific government officials, tricked them into giving away sensitive information, and got them to open documents carrying malware.
In a few sentences, spear-phishing works a bit like this:
- Hacker Zhang sends an email to Industry Canada clerk Bob.
- The email appears to come from Bob's colleague Rita working at the "Gov of Canada's Central File Repository" administration. It warns Bob that his password has been compromised and needs to be reset. It provides him with a link.
- Bob clicks on the link and resets his password.
- The link actually points to a website hosted in Indonesia that looks like an official government site but isn't; its "reset" form simply records whatever Bob types.
- Hacker Zhang now has the password and does what he wants with it.
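To make the scenario concrete, here is a small triage script (an added example, not part of the original post) that parses a constructed copy of the kind of message Bob received and lists the indicators a mail gateway, or a trained reader, should catch: a sender domain outside the organisation, a Reply-To that differs from the From address, a link whose visible text shows one host while its target is another, and a "reset" link served over plain HTTP. The names, domains, sample messages and the `TRUSTED_DOMAINS` allowlist are all assumptions made for the example.

```python
"""Triage checks for a spoofed password-reset email.

Added example, not from the original post. Both messages below are
constructed for illustration; the people, the domains (canada.gc.ca,
the look-alike .id host) and the allowlist are assumptions.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organisation treats as its own, for senders and links (assumed).
TRUSTED_DOMAINS = {"canada.gc.ca", "ic.gc.ca"}

# Constructed phish: claims to be Rita, links to a look-alike host.
RAW_PHISH = """\
From: "Rita Tremblay (Central File Repository)" <rita.tremblay@canada-gc-ca.example.id>
Reply-To: helpdesk@mail-recovery.example.id
To: bob@ic.gc.ca
Subject: Your password has been compromised - reset required
Content-Type: text/html; charset="utf-8"

<p>Bob, your account password was compromised. Reset it within 24 hours:</p>
<a href="http://canada-gc-ca.example.id/reset">https://canada.gc.ca/reset</a>
"""

# Constructed legitimate message for comparison: nothing should be flagged.
RAW_LEGIT = """\
From: "Rita Tremblay" <rita.tremblay@canada.gc.ca>
To: bob@ic.gc.ca
Subject: File repository maintenance
Content-Type: text/html; charset="utf-8"

<p>Bob, the repository is offline Friday. Details:</p>
<a href="https://intranet.canada.gc.ca/maintenance">https://intranet.canada.gc.ca/maintenance</a>
"""


def _host_in_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw):
    """Return a list of human-readable indicators found in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender address: the display name is free text, only the domain counts.
    _display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(from_addr)
    if from_domain and not _host_in_trusted(from_domain):
        findings.append(f"sender domain {from_domain} is not a trusted domain")

    # 2. Reply-To pointing somewhere other than the claimed sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain_of(reply_addr) != from_domain:
        findings.append("Reply-To domain differs from From domain")

    # 3. Every link in the body: where it really goes vs. what it shows.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        target = urlparse(href)
        href_host = target.hostname or ""
        if not _host_in_trusted(href_host):
            findings.append(f"link points to untrusted host {href_host}")
        text_host = urlparse(text.strip()).hostname
        if text_host and text_host.lower() != href_host.lower():
            findings.append(f"link text shows {text_host} but target is {href_host}")
        if target.scheme == "http":
            findings.append(f"reset link to {href_host} is not HTTPS")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", RAW_PHISH), ("legit", RAW_LEGIT)):
        print(label, phishing_indicators(raw))
```

The checks are deliberately cheap and header-only; they catch the crude case described here, where the attacker registers a look-alike domain. They do nothing against a message sent from a genuinely compromised colleague's mailbox, which is exactly why the signing recommendation further down matters.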
How could this have been prevented?
Well, let's first start by identifying the security holes that allowed this to happen:
- Government officials exchange emails that are neither signed nor encrypted, so nothing stops an attacker from sending a message that "appears" to come from a legitimate contact.
- The government email system has weak attachment-filtering (virus-cleansing) strategies.
- Government officials with access to sensitive system credentials have little IT security training.
Every government agency should digitally sign its emails (and encrypt the sensitive ones), for example with OpenPGP, so that the recipient can verify that the sender is actually who he or she claims to be, and so that no middle-man can read sensitive data. A signature only helps, of course, if recipients are taught to notice when one is missing or invalid. See this for more information: http://www.openpgp.org/
This is nothing new; it could have been implemented years ago.
Better Virus Cleansing Strategies:
Allow only the exchange of safe file formats by email. No .doc, .pdf, .exe, .zip, etc. The email servers should strip or quarantine every potentially dangerous attachment, and since renaming malware.exe to malware.txt is trivial, the filter has to look at the content of the file rather than its extension. Government agencies should exchange "safe" formats such as reStructuredText or plain .txt. It won't be as pretty as .doc or .pdf, but it prevents an infection from a booby-trapped file attached to a spoofed email.
Also, perhaps email simply should not be used as a file-exchange medium at all. Email's original purpose was to exchange messages, not MP3s, videos or PDFs; other technologies are far better at file exchange.
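The content-based filter described above, as an added example that is not part of the original post: it walks every attachment of a constructed message, identifies the real format from the file's leading bytes (OLE2 Office documents, PDF, Windows executables, ZIP archives), and quarantines anything that is not plain text, regardless of what the filename says. The blocked-format table, the policy, and the sample message with its renamed executable are assumptions made for the example.

```python
"""Attachment filter that judges files by content, not by name.

Added example, not from the original post. The signature table, the
"plain text only" policy and the constructed sample message are assumptions.
"""
import email
from email import policy
from email.message import EmailMessage

# Leading bytes of the formats the post wants kept out of email (assumed policy).
BLOCKED_SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound document (.doc/.xls/.ppt)",
    b"%PDF-": "PDF",
    b"MZ": "Windows executable",
    b"PK\x03\x04": "ZIP archive (also .docx/.xlsx/.jar)",
}


def classify(data):
    """Return a blocked-format label for a byte string, or None if it is
    acceptable plain text (valid UTF-8 with no NUL bytes)."""
    for magic, label in BLOCKED_SIGNATURES.items():
        if data.startswith(magic):
            return label
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "non-text binary"
    if b"\x00" in data:
        return "non-text binary"
    return None


def filter_message(raw):
    """Inspect every attachment of a raw RFC 5322 message.

    Returns (kept, quarantined), each a list of (filename, verdict)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    kept, quarantined = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        verdict = classify(part.get_payload(decode=True) or b"")
        if verdict:
            quarantined.append((name, verdict))
        else:
            kept.append((name, "text"))
    return kept, quarantined


def build_sample():
    """Constructed message: a renamed executable, a real .doc and a harmless .txt."""
    msg = EmailMessage()
    msg["From"] = "rita.tremblay@canada.gc.ca"
    msg["To"] = "bob@ic.gc.ca"
    msg["Subject"] = "Files you asked for"
    msg.set_content("See attached.")
    # Extension and MIME type both say text; the bytes are a PE header.
    # An extension-based filter lets this through, the content check does not.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="text", subtype="plain", filename="notes.txt")
    msg.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
                       maintype="application", subtype="msword", filename="briefing.doc")
    msg.add_attachment("Plain status update, nothing executable.\n", filename="status.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    kept, quarantined = filter_message(build_sample())
    print("kept:", kept)
    print("quarantined:", quarantined)
```

Two-byte signatures such as `MZ` will occasionally match an innocent text file that happens to start with those letters; in a real gateway that is the acceptable direction of error, since a quarantined memo costs a phone call and a delivered executable costs a breach.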
IT Training:
This is perhaps the most important point of all! Regardless of how high-ranking a government official may be, he or she can be the victim of a phishing or impersonation attempt. Classes on information security should be mandatory for ALL government officials who have access, or CAN get access (through a colleague), to credentials that unlock sensitive data.
There are simple things that everyone should know about information security.
A few examples:
- How to store passwords (or should you store passwords at all?)
- What is phishing?
- What is social engineering?
- Is email a safe medium for communication?
- How should files be sent?
- What can I install on my computer?
- ... and so on.
Why wasn't the government ready to prevent such simple cyber-attacks? How can the Harper government have billions of dollars to spend on brand-new planes while its network security infrastructure is failing in every way and needs major restructuring?
Why do I know this, while the millions of dollars spent every year on consultation fees couldn't prepare them for such an attack?
How are we now supposed to trust our own government to keep our data safe when the network security standards it actually has in place are practically non-existent?
Just my two cents.
-
Benoit