They’re out there. Be afraid. They could be anywhere, everywhere, anyone. They are shadowy, deadly, mysterious, guided by intellects vast and cool and unsympathetic. Security consultants and antivirus firms whisper legends of them to their clients to scare them straight. They are the Voldemort of online security, except that everyone is all too eager to say their name: the Advanced Persistent Threat. Hide your children! You cannot stop them!
…well, actually you probably could, and pretty easily too, but apparently most folks can’t be bothered.
Vanity Fair just wrote breathlessly about “Operation Shady RAT”, which featured “a species of malware that had never been seen before: a spear-phishing e-mail containing a link to a Web page that, when clicked, automatically loaded a malicious program—a remote-access tool, or rat—onto the victim’s computer.” Military-industrial standard-bearer Northrop Grumman is “constantly under attack by cyber-gangs.” A few months ago security firm RSA’s SecurID systems were the victim of “an advanced persistent threat, a slow and consistent attack used by hackers to obtain specific information.” The Pentagon is alive to the APT threat, and says it is beginning to focus more on deterrence than on defence, because “each year, a volume of intellectual property exceeding the size of the Library of Congress is stolen from U.S. government and private-sector networks.” Why, just this week, San Francisco’s government-owned BART system was hacked by—
…waaaaaait a minute.
One can never be sure, particularly in this arena, but it seems that BART’s police database was hacked by … a teenage French girl, who reported: “They had zero security.” Here’s the link she allegedly used to hack them. Don’t worry, it’s no longer active. Take a good look at that URL. Remind you of anything? It should, if you’re an XKCD reader:
Ah, SQL injection, that old canard. But wait, it gets even worse:
BART's been hacked and it looks like they stored user passwords as plain text. Looks like they missed the class on Security 101 #opBART
Seriously? Seriously? Plaintext? Who runs security for these jokers, Mr. Bean?
OK, so maybe the BART hack was a script kiddie enabled by morons. But what about “Shady RAT”? So glad you asked. Vanity Fair’s clueless hyperbole makes it sound like no one in the history of the Internet had ever sent an email that linked to a page with a browser exploit before. Earth to their editors: you’re about a decade-and-a-half behind the times. The attacker then used steganography to communicate with the compromised machines. Ooo, steganography, scary and hard to pronounce! Sure, that might have been amazingly sophisticated…ten years ago.
The RSA hack worked in exactly the same way: emails to employees with an enticing-looking attachment, plus a zero-day Flash vulnerability. And the tech media went crazy about the deadly APT attack on a security company. Are you kidding me? That’s an example of an “advanced persistent threat”? Adobe products are legendary for their insecurity. If that’s an APT, so was News Corporation’s kindergarten-tech-level hacking of cell phones.
But don’t just take my word for it: “Is the attack described in Operation Shady RAT a truly advanced persistent threat? I would contend that it isn’t, especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case,” says Symantec security researcher Hon Lau. Or as IT World trenchantly put it, re APT attacks in general: “The striking thing is sophistication of the excuses of victims, not the techniques of crackers … Only 3 percent of attacks were considered too slick for the victims to have been able to stop. That leaves 97 percent of data breach victims trying to find something other than themselves to blame.”
There are genuine, sophisticated, brilliant black-hat hackers out there. Some of them work in groups. Some even work for nation-states and militaries, including, very likely, the people who hacked Google eighteen months ago. But most hacks are made possible because the victims allowed them; and we shouldn’t forget that security companies have every incentive to make the dangers seem as deadly and sophisticated as possible.
Organizations everywhere put up full-spectrum firewalls, draft byzantine and Kafkaesque security policies, send delegates to security conferences to talk very seriously in hushed voices about APTs, and make endless pointless and/or disastrously counterproductive demands in the name of security theatre, such as forcing people to use impossible-to-remember passwords, while storing those incomprehensible passwords in plaintext on databases vulnerable to URL SQL injection, as their employees open poisoned attachments sent by strangers. That’s like being so worried about whether an enemy nation-state has fired a cruise missile at your house that you forget you left your car parked overnight with the door open and the keys in the ignition. In Oakland. Worrying about APTs directed by, say, China is very sexy—if blatantly sinophobic—these days, but maybe organizations shouldn’t start worrying about the enmity of the Middle Kingdom until they’ve first established their ability to handle bored teenage French girls with a bone to pick.
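To make the two “Security 101” failures above concrete, here is an added example (not code from the original post, and nothing to do with BART’s actual system) that puts the string-spliced query beside its parameterised form and stores a salted PBKDF2 hash instead of the password itself; the table, user names and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster


def new_db():
    # Constructed in-memory table standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, salt TEXT)")
    return conn


def unsafe_lookup(conn, name):
    # The anti-pattern behind URL-driven SQL injection: the parameter is
    # spliced into the SQL text, so quote characters in it rewrite the query.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, name):
    # Hardened form: the value is bound as a parameter, never parsed as SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def store_password(conn, name, password):
    # Never store the password itself: keep a per-user salted, slow hash.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (name, digest.hex(), salt.hex()))


def verify_password(conn, name, password):
    row = conn.execute("SELECT pw_hash, salt FROM users WHERE name = ?",
                       (name,)).fetchone()
    if row is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(row[1]), ITERATIONS)
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(digest.hex(), row[0])


if __name__ == "__main__":
    db = new_db()
    store_password(db, "alice", "correct horse battery staple")
    store_password(db, "bob", "hunter2")
    probe = "' OR '1'='1"
    print(unsafe_lookup(db, probe))  # every user: the WHERE clause was rewritten
    print(safe_lookup(db, probe))    # []: the probe is just a name nobody has
    print(verify_password(db, "alice", "correct horse battery staple"))
```

Nothing in the hardened half is exotic: parameter binding and a salted slow hash were standard practice long before anyone coined “APT”.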
Image credit: “Public Enemy / Minor Threat”, believekevin, Flickr.