Reminder: not everything you read on the web is accurate
In a post a few days ago meant to highlight the recent attacks on Google and many other companies as a textbook example of the advanced persistent threat, we cited zero-day exploits in Microsoft and Adobe software programs (in addition to really well-crafted phishing attacks) as evidence of the complexity and sophistication of the attacks. Not 12 hours later we received a very polite (really) email from Adobe pointing out that security vendor iDefense had withdrawn its initial assertion that the attacks used PDF file payloads to exploit vulnerabilities in Adobe Reader, and asking that we edit the post. We did, primarily because the last thing we want to do in this forum is convey inaccurate information, and in this case the source of the information itself provided the retraction. However, in an article on the Google attacks in the January 11 issue of Information Week, writer Kelly Jackson Higgins quotes Mikko Hypponen of F-Secure, who claims that PDF files were sent to phishing attack victims, and that when these attachments were opened they used a zero-day exploit in Adobe Reader to install a Trojan horse on the victims’ computers. F-Secure has also posted copies of subsequent phishing emails that use the attack incident itself as a subject to get recipients to open the malicious PDF attachment (the vulnerability in question has been around for about a month and was patched last week by Adobe).
The original post that referred to sources mentioning Adobe exploits was not meant to criticize the company or its products (many of which we at SecurityArchitecture.com use every day), and the point of this post is not to suggest that Adobe was right or wrong to object to their products being associated with the Chinese attacks (although our post was written several days after Adobe published its security bulletin on the vulnerability). What this situation highlights is that it’s hard to know how to make sense of potentially conflicting information on the Web, even when you leave bloggers and Twitterers out of the mix and look to reputable security vendors and media sources.
Trustworthiness (or more specifically perceived trustworthiness) of information is a constant theme online, whether in the context of social media or electronic equivalents of conventional news media and personal communications. The level of personalization reported with the Chinese attacks is remarkable in this regard. Even with heightened security awareness and sensitivity to phishing, spyware, and malware attack attempts, it’s not hard to imagine how these victims were compromised. These were not the shotgun-approach mass emails purporting to be from eBay or Bank of America; the attackers harvested names, contact information, and email addresses from individuals and organizations with which the victims were already familiar, and crafted fake emails using subjects and content personally relevant to the recipients. How many of us would think twice about opening a PDF attachment (not a .zip or an .exe or a .vbs, mind you) seemingly on a directly relevant topic and apparently coming from a known business or personal associate? Formal models exist to manage information flows between different levels of trust, most notably the Biba integrity model, adaptations of which are used in Microsoft Windows and Google Chrome as well as many other systems. Of course, formal integrity models like Biba basically say you shouldn’t rely on any information where the trustworthiness of those who write the information can’t be confirmed (think Wikipedia). More practically, fundamentals of security awareness tell us not to open files received from unknown or untrusted sources, but as the spear-phishing attacks demonstrate, that’s not always as easy to do as it sounds.
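To make the Biba reference above concrete, here is an added example (not code from the original post, and not any vendor's implementation) that models the two Biba rules, "no read down" and "no write up", over a constructed scenario: a user's document viewer running at medium integrity, an attachment from an unverified sender labelled low, and a document the user actually owns. It also shows the low-water-mark variant, in which a subject that does read lower-integrity data is demoted so it can no longer modify higher-integrity objects. The integrity levels, subject and object names are constructed for illustration; they are not Windows or Chrome identifiers.

```python
from dataclasses import dataclass
from enum import IntEnum


class Integrity(IntEnum):
    """Constructed integrity lattice: higher value = more trusted origin."""
    UNTRUSTED = 0   # e.g. content from an unknown or unverifiable sender
    LOW = 1         # e.g. content fetched from the Internet
    MEDIUM = 2      # e.g. an ordinary interactive user session
    HIGH = 3        # e.g. signed content from a verified publisher


@dataclass
class Obj:
    name: str
    level: Integrity


@dataclass
class Subject:
    name: str
    level: Integrity


def can_read(subject: Subject, obj: Obj) -> bool:
    """Biba simple integrity property: a subject may only read objects at
    its own integrity level or higher ('no read down')."""
    return obj.level >= subject.level


def can_write(subject: Subject, obj: Obj) -> bool:
    """Biba *-integrity property: a subject may only write objects at its
    own integrity level or lower ('no write up')."""
    return subject.level >= obj.level


def read_with_low_water_mark(subject: Subject, obj: Obj) -> Integrity:
    """Low-water-mark variant: the read is allowed, but the subject's
    integrity drops to the minimum of its own level and the object's.
    Returns the subject's level after the read."""
    subject.level = min(subject.level, obj.level)
    return subject.level


def attachment_scenario() -> dict:
    """Constructed scenario: a viewer at MEDIUM, an unverified attachment
    at LOW, and the user's own document at MEDIUM."""
    viewer = Subject("pdf_viewer", Integrity.MEDIUM)
    attachment = Obj("invoice.pdf (unverified sender)", Integrity.LOW)
    my_notes = Obj("my_notes.doc", Integrity.MEDIUM)
    vendor_bulletin = Obj("signed security bulletin", Integrity.HIGH)

    result = {
        # Strict Biba: the attachment is below the viewer, so reading it is denied.
        "strict_read_attachment": can_read(viewer, attachment),
        # A signed bulletin from a verified publisher is above the viewer: allowed.
        "strict_read_bulletin": can_read(viewer, vendor_bulletin),
        # Before touching anything untrusted the viewer may edit the user's notes.
        "write_notes_before": can_write(viewer, my_notes),
    }

    # Low-water-mark: the viewer opens the attachment anyway and is demoted.
    result["level_after_read"] = read_with_low_water_mark(viewer, attachment)
    # Now at LOW, a compromised viewer can no longer modify MEDIUM objects.
    result["write_notes_after"] = can_write(viewer, my_notes)
    return result


if __name__ == "__main__":
    for key, value in attachment_scenario().items():
        print(f"{key}: {value}")
```

The scenario is the defender's reading of the post: strict Biba forbids the medium-integrity viewer from consuming the low-integrity attachment at all, while the low-water-mark variant lets the read happen but then confines whatever the viewer does next to low-integrity objects, so the user's own files are not writable by a process that has ingested untrusted content.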