In March and April, small bunches of e-mail messages arrived at the offices of defense agencies and contractors in the U.S. and Europe. To recipients, the messages seemed credible: Each was addressed to a specific worker, with a valid return address within the organization and visual elements that made it look like internal e-mail. Too sparse and sophisticated to trip anti-spam filters, the messages exploited a previously unknown hole in Microsoft Word that allowed them to slip by anti-virus filters. Those recipients who were unlucky enough to open the e-mails’ malicious attachments unwittingly installed a Trojan horse, which used the Internet Explorer Web browser to report back, through the network firewall, to machines in China and Taiwan.
Phishing attacks such as this one are nothing new. Online scams that lure online banking and e-commerce customers to phony Web sites and trick them into giving up sensitive account information have been a mainstay of online criminals for years. However, the increase in so-called spear-phishing attacks is new, as is the increasing sophistication of the software they use to penetrate enterprise networks.
In the past year, the number of targeted attacks against companies has increased from one or two a week to one or more a day. Although those numbers might sound laughable compared with e-mail virus and spam campaigns, which can be measured in the millions of messages, spear-phishing attacks are much more dangerous, says Paul Wood, senior analyst at MessageLabs.
“These are not headed to the kind of addresses you harvest from the Internet,” Wood says. “These people have massive intelligence on organizations they want to penetrate. … The messages are specific to the organizations that they’re trying to get something from.”
That is usually intellectual property: software source code, design documents, or schematics. In the case of a defense contractor, however, the potential harm from lost intelligence outstrips the usual costs. What’s an enterprise to do?
With single-factor user names and passwords fast becoming an IT joke and traditional strong authentication products still expensive to buy and deploy, enterprises are looking for new ways to make authentication smarter, more pervasive, and easier to use.
The problem with passwords
As Bob Blakley sees it, it’s not that passwords have outlived their usefulness. It’s just that they never really worked to begin with.