In March and April, small bunches of e-mail messages arrived at the offices of defense agencies and contractors in the U.S. and Europe. To recipients, the messages seemed credible: Each was addressed to a specific worker, with a valid return address within the organization and visual elements that made it look like internal e-mail. Too sparse and sophisticated to trip antispam filters, the messages exploited a previously unknown hole in Microsoft Word that allowed them to slip by antivirus filters. Those recipients who were unlucky enough to open the e-mails' malicious attachments unwittingly installed a Trojan horse, which used the Internet Explorer Web browser to report back, through the network firewall, to machines in China and Taiwan.
Phishing attacks such as this one are nothing new. Online scams that lure online banking and e-commerce customers to phony Web sites and trick them into giving up sensitive account information have been a mainstay of online criminals for years. However, the increase in so-called spear-phishing attacks is new, as is the increasing sophistication of the software they use to penetrate enterprise networks.
In the past year, the number of targeted attacks against companies has increased from one or two a week to one or more a day. Although those numbers might sound laughable compared with e-mail virus and spam campaigns, which can be measured in the millions of messages, spear-phishing attacks are much more dangerous, says Paul Wood, senior analyst at MessageLabs.
"These are not headed to the kind of addresses you harvest from the Internet," Wood says. "These people have massive intelligence on organizations they want to penetrate. The messages are specific to the organizations that they're trying to get something from."
That is usually intellectual property: software source code, design documents, or schematics. In the case of a defense contractor, however, the potential harm from lost intelligence outstrips the usual costs. What's an enterprise to do?
With single-factor user names and passwords fast becoming an IT joke and traditional strong authentication products still expensive to buy and deploy, enterprises are looking for new ways to make authentication smarter, more pervasive, and easier to use.
According to the experts, IT departments everywhere may soon need to deploy protections akin to those now used by finance companies, which have struggled with fraud for centuries (see case study). In response, the once-staid authentication market is rapidly transforming. New startups, new form factors, and an influx of venture capital mean help is on the way. The challenge for enterprise IT is to make it all work before the fraudsters find their way in.
The problem with passwords
As Bob Blakley sees it, it's not that passwords have outlived their usefulness. It's just that they never really worked to begin with.
"The basic problem is that there's a built-in trade-off between the human cognitive capability and password strength," says Blakley, who is chief scientist for security and privacy at IBM. If standard strong-password protocol is to use values with eight or more characters and a mixture of alphabetic and numeric values, users either settle for passwords that aren't secure or choose secure passwords they can't remember.
Sam Tuohey, CTO of Stanford Federal Credit Union, reached the same conclusion in a more empirical audit of password strength for 45,000 customers. Tuohey's team threw standard cracking tools at the list of encrypted passwords and found that approximately 80 percent of the values could be cracked "in about a second," Tuohey says.
For many years, simple passwords were a sufficient deterrent to relatively low levels of hacking and online crime. No longer. What was once acceptable laxness of user access is now an open invitation to sophisticated online criminals, who have quickly discovered how to make short work of passwords with phishing attacks, in combination with malicious code to harvest other sensitive data.
Changes in the threat environment are spurring rapid change in the authentication business, says Chris Young, senior vice president and general manager of consumer solutions at RSA Security.
"You've seen a movement from high-school kids who write viruses to organized criminal rings that are doing phishing and pharming and propagating Trojans that steal information purely for profit," Young says.
Stanford Federal knows that only too well. The credit union is hardly a target like Bank of America or Wells Fargo, but phishers still found it late last year and used a sophisticated and targeted scam to try to compromise customer accounts, Tuohey says.
Taking advantage of the credit union's connection to Stanford University, the phishers harvested thousands of publicly available stanford.edu addresses and sent phishing e-mails to them, spoofed to look as if they came from the credit union. Tuhoey only knows of four customers who responded to the e-mail messages and says he doesn't believe that any accounts were actually compromised in the scam. But the incident was a wake-up call.
Factors against fraud
Strong authentication using additional factors such as smart cards, one-time password generators, and USB tokens has been the traditional weapon of choice for organizations worried about fraud, and it's still a popular choice for many organizations. RSA claims to have 20,000 customers worldwide using its SecurID token. But strong authentication has always been pricey to deploy and maintain, and many users find them inconvenient, especially in the U.S.
That was the conclusion that Stanford Federal Credit Union reached, as well. "Sending out 45,000 tokens, then supporting them when people broke or lost them, would have been prohibitive," Tuohey says.
Stanford Federal Credit Union does use smart cards for employees who travel and work from home, but traditional smart cards wouldn't have been practical for customers who don't own readers to insert them into, Tuohey says. The credit union's solution was to turn to a friendlier form of two-factor authentication, including antifraud and Web site authentication technology from PassMark Security (now part of RSA).