If you'd never heard the phrase 'advanced persistent threat' before, you may have gotten an ear full of it the past week in a collection of news stories that used the APT term to describe a variety of network security problems that are causing big problems.
"APT is originally from the Air Force," says Ryan Kalember, director of product marketing for HP ArcSight, during our discussion of Ponemon Institute's annual study on cybercrime. The term arose as Air Force shorthand to describe endless, unremitting network attacks coming from mainland China — the People's Republic of China (PRC). "It's a running joke in the industry that APT is short for PRC," he adds.
But the phrase APT has evolved into something broader. It suggests the effort not just by nation-states, but also industrial competitors, along with any hired-hand assistance, to infiltrate the networks of targets to steal important and sensitive information, such as intellectual property.
And in the news last week, McAfee, based on finding a server on the Internet and analyzing its logs, identified 72 compromised organizations — mostly in the U.S. but also in Canada and Asian nations — it says had APT-style attacks carried out against them for months if not years, starting in 2006.
According to McAfee, an attacker — probably a "nation-state" though it declined to name any country — carried off huge volumes of sensitive information, including "closely guarded national secrets (including from classified networks), source code, bug databases, e-mail archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more." McAfee didn't release most of the names of the victims though it did name a few, such as the World Anti-Doping Agency, as well as some Olympic committees.
APT came up in a story on the RSA data breach that blamed China for that breach earlier this year. Joe Stewart, director of malware research at Dell SecureWorks, said the finding was based on research into APT malware called HTran, which was developed by Chinese hackers, that was used in the attack on RSA. The HTran malware, usually installed on a compromised server, is meant to hide transmission of data where an attacker stealing it wants it to go. Stewart found error messages from HTran inadvertently revealed exact IP addresses, leading directly to ISPs in Beijing and Shanghai.
No wonder the Security for Business Innovation Council, a group of 16 security leaders in corporations that include eBay, Coca-Cola Company, SAP, FedEx Corp., Johnson & Johnson and Northrop Grumman, last week said the APT problem is a top concern and it's changing how you should look at security.
More security news: Corporate cybercrime costs skyrocket
In their report, entitled "When Advanced Persistent Threats go Mainstream," they say "Focusing on fortifying the perimeter is a losing battle" and "today's organizations are inherently porous. Change the perspective to protecting data throughout the life cycle across the enterprise and the entire supply chain."
The report adds: "The definition of successful defense has to change from 'keeping attacks out' to 'sometimes attackers are going to get in; detect them as early as possible and minimize the damage' Assume that your organization might already be compromised and go from there." The focus, they say, needs to be more on working with business managers to ascertain the "crown jewels" of the organization and protect these "core assets."
Other hot security news this week included:
Black Hat: Lots of hacks and a patriotic plea
Black Hat hasn't disappointed this year, with research revealing a flaw that undercuts Open Shortest Path First routing, two separate assertions that security for Apple products in the enterprise isn't that bad and a friendly hand being offered to hackers and crackers to join the U.S. fight against terrorists in cyberspace. Perhaps the biggest blockbuster, because of the sheer scope of the potential problem, is the vulnerability an Israeli researcher found in the OSPF routing protocol that puts networks using it at risk of attacks that compromise data streams, falsify network topography and create crippling router loops.
Black Hat: Researcher picks apart Sophos antivirus package
A researcher presenting at Black Hat picked apart Sophos Antivirus software and found it lacking in several areas that leave it vulnerable to attack or circumvention - something he says might apply to other antivirus vendors' products as well, but he just hasn't looked. Tavis Ormandy, who works as a researcher for Google, says he reverse engineered the product and found, among other things:
* The key used to encrypt some data is stored with the data, making it relatively easy to decrypt.
* Its buffer overflow protection only works on Windows platforms prior to Vista.
* The signatures Sophos selects to identify viruses are weak and can be generated independent of Sophos, making it possible to flood users with false positives.
Black Hat: System links your face to your Social Security Number and other private things
Soon it will be practicable to take someone's photo on a smartphone and within minutes know their Social Security number and a range of other private data like their personal interests, sexual preference and credit status, researchers told the Black Hat security conference this week. The technique calls for linking faces of random individuals to images in databases that contain other information about them and using that information to project Social Security numbers, says Alessandro Acquisti, a professor at Carnegie Mellon University, who will present the research at the conference.
U.S. wants to build cybersecurity protection plan for cars
As cars and other forms of transportation increasingly rely on online systems for everything from safety to onboard entertainment, the cybersecurity threat from those who would exploit such electronic control packages has also increased. That's why the US Department of Transportation (DOT) today issued a Request For Information to the security industry to help it create a road map to build "motor vehicle safeguards against cybersecurity threats and assure the reliability and safety of automotive electronic control systems."
LulzSec gets Google+ boot, but returns
Hacker group LulzSec ("the world's leaders in high-quality entertainment at your expense") has had its initial Google+ account nixed this week. Though LulzSec has quickly and brashly re-emerged with a new one, LulzSec appears to have fallen victim to Google's purge of accounts on its new Google+ social network that are based on profiles not associated with a real individual's name. The same fate befell fellow hacking group Anonymous last month, and the outfit responded by saying it was developing its own social network and that it knew of an "operation" being organized against Google+.
Android Trojan records phone calls
A new Android Trojan is capable of recording phone conversations, according to a CA security researcher. While a previous Trojan found by CA logged the details of incoming and outgoing phone calls and the call duration, the malware identified this week records the actual phone conversations in AMR format and stores the recordings on the device's SD card.
Read more about wide area network in Network World's Wide Area Network section.