Iranian military spear-phish of State Department employees detected first by Facebook

Cyber-espionage effort may be tied to the arrest of Iranian American in Tehran.

Read the whole story

 

[fuzzyfuzzyfungus]

It's too bad that we don't have some sort of agency dedicated to national security, with the technical skills needed to protect sensitive operations and organizations like the State Department. Maybe we should try that.

 

[abend s0c0]

It's too bad people can't live without their facebooks or tweeters. Social media - just say no.

 

[KGFish]

fuzzyfuzzyfungus[/url]":36i0s16d]It's too bad that we don't have some sort of agency dedicated to national security, with the technical skills needed to protect sensitive operations and organizations like the State Department. Maybe we should try that.

On the upside, if Iranians can get in that easy, I'm pretty sure we have similar access to the Iranians' intel. I don't know if I'll get too much up in arms about this. At this point, it seems that offense has a huge upper hand over defense. Kinda how mortars and trebuchets had the upper hand over castle walls.

 

[slugabed]

"The State Department's e-mail systems have been the target of repeated attacks ... "

Maybe Hilary's not so dumb after all.

 

[Fatesrider]

KGFish[/url]":3u1fy6ip]

fuzzyfuzzyfungus[/url]":3u1fy6ip]It's too bad that we don't have some sort of agency dedicated to national security, with the technical skills needed to protect sensitive operations and organizations like the State Department. Maybe we should try that.

On the upside, if Iranians can get in that easy, I'm pretty sure we have similar access to the Iranians' intel. I don't know if I'll get too much up in arms about this. At this point, it seems that offense has a huge upper hand over defense. Kinda how mortars and trebuchets had the upper hand over castle walls.

I believe he was being sarcastic.

 

[Uxorious]

Given that US Government employment is an exam/school-based system as opposed to "at-will" in the private sector, would it be reasonable for the government to create a security school and "red-team" style ongoing validation program that would bar employee access to systems if they succumb to fishing attacks?

Given the increasing technological nature of government business, these attacks will only become more damaging in the future, so up-front investments in technological defense systems and personnel would be cheaper in the long run than relying on an annual review of a Power Point presentation on computer security.

Having been through hands-on anti-phishing training, I found it useful even for people working in software development to be on the receiving end of real exploits that we read about but don't often see as a result of our personal security habits and the skill of our security admins in protecting our corporate systems.

 

[andrewb610]

Uxorious[/url]":283h565c]Given that US Government employment is an exam/school-based system as opposed to "at-will" in the private sector, would it be reasonable for the government to create a security school and "red-team" style ongoing validation program that would bar employee access to systems if they succumb to fishing attacks?

Given the increasing technological nature of government business, these attacks will only become more damaging in the future, so up-front investments in technological defense systems and personnel would be cheaper in the long run than relying on an annual review of a Power Point presentation on computer security.

Having been through hands-on anti-phishing training, I found it useful even for people working in software development to be on the receiving end of real exploits that we read about but don't often see as a result of our personal security habits and the skill of our security admins in protecting our corporate systems.

The problem I see is that the mandatory government IA training in all areas is terrible. It becomes to most employees just another process of getting a PDF certificate so that you don't get a wag of the finger from your supervisor. The mentality behind the need for training, then the training itself has to change before any progress will really be made. Unfortunately, it took incidents like this push a mentality change.

 

[KGFish]

Fatesrider[/url]":5hfl6w1w]

KGFish[/url]":5hfl6w1w]

fuzzyfuzzyfungus[/url]":5hfl6w1w]It's too bad that we don't have some sort of agency dedicated to national security, with the technical skills needed to protect sensitive operations and organizations like the State Department. Maybe we should try that.

On the upside, if Iranians can get in that easy, I'm pretty sure we have similar access to the Iranians' intel. I don't know if I'll get too much up in arms about this. At this point, it seems that offense has a huge upper hand over defense. Kinda how mortars and trebuchets had the upper hand over castle walls.

I believe he was being sarcastic.

I know. His point being that our defense sucks. My point being that everyone's defense sucks because the technology currently in play makes it so. It's not that castle builders sucked after the invention of the mortar, it's that castles were fundamentally reduced in capability by new technology.

 

[Tiernoc]

KGFish[/url]":2mkeejk4]

I know. His point being that our defense sucks. My point being that everyone's defense sucks because the technology currently in play makes it so. It's not that castle builders sucked after the invention of the mortar, it's that castles were fundamentally reduced in capability by new technology.

FWIW there's a LOT of good tech available that helps secure networks and locks down traffic and plugs vulnerabilities (DISA creates guides for this, called Security Technical Implementation Guides (STIGs) that helps immensely in preventing the hardware / software vulnerabilities' being exploited.

The trouble absolutely occurs where program-focused managers are blind to the realities of security, and see IT as nothing more than an unnecessary cost to their program, and one they resent having to fund to boot.

With that sort of attitude is it really surprising that the soft targets are increasingly proving to be people, more so than the equipment?

 

[Asinar]

andrewb610[/url]":1ib27hts]The problem I see is that the mandatory government IA training in all areas is terrible. It becomes to most employees just another process of getting a PDF certificate so that you don't get a wag of the finger from your supervisor. The mentality behind the need for training, then the training itself has to change before any progress will really be made. Unfortunately, it took incidents like this push a mentality change.

The training is one of the the things I most certainly don't miss from my days as a government employee*. Even when they come up with an effective training course, they end up replacing it a year or two later with something terrible. I got in the habit of using the text-only disability versions so I can run through it faster instead of dealing with their annoying flash crap.

* There's not a whole lot I actually do miss. It was a pretty miserable job for a technical worker.

 

[CppThis]

KGFish[/url]":1p4yiqsz]

fuzzyfuzzyfungus[/url]":1p4yiqsz]It's too bad that we don't have some sort of agency dedicated to national security, with the technical skills needed to protect sensitive operations and organizations like the State Department. Maybe we should try that.

On the upside, if Iranians can get in that easy, I'm pretty sure we have similar access to the Iranians' intel. I don't know if I'll get too much up in arms about this. At this point, it seems that offense has a huge upper hand over defense. Kinda how mortars and trebuchets had the upper hand over castle walls.

The hacker will always get through.

 

[Furz]

Oh look, another state sponsored attack that will most likely receive no response at all from the US government.

 

[AdamM]

Furz[/url]":1j92fzn1]Oh look, another state sponsored attack that will most likely receive no response at all from the US government.

Just because the US doesn't make its response known to the public doesn't mean a response didn't happen. A strongly worded public response doesn't exactly serve much purpose.

The US does dish it out as much as we receive it after all.

 

[iPirateEverything]

The Iranian hackers missed an opportunity... once they knew they had been detected, they should have used their captured social accounts to spread pics of their mighty of their new stealth aircraft.









After a generous amount of photoshop of course!

 

[fuzzyfuzzyfungus]

abend s0c0[/url]":3qa8bsee]It's too bad people can't live without their facebooks or tweeters. Social media - just say no.

As much as I have no patience for 'social' nonsense; as a matter of operational security; the stuff is so prevalent that not doing it probably carries risks of its own.

Once something becomes common enough, being the guy who doesn't do that starts to be as identifying as much of what the people who do do it post.

In the specific context of spear phishing, you are probably better off if there are fewer vectors available; but if, say, you are the CIA agent who "works for the State Department", you aren't exactly going to blend in with all the diplomats and IR majors if you mysteriously have zero online presence and everybody else has the usual banal nonsense.

 

[rockforbrains]

Uxorious[/url]":3ur69a6l]Given that US Government employment is an exam/school-based system as opposed to "at-will" in the private sector, would it be reasonable for the government to create a security school and "red-team" style ongoing validation program that would bar employee access to systems if they succumb to fishing attacks?

Given the increasing technological nature of government business, these attacks will only become more damaging in the future, so up-front investments in technological defense systems and personnel would be cheaper in the long run than relying on an annual review of a Power Point presentation on computer security.

Having been through hands-on anti-phishing training, I found it useful even for people working in software development to be on the receiving end of real exploits that we read about but don't often see as a result of our personal security habits and the skill of our security admins in protecting our corporate systems.

The upfront costs of the training are measurable and not cheap. But the savings, which are also real, are much more nebulous. The bean counters and other assorted PHBs do not grasp that the true costs of a major incident could be devastating, dwarfing the training costs by orders of magnitude. But if you do not suffer from a major break in because of your effective training how are cost savings for avoiding one calculated?

I agree, the annual PowerPoint "training is laughable and at best good for a brief nap.

 

[ars_sq]

fuzzyfuzzyfungus[/url]":iq16pac6]It's too bad that we don't have some sort of agency dedicated to national security, with the technical skills needed to protect sensitive operations and organizations like the State Department. Maybe we should try that.

Too busy collecting bulk data on their own citizens to bother preventing attacks on .gov

 

[CppThis]

So, what I'm gonna take home from this is that if I score some government email addresses and goatse the hell out of them, it's basically doing my patriotic duty by training them against foreign aggressors. Awesome!

 

[RickyP784]

fuzzyfuzzyfungus[/url]":1ilacz18]It's too bad that we don't have some sort of agency dedicated to national security, with the technical skills needed to protect sensitive operations and organizations like the State Department. Maybe we should try that.

The first warning of the attacks came from Facebook, which alerted some of the affected users that their accounts had been compromised by a state-sponsored attack, The New York Times reports.

I think it's a travesty that Facebook does a better job protecting its users than the government protects its own employees and citizens. Our tax dollars at work!

Maybe we should let them raise a troll army for our digital defense!

 

[macnews]

fuzzyfuzzyfungus[/url]":77w6nk58]It's too bad that we don't have some sort of agency dedicated to national security, with the technical skills needed to protect sensitive operations and organizations like the State Department. Maybe we should try that.

Agreed. Watching passively as every federal department and large corporation is pilfered for sensitive data is starting to get sickening.

 

[matthewslyman]

abend s0c0[/url]":2onlqsy8]It's too bad people can't live without their facebooks or tweeters. Social media - just say no.

In this case; we're actually seeing some possible evidence that people might be safer if they open a fake Facebook account and use Facebook's authentication and monitoring services as a trip-wire to sound the alarm when someone is trying to attack their accounts/ steal information about them.

Unfortunately, most people (even in sensitive professions, doing sensitive work) apparently aren't smart enough to do that: they put real information on Facebook, and then fail to adequately secure their accounts/ machines/ etc. Unfortunately, Facebook constantly nags users for personal contact details "for account recovery purposes" etc. Unfortunately, the State Department's in-house security people/ procedures appear to be substantially less advanced/ spartan/ effective than those at Facebook.

The government should be knocking on the door of Facebook, and paying them consultation fees to share analysis and account protection techniques. The old "multilevel security" models (which all but prevent information flow from classified to public) are obsolete for some security purposes: we desperately need a more active culture of sharing security/ analysis techniques (we can still protect the actual information). We need an active exchange between government and private industry, particularly now that private software/ services industry is getting mature enough to sit at the same table as an equal partner, on the basis of technology.

Until we start doing these things, even a real Facebook account with real contact information might enhance the security of some people — by alerting them to a possible intrusion before it gets too deep and embedded. But this is of course still very debatable, given the way in which the Facebook intrusions helped facilitate further attacks with information garnered thereby.

 

[otaviokzuk]

I honestly don't feel safe to trust these fonts. They are all either government or anonymous. Could be just Republican aligned people trying to make the Iran deal look bad, could be something else. When there's no "producible" proof, we are left to believe in USA's government honesty, which I really don't take for granted.

Am I being too skeptic?

 

[asharkinasuit]

It's really too bad that these things keep happening. It seems to cast such a bad image on the people from the countries involved. The thing is, most of the Iranians I know (which admittedly isn't that many) are fine people, so judging the people by the actions of their government seems wrong. It's just as naive to deride Americans for electing the kind of government that supports the NSA, FISC and whatever may be revealed later. On the other hand, isn't the government supposed to be a representative of the people, particularly in democracies? It feels like cheating to disavow your choice for government officials as soon as they do something you don't agree with, unless perhaps they don't act in accordance with their stated policy. There is a tension between seeing the government as representative and treating it as an autonomous body.

 

[AxMi-24]

Furz[/url]":223mdmp0]Oh look, another state sponsored attack that will most likely receive no response at all from the US government.

Exactly what kind of response do you expect? Should Iran have sunk a carrier or two after US and Israel attacked its centrifuges? Would you feel that is an appropriate response or do you want response only in one direction?

US is spying on everyone and their dog so it's just fair that everyone else tries to spy back.

 

[asharkinasuit]

AxMi-24[/url]":16r6m5w4]

Furz[/url]":16r6m5w4]Oh look, another state sponsored attack that will most likely receive no response at all from the US government.

Exactly what kind of response do you expect? Should Iran have sunk a carrier or two after US and Israel attacked its centrifuges? Would you feel that is an appropriate response or do you want response only in one direction?

US is spying on everyone and their dog so it's just fair that everyone else tries to spy back.

I don't know that it's fair, but it is understandable. Fair would be if everyone just stopped doing it and played nicely. If you allow everyone to spy on each other, it's still unfair because not everyone has the same resources or knowledge they can put into it.

 

[AxMi-24]

asharkinasuit[/url]":3eyq5jsd]

AxMi-24[/url]":3eyq5jsd]

Furz[/url]":3eyq5jsd]Oh look, another state sponsored attack that will most likely receive no response at all from the US government.

Exactly what kind of response do you expect? Should Iran have sunk a carrier or two after US and Israel attacked its centrifuges? Would you feel that is an appropriate response or do you want response only in one direction?

US is spying on everyone and their dog so it's just fair that everyone else tries to spy back.

I don't know that it's fair, but it is understandable. Fair would be if everyone just stopped doing it and played nicely. If you allow everyone to spy on each other, it's still unfair because not everyone has the same resources or knowledge they can put into it.

Good point. Would be nice if humans attempted civilization for a while instead of current situation that is somewhat south of barbarism.

 

[i662i812r11]

KGFish[/url]":2daxhs4a]

fuzzyfuzzyfungus[/url]":2daxhs4a]It's too bad that we don't have some sort of agency dedicated to national security, with the technical skills needed to protect sensitive operations and organizations like the State Department. Maybe we should try that.

On the upside, if Iranians can get in that easy, I'm pretty sure we have similar access to the Iranians' intel. I don't know if I'll get too much up in arms about this. At this point, it seems that offense has a huge upper hand over defense. Kinda how mortars and trebuchets had the upper hand over castle walls.

Well, that explains why we are arresting more Iranian journalist/businessperson spies than Iran.

 

[DaVuVuZeLa]

slugabed[/url]":3pmn1u4v]"The State Department's e-mail systems have been the target of repeated attacks ... "

Maybe Hilary's not so dumb after all.

Yeah, who needs to deal with those pesky foia requests anyway?

 

[Uroshnor]

Tiernoc[/url]":1y79h634]

FWIW there's a LOT of good tech available that helps secure networks and locks down traffic and plugs vulnerabilities (DISA creates guides for this, called Security Technical Implementation Guides (STIGs) that helps immensely in preventing the hardware / software vulnerabilities' being exploited.

Unfortunately, US Government security guidance is frequently hamstrung by their inability to recruit and retain competent staff as public servants. As a consequence, much of the work is being done by contractors. Contractors who work at the companies that run testing and certification labs, or charge the government money to "secure" or "audit" systems.

Essentially you have people writing & approving the standards from the organisations that generate a revenue stream from the implementation and testing of those implementations.

In some countries that would be considered somewhere between a conflict of interest and outright corruption.

The US is largely oblivious to this - the military-industrial complex mind set is too well entrenched.

Perversely, I've more confidence in the NSA's guidance than DISA's (lies and information operations not withstanding) - the NSA seems to grasp the relationship between risk and action far better than DISA , who by contrast seem to be concentrating on creating revenue generating opportunities for external parties.

Its a classic example of outsourcing deskilling an organisation to the point where its functionally incompetent in what you'd otherwise think was a core function.