How to not get phished like the Canadian government

The cyber attacks on several key Canadian government offices reported yesterday were not much different from spear phishing and online social engineering incidents reported by typical computer users, according to security specialists.

But even as government officials claim that no sensitive information was compromised, the incident should serve as a wake-up call for the government to beef up its cyber security posture, they said.

“If you’re asking me if the government’s security could have been better, I would say yes,” said Claudiu Popa, an independent security and privacy expert based in Toronto.

Popa, principal of Informatica Corp., a company that provides risk assessment, security management, compliance and corporate education programs, said the government’s databases are filled with private and confidential information of individuals and organizations and should have been better protected. “The government is entrusted with vast amounts of private and sensitive data with the implied understanding that it will be properly protected.”

“The government obviously has the resources and access to security expertise but this incident shows that they failed on the most basic level – providing security training for personnel,” said Popa.

Early Thursday morning it was reported that hackers using servers based in China had broken into the computer networks at the Finance Department, The Treasury Board office and the Defence Research and Development Canada sometime in January.

The attackers reportedly used a technique called spear phishing, in which victims are tricked into opening attached documents that contain malware. Opening the attachment activates the malware, which is usually programmed either to steal data from the target machine or to take control of it. The Canadian Broadcasting Corporation (CBC) also said that in other instances the attackers posed as federal executives, sent e-mails to technical staffers and attempted to con them into providing passwords for accessing government networks. The government had to shut off Internet access for several employees in the targeted departments as a result of the intrusions.

The CBC also quoted a cyber spying expert as saying that the hackers may have been looking for information about weapons.

Charles Burton, who teaches Chinese politics at Brock University and has written extensively on Chinese cyber spying programs, said that in the case of the defence department, the hackers were looking for information on new weapons.

“Canada has access to secrets that are shared with other Western industrial countries, such as the United States, with regard to sophisticated weaponry. And the Chinese government would have strong interest in getting hold of technologies,” the CBC quoted Burton.


China has denied involvement in the incident. Yesterday Prime Minister Stephen Harper said he wouldn’t speak directly about the incident, which a government official described as an “unauthorized attempt” to access the network.

“I can’t comment on any specific report. But this is an issue we are aware of and our security personnel are engaged in dealing with,” he was quoted as saying yesterday.

A spokesperson for the Treasury Board also said no data was stolen. “There was no indication that any data relating to Canadians was compromised in this unauthorized attempt,” said Jay Denney, a spokesperson for Treasury Board President Stockwell Day.

Social engineering and spear phishing

Treasury Board and Finance Department personnel likely fell for the oldest trick in the cyber crime book, according to Popa of Informatica.

“Judging from the very little information we are getting now, this appears to be a simple case of social engineering and spear phishing attack,” he said. “It is not much different from the attacks launched against many businesses and individuals.”


This time however, Popa said, the stakes are higher because the government offices targeted may contain sensitive or secret government data.

Social engineering techniques, he said, typically involve gaining the confidence of a victim by deception in order to manipulate the victim into performing an act or divulging confidential information.

Spear phishing is a targeted form of phishing in which cyber criminals send malware-carrying e-mails to a specific person or group of persons rather than sending an e-mail blast. These spear phishing e-mails are often made to appear as though they came from an official source or a colleague.
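The two lures described above, an executive’s name on an outside mailbox and a look-alike sender domain, can be screened for at the mail gateway. The following Python is an added example, not code from the article or from any of the organizations it names; the internal domains, executive names and sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed data (assumed, not from the article): the organization's own mail
# domains and the display names of executives likely to be impersonated.
INTERNAL_DOMAINS = {"example.gc.ca", "fin.example.gc.ca"}
EXECUTIVE_NAMES = {"jane doe", "deputy minister"}

def _domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def _lookalike(domain):
    """Crude look-alike test: not one of our domains, but once punctuation is
    stripped it still contains one of them (e.g. 'example-gc.ca')."""
    if not domain or domain in INTERNAL_DOMAINS:
        return False
    flat = re.sub(r"[^a-z0-9]", "", domain)
    return any(re.sub(r"[^a-z0-9]", "", d) in flat for d in INTERNAL_DOMAINS)

def assess_sender(from_header, reply_to=None):
    """Return the impersonation indicators that fire for one message's headers.
    An empty list means nothing looked wrong; this is a triage aid, not proof."""
    display, addr = parseaddr(from_header)
    domain = _domain_of(addr)
    name = re.sub(r"\s+", " ", display).strip().lower()
    reasons = []
    if name in EXECUTIVE_NAMES and domain not in INTERNAL_DOMAINS:
        reasons.append("executive display name from external domain")
    if _lookalike(domain):
        reasons.append("look-alike of internal domain")
    if reply_to and _domain_of(parseaddr(reply_to)[1]) != domain:
        reasons.append("Reply-To domain differs from sender domain")
    return reasons

def triage(messages):
    """Run assess_sender over (From, Reply-To) pairs; keep only flagged senders."""
    results = ((s, assess_sender(s, r)) for s, r in messages)
    return {s: why for s, why in results if why}

# Constructed sample headers for demonstration.
SAMPLE_MESSAGES = [
    ("Jane Doe <jane.doe@example.gc.ca>", None),                        # legitimate
    ("Jane Doe <jane.doe@webmail-free.example>", None),                 # name spoof
    ("IT Helpdesk <helpdesk@example-gc.ca>", None),                     # look-alike
    ("Jane Doe <jane.doe@example.gc.ca>", "jane@webmail-free.example"), # reply hijack
]
```

Calling triage(SAMPLE_MESSAGES) returns the three suspicious senders with the reason each fired; only the legitimate first message passes clean.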

Organizations may have the best network protection in place, but with these types of attacks, the weakest link turns out to be the computer users, according to another security specialist.

“Organizations can always do a better job at staying on top of patches and best practice configurations, but a good social engineer can always get user credentials,” said Brian Bourne, security industry expert and co-founder of SecTor, the security education conference in Toronto.

“The only way to limit abuse of those credentials is to enforce multi-factor authentication and to follow least-privilege practices,” he said.

This means limiting staff to as little access to systems and information as possible while still providing enough access to enable them to carry out their duties. “High value information assets should always be protected with stronger security mechanisms and access control,” said Bourne.

Different from Ghostnet

The attack described in yesterday’s reports appears to be very different from those attributed to Ghostnet, the cyber spy ring exposed by Canada-based security researchers some two years ago.


The cyber spy network which was traced to China by researchers at the Citizen Lab at the University of Toronto’s Munk Centre for International Studies is believed to have infiltrated more than 1,295 computers in 103 countries, including machines in the private office of the Dalai Lama in Dharamsala, India.

“That was a much bigger operation. From what we know today, this one appears to be concentrated on the two government offices,” said Popa of Informatica.

He also cautioned against pinning the blame on China. “This attack could have come from China, Scotland, or even Toronto. The attackers could have hacked into a server based in China to make it appear that the attack was coming from that country.”

On the other hand, Internet and cyber security experts such as Ron Deibert, head of the Citizen Lab, have been calling on the government to bolster its cyber security stance.

Deibert has warned that the Internet is being “weaponized and militarized” by government and cyber crime gangs that use technology to spy on or suppress dissidents and other governments.

The Citizen Lab chief and researchers who discovered the Ghostnet network said Ottawa has to act now to stop Internet filtering and snooping strategies by heavy-handed governments.

How you can protect your business

Seth Hardy, malware specialist for Symantec Hosted Services, said that nearly 90 per cent of all e-mails in Canada are spam and one in 383 e-mails contains malware or a virus.

Hardy said many online threats can be avoided by applying basic Internet safety precautions that have been around for years.

He said SMBs can employ these simple and practical security best practices that will limit their exposure to online threats:

1. Be selective about registering your e-mail address to limit exposure to phishing attacks. Consider creating a separate e-mail account which you can use when signing up for mailing lists.

2. Delete spam immediately and unsubscribe from even legitimate mailing lists that you no longer need. Never buy products from spam messages.

3. Avoid clicking on suspicious e-mail links or instant messages. Many spammers also create bogus sites that appear to be Web pages of legitimate firms.

4. Deploy an anti-spam tool across the whole organization. Remember that signature-based anti-virus solutions are no longer adequate on their own.

5. Do not fill out online forms that ask for personal or financial information and passwords.

Nestor is a Senior Writer at Follow him on Twitter, read his blogs on Blogs and join the Facebook Page.
