Macs are not safe from Bears

Bear fancy pattern Mac users have long had an unwarranted level of confidence about their immunity to malware and hackers. Palo Alto Networks’ recently discovered some Mac malware in the wild, which I hope will make us Mac users pay more attention to security. The malware, which targets mostly the aerospace industry, appears to be from an APT group they call “Fancy Bear”.

The malware is a trojan executable designed to look and act like a PDF file. It is being used in highly targeted attacks where the apparent content of the file is something that the recipient was expecting to receive.

These kinds of attacks typically start with the nation state level APT attackers and quickly make their way down to the street level cybercriminals. Everyone on every platform needs to pay attention to their security and take proper precautions.

Why targeting is a trend and how to protect yourself

Rhino in the cross hairs at a watering hole At the recent BSides security conference in San Francisco (just before the RSA conference) I had the opportunity to give a talk about targeted attacks and how they are changing the game of cyber defense. The talk was recorded so you can listen to the whole thing, or read a brief summery below.

Sophisticated targeting is one of the most important trends in security right now. Although most of the malware and attacks we see are still un-targeted the biggest and most damaging ones are highly targeted.

  1. Targeted attacks are harder to detect because they impact a much smaller population.
  2. Targeted attacks avoid attacking security researchers, bots, and honeypots making discovery and analysis more difficult and time consuming.
  3. Targeted attacks preserve expensive zero-day exploits from being added to detection signatures.
  4. Attackers know exactly what they want and what they want to do with it so they can get much more impact for a given effort (whether cash, political impact, revenge, or whatever).

A random attack like a ransomware incident should be no more than an annoyance to a reasonably prepared business. Employees can be trained to avoid clicking on links or attachments in suspicious emails. The same is not true of targeted attacks. A masterfully crafted spear phishing email will fool just about anyone, even the most savvy or expert users. Attack emails will come from people the victim knows and will be written in that person’s style and be completely appropriate to their topics of discussion. Attachments and links will appear normal and expected. Targeted watering hole attacks compromise marquee websites like Forbes and Yahoo, and then avoid detection by only launching attacks against the small handful of desired victims. Far from being in the dark back alleys of the Internet, these attacks happen in the cyber equivalent of noon in Times Square. Because targeted attacks are harder to detect, attackers are willing to deploy their most valuable zero-day or otherwise undetectable exploits and tools. They know that they are likely to remain effective long after the attack. These tools are also the most effective and reliable at penetrating the target company.

Once the attacker is in, they can move directly to getting what they came for. That could be credit card numbers, personal information, business secrets, or just embarrassing emails. The Sony hackers almost certainly knew what they wanted to do with their stolen emails before they started. Likewise the OPM hackers doubtless had very specific plans for the detailed personal information they were able to take. Defending against targeted attacks is also much more difficult. The low volume makes it much less likely that anomaly detection system will trigger. The use unknown tools makes signature detection fail. And attacker research allows them to find a soft entry point to the enterprise and move strategically from there. Businesses need to move quickly towards security that is less reliant on detection for protection. Architectures must contain attacks, minimize damage, and automatically restore systems whether or not they are known to be compromised. Detection and training will always be valuable but we can not rely on them to be effective, especially against targeted attacks.

Loan rates based on your browser

This article on The Consumerist reports that Capital One provides different car loan rates based on the browser you use when visiting their site. I suspect that there are some strong demographic trends among the users of various browsers. It would be interesting to see if they give different rates to the same browser in different states or zip codes. Once again, evidence that "they" are using your personal information in way that may not be good for you.