If you’re a United States military service member — or maybe even if you just follow defense news — get ready to be spear-phished.
Again.
On June 27 Gannett Government Media — a subsidiary of media giant Gannett that publishes a range of defense and intelligence focused publications including Army, Air Force, Navy, and Marine Corps “Times”, the Armed Forces Journal, and Defense News — announced that on June 7 it had suffered a cyber attack where information on some users had been accessed, including “first and last name, userID, password, email address, the internal number we assigned to the account, and, if provided, ZIP code, duty status, paygrade, and branch of service.”
In some ways the Gannett attack is just the latest in a recent rash of intrusions, including:
- On May 10 Citigroup was attacked and the “…customer names, account numbers and contact information…” of more than 360,000 credit card holders were accessed.
- In mid-April the Sony PlayStation Network was hacked and the “…names, birthdates, physical and e-mail addresses, and PlayStation Network/Qriocity passwords, logins, handles and online IDs” of the service’s 70 million users were potentially compromised.
- On March 30 an attack on Epsilon, a firm that sends marketing emails for more than 2,500 companies to millions of recipients, accessed records for 19 firms containing users’ names and emails.
In each of these cases, and in previous ones, security experts warned of spear-phishing in their wake. Spear-phishing is the computer security term for targeted phishing attacks. “Phishing attacks work by the scam artist sending ‘spoofed’ emails that appear to come from a legitimate website that you have online dealings with such as a bank, credit card company or ISP — any site which requires users to have a personal identity or account. The email may ask you to reply with your account details in order to ‘update security’ or for some other reason.” Unlike traditional phishing attacks, which are usually blasted out with little personalization, spear-phishing is customized to the target, often containing personal information and other details that might increase the target’s willingness to trust the authenticity of the sender. The target is then usually led either to click through to a website that will download malicious code onto the user’s machine or to download a file containing malicious code.
But what makes the Gannett attack different is the fact that it was targeted at individuals in the military (although the same could be said of more than a few of the users of the PlayStation Network). Although not all readers of Gannett Government Media’s publications are military service members, many are, and their ZIP code, duty status, paygrade and branch of service information in Gannett’s database represents a treasure-trove for potential spear-phishers.
Less than a month ago, Google uncovered a spear-phishing attack directed against personal accounts of “senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.” While this attack specifically targeted senior-level officials, previous attacks directed at military personnel have not necessarily been segregated by paygrade. And one of the lessons of the Bradley Manning/Wikileaks incident is that sometimes an E-4 can have access to more information than an O-4 — and maybe give less thought to how he or she uses it.
The March attack on RSA Security, a leading security firm that supplies government, military and defense contractor organizations with authentication tools, led to spear-phishing attacks on defense contractors Lockheed Martin and L-3 Communications less than a month later. By waiting 20 days to release news of the attack on its systems, Gannett has given would-be attackers plenty of time to prepare a similar assault. Sony has already taken criticism from private sector security experts and from Congressional committees for its lag in releasing news of the PlayStation Network breach, and Gannett may come under similar criticism from the same corners. But another question that comes out of this incident is whether, and how, businesses and organizations that serve military service members should protect user data, and whether there are any additional precautions that they should take with this data.
The US Department of Defense has struggled in the past few years to cope with the rapidly changing pace of information technology, stumbling over issues as varied as social networking and thumb drives as it tries to balance the needs of its service members to stay connected in a digital world against the threat of attacks from both cyber criminals and cyber warriors. And while it can to some extent control what happens on DoD systems, the fact is that with so many service members deployed so often for so long, there is perhaps a greater threat in the vulnerabilities within the many commercial web services that service members use every day to stay connected to the world outside of the war zone. And while the government and private sector often come together to encourage best practices in coding web sites — for example the recent joint project of the Department of Homeland Security, the MITRE Corporation, and the SANS Institute to identify the “…top 25 technical software problems that hackers exploit…” — there is still a long way to go in creating best practices for what user data should be stored, and how, and for how long. And while the government may not want to get involved in what seems like a private sector problem, unless there is a discussion about how to protect the identities and personal information of service members they are likely to be targeted for more frequent and more sophisticated attacks.
Again.