IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Check Point Experience 2011: Security Evangelism
Thu, 8th Sep 2011

The running theme of the Check Point Experience 2011 conference was that no security system can protect a business from human error. No matter what your technology, it relies on employees using it correctly.

Social Engineering

Check Point’s Security Evangelist, Tomer Teller, explained to delegates how attackers, well aware of this, have in the last few years turned to social engineering: rather than attacking the perimeter, they compromise the workstations of junior employees and work inward from there, bypassing the business’s security products altogether.

Initial reconnaissance can be as simple as going through a company’s rubbish looking for unshredded documents, which may reveal employees’ names, phone numbers and email addresses. From these, attackers can look up employees’ profiles on social networking sites like Facebook and LinkedIn, and begin to build up a map of who regularly communicates what with whom.

At this point, Teller says, hackers may also attempt to learn which operating systems the company uses, by looking at which systems their IT job ads request experience in, or even taking a peek at the receptionist’s computer to check which icons show up on his or her taskbar.

Once the attacker has selected a target, the next step is to take control of that person’s computer. This is done with malware known as a Remote Access Tool, or Remote Access Trojan (RAT). RATs are typically delivered by email, either as an infected attachment or as a link to a web page that exploits the browser and installs the malware without any further action from the user (a ‘drive-by download’). Most people know to delete unexpected mail from strangers, but thanks to the earlier research the attacker can easily dress the message up as an internal one, spoofing a colleague’s name and referring to real projects and contacts; alternatively, the message may be disguised as a notification from a widely used site like Facebook or Amazon.
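The lure described above works because the recipient looks at the display name and the link text, not at the actual sender address or the link target. The following is an added example, not Check Point’s code or anything shown at the conference: a small set of header and link checks that catch the common ways an attacker makes a message look internal. The internal domain (`example.co.nz`) and the two sample messages are constructed for the demo; the Levenshtein threshold of 2 for “look-alike” domains is a tuning assumption.

```python
"""Header and link checks for mail that impersonates an internal sender.

Added example for this article, not Check Point's code. The internal mail
domain and both sample messages below are constructed for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.co.nz"}  # assumption: the company's real mail domain(s)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased part after the last '@', or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url: str) -> str:
    """Host part of an http(s) URL, or '' for anything else."""
    m = re.match(r"https?://([^/\s]+)", url, flags=re.I)
    return m.group(1).lower() if m else ""


def body_text(msg) -> str:
    """First text/html part, else first text/plain part, decoded to str."""
    parts = list(msg.walk()) if msg.is_multipart() else [msg]
    for want in ("text/html", "text/plain"):
        for part in parts:
            if part.get_content_type() == want:
                raw = part.get_payload(decode=True) or b""
                return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def check_message(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing looked spoofed."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. The display name carries an address whose domain differs from the real sender.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", name)
    if embedded and domain_of(embedded.group(0)) != from_dom:
        findings.append(f"display name shows {embedded.group(0)} but sender is {addr}")

    # 2. The sender domain is a near miss of an internal domain (one or two characters off).
    if from_dom not in INTERNAL_DOMAINS and any(
        0 < edit_distance(d, from_dom) <= 2 for d in INTERNAL_DOMAINS
    ):
        findings.append(f"look-alike domain: {from_dom}")

    # 3. Replies are routed to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"reply-to domain {domain_of(reply)} differs from {from_dom}")

    # 4. The envelope sender (Return-Path) does not match the visible From.
    _, rpath = parseaddr(msg.get("Return-Path", ""))
    if rpath and domain_of(rpath) != from_dom:
        findings.append(f"envelope sender {rpath} differs from {addr}")

    # 5. Link text shows one host while the href points at another.
    for href, label in re.findall(r'href="([^"]+)"[^>]*>([^<]+)<', body_text(msg), flags=re.I):
        shown = host_of(label.strip())
        if shown and shown != host_of(href):
            findings.append(f"link text {shown} but href goes to {host_of(href)}")
    return findings


# Constructed sample messages (not real mail).
LEGIT = "\n".join([
    "From: Jane Smith <jane.smith@example.co.nz>",
    "To: accounts@example.co.nz",
    "Subject: Q3 invoice",
    "Content-Type: text/plain",
    "",
    "Attached is the Q3 invoice for review.",
])

PHISH = "\n".join([
    'From: "Jane Smith <jane.smith@example.co.nz>" <finance@examp1e.co.nz>',
    "Reply-To: finance@mailbox.example.net",
    "To: accounts@example.co.nz",
    "Subject: Q3 invoice",
    "Content-Type: text/html",
    "",
    '<p>Please review <a href="http://examp1e.co.nz/invoice">http://intranet.example.co.nz/invoice</a></p>',
])

if __name__ == "__main__":
    for tag, raw in (("legit", LEGIT), ("phish", PHISH)):
        print(tag, check_message(raw) or "no findings")
```

None of these checks needs a signature or a reputation feed; they only compare the parts of the message the user sees with the parts the mail system acts on, which is exactly the gap the disguise relies on. In production they belong in a mail gateway rule or a warning banner rather than in user training alone.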

With the RAT in place, Teller says, the attacker can use the victim’s computer and mailbox to run the same play against more senior staff, moving up through the organisation until reaching an employee senior enough to communicate plausibly with the CEO, CTO or other high-ranking executive.

“You can’t rely on technological protection,” Teller says.

“Companies need to think beyond compliance, and invest in education and security awareness.

“You need to think like a criminal in order to stop a criminal.”

How to take over a nuclear plant

Teller also delivered a talk on his experience investigating the Stuxnet malware. Stuxnet is a worm that came to light in 2010 and was reported on computers at Iran’s Bushehr nuclear plant; the centrifuges it was built to damage, however, were at the Natanz enrichment facility. Teller studied it for nine months to understand how its creators had penetrated such a high-security environment.

The goal of Stuxnet was to reach the plant’s Programmable Logic Controllers (PLCs), the embedded controllers that drive the industrial equipment; in this case Siemens S7 series controllers running the centrifuge motors.

A PLC does not run a general-purpose operating system that malware can readily target, so the attackers went after the Windows engineering workstation (a Siemens Field PG) that runs the STEP 7 software used to program the controller. That machine is not reachable from the internet, so the attackers had to build a worm that could spread across the plant’s internal network until it reached one.

Teller says the attackers may have broken into a contractor’s home and infected a laptop there, counting on it later being connected to the plant network; or they may simply have used USB drives, either bribing an employee to plug one in or scattering a few over the fence and waiting for a curious employee to plug one in to see what was on it.

Teller then demonstrated how, from that first machine, the worm’s designers abused two ordinary Windows features to spread it to other computers: autorun.inf files on removable drives, and the way Windows Explorer handled shortcut (.lnk) files, which let the payload run as soon as a user merely browsed the folder of an infected drive. The worm could also have been updated, and possibly activated, over the internet, Teller says.
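The autorun path is the one a responder can check by hand: a USB stick found in the car park should be mounted read-only and triaged before anyone browses it. The following is an added example, not from Check Point or from the Stuxnet analyses: a tolerant parser for `autorun.inf` that reads the file the way Windows does (junk lines ignored, keys case-insensitive, only the `[autorun]` section used) and flags the patterns that matter, including a file that is really an executable with an INI section appended, so that the binary part rides along while the text parser still finds the launch key. The three sample files are constructed, and the “first occurrence of a key wins” rule and the 5% non-text threshold are assumptions of the example, not documented Windows behaviour.

```python
"""Triage of autorun.inf files pulled from removable media.

Added example for this article, not from Check Point or the Stuxnet
analyses. The sample files are constructed; the heuristics are assumptions.
"""
import os
import re

EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".dll", ".cpl")
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(data: bytes) -> dict[str, str]:
    """Tolerant INI parse: decode lossily, skip anything that is not key=value,
    case-fold keys and keep only the [autorun] section.  First occurrence of a
    key wins (an assumption of this example)."""
    section = None
    keys: dict[str, str] = {}
    for line in data.decode("latin-1").splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # binary junk, comments and other sections are ignored
        k, v = line.split("=", 1)
        keys.setdefault(k.strip().lower(), v.strip())
    return keys


def nonprintable_ratio(data: bytes) -> float:
    """Share of bytes a text file should not contain (control and high bytes)."""
    if not data:
        return 0.0
    bad = sum(1 for b in data if (b < 0x20 and b not in (9, 10, 13)) or b >= 0x7F)
    return bad / len(data)


def triage_autorun(data: bytes) -> list[str]:
    """Findings for one autorun.inf; an empty list means a plain label/icon file."""
    findings = []
    if data[:2] == b"MZ":
        findings.append("file starts with an MZ header: an executable with an INI tail")
    keys = parse_autorun(data)
    for key in LAUNCH_KEYS:
        if key not in keys:
            continue
        parts = keys[key].strip('"').split()
        target = parts[0].lower() if parts else ""
        if target.endswith("autorun.inf"):
            findings.append(f"{key}= launches the autorun.inf file itself")
        elif target.endswith(EXEC_EXT):
            findings.append(f"{key}= launches executable {target}")
        else:
            findings.append(f"{key}= launches {target or '(empty)'}")
    ratio = nonprintable_ratio(data)
    if ratio > 0.05:  # threshold is an assumption
        findings.append(f"{ratio:.0%} of bytes are non-text: likely embedded payload")
    return findings


def triage_drive(root: str) -> dict[str, list[str]]:
    """Walk a read-only mount or extracted image; report autorun.inf and .lnk files."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == "autorun.inf":
                with open(path, "rb") as fh:
                    report[path] = triage_autorun(fh.read())
            elif name.lower().endswith(".lnk"):
                report[path] = ["shortcut on removable media: check its target before browsing"]
    return report


# Constructed samples (not real malware).
BENIGN = b"[autorun]\r\nicon=setup.exe,0\r\nlabel=Vendor Driver CD\r\n"
DROP = b"[autorun]\r\nshellexecute=rundll32.exe drv.dll,Install\r\naction=Open folder to view files\r\n"
EMBEDDED = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00" + bytes(range(0x80, 0xFF))
            + b"\r\n[autorun]\r\nopen=.\\autorun.inf\r\nUseAutoPlay=1\r\n")

if __name__ == "__main__":
    for tag, blob in (("benign", BENIGN), ("dropper", DROP), ("embedded", EMBEDDED)):
        print(tag, triage_autorun(blob) or "nothing to report")
```

The `action=Open folder to view files` line in the second sample is the classic disguise: the AutoPlay dialog shows a harmless-looking entry that actually runs the `shellexecute` command. Disabling AutoRun for removable media by policy removes that whole class, which is why it is the first control to verify on any site that lets staff bring their own drives.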

Once it reached a Field PG, Stuxnet injected its own code into the PLC and altered the commands the controller sent to the equipment, while feeding the operators’ monitoring software values that showed the system running normally.

In the end, Teller says, about a fifth of the facility’s centrifuges were damaged before Stuxnet was discovered.

The origin of the worm is still unknown.