"The sender was offering Mr. Kodric the opportunity to join Upsilon Pi Epsilon (UPE), the International Honour Society for the Computing and Information Disciplines. The UPE site is hosted within the acm.org domain. On 11 December, as part of this offer, the attacker sent a number of attachments. One of these, UPE_application_form.doc, contained obfuscated malicious VBA script. When opened, this script ran automatically and pulled down a malicious file from IP address 185.31.209.145, thereby compromising the machine."
It's 2015 and Visual Basic for Applications scripts embedded in Word docs are still a viable channel for attacking people.
That makes me pretty sad. Who needs bare-metal/firmware rootkits or virtualization escape exploits when a DOC file + some VBS lets you rob some cryptocurrency?
Social engineering will ALWAYS be the most effective means of compromising a system. If you can get the user to run a thing, you have got them to run anything you want forever. This is not a problem with VBA; VBA is merely providing functionality (and useful functionality in many respects). There is no way to prevent this in VBA or any other technology. The only vector of mitigation is educating the user.
Social engineering will be always effective, but that's not the point. This /is/ a problem with VBA - as a person viewing a document, it doesn't seem like you're running anything, but really you're running arbitrary unsigned code that has full r/w access to everything on your system. To make it worse, this has been a major attack vector for over a decade yet it's still completely unsandboxed.
That's not really true. It doesn't run by default; the user is prompted and warned about possible malicious scripts AND they run them anyway. All you have to do is put instructions/a picture in the doc telling the user to click that button to see the content, and they usually will. Users are simply ignorant of the dangers. That's the problem, it's always been the problem, and that's unlikely to change.
I know it doesn't run by default - a warning about malicious scripts is a cop out and everyone knows it. Yes, if we trained everyone to be programmers, then maybe no one would click it.
However, the point is, how do I know what will happen when I click this button? Will it run a helpful macro to format my data or will it delete all my files? Why is a macro language allowed to do that? Why do those two things have the same security level assigned to them?
You should run executables only from trusted sources - that's what we're told, right? Now - do you trust an email appearing to genuinely be from a very prestigious honor society from the world's largest CS authority? Why not? Why was the person not able to cryptographically verify that, yes, that is indeed where this file came from? What is that - you say that since they didn't know the sender personally, they shouldn't have trusted the file anyway? A different example: What if, say, someone used windowsupdate or apt-get as an attack vector? I bet you're trusting those strangers already, as we speak, and you have pretty much no say in the matter.
"Oh, we'll put in a warning dialog" is the most crappy duct-tape there-I-fixed-it style solution to this extremely nuanced problem, and blaming the user does nothing to secure real world systems.
> You should run executables only from trusted sources - that's what we're told, right?
No, that's what computer savvy people know, normal users don't think twice about running an executable from any source, that's the whole point. Nothing you suggested will stop what people simply do continually, open anything from anyone without caring who the sender is. Sandboxes don't just protect things, they forbid necessary and useful things so you can't simply sandbox everything because users will simply refuse to use your crippled software and opt for the less secure but more functional version. Users don't care about security, that's the problem; it's a social problem, not a technical one.
I get what you are saying, and fundamentally it is a social/education vector. However there are easy, obvious things that Microsoft can do to make this better.
Off the top of my head, macro execution shouldn't be a boolean choice. Don't let macros modify the file system or connect to the network without additional prompts/warnings. Default to not allowing these at all, so the user can't just click an "OK" dialog to start allowing it. Bury that setting deep in Control Panel.
OS X/HFS+ has an interesting feature of using metadata to tell where files came from. You get security prompts even days later when doing certain actions with files downloaded from the Internet. Word/Office could act differently with macros based on whether this file was an email attachment or downloaded vs. a local file the user created.
When enabling VBA scripts, they could be run in a sandbox for a few seconds to see what it modifies on the system. Yes, there are ways around this, but let's raise the bar some.
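The attachment triage the comments above argue for (flag documents that carry a VBA project, then gate macro execution on where the file came from rather than on one "OK" click), as an added Python example that is not from this thread or from Microsoft or Apple. It is a heuristic: it looks for the OLE directory names and the OOXML part that a VBA project leaves behind without parsing the macro code; the origin labels and policy outcomes are assumptions standing in for Mark-of-the-Web / quarantine metadata, and all sample documents are constructed inline.

```python
import io
import zipfile

# Legacy binary Office files (.doc/.xls) are OLE2 compound files whose directory
# entry names are stored as UTF-16LE, so a VBA project leaves these names in the bytes.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_VBA_MARKERS = [n.encode("utf-16-le") for n in ("_VBA_PROJECT", "Macros")]
# OOXML files (.docm/.xlsm/.pptm) are zips; the macro project lives in one named part.
OOXML_VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

def has_vba(data: bytes) -> bool:
    """Heuristic: does this document carry a VBA project? (Does not parse the code.)"""
    if data.startswith(OLE_MAGIC):
        return any(marker in data for marker in OLE_VBA_MARKERS)
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                names = set(archive.namelist())
        except zipfile.BadZipFile:
            return False
        return any(part in names for part in OOXML_VBA_PARTS)
    return False

def macro_policy(data: bytes, origin: str) -> str:
    """Non-boolean macro decision keyed on provenance. origin is 'email', 'download'
    or 'local' (hypothetical labels standing in for Mark-of-the-Web / quarantine
    metadata); returns 'allow', 'block' or 'prompt'."""
    if not has_vba(data):
        return "allow"     # nothing to enable, nothing to decide
    if origin in ("email", "download"):
        return "block"     # untrusted origin: no one-click enable
    return "prompt"        # locally authored: warn rather than run silently

def _ooxml(with_vba: bool) -> bytes:
    """Constructed sample: a minimal zip shaped like a Word OOXML package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            archive.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

# Constructed samples (not real malware): a .doc skeleton with a VBA storage name in
# its directory area, a macro-enabled .docm, and a clean .docx.
SAMPLE_DOC_VBA = OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 64
SAMPLE_DOCM = _ooxml(with_vba=True)
SAMPLE_DOCX = _ooxml(with_vba=False)
```

A production mail gateway would parse the OLE directory properly (for example with oletools' olevba) instead of substring matching, but the provenance-gated decision is the part the thread is asking for.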
Moreover, we need to be very careful not to educate other criminal hackers about how we "safeguard" our assets and information. Accordingly, no part of this report may be made public or given to a third party without the prior express written permission of Bitstamp Ltd.
If this is public now, presumably they've finally airgapped wallet.dat? It sounds like Kodric is getting the blame for this, with his boneheaded doc opening, but with the architecture they had this might have been just a matter of time. After all the CTO had previously opened another doc, but the embedded VBA didn't run for unspecified reasons.
While the total number of emails used per campaign has decreased and the number of those targeted has also decreased, the number of spear-phishing campaigns themselves saw a dramatic 91 percent rise in 2013.
b) scanned and OCR'd with some problems visible on the first page.
If this is officially public I would like to read it, please provide a legible copy. If this is a leaked document then I can't use it and don't particularly want to read it.
Motive: I write this sort of thing from time to time and I would not enjoy seeing it leaked and discussed.
I doubt there is a central repository of things like this as most (this one included) are eyes-only and normally, in an effort to present the raw facts and point out the failures, are not something that makes the company they're about look good (lax security or bad practices; I'm not saying that was the case here one way or the other, just that normally that's what they are going to cover). I think the most telling line (in regards to your comment) is:
> ...we need to be very careful not to educate other criminal hackers about how we safeguard our assets and information. Accordingly, no part of this report may be made public or given to a third party without the prior express written permission of Bitstamp Ltd
Well I was going to quote it but it's been taken down already, wish I still had it open in a tab. The line was something to the effect of "This document should not ever be made public as it outlines our weaknesses and we don't want to give future attackers any more tools to attack us"
Edit: I've updated the above with the quote, I found it after all
Edit 2: All of that said, I too would love to read more in-depth post-mortems on hacks/breaches/thefts. I knew phishing like this was possible but I would probably have fallen prey to some of that. Now, I don't use a Windows computer so I might have been marginally safer, but there is nothing to say that the attacker didn't have Linux/OS X tricks up his/her sleeve. The graphic that shows the different avenues of attack and the one that finally succeeded was a really cool way to visualize the attack as well.
How is anyone supposed to trust nincompoops who open word documents from unsolicited emails on Windows while connected to a sensitive VPN? Furthermore: with your money.
Pretty much everyone opened the docs, including the CTO. If you're more comfortable on Windows, that's fine, use Windows, but remember that you're using Windows.
Perhaps? I don't use either package. If someone sends me a .doc and I really want to read it then I upload to GDrive. If I'm sending something that can't be text then it's a pdf. I'm not saying I can't be phished, but I certainly won't be running any VBA without knowing it.
> I think the chance for remote execution would be far less if they used unix based systems.
OS X is a *nix-based system and has had far worse security than Windows for ages (lagging with basic things like address space randomization). Just because Unix is not considered a primary attack surface for viruses and the like, it does not make it inherently more secure. That kind of attitude is indeed even more dangerous than having a well-secured Windows computer.
Security isn't necessarily better or worse, but different. Remember that Windows (used to?) run code on every attached USB Mass Storage device. The bundled web browser executed native code embedded on web pages (but don't worry, as it's all signed, right?) and great efforts were made to build enterprise software on top of it. That has nothing to do with unix-ness or lack thereof. It's also nothing you can fix by layering more technology over it.
Both systems have unpatched root exploits if you have access to the display subsystem. Both were initially developed for trusted local environments, then adapted for public network use some ten or fifteen years later, and whatever security issues that brought were patched as they were found. I'm just not sure how to argue more or less security in that environment. Users still get owned by running Flash (so no ASLR for you) and Outlook.
I agree, but using software based on open source rather than closed, I think it would be far more secure. And if they do find bugs, I believe they will be fixed faster than in its counterparts.
So if you are an insider and you wanted to steal a hot wallet, a good way to do it is to stage a phishing attack against yourself. (I think Mr. Kodric is a victim here)
Can we stop using and supporting scribd yet? They don't let you get past page 3 on mobile devices without installing their app. Most phones have PDF viewing capabilities, what is the need to host PDFs on scribd?
The people who had legitimate access to this document would either have had the necessary skills, or could have just read this document to learn them. Of course, I'm assuming that "Diann J. Anderson" is a pseudonym, rather than the name of the dumbest secretary at Stroz Friedberg.
EDIT: I'm referring to a scribd doc. For the reasons you cite, GDrive would not be appropriate for this.