This article describes a Trojan horse attack introduced via MS Office
(Word) documents that provided remote access by adversaries to
compromised systems. It doesn't say if the exploit - "design flaw" -
was intentionally introduced (a product of deliberate subversion) or
not. While the article may provide "comfort" to the "defense in depth"
crowd (the State department THINKS the issue was discovered immediately
- but then again, after they were made aware of it - so they knew what
to watch for - they found numerous other compromised systems, so I
wonder how many haven't (yet) been caught).
This isn't terribly surprising, but it brings to mind a new insight (for
me, anyway) into the issue that government and commercial customers are
We've (Aesec) been saying that subversion (deliberately introduced
design and implementation defects into a customer's IT supply chain) is
the preferred avenue of attack of professional adversaries, and I agree
that it is.
We've (Aesec) also noted that the commercial security industry is
largely focused, instead, on discovering and patching software defects
that can be easily discovered (via fuzzing and testing) and exploited to
gain access to systems.
Both those two avenues can lead to serious security breeches.
But it's not necessary to plant an operative into a vendor's shop in a
position to introduce flaws into software to gain advantage. Simply
knowing enough about the internal design and implementation of the
system is likely to provide the adversary with the knowledge and
opportunity to discover paths of attack that can be researched at their
leisure, held until needed as what would be considered a private "zero
So at one end of the spectrum of malicious attacks are pure opportunists
(including amateurs and script kiddies) using defects discovered through
fuzzing interfaces and related black box testing techniques. At the
other end of the scale are paid professional operatives infiltrating
vendor development and delivery supply chains to introduce defects
intentionally. And in the middle are those with "gray box" knowledge of
products involved, who are in a better position than the public to
identify attack vectors worth investigating.
This middle ground would seem to significantly increase the threat -
there are many more jobs in vendor organizations (and their supply and
support chains) that provide privileged insight to product design,
development, implementation and delivery than there are with direct code
modification roles in the product. So I think you'd have to assume that
the pool of unreported zero day exploits may be much larger than
Just a thought.
This doesn't reduce the challenge or need to deal with subversion by the
professional adversary - it just expands my appreciation for the size of
the threat customers face.
State Department got mail _ and hackers
By TED BRIDIS, Associated Press Writer/Wed Apr 18, 8:29 PM ET/
A break-in targeting State Department computers worldwide last summer
occurred after a department employee in Asia opened a mysterious e-mail
that quietly allowed hackers inside the U.S. government's network.
*In the first public account revealing details about the intrusion and
the government's hurried behind-the-scenes response, a senior State
Department official described an elaborate ploy by sophisticated
international hackers. They used a secret break-in technique that
exploited a design flaw in Microsoft software.*
Consumers using the same software remained vulnerable until months
Donald R. Reid, the senior security coordinator for the Bureau of
Diplomatic Security, also confirmed that a limited amount of U.S.
government data was stolen by the hackers until tripwires severed all
the State Department's Internet connections throughout eastern Asia. The
shut-off left U.S. government offices without Internet access in the
tense weeks preceding missile tests by North Korea.
Reid was scheduled to testify Thursday at a cybersecurity hearing for a
House Homeland Security subcommittee. He was expected to tell lawmakers
an employee in the State Department's Bureau of East Asian and Pacific
Affairs --- which coordinates diplomacy in countries including China,
the Koreas and Japan --- opened a rigged e-mail message in late May
giving hackers access to the government's network.
*The chairman of the Homeland Security Committee, Rep. Bennie Thompson
(news, bio, voting record), D-Miss., said hackers are no longer
considered harmless, bored teenagers. "These are experienced,
sophisticated people who are trying to exploit our vulnerabilities and
gain access to our information," Thompson said.*
Reid was not expected to disclose the identities or nationalities of the
hackers believed to be responsible for the break-ins or to disclose
whether U.S. authorities believe a foreign government was responsible.
The department struggled with the break-ins between May and early July.
*The panel's chairman, Rep. James R. Langevin, D-R.I., called
cybersecurity an often-overlooked line of defense. "Since much of our
critical infrastructure is dependent on computers and networks and is
interconnected and interdependent, a cyberattack could disrupt major
services and cripple economic activity," Langevin said.*
The mysterious State Department e-mail appeared to be legitimate and
included a Microsoft Word document with material from a congressional
speech related to Asian diplomacy, Reid said. By opening the document,
the employee activated hidden software commands establishing what Reid
described as backdoor communications with the hackers.
*The technique exploited a previously unknown design flaw in Microsoft's
Office software, Reid said. *State Department officials worked with the
Homeland Security Department and even the FBI to urge Microsoft to
develop quickly a protective software patch, but the company did not
offer the patch until Aug. 8 --- *roughly eight weeks after the break-in.*
Microsoft said it works as quickly as possible to provide customers with
"If we release a security update that is not adequately tested, we could
potentially put customers at risk, especially as the release of an
update can lead to reverse-engineering the fix and lead to broader
attacks," said Microsoft's senior security strategist, Phil Reitinger.
"Updates must be able to be deployed by customers with confidence."
At the time, Microsoft described the software flaw as "a newly
discovered, privately reported vulnerability" but did not suggest any
connection to the U.S. government break-in. It urged consumers to apply
the update immediately. It also recommended that consumers not open or
save Microsoft Office files they receive from sources they don't trust
or files they receive unexpectedly from trusted sources.
*The State Department detected its first break-in immediately, Reid
said, and worked to block suspected communications with the hackers. But
during its investigation, it discovered new break-ins at its Washington
headquarters and other offices in eastern Asia, Reid said.*
*At first, the hackers did not immediately appear to try stealing any
U.S. government data. Authorities quietly monitored the hackers'
activity, then tripwires severed Internet connections in the region
after a limited amount of data was detected being stolen, Reid said.*
Reid also complained the State Department's efforts to deal quietly with
the break-in were disrupted by news reports. The Associated Press was
first to reveal the intrusions.
"We were successful here until a newspaper article telegraphed what we
were dealing with," Reid said.
Copyright © 2007 The Associated Press. All rights reserved. The
information contained in the AP News report may not be published,
broadcast, rewritten or redistributed without the prior written
authority of The Associated Press.
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.