Social hackers target McAfee staff in church, at carparks

No place was sacred from cybercriminals who were getting bolder in their attempts to steal confidential data, going so far as to bail up a security vendor's staff member - in a church.

McAfee chief security officer Brett Wahlin said the security vendor's staff were physically harassed and its network defences tested by hackers.

Hackers sought information to undermine McAfee's firewalls, intrusion-prevention systems and critical infrastructure protection platforms relied on by millions of users, he said.

At least one worker was approached by a suspected attacker while in church after his movements were tracked through online social networks, he said. He posed as a colleague in an attempt to wheedle information from the McAfee worker. And similar attempts were made on staff in car parks outside of company offices, Wahlen said.

Others received phone calls from suspected attackers who attempted to obtain information such as usernames and passwords.

Attackers have assumed the roles of contractor, customer or partner to convince staff to hand over sensitive data.

The attacks started in March when security company RSA was hacked and information on its popular SecurID token system was stolen.

SC Magazine believed attackers stole crucial information to link SecurID serial numbers to seeds, allowing them to determine the token numbers used by customers.

Last week, defence contractor and RSA customer Lockheed Martin was hacked in an attack that may have used duplicate SecurID keys and a keylogger that provided enough information to access the company network.

The contractor denied that data was stolen but Wahlin said it was part of bigger plans beyond Lockheed's systems.

"They are building a respository on stolen information. I don't know what the final target will be, just wait and watch", Wahlin said.

McAfee replaced its SecurID tokens and shored-up security after the RSA breach, he said, because they were among those to be targeted.

Such  attacks were often called advanced persistent threats and include attacks using known and zero-day exploits.

Wahlin expected the frequency to increase: "To accentuate the damage of APTs is to exploit social engineering".

He advised organisations to educate their staff about the dangers of talking to strangers or those not authorised to receive information.

Cold war tactics

Information control is difficult for organisations so McAfee turned to Cold War tactics.

"We are looking at applying the principles of counter-intelligence to the private sector, notably around security clearances," said Wahlin, a former US counter-intelligence operator.

"We are testing what the employee base will accept. Tracking what you do when you are not at work - that was possible in the military, but that doesn't fly in business."

Workers bringing their own computers and devices such as smartphones into the office further complicated attempts to lock down the business, he said: "You can't simply sieze a personal device to perform forensics, there are laws that prevent that".

Circles of trust

By the end of this year, McAfee's internal network will have four rings to allocate access rights to devices depending on their levels of trust.

The private cloud, defence-in-depth model provided the greatest access on the inner rings to the most secure devices, and restricts access towards the outer rings.

While devices in the outer rings are assumed to be vulnerable and must use virtual interfaces to connect to limited services such as email, it was the second layer that Wahlin said was most interesting.

"Devices are supported but unmanaged ... the problem is who owns the device?" he said.

Copyright © SC Magazine, Australia