Spear Phishing in Tennessee

Looking at the evolution of cyber attacks over the years, beginning with the “Morris” Internet worm in 1988, and up to the present, one thing that stands out is the increase in the professionalism of the attacks.   By this, I don’t mean the technical sophistication of the attacks — though that has grown, too — but rather in the overall effectiveness of the operation.  Early attacks were often carried out as a sort of intellectual exercise (as the Morris worm seemingly was), or as pranks by socially- and hygienically-challenged adolescents.  Today, many attacks are part of organized criminal enterprises (to steal credit card numbers, for example), or are at least suspected of being mounted by governments.  More than ever, there is an “arms race” between the attackers and the security people charged with protecting systems.

Even highly sophisticated target organizations have been successfully attacked.  According to a post on the “Threat Level” blog at Wired,  the latest victim of a targeted attack was the Oak Ridge National Laboratory [ORNL], in Tennessee.

The Oak Ridge National Laboratory was forced to disconnect internet access for workers on Friday after the federal facility was hacked, and administrators discovered data being siphoned from a server.

The attack was an instance of “spear phishing“.  Phishing is a general term for attacks that attempt, often via E-mail, to elicit personal information (e.g.,  credit card numbers, bank account details, or passwords) from users under false colors.  Spear phishing is used to describe attacks that are targeted at particular individuals or groups (often, employees of a given organization).   The ORNL attack was a fairly standard example.

According to [Thomas] Zacharia [deputy director of ORNL], the intrusion came in the form of a spear-phishing email sent to lab employees on April 7. The e-mail, purportedly sent from the human resources department, discussed employee benefits and included a link to a malicious web page, where malware exploited the IE vulnerability to download additional code to users’ machines.

The IE vulnerability used was patched by Microsoft on April 12 [MS11-018]; this incidentally highlights that today’s attackers typically need only a short window of opportunity to mount a successful attack.   The E-mail message was sent to slightly more than 10% of the lab’s ~5,000 staff, and only 57 clicked on the link, but that was enough for the malware payload to install itself and gain a foothold on ORNL’s network.

The lab says that only a “few megabytes” of data were successfully extracted by the attackers; however, the incident is undoubtedly embarrassing, given that cyber security is one of the lab’s specialties.

The lab’s science and technology research includes work on nuclear nonproliferation and isotope production. The lab, ironically, also does cybersecurity research focusing on, among other things, researching malware and vulnerabilities in software and hardware as well as phishing attacks.

The incident is still being investigated.

YouTube Will Serve Up WebM Video

I’ve posted a couple of articles here about Google’s WebM project to create an open Web video standard, one unencumbered by patents.  Google appears to have been making steady, if unexceptional, progress on the project.

Google, of course, owns one of the Internet’s major video sites: YouTube, which has been making WebM versions of some recently uploaded content available.  Now, in a post at the official YouTube Blog, the company has announced that it is in the process of making all of its video content available in the WebM format; this is, obviously, a very considerable project.

Transcoding all new video uploads into WebM is an important first step, and we’re also working to transcode our entire video catalog to WebM. Given the massive size of our catalog – nearly 6 years of video is uploaded to YouTube every day – this is quite the undertaking. So far we’ve already transcoded videos that make up 99% of views on the site or nearly 30% of all videos into WebM.

Google is one of the few firms in the world with the computing infrastructure to undertake this sort of job as a sort of background task.  It enables them to shift processing resources in response to user demand.

It works like this: at busy upload times, our processing power is dedicated to new uploads, and at less busy times, our cloud will automatically switch some of our processing to encode older videos into WebM.

Google also says that it will continue to support the H.264 codec, as well as an HTML 5 video player now under development.  (H.264 is covered by patents, and subject to royalties, at least potentially.)  Even with Google’s resources, transcoding the entire YouTube video inventory is a sizable undertaking.  It is another indication that they are very serious about WebM.