Latest cybersecurity threat lies in trusted software and hardware

Justice e-mail is indicative of a larger threat agencies face called supply-chain attacks.

An e-mail the Justice Department sent in July warning employees about thumb drives left in offices and pre-loaded with software that could steal information from a computer is the latest example of a new cybersecurity threat that involves seemingly innocuous hardware devices.

Security personnel from the Executive Office of U.S. Attorneys found two USB thumb drives containing malicious code last month that were left unattended in Justice's offices in Downtown Washington, according to an e-mail obtained by Nextgov last week. If inserted into a computer, the thumb drives would secretly capture certain information and send it to an undisclosed computer outside Justice, according to the July e-mail. The thumb drives were left where any department employee or contractor could find them.

It's unclear whether the stashed thumb drives were part of a security training exercise at Justice or a genuine threat. The department declined to comment on the incident, but the e-mail raises questions about how easy it would be for hackers to penetrate the defenses of federal agencies.

"What you're dealing with is one of the top 10 new threats," said Alan Paller, director of research at the SANS Institute, a cybersecurity research and education group. With this kind of attack, called a supply-chain attack, a device is infected before it reaches the customer, he explained.

"It's a different kind of attack from most of what we've talked about, where you've got a computer that's OK and someone comes in and does something to it," Paller said.

Supply-chain attacks can be carried out using almost any form of hardware, including thumb drives. Paller said the worst case he has seen involved a user who visited China and came back to discover his laptop was infected, despite the fact he had not connected it to any networks or let it out of his sight. The user later found out that his computer had been infected when it was connected to a digital projector.

Howard Schmidt, the former White House cybersecurity adviser who was recently appointed the first international president of the Information Security Forum, said the threat could include any device plugged into a computer, such as digital picture frames, USB drives, external hard drives and cameras. He said people have discussed on Internet message boards hackers who distribute USB drives at conferences that come pre-loaded with Trojans or other malware that can steal data from a system.

"[There's been] a massive shifting from dumb attacks against systems to attacks against people," Paller said. "If my kid buys me a digital picture frame and the computer asks if I'm sure I want to install the software, I click yes. This malware uses the system, but fools you into doing something."

A significant number of the supply-chain attacks originate in China, which manufactures much of the hardware U.S. and other foreign companies use. The motivation to do so can be economic - to commit commercial espionage - and strategic. For instance, the Commerce Department tracks all technologies that are deemed too sensitive to export. That information is what hackers target for attack.

The scale of the attacks also is greater than most information security professionals realize. One senior law enforcement official told Paller that his agency receives at least one new extortion case involving stolen data daily and the majority goes unreported.

"One thing I believe is true, though I can't prove it, is that every agency with sensitive data has already been penetrated at several levels," Paller said. He described a warning letter British intelligence agency MI5 sent to companies last year informing them that their computers and those of their solicitors were being penetrated by Chinese hackers seeking to get a leg up in negotiations. "It's a fact, it's happening on a large scale in the U.S. as well," Paller said.

Paller said the nature of the attacks makes them very difficult to prevent. He compared the attacks to sophisticated e-mail spear phishing scams that use real information about a user to trick him or her into opening an e-mail that contains a virus.

One of the only ways to defend against supply-chain attacks is to focus on the acquisition of IT. "It has to be defended by the hardware and software you buy," he said. "It isn't going to be done by people trying to do their jobs."

Paller said one of the more effective methods to prevent such attacks is to follow the Federal Desktop Core Configuration mandate, which requires federal agencies to standardize desktops and applications to prevent unauthorized programs from being downloaded onto computers.
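The article does not list FDCC's individual settings, so the following is an added example rather than anything from the mandate or the article: it applies the standard Windows policy values that stop a thumb drive or picture frame from launching an installer on insertion, then reads them back so the state can be audited. The registry paths and value names are documented Windows policies; the script assumes it is run from an elevated PowerShell session.

```powershell
# Added example (not from the article): harden a Windows desktop against
# "plug it in and it installs itself" media. FDCC's exact setting list is not
# given in the article; these are standard Windows policy values that serve the
# same goal of keeping unauthorized programs off the machine. Run elevated.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Device class GUID for "Removable Disks" used by the RemovableStorageDevices policy.
$RemovableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 0xFF disables AutoRun for every drive type, so an autorun.inf on a thumb
# drive or picture frame never produces the "install this software?" prompt.
Set-PolicyValue -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF
# Ignore autorun.inf entirely when Windows builds the AutoPlay dialog.
Set-PolicyValue -Path $ExplorerPolicy -Name 'NoAutorun' -Value 1
# Deny execute access on removable disks: files can still be copied off and
# scanned (as the article recommends), but nothing runs directly from the stick.
Set-PolicyValue -Path $RemovableDisks -Name 'Deny_Execute' -Value 1

# Read the values back so the result can be checked or fed to an audit log.
function Test-RemovableMediaHardening {
    $explorer  = Get-ItemProperty -Path $ExplorerPolicy -ErrorAction SilentlyContinue
    $removable = Get-ItemProperty -Path $RemovableDisks -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoRunDisabledAllDrives = ($explorer.NoDriveTypeAutoRun -eq 0xFF)
        AutorunInfIgnored        = ($explorer.NoAutorun -eq 1)
        RemovableExecuteDenied   = ($removable.Deny_Execute -eq 1)
    }
}

Test-RemovableMediaHardening | Format-List
```

Settings written under Policies take effect at the next logon or after `gpupdate /force`; on domain-joined machines the same values are normally pushed by Group Policy rather than set by hand.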

Schmidt also recommended several steps users could take to prevent supply-chain attacks on their systems. "First and foremost, if you find a USB drive lying around, treat it with a great deal of caution," he said. "Second, if one is given to you from a reputable vendor or you buy one off the shelf, treat it like any other sort of media and scan it to find out what's on it."

Schmidt also said users should make sure the antivirus software on systems is up to date and set to scan for viruses on any new device that is plugged into it.