A Monster Lesson: Security Must Be Everywhere

A trojan targeting Monster.com shows that protection from the center to the edge -- and beyond -- is still needed.

I should have more sympathy for those who spent several hours removing the Storm virus from their systems during the last two weeks. I have somewhat less sympathy for those who have the virus on their systems but don’t know it, and even less for Monster.com. I want the organized rings that operate the Storm botnet to have an extended stay at one of the franchises of the U.S. federal prosecutor’s choice.

I also want all of us to get smarter.

When I spoke with Dan Larkin of an FBI cyber task force a few weeks ago, some of his words were prophetic. According to Larkin, "The bad guys are more interested in walking in the front door of your business or bank with the keys to the vault and walking right out with the cash or merchandise." That sounds exactly like Monster.com, except the merchandise stolen was identities and more computers for the botnet.

Harvesting of résumé data from Monster.com was executed by a trojan called Monstres. This particular malware accesses portions of the Web site hiring.monster.com used by hiring managers, and recruiter.monster.com used, obviously, by recruiters. The trojan uses legitimate credentials, probably stolen from some other data-harvesting trojan, run by the same gang. The corrupted desktops may be inside corporate walls, on freelancers' machines, or on computers in agencies or small or home offices. The specific compromised accounts and their sources have not been publicly disclosed.

It is obvious, however, that someone’s desktop got hacked—and there were probably many of them. Some of those desktops may be sitting in a company's human resources department or on a notebook sitting in an employee’s home. Some may likewise be owned by individuals with no IT department watching their backs. No matter, we all suffer.

The Monstres trojan surfaced in the cyberworld specifically to harvest résumés. With the information from them—name, address, phone number, employer—cybercriminals can build a better profile of potential identity-theft victims, using any data that makes such a crime easier.

The trojan e-mails came in the form of socially engineered spam that appears to come from Monster.com, designed to trick further victims into installing more remote-control trojans and so expand the criminals' infrastructure. After all, your résumé is on Monster.com, so wouldn't you expect e-mail from them?

Security broke down in several places. Obviously, the endpoint security of some recruiter's computer failed. Perhaps a blended threat with good social engineering got the mouse click that shouldn't have happened. It's very probable the antivirus or operating system didn't have the latest update to catch the malware code coming down the wire. Once infected, a computer becomes a launch pad to infect other machines, building out the botnet infrastructure that then spews profitable spam to others.

Obviously, user education remains a problem. Spam is still a high-profit, low-risk business. Ron O'Brien, senior security analyst at security vendor Sophos, mentioned that five percent of those surveyed reported having bought a product solicited in an e-mail. Are users truly that gullible? How often can a stranger sell you a product that you haven't seen? A high direct-mail response rate is under three percent, and you must consider the postage costs. Do the math on an almost no-cost-per-person campaign that fills millions of e-mail boxes in an hour and you'll see the attractive return on investment.

We have supposedly taught people not to click on attachments from people or sources they don’t know. We now need to increase that education level to not clicking on unfamiliar Web links—training both corporate employees and customers.

We need better filtering products at the edge to knock down spam and blended threats. The latter requires more sensitive, and perhaps more controversial, Web filtering.

For its part, Monster.com was the target of good credentials in the wrong hands. Nevertheless, Monster.com missed an obvious piece of the puzzle by not applying behavioral monitoring to the searches of its résumé database. It is difficult to pull 1.6 million records of personal information out of a database without some of that activity appearing atypical, such as the time of day of the search or the geographic locations searched relative to the recruiter's own territory. That is the purpose of database monitoring and compliance tools.
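The behavioral monitoring described above, as an added Python example (not Monster.com's code, nor any vendor's product): it scores a constructed résumé-retrieval log per recruiter account against an assumed learned baseline for hourly volume, time of day and geography, and returns the accounts whose pattern deviates, with the reasons. The account names, states and baseline numbers are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Monster.com data): one tuple per résumé
# retrieval, (local timestamp, recruiter account, state on the résumé).
def build_sample_log():
    log = []
    day = datetime(2007, 8, 20, 10, 0)   # recruiter_a: 12 daytime views, home state
    for i in range(12):
        log.append((day + timedelta(minutes=5 * i), "recruiter_a", "WA"))
    night = datetime(2007, 8, 21, 3, 0)  # recruiter_b: 200 views at 3 a.m., 20 states
    states = ["TX", "NY", "FL", "IL", "GA", "OH", "PA", "MI", "NC", "NJ",
              "VA", "AZ", "MA", "TN", "IN", "MO", "MD", "WI", "CO", "MN"]
    for i in range(200):
        log.append((night + timedelta(seconds=10 * i), "recruiter_b", states[i % 20]))
    return log

# Assumed per-account baseline that a monitoring tool would learn from history:
# the states the recruiter normally searches and typical retrievals per hour.
BASELINE = {
    "recruiter_a": {"home_states": {"WA", "OR"}, "typical_per_hour": 15},
    "recruiter_b": {"home_states": {"CA"}, "typical_per_hour": 15},
}
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 local time

def flag_atypical(log, baseline, volume_factor=5, foreign_share=0.5):
    """Return {account: [reasons]} for accounts deviating by volume, time or geography."""
    per_hour, off_hours, foreign, total = (defaultdict(int) for _ in range(4))
    for ts, acct, state in log:
        total[acct] += 1
        per_hour[(acct, ts.strftime("%Y-%m-%d %H"))] += 1
        if ts.hour not in BUSINESS_HOURS:
            off_hours[acct] += 1
        if state not in baseline[acct]["home_states"]:
            foreign[acct] += 1
    findings = defaultdict(list)
    # Volume: more retrievals in one hour than volume_factor times the usual rate
    for (acct, hour), n in sorted(per_hour.items()):
        if n > volume_factor * baseline[acct]["typical_per_hour"]:
            findings[acct].append(f"volume: {n} retrievals in hour {hour}")
    for acct in total:
        if off_hours[acct]:   # Time of day: any activity outside business hours
            findings[acct].append(f"time: {off_hours[acct]} retrievals outside business hours")
        if foreign[acct] / total[acct] >= foreign_share:  # Geography: share outside home
            findings[acct].append(f"geography: {foreign[acct]}/{total[acct]} outside home states")
    return dict(findings)
```

A real deployment would feed the findings into an alerting or rate-limiting step on the recruiter account rather than just returning them.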

I asked O'Brien what individuals and corporations should do. For individuals, the most important advice is to have regularly updated anti-virus protection, preferably updated automatically. The 30-day trial version you got when you bought your computer probably expired long ago. Next, be sure to install updates for all your systems, Mac or Windows, as soon as possible.

O’Brien thinks that corporations should recognize that “the most vulnerable point on the network is the desktop and the most vulnerable part of the desktop is the user. Corporations need to enact policies to prevent users from putting the network or data at risk.”

He suggests that credentials, passwords in particular, must be changed more frequently, and that users and IT must heed the advice to make them more complex rather than working around the complexity requirement.

O'Brien thinks corporations have a greater responsibility to realize that employees are human. They must provide the tools necessary for their personal lives, with policies that either prohibit or accommodate such activities as Web browsing, peer-to-peer use, VoIP, or instant messaging. If an activity is allowed, choose one program in each category (one IM program, one VoIP program, etc.) as the standard, keep it up to date, and secure it. Network administrators and the human resources department should meet regularly to develop and enforce these policies.

Problems like the one Monster.com experienced prove that all of us, individuals and enterprises alike, are in this together. Any weak point becomes a platform to attack everyone else. Security needs to be everywhere.

About the Author

Chris DeVoney is a Seattle-based 30-year veteran of computing who has written numerous technology books and articles. He is currently an IT specialist within the University of Washington.