By Phil Reitinger
In “The Princess Bride,” Inigo Montoya is fencing against the Man-in-Black. They begin fencing with swords in their left hands, but shortly after Inigo switches to his right hand – he was using his left hand as an intentional handicap – the Man-in-Black switches to his right hand also, saying “I’m not left-handed either.” The Man-in-Black wins.
In this analogy, cybersecurity defenders are Inigo Montoya, not the Man-in-Black. We are not fighting the war we think we are. Instead, the men and women-in-black will switch (or have switched) to their stronger, right hand: attacks via mobile applications which government and commercial enterprises have never vetted or approved, and over which they may have zero visibility.
CrowdStrike released a report yesterday stating that a legitimate Android application used by the Ukrainian military had been infected with an implant that, among other things, might allow intelligence gathering and high-level tracking of artillery units. The report has drawn considerable attention because it adds weight to the conclusion that the Russian government was responsible for the hack of the U.S. Democratic National Committee. I think the report is even more important for a different reason – it describes a targeted attack using an Android application that had never been distributed by an official app store, but was home-grown and distributed by social media.
How would you fare again such an attack? You may be thinking, “Well, my organization isn’t an artillery unit,” or maybe “We only use authorized applications.” Hold those thoughts for a second.
Last year Lookout.com released a study that found:
- 50% of US Federal Government employees access their work email from a personal device;
- 48% of employees say they are not allowed to store work information on personal devices, but 30% of them are doing it anyway; and
- 24% of employees install apps from places other than official app stores.
In short, unauthorized “Shadow BYOD” is widespread within the US Federal Government, and if you prohibit the use of personal devices in your organization, I’ll bet you have significant Shadow BYOD too. And whether it is BYOD or Shadow BYOD, how much do you rely on the security protections of an official app store to prevent installation of malicious applications?
Concern about malware or vulnerabilities inserted in software has been around for a long time. “The Department of Defense (DoD) is concerned that security vulnerabilities could be inserted into software that has been developed outside of the DoD’s supervision or control,” said the Software Engineering Institute in 2010. Mobile has irrevocably changed this game. With mobile devices and the app-centered ecosystem, the “supply chain” is no longer just systems software and a few applications; it is hundreds or thousands of applications that your employees may use. With BYOD or Shadow BYOD, these may be un-vetted applications over which you have no visibility.
For me, those concerns dispose of the “We only use authorized applications” argument. It’s still true, of course, that few of you are equivalent to a military unit operating in a zone of conflict. But think about it, if your organization has enough value to be targeted by spear-phishing, why wouldn’t a capable adversary use targeted apps as well? How about an application to arrange pick-up basketball, football (or soccer), or softball games in a national capital? How about a social networking application for the financial services industry? And why not release a new trojanized version of a previously legitimate app, which already has a loyal following among the target audience?
Of course, this attack vector isn’t new. But together the combination of mobile devices, the app-centered ecosystem, Shadow BYOD, and the CrowdStrike report that extremely sophisticated adversaries are using targeted app attacks, are quite significant. Be sure to consider this type of attack in your threat modeling.
Your adversary isn’t left-handed.
The author, Phil Reitinger, is the President and CEO of the Global Cyber Alliance. You can follow him on Twitter @CarpeDiemCyber.