Conspiracy Theory

Don’t you just love conspiracy theories? Here’s a new one for you.

April 21, 2009: F35 Fighter Jet Program Breached

The Wall Street Journal reported a data breach in the F35 Joint Strike Fighter Jet program. According to the report, someone allegedly hacked into one of the program’s databases – perhaps run by a third party involved in the project – and siphoned off an unknown amount of sensitive information. The breach was apparently in an area connected to the Internet and databases segregated from the Web were not affected.

Also according to the report, attacks on military and government databases have escalated in the past six months. "There’s never been anything like it", according to a quoted former U.S. official briefed on the matter, adding that other military and civilian agencies as well as private companies are affected: "It’s everything that keeps this country going."

November 14, 2008: A Wave of Corporate Breaches

USA Today’s Byron Acohido reported that targeted attacks on corporate resources ballooned in the previous few months.

October 31, 2008: Trojan Credential Theft Increases Tenfold Since June 2008

The RSA FraudAction Lab shared its findings on its discovery of over 510,000 credentials and payment cards stolen by the gang behind the Sinowal Trojan. In the chart posted within the blog, you’ll notice a tenfold increase in the number of stolen credentials during just a few months in the summer of 2008.


OK – so now let’s think about what this means.

What can possibly connect an increase in cyber crime attacks on U.S. government and critical infrastructure targets in the past few months, the increase in corporate resources being targeted by cyber criminals, and the exponentially growing number of computers infected by the notorious Sinowal Trojan?

Is it really a coincidence that consumer security, enterprise security and government security are all under attack in such a short period of time? I’d say there’s one common link: all of these data points relate to a material change in the fabric of the Internet as a secure medium – a change that started in mid-2008.

Since summer 2008, the hijacking of personal computers for sinister uses has dramatically increased due to breakthrough advancements in infection technologies, and these include:

  • According to Byron Acohido, through a posting in his Last Watchdog blog, SQL injection botnets hack legitimate websites so they can support ‘drive-by download’ distribution of malware
  • ZDNet reported that Paul McCartney’s official website was used to this end
  • Phishing-based distribution of malware, with the added dimension of social engineering, has skyrocketed recently; a good example of this is the Cease Fire Trojan reported by RSA FraudAction Labs.
  • Brian Krebs, through his Security Fix blog in the Washington Post, reported that social networks spread Trojans in what can literally be described as viral marketing.
  • Panda Labs reported an 800% increase in infection of PCs by malware from the first half of 2008 to the second half.

It’s all about infection. There are so many hijacked personal computers out there that if a fraudster operates a large botnet, they could make hijacked PCs available to other online fraudsters interested in financial transactions, governments interested in access to sensitive areas in military and government, or enterprises interested in intellectual property.

The only thing that would change is the payload delivered to the hijacked device. Online fraudsters can use the back door to install a financial Trojan. A government entity will use a strategically placed sniffer to capture secrets. Enterprises can leverage access for industrial espionage.

So here’s my personal conspiracy theory in a nutshell: Private computers’ back-doors are being used to access corporate and government networks. That’s why it’s all connected: infiltrations of military data, exposed government resources, financial services hit by Trojans, corporations penetrated for industrial espionage.

If you think about it, nothing has fundamentally changed in network security; but something has certainly happened with endpoint security. The bad guys may be simply riding the wave. They have a back door to sensitive resources through hijacked personal computers – many belonging to employees.

Does the link really exist? Are all of these just different "use cases" of the same back door into Internet security obtained through the proliferation of botnets hijacking personal computers?

Hey, it’s just a conspiracy theory. And like any other conspiracy theory, chances are we’ll never know the entire truth. You simply decide whether to believe it or not.
