National politics being what they are, the news in our part of the world is rather narrow and self-absorbed these days. Thus, the media here wasn’t too impressed by a story out of China a few days ago about a piece of malware called Swearing Trojan. Named for some Chinese profanity embedded in comments in the code, Swearing Trojan is big news in China, where it continues to unleash havoc, even after the original perpetrators were arrested.
Various observers have already noted that the techniques are portable and will likely show up on this side of the Pacific soon.
Swearing Trojan spreads two ways, one logical and one physical. The logical method uses general phishing and targeted spear-phishing attacks to lure individuals to code-injection sites. The physical method involves interposing a fake cell tower, which appears to belong to a legitimate telecom carrier, and sending automated texts with poisoned links from there to victims’ phones.
Although possibly millions of people have been infected in China, the current victim count in the United States is zero. For now. But it might be good for us over here to cease contemplating our navels for a bit and try to get in front of this currently foreign object likely barreling our way.
While most of the attention has been on the new attack vector, the physical base stations, the malware technique still requires a rube to click on a link. In phishing messages, the links can be enticing (nude celebrity pics!) but are more likely alarming in spear-phishing gambits (your boss appears to be saying, “Look at this linked document and comment right away!” or “Get this software update immediately!”). Spear-phishing is more fear-inducing anyway, because you’ve been targeted with some specific information about you that the attacker knows and crafts into the attack. In the case of Swearing Trojan, this information — your name, email address and maybe title — can simply come from a colleague’s phone that got hacked.
A major portion of the problem is attributable to the fact that email security still takes place at the server level. That is, on the recipient end, you can tell whether the sending domain is right (www.democrats.org), but not who the actual sender is. An email that looks like it comes from your boss can be determined to come from your company, but not from that specific individual. Thus, the mailroom guy can pose as the CFO.
The simple answer to this problem is identity verification, an artifact of the encryption process. It’s really the mirror image of encryption rather than an artifact, but people don’t generally think of it that way. Most people focus on how encryption protects the outgoing message from prying eyes and lets it be opened again at the far end with the right key.
Without lecturing anyone who knows about public key infrastructure (PKI), the simplest explanation is that every user has two keys, one private and one public. With your private key, you can open a message that someone else encrypted with your public key. An analogy is a safe deposit box at the bank. It has two keys, too. The bank teller has the public one; that is, it’s known to be yours and goes to your box alone, but all the bank employees can handle it. You keep the private one. The analogy isn’t perfect, but it gives the idea of having two keys and keeping the private one on a user’s device and nowhere else. A user’s public key is “known” to everyone in the system. It can be used by anyone to encrypt a message sent to that particular user, who can decrypt it with their private key. If you have the private key, then it’s assumed that you are the intended recipient.
An analogous structure can produce definitive identity verification. In this case, the sender uses a private key for “signing.” Like an actual written signature, signing is a guarantee that the sender is who they say they are. The person who controls the sender’s email address — having been verified previously by physical or other means — is presumed to be themselves. Their identity is verified when the recipient opens the message and checks the signature against the sender’s public key: a message signed with any other key, or altered after signing, fails that check.
It turns out that identity verification is exactly what we need to defend against breaches like John Podesta’s email snafu. Such breaches can be addressed by products like Inky Phish Fence, which uses PKI to deliver identity-secured phishing protection. Others offer their own approaches, but an important feature of Inky Phish Fence is that all signing and verification occurs on endpoint devices. Real identity verification works only if the encryption chain runs from one end all the way to the other. Email is easy to forge, but if its content depends on a tightly controlled private key, the recipient can reliably tell who the true sender is.
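To make the signing side of this concrete, here is a small Go program (an added illustration, not code from the article or from any product it names) that signs a message with the sender's private key on one end and verifies it against the public key registered for the claimed address on the other. It uses Ed25519 signatures from Go's standard library; the CFO and mailroom key pairs, the addresses and the message text are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Message is the signed part of an email: claimed sender, subject and body.
type Message struct {
	From, Subject, Body string
	Sig                 []byte
}

// canonical fixes the exact bytes that are signed and later verified.
func canonical(m Message) []byte {
	return []byte("From: " + m.From + "\nSubject: " + m.Subject + "\n\n" + m.Body)
}

// Sign uses the sender's private key, which lives only on the sender's device.
func Sign(priv ed25519.PrivateKey, m Message) Message {
	m.Sig = ed25519.Sign(priv, canonical(m))
	return m
}

// Verify runs on the recipient's device: it looks up the public key registered
// for the claimed From address and checks the signature against the content.
// Unknown address, altered content or a signature by another key all yield false.
func Verify(directory map[string]ed25519.PublicKey, m Message) bool {
	pub, ok := directory[m.From]
	return ok && ed25519.Verify(pub, canonical(m), m.Sig)
}

// Demo builds constructed key pairs for a CFO and for the mailroom and reports
// whether a genuine, a forged and a tampered message verify, in that order.
func Demo() (genuine, forged, tampered bool) {
	cfoPub, cfoPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, mailroomPriv, _ := ed25519.GenerateKey(rand.Reader)
	directory := map[string]ed25519.PublicKey{"cfo@example.com": cfoPub}
	m := Message{From: "cfo@example.com", Subject: "Wire", Body: "Please review."}
	signed := Sign(cfoPriv, m)    // signed with the CFO's own key
	fake := Sign(mailroomPriv, m) // mailroom poses as the CFO
	edited := signed
	edited.Body = "Send the wire now." // altered after signing, signature kept
	return Verify(directory, signed), Verify(directory, fake), Verify(directory, edited)
}

func main() {
	fmt.Println(Demo()) // true false false
}
```

The forged message carries the right From address and passes any domain-level check, yet fails here because the mailroom key is not the one registered for the CFO.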
It’s time for us to sit up and take this threat seriously. The American cousins of Swearing Trojan will likely emerge here soon.