A cyber-security primer.
By Joe Dysart
Once the province of teenage boys spreading graffiti for kicks and notoriety, hacking today is done by organized, financially motivated gangs that need constant monitoring, according to researchers of a new in-depth study, “Security Threat Report: 2010,” recently published by cyber security firm Sophos.
“In the past, virus writers displayed offensive images and bragged about the malware they had written,” the report’s researchers say. “Now, hackers target companies to steal intellectual property, build complex networks of compromised PCs and rob individuals of identities.”
In just the past few years, cybercriminals have successfully launched attacks that put science fiction to shame. In January 2007, TJX Companies Inc. lost key details associated with 45 million credit card accounts due to a hacker, according to Sophos. In 2008, 12.5 million account records were lost on backup tapes owned by BNY Mellon. And in January of last year, hackers penetrated the Heartland Payment Systems computer network, home of 130 million credit card accounts.
Nor are hackers limiting themselves to major corporations and government entities. Even the smallest of companies are beginning to report incidents in which their websites are attacked and shut down for hours or even days. Other small companies have received ransom e-mails from hackers, demanding money in exchange for the computer fixes needed to get their disabled sites up and running again. It’s enough to send chills down the spine of any specialty fabrics business.
Even worse, as the Web has evolved, so have cyberpunks. One of the newest and most pervasive online security threats these days is widespread employee use of social networks like Facebook, MySpace and LinkedIn®. More than a third of companies surveyed say they have picked up malware via the social networking sites, according to Sophos, and more than 72 percent believe that employee behavior on social networking sites could pose a threat to their business security.
“Computer users are spending more time on social networks, sharing sensitive and valuable personal information, and hackers have sniffed out where the money is,” says Graham Cluley, a senior technology consultant for Sophos. “The dramatic rise in attacks in the last year tells us that social networks and their millions of users have to do more to protect themselves from organized cybercrime, or risk falling prey to identity theft schemes, scams and malware attacks.”
It seems that as soon as a new wrinkle on computing or social networking unfolds, cybercriminals begin probing for vulnerabilities. Relatively new social networking upstart Twitter™, for example, has already been hit with spamming worms. Blackberry® users have been hit by malicious PDFs. Even the seemingly omnipotent iPhone can become hacker-vulnerable if users decide to “unlock” the phones and import applications that are not officially approved by Apple®.
Meanwhile, phishing—loosely defined as e-mails and websites designed to trick users into believing they are visiting and interacting with an official company Web property—is becoming ever more sophisticated. One of the most brazen ruses victimized none other than The New York Times last fall, when hackers boldly purchased ad space in the paper and embedded a phishing scam right inside the online edition.
The “gang of hackers purchased ad space posing as Internet telephone company Vonage,” Sophos’ Cluley says. “Visitors to The New York Times website who were served the poisoned advert saw pop-up messages warning them that their computer had been infected, and urging them to install fake anti-virus software (also known as scareware).”
The solution to all the mayhem for specialty fabrics businesses? Unrelenting diligence, accompanied by these common sense remedies, according to security experts:
- Experiment with Internet access rights. Web use on the job has become so widespread that many employees see internet access as a right. John Lavin, president of Edge3 Corp., a business consulting firm, sees things differently. “Fortunately and unfortunately, the use of the Internet on the job has skyrocketed. The amount of time wasted by employees really cuts into productivity,” Lavin says. “Internet use needs to be evaluated for each job description. If you do not need to give an employee Internet access to perform their job, then do not. A solution that works for a couple of reasons may be this: set up a network-isolated area that has Internet access, and partial privacy for employees. Set some rules about use. Productivity will increase, and an added benefit is that if these PCs are isolated from the main network, viruses become nearly nonexistent.”
- Guard IDs and passwords very carefully. This goes double for any IDs and passwords associated with the social networks employees visit. “Social network log-on credentials have become as valuable as e-mail addresses,” Sophos researchers say, “because these [social network originating] e-mails are more likely to be opened and trusted than standard messages.”
- Establish a policy on social network use. “You need a written policy that outlines what your expectation is with regard to social networking interaction using company equipment and during company time, simply for the reason that if you don’t have a policy in place, then you have no grounds to stand on when you may need it,” says Ben Becker, president of Becker Solutions Inc., a custom application and IT solution provider.
- Adopt Web-filtering technology—and get employee buy-in on the concept. The best thing a business can do to protect itself is to make its environment foolproof, according to Becker. “They should install filters, proxies, virus scanning, spam filtering, local security policy restrictions, etc., to make it as hard as possible for users to be faced with anything that may pose risk. This will irritate users, but at the end of the day, whatever they are blocked from, they probably shouldn’t be doing anyway during business hours. Very few people will come to you and say they can’t do their job because they can’t update their status on Facebook or instant message with their mother.” Sophos’ researchers add: “Those who are tempted to try to circumvent the protection should be educated about its value.”
- Disable the autoplay feature for thumb-drive programs on Windows® XP. Many hackers attempt to spread malware and viruses by engineering the software to migrate to thumb drives, which are often used interchangeably among many computers. The problem with that scenario is that Windows XP is programmed to autoplay any program resident on a thumb drive, whether it’s legitimate or malicious.
“The idea that someone can simply take a thumb drive from a friend or family member, insert it into their computer, and then watch everything go bye-bye is a pretty scary oversight,” says Jay Correia, senior production coordinator at DreamCo Design, a Web design firm. IT managers should double-check that autoplay is disabled on Windows XP. As for the new Windows 7, autoplay for programs on thumb drives is disabled by default.
- Warn employees about porn-dialers on phones. Watching porn on the job can become a double-whammy for employees if they’re hit with embedded dialer programs that pose as porn videos, software or utilities. Once activated on a company mobile phone, these programs autodial expensive porn numbers owned by cybercriminals, who then bill your business as if they’re a legitimate vendor.
- Adopt a zero-tolerance policy for software not approved by your firm. Specialty fabrics businesses should not allow individuals to install any software on company computers without management permission, and that should be stated clearly to employees upon being hired, according to Correria.
Keep in mind that sometimes the good guys do win. This past December, Albert Gonzalez pled guilty to masterminding the hacking of T.J. Maxx, Heartland Payment Systems, 7-Eleven and the supermarket chain Hannaford Brothers. He faces a prison term of at least 17 years, according to Sophos.