Information Security: Where the Dangers Are
http://www.mindfully.org/Technology/2005/Information-Security-Dangers18jul05.htm
DAVID BANK and RIVA RICHMOND
Wall Street Journal
18 July 2005
In the world of cybercrime, the bad guys are getting smarter — and more
ambitious. In recent months, hackers have carried out a flurry of increasingly
sophisticated attacks, highlighting the vulnerability of key computer networks
around the world. Criminals penetrated the database of CardSystems Solutions
Inc., nabbing up to 200,000 Visa, MasterCard, American Express and Discover card
numbers and potentially exposing tens of millions more.
Leading high-tech companies in Israel allegedly planted surveillance software on
the computers of their business rivals. British security officials warned of a
computer attack aimed at stealing sensitive information from banks, insurers and
other parts of that country's "critical infrastructure." Security experts fear
things will only get worse. As technology gets more complex, more
vulnerabilities are springing up in computer networks — and more criminals,
terrorists and mischief makers are rushing to exploit them.
"What people can do on computer networks and what they can find on them has
increased tenfold from a few years ago," says Bill Hancock, chief security
officer of Savvis Inc., a major Internet-service provider. Infiltrating those
machines and using them for evil intent is easier than ever, he says. Some of
the threats are well known; home-computer users for years have battled viruses
and spam and more recently have been barraged with spyware, adware and
fraudsters "phishing" for sensitive information.
Less visible is the constant probing of corporate networks by would-be intruders
seeking trade secrets or competitive intelligence, and the data breaches caused
by disgruntled or dishonest insiders. Meanwhile, government authorities report
that hackers are stepping up attempts to attack critical systems such as water,
electricity, finance, transportation and communications.
Last year, the Department of Homeland Security prepared a worst-case
cyberdisaster scenario where criminals broke into financial-services facilities.
Twenty million credit cards were canceled, automated teller machines failed
nationwide, payroll checks couldn't be delivered, and computer malfunctions
caused a weeklong shutdown of pension and mutual-fund companies. "Citizens no
longer trust any part of the U.S. financial system," the scenario concluded.
Here's a look at the threats the security experts worry about the most — and
what businesses and consumers can do to protect themselves.
TARGETED ATTACKS
The
mass mailings of worms and viruses that clogged email in-boxes and corporate
networks in recent years have given way to less visible but more dangerous
attacks aimed at specific business and government targets. In many cases, these
invasions involve a Trojan — malicious software that hides inside another,
innocuous program.
Once planted on a victim's computer system, the Trojan can, among other things,
steal information at will and send it back to a criminal. Trojans that are
customized for a specific target are particularly dangerous, since conventional
antivirus programs are designed to spot and block previously identified threats.
"Because these things are one-off, the virus scanners do not recognize them at
all," says Bryan Sartin, director of technology for Ubizen, a unit of Cybertrust
Inc. of Herndon, VA.
Criminals use a variety of methods to get Trojans onto their targets' systems.
Often, they trick employees at a targeted company into installing the software.
In the Israeli case, law-enforcement officials discovered that the alleged
perpetrators gave victims floppy disks containing seemingly legitimate business
proposals. The disks contained Trojans that used "key logger" software to record
what users typed, and then transmitted that data, along with documents and
emails, to a computer in London. Hackers also take advantage of security flaws
in Web browsers.
Last year, hackers invaded the computer system of a large bank using a known,
but unpatched, vulnerability in Microsoft Corp.'s Internet Explorer, says Alfred
Huger, senior director of engineering for computer-security firm Symantec Corp.,
Cupertino, Calif., who investigated the break-in. For 90 days, the criminals
collected network and database passwords and intercepted secure communications,
among other things. Mr. Huger says he doesn't know how much money was lost.
Security experts are increasingly concerned about break-ins that come via a
company's partners and vendors.
These smaller companies often have privileged access to their larger partner's
computer systems, but may not be as well protected. Last year, John Pironti, a
security consultant with Unisys Corp., of Bluebell, Pa., says he helped discover
a powerful Trojan that had been planted in the computer network of a major
financial institution. A hacker penetrated one of the bank's custom-software
suppliers and discovered the "open pipe" to the financial-services provider's
network.
The most effective method for protecting against such attacks is also the
simplest — disconnect databases containing sensitive information, such as
credit-card data, from the Internet. "Systems like that should not have Internet
access, period," says Ubizen's Mr. Sartin. If that's not possible, all such
systems should have "firewall" technology that monitors Internet connections and
raises a red flag if it detects suspicious activity, such as high volumes of
data sent at unusual times.
Other tools can take a snapshot of legitimate system configurations and sound
alarms when changes occur. And, of course, all computers need to be kept up to
date with security patches and antivirus software, and users need to be educated
about opening unknown attachments or visiting suspicious Web sites.
BOTNETS
A single computer infected with a Trojan is bad enough. An army of infected
computers is a weapon of mass digital destruction. "Botnets," short for robot
networks, are made up of home and business PCs that have been taken over by
hackers and joined together to create remote-controlled networks.
The hackers (sometimes called "bot herders") use the combined power of these
machines to mount a variety of Internet attacks, right under the noses of the
PCs' rightful owners. The size, and power, of such botnets is growing rapidly,
as bot herders learn how to manage networks of tens of thousands of compromised
"zombie" or "drone" PCs. Here's how it works: Hackers or criminals slip Trojans
carrying the bot software onto the PCs of unwitting targets.
The infected computers are then programmed to listen for instructions, generally
sent via instant-messaging channels. Once assembled, the botnet can be used to
send spam, launch phishing attacks or disrupt a Web site by flooding it with
visits, a so-called denial-of-service attack. One popular tactic of organized
cybercriminals: denial-of-service attacks against Internet gambling sites.
The criminals then extort the sites for payment to halt the attack.
Home
computers, which generally lack sophisticated network-monitoring tools, are most
vulnerable to becoming unwitting conscripts. Early last year, Time Warner Cable
began sending Matt McKay "spam ticket" citations and threatened to turn off his
Internet service. The 32-year-old Charlotte, NC, attorney wasn't moonlighting as
a spammer.
A hacker had hijacked his computer. "I was spamming people, and I didn't know
it," he says. The Federal Trade Commission in May urged Internet-service
providers to more actively combat botnets, which the FTC estimated send as much
as 80% of spam. The FTC suggested ISPs monitor their customers for suspicious
emailing patterns, block Internet connections favored by bot herders and help
consumers clean up infected machines.
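The two monitoring ideas the article describes in prose, the firewall rule of thumb from the targeted-attacks section (flag large transfers at unusual hours) and the FTC's suggestion above that providers watch for suspicious emailing patterns, as an added example that is not part of the article. The log format, host names, thresholds and every record are constructed for the example; a real deployment would read flow or firewall logs and tune the thresholds per host.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample flow records (not from the article):
# "<ISO timestamp> <source host> <destination ip> <destination port> <bytes out>"
SAMPLE_LOG = [
    "2005-07-18T09:12:00 db-01 203.0.113.10 443 52000",
    "2005-07-18T11:40:00 db-01 203.0.113.11 443 61000",
    "2005-07-18T14:05:00 db-01 203.0.113.10 443 48000",
    "2005-07-18T16:30:00 db-01 203.0.113.12 443 55000",
    # a ~900 MB transfer at 03:17 from a host whose daytime sends are ~50 KB
    "2005-07-19T03:17:00 db-01 198.51.100.7 443 890000000",
    # the corporate mail relay: a handful of outbound SMTP connections, as expected
    "2005-07-19T02:05:00 mail-01 192.0.2.25 25 4100",
    "2005-07-19T02:20:00 mail-01 192.0.2.26 25 3900",
]
# pc-42 opens SMTP connections to 30 different hosts within half an hour (constructed)
SAMPLE_LOG += [
    f"2005-07-19T02:{minute:02d}:00 pc-42 192.0.2.{100 + minute} 25 900"
    for minute in range(30)
]


def parse(lines):
    """Turn the constructed log lines into dicts with typed fields."""
    records = []
    for line in lines:
        ts, host, dst, port, nbytes = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "host": host, "dst": dst,
            "port": int(port), "bytes": int(nbytes),
        })
    return records


def unusual_egress(records, business_hours=(8, 18), ratio=100.0):
    """Flag off-hours transfers far above the host's own business-hours median."""
    start, end = business_hours
    baseline = defaultdict(list)
    for r in records:
        if start <= r["time"].hour < end:
            baseline[r["host"]].append(r["bytes"])
    alerts = []
    for r in records:
        off_hours = not (start <= r["time"].hour < end)
        if off_hours and baseline.get(r["host"]):
            typical = median(baseline[r["host"]])
            if r["bytes"] > ratio * typical:
                alerts.append((r["host"], r["time"].isoformat(), r["bytes"]))
    return alerts


def smtp_fanout(records, window=timedelta(minutes=60), max_distinct=20):
    """Flag hosts reaching more than max_distinct SMTP destinations inside one window."""
    by_host = defaultdict(list)
    for r in records:
        if r["port"] == 25:
            by_host[r["host"]].append(r)
    alerts = []
    for host, conns in by_host.items():
        conns.sort(key=lambda r: r["time"])
        lo = 0
        for hi, r in enumerate(conns):
            # slide the window start forward until it fits inside `window`
            while r["time"] - conns[lo]["time"] > window:
                lo += 1
            distinct = {c["dst"] for c in conns[lo:hi + 1]}
            if len(distinct) > max_distinct:
                alerts.append((host, len(distinct)))
                break
    return alerts


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for alert in unusual_egress(recs):
        print("off-hours egress:", alert)
    for alert in smtp_fanout(recs):
        print("smtp fan-out:", alert)
```

The egress check deliberately compares each host against its own daytime behaviour rather than a global number, so a backup server that legitimately sends gigabytes at night is not flagged while a database host that normally sends kilobytes is; hosts with no daytime baseline are skipped rather than guessed at. The fan-out check counts distinct destinations, not messages, because a mail relay talks to a few fixed next hops while a spam bot sprays many.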
BLACKOUTS
In last season's television thriller "24," terrorists used the
Internet to penetrate control systems at dozens of U.S. nuclear power plants —
and cause one to melt down. Hollywood fantasy? Security experts warn that such
an attack is not as far-fetched as it might seem. The systems used to control
the nation's water, power, transportation and communication systems are
increasingly being connected to corporate networks that are in turn connected to
the Internet.
That makes it easier to control and maintain the systems remotely, but also
makes the systems vulnerable to viruses, worms and other Net-based threats.
Cyberattacks that successfully penetrate such "supervisory control and data
acquisition," or Scada, systems appear to be increasing. The British Columbia
Institute of Technology and the PA Consulting Group in London, which documented
a handful of such incidents through 2000, have reports of at least 80 successful
attacks world-wide since 2001. "Some just snoop around, some do damage," says
Eric Byres, who manages the research project. In May, the General Accounting
Office reported similar findings.
Security consultants cited in the report said hackers are continuously probing
the power grid for vulnerabilities; in some cases, intruders gained access to
utilities' control systems and affected operations, though not causing serious
damage. The vulnerability of vital networks was highlighted by the Northeast
blackout of 2003. Though not caused by a cyberattack, the incident was
exacerbated by one: The "Blaster" worm, which had been released days earlier,
clogged communications links and hurt operators' ability to stem the cascading
blackout. Security experts say such power-control systems are unlikely to be the
primary target of terrorists, who arguably are more interested in spectacular
physical attacks that generate casualties.
But experts are increasingly concerned that attacks on critical systems could be
used in conjunction with more-violent tactics to compound the damage — for
instance, by disabling emergency-response systems. Some of the vulnerabilities
of these control systems can be offset by rigorous compliance with standard
cybersecurity practices. Congress is considering adding such requirements to the
federal energy bill now pending. But many security experts say existing Scada
systems are obsolete and need to be replaced by new sensors with multiple layers
of security, including in the hardware, the network and the application.
Perhaps more important, says S. Shankar Sastry, a professor of electrical
engineering at the University of California, Berkeley, are strategies for
"graceful degradation," for example by installing several layers of defenses, to
ensure that vital networks remain at least partly operational during and after a
major attack. "We should expect in the future for attacks to succeed," Mr.
Sastry says. "The question is: How do you keep the infrastructure from
completely falling apart?"
CRASHING THE NET
Hackers can take down a corporate computer network.
But could they crash the whole Internet? The same qualities of trust and
openness that have made the Internet successful also make it vulnerable to major
outages. The experts' top worry: an arcane mechanism known as the "border
gateway protocol." The protocol is used by the hundreds of networks that make up
the Internet to advertise their routes so they can carry each other's traffic.
By falsifying such announcements, hackers could intercept Internet traffic,
modify it or simply make it vanish by directing it to bogus or nonexistent
routes.
And by directing a flood of traffic onto a route too small to handle it, a
hacker could overload and crash at least parts of the global Internet. "You can
take out some portion of the Net for some amount of time," says Steven Bellovin,
a longtime security expert at AT&T Labs and now professor of computer science at
Columbia University.
If a sophisticated adversary sent out fraudulent routing announcements from a
dozen different points, "you could have a very serious situation," he says. In
the past decade, security specialists say, inadvertent glitches in the protocol
have caused a half-dozen large network outages and many smaller ones.
In December 1999, such a mistake took down AT&T's Worldnet Internet service for
most of a day, leaving 1.8 million customers without Web access. An even larger
outage occurred two years earlier, when a small Internet-service provider
mistakenly advertised incorrect routes, causing a two-hour disruption for large
parts of the Internet. Now, security experts are seeing apparently intentional
attacks exploiting the weaknesses in the protocol. In one case, the Web site of
a large Internet-networking company vanished, meaning no traffic could reach it
for several hours.
In another, some Internet traffic went into a "black hole" along an advertised
route that didn't really exist; email, Web requests and so on simply
disappeared. Neither incident was considered serious, but they showed "the
threat is real," says Craig Labovitz, director of engineering at Arbor Networks
Inc., a network-security firm in Lexington, Mass.
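The two kinds of incident just described, an origin hijack and a "black hole" route, and the short-lived spam announcements discussed next, as an added example that is not part of the article. It applies route origin validation: an operator keeps a list of which autonomous system may announce which prefix (the shape of an RPKI route origin authorization) and classifies each observed announcement as valid, invalid or unknown; a second check flags prefixes announced and withdrawn within a short window. The prefixes, AS numbers, authorizations and timeline are all constructed for the example.

```python
import ipaddress
from datetime import datetime

# Constructed route origin authorizations (not from the article):
# (prefix, AS allowed to originate it, longest prefix length permitted)
ROAS = [
    ("203.0.113.0/24", 64500, 24),
    ("198.51.100.0/22", 64501, 24),
]

# Constructed announcements as a route collector would see them:
# (prefix, AS path with the origin AS last)
ANNOUNCEMENTS = [
    ("203.0.113.0/24", [64510, 64500]),    # legitimate origin
    ("203.0.113.0/24", [64520, 64666]),    # same prefix from an unauthorized origin
    ("198.51.100.0/25", [64510, 64501]),   # more specific than the ROA permits
    ("192.0.2.0/24", [64510, 64530]),      # no authorization covers it at all
]

# Constructed announce ("A") / withdraw ("W") timeline for the short-lived check
EVENTS = [
    ("2005-07-18T01:00:00", "A", "192.0.2.0/24"),
    ("2005-07-18T01:25:00", "W", "192.0.2.0/24"),
    ("2005-07-18T00:00:00", "A", "203.0.113.0/24"),
]


def validate(prefix_str, origin_as, roas=ROAS):
    """Route origin validation: 'valid', 'invalid' or 'unknown' for one announcement."""
    prefix = ipaddress.ip_network(prefix_str)
    covered = False
    for roa_prefix_str, roa_as, max_len in roas:
        roa_prefix = ipaddress.ip_network(roa_prefix_str)
        if prefix.version == roa_prefix.version and prefix.subnet_of(roa_prefix):
            covered = True   # some authorization speaks for this address space
            if roa_as == origin_as and prefix.prefixlen <= max_len:
                return "valid"
    # covered by an authorization but matching none of them: a hijack or a
    # too-specific announcement; not covered at all: nothing to judge against
    return "invalid" if covered else "unknown"


def classify(announcements, roas=ROAS):
    """Classify a batch of announcements by their origin AS (last element of the path)."""
    return [(prefix, path[-1], validate(prefix, path[-1], roas))
            for prefix, path in announcements]


def short_lived(events, max_minutes=60):
    """Prefixes announced and then withdrawn within max_minutes, with their lifetime."""
    announced = {}
    flagged = []
    for ts, kind, prefix in sorted(events):        # ISO timestamps sort correctly as text
        t = datetime.fromisoformat(ts)
        if kind == "A":
            announced[prefix] = t
        elif kind == "W" and prefix in announced:
            minutes = (t - announced.pop(prefix)).total_seconds() / 60
            if minutes <= max_minutes:
                flagged.append((prefix, minutes))
    return flagged


if __name__ == "__main__":
    for prefix, origin, verdict in classify(ANNOUNCEMENTS):
        print(f"{prefix} from AS{origin}: {verdict}")
    for prefix, minutes in short_lived(EVENTS):
        print(f"{prefix} lived only {minutes:.0f} minutes")
```

The "unknown" verdict is the important one operationally: most address space had no published authorization when this article appeared, so a validator that treated unknown as invalid would drop legitimate routes. Origin validation also only checks the last AS in the path, so it catches the hijacks in the article's examples but not an attacker who forges a path ending in the legitimate origin.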
Spammers are also starting to take advantage of the technique. By advertising
fake Internet addresses for just long enough to launch their spam, then
withdrawing the addresses, it's possible to erase any trail that law enforcement
might follow. "Nobody can find it," Mr. Bellovin says. "It's not in the
database. You can't map your way to it. It's just gone." Because the Internet is
used by nearly everybody but owned by no one, systemic vulnerabilities have
proved difficult to correct. For starters, a change would require upgrades to
thousands of routers.
And there's no consensus on how to fix the border-gateway protocol.
Still, the
Net has proved remarkably resilient against large-scale attacks. "We've been
hearing these end-of-the-Internet stories for the last 10 years," Mr. Labovitz
says. "But we haven't seen many of these mega-attacks." The most likely reason:
Hackers, thieves and terrorists have come to depend on the Internet just like
everybody else, and don't want it wrecked.
PHRAUD
Internet-related fraud accounted for 53% of all consumer-fraud complaints made to
the Federal Trade Commission last year.
Among the biggest threats are those involving scammers who use elaborate ruses
to pretend to be someone else.
In "phishing" scams, fraudsters send emails that
appear to come from a trusted source, like Citibank or eBay. Click on a link in
the email, and you're directed to a fake Web site, where you're asked to reveal
account numbers, passwords and other private information. In some cases,
phishing sites plant hidden programs, such as key loggers, on victims'
computers. So even if a visitor doesn't enter any data into the phony site, the
phisher can try to filch it later.
Then there's "pharming," where hackers attack
the server computers where legitimate Web sites are housed.
Type in the address of the legitimate site, and you are redirected to a
look-alike. In a similar ruse, hackers use Trojans to manipulate the browser
cache on a victim's computer, where copies of Web pages are stored so that they
don't have to be reloaded from scratch with each visit. When you visit a site
stored in your cache, you are directed to a fake site instead. In "Evil Twin"
attacks, hackers set up Wi-Fi hot spots that trick your computer into thinking
it's accessing your home wireless network or a safe public network. While you
use the network, attackers can monitor your moves and steal the information you
enter into a Web site, if the site doesn't have the right safety measures.
To combat phishing, assume that any email asking for personal information is a
fake, says Robert C. Chesnut, senior vice president of rules, trust and safety
at eBay Inc. Consumers can also get help from new phishing-site blockers from
service providers Time Warner Inc.'s America Online unit and EarthLink Inc. As
for pharming, some banks are beginning to look at ways to help consumers
distinguish real sites from fake ones, such as letting consumers choose
personalized images that appear on the site whenever they visit.
To combat the variation on pharming that involves meddling with PCs, consumers
should be sure to regularly sweep for Trojans with antivirus and antispyware
programs available from companies such as Symantec, McAfee Inc. and Webroot
Software Inc. For Evil Twin attacks, wireless users should enter private
information only into sites that protect data with encryption technology, which
is signified by a little lock on the bottom of the page.
HIJACKING
Many hackers who covertly take control of your computer are looking to draft it
into a botnet.
But there are a host of other ways to get hijacked. Aggressive marketers are
using "adware" to hijack Web searches, display pop-up ads and drag surfers to
unwanted Web sites. Adware's more insidious cousin, spyware, can capture
users' keystrokes and follow their browsing activities. These programs often
arrive bundled with free software or sneak onto users' computers when they visit
dodgy Web sites.
Viruses, meanwhile, have become a tool for delivering malicious payloads and not
just a form of causing mischief. Hackers are using them to install bots and
Trojans that give them control of PCs, allowing them to send spam and steal
private personal information silently. After Mr. McKay, the Charlotte attorney,
cleared up his botnet problem, the home page of his Web browser was hijacked by
an adware program, forcing him to view a "flashy, gaudy" page featuring links to
mortgage lenders and pornography.
Only when his girlfriend refused to touch the computer did he cave. "I said,
'All right, this is embarrassing,'" he recalls. "'I'm going to fix it.'"
Mr.
McKay had to undergo a crash course in Internet security to get rid of the
programs that hijacked his computer. He ran a battery of different security
programs, killing anything that looked suspicious. But after a slew of software
failed to clean out his machine, he turned to extracting the pests manually.
Security experts advise consumers to make sure they install and use firewall and
up-to-date antivirus programs, combined with regular sweeps with a spyware-removal
program. Increasingly, Internet-service providers are offering their embattled
customers security tools. Many people are also switching to Apple Computer
Inc.'s Macintosh machines and the Firefox Web browser, which have rarely been
the target of malicious code.
AIRBORNE ASSAULT
In the future, security attacks will come out of thin air.
Smartphones and some personal digital assistants boast always-on wireless
connections and run more-sophisticated software than standard cellphones, making
them susceptible to viruses, worms and data theft just like PCs. The hackers'
current pathway of choice: Bluetooth. This radio technology allows short-range
wireless communication for sending messages, exchanging electronic business
cards and using wireless headsets. But hackers can exploit flaws in Bluetooth to
steal information from digital gadgets or spread viruses.
For now, mobile viruses have done little more than drain their victims' phone
batteries and send off text messages using their account. But bigger threats may
be coming. The invasions so far were merely "science projects" for hackers
wanting to see if they could attack mobile devices, says Victor Kouznetsov,
senior vice president of mobile solutions for McAfee.
"They discovered it's not that hard."
Mr. Pironti of Unisys says people should
use built-in Bluetooth security features that let only authorized headsets and
PCs talk to their phones. They should also change default passwords for wireless
headsets. Meanwhile, security-software companies are rushing to offer antivirus
protection for mobile devices. Japanese carrier NTT DoCoMo Inc. sells phones
with built-in antivirus software from McAfee. A number of large carriers offer
similar protection from F-Secure Corp. of Finland.
But the best defense will come from wireless carriers blocking attacks within
their networks, before they can reach people's phones, says Gartner Inc. analyst
John Pescatore. Cellphone users should start asking their providers what
protection they offer or intend to provide, he says. F-Secure, for one, says its
network-level technology has been deployed by nine wireless operators that
altogether serve 32 million subscribers.
YOUR KIDS
What's the quickest way to get your computer infested with spyware,
bots and Trojans? Let your kids use it. Kids often use music and video
file-sharing programs like Kazaa, LimeWire and BitTorrent, where they can
unwittingly download adware and spyware. They also pick up nasty programs at
"code and cheat" sites, which help them get higher rankings in online games. And
curiosity will take them to plenty of other risky places, including porn sites.
Some security experts advise parents to have a separate computer for the kids.
John Esposito of Ridgewood, NJ, keeps financial records on his own laptop, so
they won't be endangered if nine-year-old Zoe or 13-year-old Zach inadvertently
lets in a hacker program. In addition to protecting their PC with the usual
array of security software, parents can use parental-control tools to restrict
access to inappropriate sites.
Parry Aftab, executive director of WiredSafety Group, a New York-based advocate
for online safety, recommends kid-safe search engines, such as Yahoo Inc.'s
Yahooligans and Ask Jeeves Inc.'s Ask Jeeves Kids. These sites won't steer kids
to sites meant for adults, including porn sites that try to lure visitors with
misspellings of popular keywords.
Parents should also talk to their children about online dangers and set ground
rules for computer use. Parents may even want to use some spyware tools of their
own to monitor what kids do online. Ms. Aftab recommends monitoring software
from SpectorSoft Corp. because it's able to capture instant messaging in
multiple formats.
—Mr. Bank is a staff reporter in the Wall Street Journal's San Francisco bureau, and Ms. Richmond is a reporter for Dow Jones Newswires in Jersey City, N.J.